The first step in the Incident Response Cycle.
Preparation
A database of attacks and techniques used by threat actors from the perspective of an attacker
MITRE’s ATT&CK
Devices and software that can collect and aggregate log data from a variety of sources and then perform correlation and analysis with that data
SIEM
Stored information about failed and successful logins, as well as other authentication log information
Security log
Used to simplify decision making and build automation for tasks like communication, malware removal, or scanning
Runbooks
“What other tools or training might mitigate this vulnerability in the future?”
Lessons learned
Has 8 steps and was created to defend against sophisticated cyber attacks
Lockheed Martin’s Cyber Kill Chain
Two primary thresholds to consider when configuring sensors
Frequency and severity
Files created when a system experiences a critical error
Dump files
Isolates the issue and allows for investigation into the incident by preserving the digital artifacts
Quarantining
IR exercise in which the team goes through the steps of an incident.
Walk-through
Step in the Kill Chain that allows remote control over a channel to manipulate the victim
Command and control
Events like malware beaconing and infection are automatically categorized, prioritized, marked by source and destination, and matched to an investigation
Alarms and Alerts
Includes call logs, SMS and other messages, GPS tracking, and cell tower info.
Mobile Metadata
Used to ensure that specific sites or content cannot be browsed or accessed
Content filters
Type of IR Plan that focuses on individuals who have a vested interest in the systems, organizations, or services impacted by an incident
Stakeholder Management Plan
Gives analysts a comprehensive view of cyber attacks, uncovers insights, and builds knowledge of malicious activities. Its ultimate goal is mitigation.
Diamond Model of Intrusion Analysis
An improved logging tool which supports extremely high message rates
rsyslog
How you might determine who created a file, if it was modified, and what type of file it is
File metadata
Place systems with different functions or data security levels in different zones of a network
Segmentation
Federal program that defines the requirements government agencies need to meet so that continuity of operations can be ensured after an incident
Continuity of Operations Planning (COOP)
The 4 corners of the Diamond Model of Intrusion Analysis
adversaries, capabilities, infrastructures, and victims
Open source and commercially supported syslog centralization and aggregation tool
NXLog
How your email service knows that a message is spam
Anti-spam tags (email metadata)
In the event that a private key is compromised, this will need to be reviewed.
Certificates