# Summarize Incident Response Procedures

![[Pasted image 20230711085627.png|700]]

## Cyber Incident Response Team

- First responders
- **CIRT/CERT/CSIRT/SOC** -> personnel positions

## Communication Plan and Stakeholder Management

- Out-of-band communications
    - Don't communicate over the same network the attacker has compromised; this avoids alerting the intruder
    - For example, picking up a cellphone or using a secure chat app that is off the compromised network
- Share information on a need-to-know basis
- Stakeholder management
    - Executives, shareholders, etc.
    - Notification and reporting

## Incident Response Plan

- Lists the procedures, contacts, and resources available to responders for various incident categories
    - Categories: accidental, malicious insider, ransomware, etc.
    - A playbook for each category determining how to handle the attack
- Prioritization factors
    - Data integrity
    - Downtime
    - Economic/publicity
    - Scope
    - Detection time
    - Recovery time

## Cyber Kill Chain Attack Framework

![[Pasted image 20230711090603.png]]

![[Pasted image 20230711090625.png]]

![[Pasted image 20230711090932.png]]

[MITRE ATT&CK®](http://attack.mitre.org)

![[Pasted image 20230711090956.png]]

## Incident Response Exercises

![[Pasted image 20230711091930.png]]

## Incident Response, Disaster Recovery, and Retention Policy

- Incident response vs. disaster recovery and business continuity
    - **Business continuity plan (BCP)**: making business procedures resilient and keeping the business functional
    - **Continuity of operation planning (COOP)**
    - **Disaster recovery plan (DRP)**: response and recovery planning for major incidents
- Incident response, forensics, and retention policy
    - Digital forensics requirements
    - Retention policies for evidence preservation

# Utilize Appropriate Data Sources for Incident Response

## Incident Identification

- Precursors and detection channels
    - Heavy scanning on firewalls
    - Security mechanisms (IDS, log analysis, alerts)
    - Manual inspections (e.g. devices connected to switches that we don't recognize)
- Notification procedures
    - Public reporting
    - Confidential reporting/whistleblowing

## Security Information and Event Management (SIEM)

- "Mothership of all security data for an organization"
- Correlation
    - Correlates the data from all sources and gives a much better picture of the environment
    - Static rules and logical expressions
    - Threat intelligence feeds
    - AI-assisted analysis
- Retention
    - Preserve evidence of the attack
    - Facilitate threat hunting and retrospective incident identification

## SIEM Dashboards

![[Pasted image 20230711092953.png]]

## Trend Analysis

- Detecting indicators over a time series
    - Prediction of future events
    - Visualization
- Frequency-based: number of events per period
- Volume-based: increasing or decreasing size
- Statistical deviation: identify anomalous data points

## Logging Platforms

- Syslog (port 514)
    - Logging format, protocol, and server (daemon) software
    - PRI: facility and severity
    - Timestamp
    - Host
    - Message part
- Rsyslog and syslog-ng
- `journalctl`: binary logging
- NXLog: log normalization tool

![[Pasted image 20230711093159.png]]

## Network, OS, and Security Log Files

- Event Viewer (Windows logs)
    - Security log: failed and successful logins and much more
- System and security logs
    - Application
    - Security/audit
    - System
    - Setup
    - Forwarded events
- Network logs: traffic and access data from network appliances
- Authentication logs: Security log or RADIUS/TACACS+ application logs
- Vulnerability scan output

![[Pasted image 20230711093358.png]]

## Application Log Files

- DNS event logs
    - Types of queries made by clients
    - Hosts using suspicious IP address ranges or domains
    - Statistical anomalies
- Web/HTTP access logs
    - HTTP status codes
    - HTTP headers
- VoIP and call managers and Session Initiation Protocol (SIP) traffic
    - Log endpoint connections
    - Type of connection
    - Via headers
- Dump files (more complex)
    - Data from system memory

## Metadata

Background data about a file; for example, pictures can carry location, zoom, lens, etc.

- File
    - Date/time and security attributes
    - Extended attributes and properties
- Web
    - Request and response headers
- Email
    - Internet header listing message transfer agents
    - Spam/security analysis
- Mobile
    - Call detail records (CDRs)

## Network Data Sources

- Cisco NetFlow: records metadata about the network

# Apply Mitigation Controls

## Containment Phase

- Response must satisfy different or competing objectives
    - What is the loss or potential for loss?
    - What countermeasures are available?
    - What evidence can be collected?
- Isolation-based containment
    - Remove the affected system
    - Disconnect hosts from power
    - Prevent hosts from communicating on the network
    - Disable user accounts or applications
- Segmentation-based containment
    - Use a sinkhole or sandbox to analyze the attack
    - Give the malware its own little network and monitor it

## Incident Eradication and Recovery

- Purge the system of bad software
- Recover the system
- What can we change?
- Third-party notification

![[Pasted image 20230711095108.png]]

![[Pasted image 20230711095116.png]]

![[Pasted image 20230711095145.png]]

![[Pasted image 20230711095152.png]]

![[Pasted image 20230711095159.png]]

![[Pasted image 20230711095206.png]]
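Added example (not part of these notes) tying together the Logging Platforms and Trend Analysis sections above: it splits BSD-style syslog lines into PRI (facility and severity), timestamp, host and message part, then counts failed logins per hour (frequency-based) and flags hours whose count deviates statistically from the rest. The sample log lines, the host name `srv01`, the `Failed password` pattern and the 2.0 z-score threshold are constructed assumptions.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Syslog facility and severity names: PRI = facility * 8 + severity (0..191).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD-style syslog line as rsyslog/syslog-ng write it: <PRI>TIMESTAMP HOST MESSAGE
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_syslog(line, year=2023):
    """Split one syslog line into facility, severity, timestamp, host and message part."""
    m = SYSLOG_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group(1))
    ts = datetime.strptime(f"{year} {m.group(2)}", "%Y %b %d %H:%M:%S")  # BSD stamps carry no year
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": ts, "host": m.group(3), "message": m.group(4)}

def events_per_hour(records, pattern):
    """Frequency-based trend: number of matching events per one-hour period."""
    counts = Counter()
    for r in records:
        if re.search(pattern, r["message"]):
            counts[r["timestamp"].replace(minute=0, second=0)] += 1
    return counts

def anomalous_periods(counts, z_threshold=2.0):
    """Statistical deviation: periods more than z_threshold std devs above the mean count."""
    values = list(counts.values())
    mean, stdev = statistics.mean(values), statistics.pstdev(values)
    if stdev == 0:  # flat series, nothing deviates
        return []
    return sorted(p for p, c in counts.items() if (c - mean) / stdev > z_threshold)

def analyze(lines, pattern=r"Failed password"):
    """Parse raw lines, bucket matching events per hour and return (counts, flagged hours)."""
    records = [parse_syslog(line) for line in lines]
    counts = events_per_hour(records, pattern)
    return counts, anomalous_periods(counts)

# Constructed sample (not real logs): one failed SSH login per hour from 00:00 to 07:00,
# then ten in the 08:00 hour. PRI 86 = facility 10 (authpriv) * 8 + severity 6 (info).
SAMPLE_LOG = [f"<86>Jul 11 {h:02d}:1{i}:07 srv01 sshd[4{i}]: Failed password for root from 10.0.0.{i + 1}"
              for h in range(9) for i in range(10 if h == 8 else 1)]
```

`analyze(SAMPLE_LOG)` returns the per-hour counts and a list containing only the 08:00 hour; hours with no matching events at all do not appear in the baseline, so feed the full period range if zero-count hours should lower the mean.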