Incident Response Procedures
Utilizing Data Sources to Support Investigations
How to apply mitigation techniques or controls
Implementing Cybersecurity Resilience
100

The final phase of incident response, where we pull together all of the facts and plan to prevent a recurrence. Skipping this phase leaves the door open to the same incident happening again.

What is lessons learned

100

used to understand your network traffic flow

What are bandwidth monitors.

100

Where the approved applications are listed; anything not on the list is blocked from running.

What is a whitelist (allow list).

100

A battery-backed standby device that takes over when mains power to the computer fails.

What is a UPS (uninterruptible power supply).

200

The first action once a domain controller is found to be infected with a virus: isolate it so the infection cannot spread to other systems.

What is Containment.

200

has information about hardware changes, updates to devices, and time synchronization, and they log group policy events and whether they have been successful.

What is a system log file

200

A set of predefined rules and actions that a SOAR platform runs automatically when a given type of incident is detected.

What is a playbook.

200

Should one adapter fail, the other keeps the link up; while both are healthy they share the load for better performance and increased throughput.

What is Network Interface Card (NIC) teaming.

300

Three exercises that you can carry out to ensure your company is ready for any disaster.

What are a tabletop exercise, a structured walkthrough and a simulation.

300

A vulnerability scanner can identify these.

What are missing patches, open ports, services that should not be running, and weak passwords.

300

A quarantine network where a remediation server applies patches to the system before it is allowed back on to the network.

What is Network Access Control (NAC).

300

Copies data and virtual machines to a second location as changes happen, so an up-to-date standby copy is always available.

What is replication.

400

Members of the incident response team and their roles

What is: 

Incident Response Manager: A top-level manager who takes charge.

Security Analyst: Technical support to the incident.

IT Auditor: Checks that the company is compliant.

Risk Analyst: Evaluates all aspects of risk.

HR: Sometimes employees are involved in the incident.

Legal: Gives advice and makes decisions on legal issues.

Public Relations: Deals with the press to reduce the impact.

Cyber Incident Response Team: The cyber incident response team must move rapidly and have up-to-date training for the variety of incidents that they may encounter. They may have to use third-party specialists in some aspects of cybercrime.

400

Types of data that can be found on the SIEM dashboard and what they are

What is:

Sensor: Sensors are deployed across your network to collect events from log files as they are written, giving visibility into changes as they occur.

Sensitivity: The SIEM system can monitor PII and other sensitive information to ensure that we stay compliant. An example would be ensuring that all Health Insurance Portability and Accountability Act (HIPAA) regulations are observed. The SIEM system can also maintain a personal data breach register to support, for example, GDPR compliance.

Trends: A SIEM system can identify trends in hardware breakdown and performance issues, so that we can predict when maintenance will be needed and prevent breakdowns. Events are kept in separate categories, such as application, system, and security events.

Alerts: Log files record events on hosts and network devices, but nothing reads them automatically. A SIEM system can set up alerts so that when certain information appears in the log files, the security team is notified immediately. Another way is to install agents on devices so that when an event is triggered, the SIEM system correlates the events and notifies the security team in real time.

Correlation: The SIEM correlates and aggregates the log files from multiple sources and from that it can generate a single report that provides a picture of events.
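The aggregation and correlation described above, as an added example that is not part of the original page: two constructed log sources (an SSH authentication log and a firewall log, in made-up formats) are normalised into one event list keyed by source IP, and a single correlation rule fires one alert when repeated login failures are followed by a success and then a burst of firewall denies from the same address. The log lines, field names and thresholds are all assumptions chosen for the illustration.

```python
"""Added example: a minimal SIEM-style correlation over two constructed log sources.
Not code from the original page; every log line below is made up for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events (hypothetical formats; IPs are documentation ranges).
AUTH_LOG = """\
2024-03-01T09:00:01 sshd failed password for admin from 203.0.113.9
2024-03-01T09:00:03 sshd failed password for admin from 203.0.113.9
2024-03-01T09:00:05 sshd failed password for root from 203.0.113.9
2024-03-01T09:00:09 sshd failed password for admin from 203.0.113.9
2024-03-01T09:00:12 sshd accepted password for admin from 203.0.113.9
2024-03-01T09:05:00 sshd accepted password for alice from 198.51.100.7
"""
FW_LOG = """\
2024-03-01T09:00:30 fw deny src=203.0.113.9 dst=10.0.0.5 dport=445
2024-03-01T09:00:31 fw deny src=203.0.113.9 dst=10.0.0.6 dport=445
2024-03-01T09:00:32 fw deny src=203.0.113.9 dst=10.0.0.7 dport=445
2024-03-01T09:00:33 fw allow src=198.51.100.7 dst=10.0.0.5 dport=443
"""

AUTH_RE = re.compile(r"^(\S+) sshd (failed|accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) fw (deny|allow) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_events(auth_text, fw_text):
    """Aggregation step: normalise both sources into one time-ordered event list."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": "auth",
                           "ip": ip, "type": f"auth_{result}", "user": user})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": "fw", "ip": src,
                           "type": f"fw_{action}", "dst": dst, "dport": int(dport)})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5), fail_threshold=3, deny_threshold=3):
    """Correlation rule: at least fail_threshold auth failures followed by a success from
    the same IP, then at least deny_threshold firewall denies from that IP within the
    window after the login. Each matching IP yields one alert."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["type"] == "auth_failed"]
        succ = [e for e in evs if e["type"] == "auth_accepted"]
        denies = [e for e in evs if e["type"] == "fw_deny"]
        if len(fails) < fail_threshold or not succ:
            continue
        first_fail, login = fails[0]["ts"], succ[0]["ts"]
        if login - first_fail > window:
            continue
        later_denies = [d for d in denies if login <= d["ts"] <= login + window]
        if len(later_denies) >= deny_threshold:
            alerts.append({"ip": ip, "user": succ[0]["user"], "failed_logins": len(fails),
                           "denied_connections": len(later_denies),
                           "targets": sorted({d["dst"] for d in later_denies})})
    return alerts


def run():
    """Single report built from both sources, as a SIEM dashboard would show it."""
    return correlate(parse_events(AUTH_LOG, FW_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Neither source on its own is alarming (a handful of failed logins, a few blocked SMB connections); the alert only exists because the two are joined on the source address and ordered in time, which is the value a SIEM adds over reading each log file separately.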

400

The acronym I.C.S

What are Isolation, Containment and Segmentation.

400

Three main types of backup.

What are full (everything), incremental (only what has changed since the last backup of any kind) and differential (everything that has changed since the last full backup).
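The difference between the three backup types is easiest to see on a concrete change history, so here is an added example (not code from the original page) that simulates a week of constructed file changes after a day-0 full backup, works out what each incremental or differential run captures, and lists which backup sets a restore to a given day needs. The file names and the change schedule are made up for the illustration.

```python
"""Added example: simulate full, incremental and differential backups over a week of
constructed file changes. Not from the original page."""

# Constructed change history: files modified on each day (day 0 is the Sunday full backup,
# so every file counts as "changed" that day).
CHANGES = {
    0: {"a.txt", "b.txt", "c.txt", "d.txt"},
    1: {"a.txt"},
    2: {"b.txt"},
    3: {"a.txt", "c.txt"},
    4: {"d.txt"},
}


def plan(changes, strategy):
    """Return {day: set of files captured} for 'incremental' or 'differential' after a
    day-0 full backup.
    Incremental: files changed since the last backup of any kind (archive bit cleared each run).
    Differential: files changed since the last FULL backup (archive bit left set)."""
    if strategy not in ("incremental", "differential"):
        raise ValueError(strategy)
    days = sorted(changes)
    captured = {days[0]: set(changes[days[0]])}   # day 0 is the full backup
    since_full = set()
    for day in days[1:]:
        since_full |= changes[day]
        if strategy == "incremental":
            captured[day] = set(changes[day])
        else:
            captured[day] = set(since_full)
    return captured


def restore_set(changes, strategy, target_day):
    """Which backups must be applied, in order, to restore to the end of target_day."""
    days = sorted(changes)
    if strategy == "incremental":
        return [d for d in days if d <= target_day]          # full + every incremental since
    if target_day == days[0]:
        return [days[0]]
    return [days[0], target_day]                             # full + latest differential only


def total_files_written(changes, strategy):
    """Rough cost measure: how many file copies the strategy writes over the whole period."""
    return sum(len(files) for files in plan(changes, strategy).values())


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, plan(CHANGES, strategy))
        print("  restore to day 4 needs backups:", restore_set(CHANGES, strategy, 4))
        print("  file copies written:", total_files_written(CHANGES, strategy))
```

Running it shows the trade-off in numbers: incremental writes fewer copies each day but a restore to day 4 needs the full backup plus four incrementals, any one of which being corrupt breaks the chain; differential writes more each day but a restore needs only the full backup and the latest differential.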

500

Incident Response Process

What are Preparation, Identification, Containment, Eradication, Recovery, & Lessons Learned

500

Kinds of log files and what they record

What are:

Network: This log file can identify the IP address and the MAC address of devices that are attached to your network. The log files from the NIDS and NIPS can be very important, and we can track users by using the log files from a proxy server. We can identify DDoS traffic as it arrives by the flood of repeated entries from many sources and move to stop it.

System: System log files have information about hardware changes, updates to devices, and time synchronization, and they log group policy events and whether they have been successful.

Application: Application log files contain information about a software application, when it was launched, whether it was successful, or whether it carries warnings about potential problems or errors.

Security: Security log files contain information about a successful login or an unauthorized attempt to access the system. This can identify attackers trying to log in to your computer systems.

Web: Web servers log many types of information about web requests and can be very useful in identifying events. The information collected about each request includes the client IP address, date and time, HTTP method (such as GET or POST), browser used, and the HTTP status code.

Status codes can be broken down into the following series:

a. 100 series, informational; the request was received and processing continues. An example would be 102 Processing.

b. 200 series, success; the request was received, understood and served. An example would be 200 OK.

c. 300 series, redirection; more action is needed to complete the request. An example would be 301 Moved Permanently.

d. 400 series, client-side error; an example would be 403, where you are forbidden access, or 404 file not found.

e. 500 series, server-side error, failure to carry out a request; examples would be 500 internal server error, 502 bad gateway, where an upstream proxy returns an invalid response, or 503 service unavailable.
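An added example of reading a web server log the way the entry above describes (not code from the original page): it parses constructed combined-format access log lines, buckets each request by status series, flags clients whose requests are mostly 4xx (the profile of someone probing for files that do not exist) and lists 5xx responses, which point at the server or an upstream rather than the client. The log lines, the client addresses and the thresholds are assumptions made for the illustration.

```python
"""Added example: parse constructed Apache/Nginx combined-format web log lines and
bucket requests by HTTP status series. Not code from the original page."""
import re
from collections import Counter, defaultdict

# Constructed sample log (combined log format); IPs are documentation ranges.
WEB_LOG = """\
203.0.113.5 - - [01/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2024:10:00:02 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2024:10:00:05 +0000] "GET /admin HTTP/1.1" 404 512 "-" "curl/8.0"
198.51.100.9 - - [01/Mar/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/8.0"
198.51.100.9 - - [01/Mar/2024:10:00:06 +0000] "GET /.env HTTP/1.1" 403 312 "-" "curl/8.0"
198.51.100.9 - - [01/Mar/2024:10:00:06 +0000] "GET /phpmyadmin HTTP/1.1" 404 512 "-" "curl/8.0"
203.0.113.5 - - [01/Mar/2024:10:00:10 +0000] "GET /old-page HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2024:10:00:11 +0000] "POST /api/orders HTTP/1.1" 502 0 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2024:10:00:12 +0000] "POST /api/orders HTTP/1.1" 503 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

SERIES = {1: "informational", 2: "success", 3: "redirection",
          4: "client error", 5: "server error"}


def parse(text):
    """Return (rows, malformed_count); malformed lines are counted rather than silently dropped."""
    rows, bad = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            bad += 1
            continue
        row = m.groupdict()
        row["status"] = int(row["status"])
        rows.append(row)
    return rows, bad


def series_counts(rows):
    """Count requests per status series (the 1xx..5xx buckets)."""
    return Counter(SERIES[r["status"] // 100] for r in rows)


def suspicious_clients(rows, min_requests=3, error_ratio=0.75):
    """Clients whose requests are mostly 4xx: the profile of a path scanner."""
    total, errors = Counter(), Counter()
    paths = defaultdict(set)
    for r in rows:
        total[r["ip"]] += 1
        if 400 <= r["status"] < 500:
            errors[r["ip"]] += 1
            paths[r["ip"]].add(r["path"])
    return {ip: {"requests": n, "client_errors": errors[ip], "paths": sorted(paths[ip])}
            for ip, n in total.items()
            if n >= min_requests and errors[ip] / n >= error_ratio}


def server_errors(rows):
    """5xx responses: the server or an upstream failed, not the client."""
    return [(r["ip"], r["method"], r["path"], r["status"]) for r in rows if r["status"] >= 500]


if __name__ == "__main__":
    rows, bad = parse(WEB_LOG)
    print(series_counts(rows), "malformed lines:", bad)
    print(suspicious_clients(rows))
    print(server_errors(rows))
```

The integer division by 100 is what turns a three-digit code into its series, and it is the series, not the individual code, that the page's breakdown is about: a run of 404s from one address is reconnaissance, while 502 and 503 on the same path in quick succession is an availability problem to raise with whoever runs the upstream.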

DNS: This log contains all DNS information, such as zone transfer, name resolution queries, DNS server errors, DNS caching, and DNSSEC.

Authentication: This log gives information about login events and whether they were successful or not. One of the best sources of authentication log files in a domain environment is a RADIUS server, which keeps a record of when people log in and out; it therefore not only authenticates users but tracks them as well. Authentication log files are also kept on a domain controller and, for remote users, on the VPN server they come in through.

Dump Files: A dump file is written when a computer crashes (commonly known as the blue screen of death): the contents of memory are saved to a dump file (.dmp). These dump files can be analyzed with a tool such as WinDbg or NirSoft's BlueScreenView.

VoIP and Call Managers: These systems provide information on the calls being made and the devices they originate from. They also measure the quality of the call by logging the Mean Opinion Score (MOS), jitter, and packet loss. Each call is logged so that you can see inbound and outbound calls, the person making the call, and the person receiving it.

Session Initiation Protocol (SIP) Traffic: SIP is used for internet-based calls. The log shows the INVITE that initiates a call, the 1xx provisional responses (100 Trying, 180 Ringing) while the callee's phone rings, then 200 OK when the call is answered, followed by an ACK from the caller. If users cannot connect their SIP calls, this log file can be used to troubleshoot where the setup stalled.
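The INVITE sequence described above, as an added example that is not part of the original page: a constructed, deliberately simplified SIP signalling trace (one message per line, tagged with a direction and a Call-ID) is reduced to one state per call, so that a call which completed, one that was rejected and one that stalled at ringing can be told apart. The trace format, call IDs and addresses are assumptions made for the illustration.

```python
"""Added example: track SIP call setup state from a constructed signalling trace.
Not code from the original page; the trace is made up and simplified to one line per message."""
import re

# Constructed trace: "<direction> <Call-ID> <message>" where the message is either a
# request method with its target or a response status line. Call c1 completes, c2 never
# gets past ringing (callee unreachable), c3 is rejected by the callee with 486 Busy Here.
SIP_TRACE = """\
-> c1 INVITE sip:bob@example.com
<- c1 100 Trying
<- c1 180 Ringing
<- c1 200 OK
-> c1 ACK sip:bob@example.com
-> c2 INVITE sip:carol@example.com
<- c2 100 Trying
<- c2 180 Ringing
-> c3 INVITE sip:dave@example.com
<- c3 100 Trying
<- c3 486 Busy Here
-> c3 ACK sip:dave@example.com
"""

LINE_RE = re.compile(r"^(->|<-) (\S+) (?:([A-Z]+) \S+|(\d{3}) (.*))$")


def call_states(trace):
    """Reduce the trace to one state per Call-ID following the INVITE transaction:
    INVITE -> 1xx provisional (Trying/Ringing) -> 2xx + ACK (established) or 4xx-6xx (failed)."""
    states = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore anything that is not a recognised message
        _direction, call_id, method, status, reason = m.groups()
        st = states.setdefault(call_id, {"state": "new", "last": None})
        if method == "INVITE":
            st["state"] = "inviting"
        elif status:
            code = int(status)
            st["last"] = f"{code} {reason}"
            if 100 <= code < 200:
                st["state"] = "ringing" if code == 180 else "trying"
            elif 200 <= code < 300:
                st["state"] = "answered"      # 200 OK: callee picked up, waiting for ACK
            elif code >= 400:
                st["state"] = "failed"        # final failure response ends the transaction
        elif method == "ACK" and st["state"] == "answered":
            st["state"] = "established"       # INVITE / 200 OK / ACK handshake complete
    return states


def stuck_calls(states):
    """Calls that never reached a final state; 'last' says where setup stalled."""
    return {cid: st["last"] for cid, st in states.items()
            if st["state"] not in ("established", "failed")}


if __name__ == "__main__":
    states = call_states(SIP_TRACE)
    for cid, st in states.items():
        print(cid, st)
    print("stuck:", stuck_calls(states))
```

For troubleshooting, the "last" field is the useful part: a call stuck at 180 Ringing was reached but never answered, one stuck at 100 Trying never got past the proxy, and one with no response at all never left the caller's side.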

500

Name types of configuration change that can be applied to mitigate an incident.

What are firewall rules, Mobile Device Management (MDM), Data Loss Prevention (DLP), content filter/URL filter, Unified Threat Management (UTM), and updating or revoking certificates.

500

Different Redundant Array of Independent Disks (RAID) Levels.

RAID 0: RAID 0 uses a minimum of two disks (up to 32 on Windows) and stripes data across them with no parity. It is fast, but there is no redundancy: if one disk fails, all of the data is lost.

RAID 1: RAID 1 is two disks, known as a mirror set, where the original disk is live and an identical copy is kept on the second disk. Either disk can fail without losing data.

RAID 5: RAID 5 has a minimum of three disks and is known as a stripe set with parity. Data is written across the disks in 64 KB stripes just like RAID 0 but, for each stripe, one disk holds a parity block computed from the other blocks in that stripe; the parity position rotates from stripe to stripe. Any single disk can fail and its contents are rebuilt from the remaining blocks.

RAID 6: RAID 6 has a minimum of four disks and the same layout as RAID 5, but each stripe carries a second, independently computed parity block, so the array survives two disks failing at the same time.

RAID 10: RAID 10 is also known as RAID 1+0. It combines mirroring and striping: disks are paired into mirrors, and data is striped across the mirrored pairs, so it needs a minimum of four disks.

Multipath: This is normally used by a SAN storage solution where there is more than one network path between the SAN storage and the target server.
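To show how the parity block in RAID 5 actually lets a stripe survive a lost disk, here is an added toy model (not code from the original page): blocks are small byte strings, the parity block is the XOR of the data blocks in the stripe, the parity position rotates per stripe, and reading the array rebuilds any block that sat on a failed disk. The disk count and block size are chosen for the illustration and have nothing to do with a real controller's geometry.

```python
"""Added example: a toy model of RAID 5 striping with rotating XOR parity, showing a
rebuild after one disk failure. Not code from the original page."""


def xor_blocks(blocks):
    """XOR equal-length byte blocks together; the result is the parity block."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        assert len(b) == len(out), "blocks in a stripe must be equal length"
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_disks, block_size):
    """Split data into stripes of (n_disks - 1) data blocks plus one parity block.
    Returns a list of disks, each a list of blocks."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = n_disks - 1
    stripe_bytes = per_stripe * block_size
    data = data + b"\x00" * (-len(data) % stripe_bytes)    # pad to whole stripes
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // stripe_bytes):
        chunk = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(per_stripe)]
        parity_disk = s % n_disks          # rotate parity so no single disk is a hot spot
        it = iter(blocks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(blocks) if d == parity_disk else next(it))
    return disks


def fail_disks(disks, failed):
    """Simulate the listed disk indices going away (their contents become None)."""
    return [None if d in failed else disk for d, disk in enumerate(disks)]


def raid5_read(disks):
    """Reassemble the data, rebuilding any block on a failed disk from the others."""
    n_disks = len(disks)
    n_stripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(n_stripes):
        parity_disk = s % n_disks
        stripe = [disks[d][s] if disks[d] is not None else None for d in range(n_disks)]
        missing = [d for d, b in enumerate(stripe) if b is None]
        if len(missing) > 1:
            raise RuntimeError("RAID 5 cannot survive two simultaneous disk failures")
        if missing:
            present = [b for b in stripe if b is not None]
            stripe[missing[0]] = xor_blocks(present)   # XOR of all the rest recovers the lost block
        out += b"".join(b for d, b in enumerate(stripe) if d != parity_disk)
    return bytes(out)


def survives(disks, failed):
    """True if the array can still return its data after the given disks fail."""
    try:
        raid5_read(fail_disks(disks, failed))
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    sample = b"the quick brown fox jumps over the lazy dog"   # constructed input
    array = raid5_write(sample, 4, 4)
    print(raid5_read(fail_disks(array, {2}))[:len(sample)])   # rebuilt after losing disk 2
    print("two-disk failure survivable:", survives(array, {0, 1}))
```

The rebuild works because XOR is its own inverse: the parity is P = D1 xor D2 xor D3, so any one block equals the XOR of the remaining blocks and P. That is also why RAID 5 cannot rebuild two lost blocks from one parity, and why RAID 6 adds a second parity that is computed differently rather than a copy of the first; a duplicate of P would give no new information.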
