Lecture 1-2

LegendaryDecagon

Give one example of IR process.

The system is working properly. Then a user opens a suspicious email. The sensors do not detect anything. The user tries to authenticate from their phone but reports that the system is unable to authenticate them. The help desk starts troubleshooting the problem. Since these are indications of compromise, a security incident is created. Incident response continues from there.

What is needed for the success of IR process?

All IT employees should be trained to know how to handle a security incident. All users should be trained to know the core fundamentals of security. An integration between the help desk and the security response team. Good sensors (intrusion detection systems) in place, for example network and host sensors, for quick and comprehensive detection. The IR process must be in line with the law and the company's regulations.

What are the foundational areas of the IR process?

Objective: what is the purpose of the process? Scope: to whom does this process apply? Definition/terminology: each company may have a different understanding of what a security incident is; define what constitutes a security incident, give examples, and create the company's own definition using clearly defined terminology. Roles and responsibilities: who has the authority to take a computer in order to perform further investigation? Define who has this type of authority and let the whole company know about it. Priorities/severity levels: the type of information affected by the incident and its recoverability.

What is the role of an end user?

Their roles involve identifying and reporting security incidents. They should know how to create a security incident. They are required to attend the security awareness training.

What should end users do if the issue occurred but the scenario could not be recreated as evidence?

System and network profiles can be treated as digital footprints, and they can be checked for records of evidence. Check the log retention policy for records of events that happened on the computer. Also, all clocks should be synchronized so that the correct time of the event can be established. Instruct the end user to contact support while the issue is occurring and provide the environment to capture data.

What are the four phases of the NIST IR process?

Preparation, detection/analysis, containment/eradication/recovery, post-incident activity.

Explain preparation phase of NIST IR process.

Implementation of security controls that were created based on the risks that may occur. Implementation of other security controls such as endpoint protection, malware protection and network security. The preparation phase is not static: it receives input from the post-incident activity phase.

Explain detection/analysis phase of NIST IR process.

The detection system must be aware of the attack vectors. It must be able to dynamically learn about new threats and new behaviours. It triggers an alert if suspicious activity is encountered. To detect threats more quickly and reduce false positives, security intelligence and advanced analytics are required. Detection and analysis are sometimes done almost in parallel: an attack may still be taking place when it is detected.

What kind of tools are required to identify IOC?

A combination of these tools is required: endpoint protection and system logs to detect phishing emails and lateral movement; server logs and network captures for unauthorized or malicious processes; firewall logs and network captures for data extraction and submission.

Explain containment/eradication/recovery phase of the NIST IR process.

Containment: perform short-term containment by isolating the portion of the network that is under threat. Then focus on long-term containment, which requires temporary adjustments to allow systems to be used in production while clean systems are rebuilt. Restore affected systems in minimal time. Eradication: remove malware from all infected devices, identify the root cause of the attack, and take the necessary steps to avoid similar attacks in the future. Recovery: to avoid further attacks, put the affected production systems back online. To ensure that they return to normal operation, test, check and track the affected systems.

Explain post-incident phase of NIST IR process.

Documenting lessons learned: it is one of the most valuable pieces of information that you have in the post-incident activity phase. It helps to keep refining the process through the identification of gaps in the current process and areas for improvement. This documentation must be very detailed, with the full timeline of the incident. Content: the steps that were taken to resolve the problem, what happened during each step, and how the issue was finally resolved, outlined in depth.

Who is responsible for IR in the cloud for PaaS?

A shared responsibility between the cloud provider and the company that is contracting the service.

Who is responsible for IR in the cloud for IaaS?

Responsibility is shared between the cloud provider and the customer. Customers have full control over their virtual machines and access to their OS-level logs; the cloud provider maintains control over and access to the underlying infrastructure and hypervisor logs.

Who is responsible for IR in the cloud for SaaS?

The primary responsibility lies with the cloud service provider. In case of an incident, customers should contact the cloud provider directly or open an incident through the provider's portal. Customers should review the Service Level Agreement (SLA) to understand the procedures, responsibilities, and response times during an incident.

What would you do in order to include cloud in your IR process?

Update the contact list to include the cloud provider's contact information, on-call process, and so on. Include the cloud provider's detection solution to assist you during the investigation. Revisit the cloud provider's capabilities for isolating an incident.

What are the six phases of the threat life cycle management?

Forensic data collection, discovery phase, qualification phase, investigation phase, neutralization phase, and recovery phase.

Explain the forensic data collection phase of threat life cycle management.

Collection of security event and alarm data, machine data and logs, and forensic sensor data. Threats come through the seven domains of IT. The more of the IT infrastructure the organization can see, the more threats it can detect.

Explain the discovery phase of threat life cycle management.

Search analytics: reviewing the reports from the network and antivirus software. Machine analytics: scanning a large amount of data and giving a brief, simplified result in machine language.

Explain the qualification phase of threat life cycle management.

Threats are evaluated to determine their potential impact, urgency of resolution, and how to mitigate that threat. Inefficient qualification may lead to true positives being missed and false positives being included.

Explain the investigation phase and neutralization phase of threat life cycle management.

Investigation phase: the qualified threats are fully investigated to determine whether or not they have caused a security incident. Neutralization phase: eliminate or reduce the impact of an identified threat. Automated processes ensure a higher throughput of threat removal and ease information sharing and collaboration in the organization.

Explain the steps of cyber attack.

External reconnaissance: gain vulnerability information about the target from external sources and decide which compromising technique is best to use. Compromising: compromising the system. Lateral movement: the use of various scanning tools to find loopholes that can be exploited to stage an attack. Access and privilege escalation: privilege escalation is performed to move around without being detected; vertical: move from one account to one with higher authority; horizontal: move between accounts of the same level. Concluding the mission: exfiltration: extract sensitive data from the company; sustainment: remain silent and install malware on the victim's device to access it at any time; assault: permanently damage the data and software; obfuscation: the attacker covers up their tracks.