NIST SP 800-61
incident response lifecycle
- preparation
- detection
- containment, eradication and recovery
- post incident activity
preparing for an incident
Communication methods
- Phones and contact information
Incident handling hardware and software
- Laptops, removable media, forensic software, digital cameras, etc.
Incident analysis resources
- Documentation, network diagrams, baselines, critical file hash values
Incident mitigation software
- Clean OS and application images
Policies needed for incident handling
- Everyone knows what to do
detecting security incidents
many different detection sources
large amount of "volume"
- attacks come all the time, which ones are legit?
incidents are almost always complex
incident analysis
an incident might occur in the future
exploit announcement
- security patches
direct threats
attack is underway
- buffer overflow attempt
- antivirus identifies malware
- configuration changes
- network traffic anomalies
isolation and containment
don't let an attack run its course or spread
can be problematic sometimes
- malware can act differently in a sandbox
sandboxes
an isolated OS
you can run apps and see what happens
recovery after incident
remove bad, replace it with known good
remove malware
disable breached accounts
fix vulnerabilities
recover the system
- restore from backups
- rebuild from scratch
- replace files
- tighten perimeter
lessons learned
learn and improve
post incident meeting
- best done as soon as possible after the incident
training for an incident
train team prior to incident
- initial response
- investigation plans
- incident reporting
- etc.
too late when an attack occurs
can be expensive
exercising (incident planning)
test yourself before an actual event
use well defined rules of engagement
- don't use production systems
limited time to run the tests
evaluate response
tabletop exercises
talking through a disaster drill on a table
- without performing a full scale drill
simulation
test with a simulated event
phishing sims
test internal security
root cause analysis
determine the ultimate cause of an incident
create a set of conclusions
there can be more than one root cause
threat hunting
trying to find vulnerabilities before attackers
- game of cat and mouse
strategies constantly change
intelligence data is reactive
- can't see an attack until it happens
speed up reaction time
digital forensics
collect and protect info related to an intrusion
standard best practice process
- acquisition, analysis and reporting
legal hold
legal technique to preserve relevant info
separate repository for ESI (electronically stored information)
ongoing preservation
chain of custody
keep integrity of evidence
use hashes and digital signatures to track who accesses the data and to verify its integrity
label and catalog everything
- digitally tag all items
acquisition
obtain data
- disk, RAM, etc.
some data may not be on a single system
- servers, network data, etc.
for VMs, get a snapshot
- contains all files and info
look for any left behind digital items
- artifacts
- log info, recycle bins, browser bookmarks, etc.
reporting (digital forensics)
document findings
overview of security event
detailed, step-by-step description of the data acquisition process
analysis of findings
conclusion
preservation
isolate and protect it
work with copies
- keeps the original data untouched, and you have backups
live data collection is important
- data may be encrypted or harder to get after the system is powered down
e-discovery
collect, prepare, review, interpret and produce electronic documents
does not generally involve analysis
works together with digital forensics
- they do the analysis