Information security
Refers to the protection or safeguarding of information and information systems (i.e., systems that use, store and transmit information) from unauthorized access, disclosure, alteration, and destruction.
What are the 5 Elements of Information Security?
Confidentiality, Integrity, Availability, Authenticity, Non-Repudiation
Confidentiality
The assurance that information is accessible only to those who are authorized to have access.
Integrity
Trustworthiness of data or resources in the prevention of improper and unauthorized changes.
Availability
The assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users.
Authenticity
Genuineness or uncorruptedness of any communication, document or data.
Non-repudiation
A way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
Characteristics of an information asset?
・Recognized to be of value
・Considered an asset to the org
・Difficult to replace without cost, skills, time and resources
・Part of the org's corporate identity
・Data classified as an information asset are confidential and proprietary
・Plays a significant role in the org's business
・Organized documentation that motivates the org to achieve its goals
・Maintained by people working in a consistent and cooperative manner.
・Can be a unique enterprise application or part of one.
The loss of information affects the org's investments in different business activities.
Defense-in-depth?
A security strategy in which security professionals use several protection layers throughout an information system.
What are the goals of security policies?
・Reduce or eliminate legal liability of employees and third parties.
・Protect confidential and proprietary information from theft, misuse, unauthorized disclosure, or modification.
・Prevent wastage of the company's computing resources.
What's the difference between technical and administrative security policies?
・Technical security policies describe the configuration of the technology for convenient use.
・Administrative security policies address how all persons should behave.
What is a Promiscuous Policy?
No restrictions on usage of system resources.
What is a Permissive Policy?
Policy begins wide open and only known dangerous services, attacks or behaviors are blocked.
Regularly updated to ensure effectiveness.
What is a Prudent Policy?
Policy provides maximum security while allowing known but necessary dangers.
Blocks all services and only safe/necessary services are enabled individually; everything is logged.
Paranoid Policy
Policy forbids everything: no internet connection, or severely limited internet usage.
Access Control Policy
Defines the resources being protected and the rules that control access to them.
Remote-Access Policy
Defines who can have remote access, defines access medium, and defines remote access security controls.
Firewall Management Policy
Defines access, management, and monitoring of firewalls in organization.
Network Connection Policy
Defines who can install new resources on the network, approve the installation of new devices, document network changes, etc.
Passwords Policy
Provides guidance for using strong password protection on organization's resources.
User-Account Policy
Defines the account creation process and the authority, rights and responsibilities of user accounts.
Information Protection Policy
Defines the sensitivity levels of information, who may have access, how information is stored and transmitted, and how information should be deleted from storage media.
Special Access Policy
Defines the terms and conditions of granting special access to system resources.
Email Security Policy
Created to govern the proper usage of corporate email.
Acceptable Use Policy
Defines the acceptable use of system resources.
Formula for an Attack?
Attacks = Motive (Goal) + Method + Vulnerability
Motive?
A motive originates from the notion that the target system stores or processes something valuable; this signals that the system may be under threat of an attack.
Typical motives behind infosec attacks?
・Disrupting business continuity
・Performing information theft
・Manipulating data
・Creating fear and chaos by disrupting critical infrastructure
・Bringing financial loss to the target
・Propagating religious or political beliefs
・Achieving the state's military objectives
・Damaging the reputation of the target
・Taking revenge
・Demanding ransom
・Fun/thrills/exploration
Top infosec Attack Vectors?
・Cloud Computing Threats
・Advanced Persistent Threats (APT)
・Viruses and Worms
・Ransomware
・Mobile Threats
・Botnet
・Insider Attack
・Phishing
・Web Application Threats
・Internet of Things (IoT) Threats
What are the three main categories of information security threats?
Network threats, Host threats and Application Threats
Typical network threats?
・Information gathering
・Sniffing and eavesdropping
・Spoofing
・Session hijacking
・Man-in-the-middle attack
・DNS and ARP poisoning
・Password-based attacks
・Denial-of-service attack
・Compromised-key attack
・Firewall and IDS attacks
Typical Host threats?
・Malware attacks
・Footprinting
・Profiling
・Password attacks
・Denial-of-service attacks
・Arbitrary code execution
・Unauthorized access
・Privilege escalation
・Backdoor attacks
・Physical security threats
Typical Application threats?
・Improper data/input validation
・Authentication and authorization attacks
・Security misconfiguration
・Improper error handling and exception management
・Information disclosure
・Hidden-field manipulation
・Broken session management
・Buffer overflow issues
・Cryptography attacks
・SQL injection
・Phishing
How do you define a "Threat"?
An undesired event that attempts to access, exfiltrate, manipulate, or damage the integrity, confidentiality, security, and availability of an organization's resources.
What is a "threat actor"?
A person or entity responsible for harmful incidents, or with the potential to impact the security of an organization's network.
What are the types of threat actors?
・Script kiddies
・Organized hackers
・Hacktivists
・State-sponsored Attackers
・Insider Threat
・Cyber Terrorists
・Recreational Hackers
・Suicide Hackers
・Industrial Spies
What are some of the impacts of an Information Security Attack?
・Financial Losses
・Loss of Confidentiality and Integrity
・Damaged Customer Relationship
・Loss of Business Reputation
・Legal and Compliance Issues
・Operational Impacts
InfoWar
The use of information and communication technologies (ICT) for competitive advantages over an opponent.
Command-and-control Warfare (C2 Warfare)
Refers to the impact an attacker possesses over a compromised system or network that they control.
Intelligence-based Warfare
Sensor-based technology that directly corrupts technological systems.
Electronic Warfare
Uses radio-electronic and cryptographic techniques to degrade communication.
Psychological Warfare
Use of various techniques such as propaganda and terror to demoralize one's adversary in an attempt to succeed in battle.
Hacker warfare
Hacking carried out for various purposes, including theft of information, false messaging and other infosec attacks.
Economic Warfare
Blocking the flow of information in order to affect the economy of a business or nation.
Cyber Warfare
The use of information systems against the virtual personas of individuals or groups.
Defensive Information Warfare
Refers to all the strategies and actions security professionals and incident responders use to defend their organization and its ICT assets from cyber attackers.
Offensive Information Warfare
Involves attacks against ICT assets of an opponent to compromise the target's assets.
Types of information security incidents:
・Malicious Code or Insider Threat Attacks
・Unauthorized Access
・Unauthorized Usage of Services
・Email-based Abuse
・Espionage
・Fraud and Theft
・Employee Sabotage and Abuse
・Network and Resources Abuses
・Resource Misconfiguration Abuses
Two categories of incident signs:
Precursor - indicates the possibility of the occurrence of a security incident in the future (e.g., threats from hackers, a new exploit, etc.)
Indicators - sign representing that the incident has probably occurred or is currently in progress (e.g., warning from AV or scanner, Firewall/IDS/IPS alerts, web server unavailability).
Common sources of Precursors and Indicators:
IDPS, SIEM, Antivirus/Antispam Software, File Integrity Checking Software, Third-Party Monitoring Services, OS/Service/Network/Application Logs.
Cost of an incident?
The sum of the total amount lost directly and indirectly due to the attack and the amount spent on recovering from the incident, including IH&R functions.
Orgs typically employ financial auditors to estimate the total cost.
Tangible Cost
Direct expenditures related to an incident. Can be quantified and identified (e.g., lost productive hours, loss of business, loss or theft of resources).
Intangible Cost
Expenditures that the org cannot calculate directly or value accurately (e.g., damage to corporate reputation, loss of goodwill, psychological damage, damage to shareholder value).
Incident Management
It is a set of defined processes used to identify, analyze, prioritize, and resolve security incidents and restore a system to normal service and operations as soon as possible while preventing further recurrence of the incident.
It improves service quality, resolves problems proactively, reduces impacts of incidents, meets service availability requirements, increases staff efficiency and productivity, improves user/customer satisfaction and assists in handling future incidents.
What processes are included under Incident Management?
・Vulnerability analysis
・Artifact analysis
・Security awareness training
・Intrusion Detection
・Technology Monitoring
Incident Handling and Response (IH&R)
A process of taking organized and careful steps when reacting to a security incident or cyberattack.
IH&R Steps
1) Preparation
2) Incident Recording and Assignment
3) Incident Triage
4) Notification
5) Containment
6) Evidence Gathering and Forensic Analysis
7) Eradication
8) Recovery
9) Post-Incident Activities
Vulnerability Management
Proactive approach designed to identify, classify, and mitigate vulnerabilities.
What is a vulnerability?
The existence of a weakness or a design or implementation error that, when exploited, leads to an unexpected and undesirable event that compromises the security of the system.
Common areas of Vulnerability:
・Users
・Operating System
・Applications
・Network Devices
・Network Infrastructure
・Internet of Things (IoT)
・Configuration Files
Common areas of vulnerability in applications:
・Networking software
・Network operations and management
・Firewall and network security applications
・Database software
Network devices susceptible to vulnerabilities:
・Access points
・Routers
・Wireless routers
・Switches
・Firewall
How do security experts and vulnerability scanners classify vulnerabilities?
Severity Level: low, medium or high
Exploit Range: Local or remote
Vulnerability Classifications:
・Misconfigurations
・Default Installations
・Buffer Overflows
・Unpatched Servers
・Design Flaws
・Operating System Flaws
・Application Flaws
・Open Services
・Default Passwords
Vulnerability assessment
Examination of the ability of a system or application, including current security procedures and controls, to withstand assault.
Recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels.
What information does a vulnerability scanner identify?
・OS version running on computers or devices
・IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening
・Applications installed on computers
・Accounts with weak passwords
・Files and folders with weak permissions
・Default services and applications that might have to be uninstalled
・Mistakes in the security configuration of common applications
・Computers exposed to known or publicly reported vulnerabilities
Active assessment
Uses a network scanner to find hosts, services, and vulnerabilities
Passive assessment
A technique used to sniff the network traffic to uncover active systems, network services, applications, and vulnerabilities
External Assessment
Assesses the network from a hacker's point of view to find out what exploits and vulnerabilities are accessible to the outside world
Internal Assessment
A technique to scan the internal infrastructure to uncover exploits and vulnerabilities.
Host-Based Assessment
Determines the vulnerabilities in a specific workstation or server by performing a configuration-level check through the command line.
Network Assessments
Determines the possible network security attacks that may be waged on the organization's system
Application Assessments
Tests the web infrastructure for any misconfigurations and known vulnerabilities
Wireless Network Assessments
Determines the vulnerabilities in the organization's wireless networks
Steps in the Vulnerability Management Life Cycle
1) Baseline Creation
2) Vulnerability Assessment
3) Risk Assessment
4) Remediation
5) Verification
6) Monitoring
Threat assessment
Process of examining, filtering, transforming, and modeling of acquired threat data to extract threat intelligence.
Threat Targets and Assets
Organizational resources attacked by threat actors in order to gain control or steal information and launch further attacks on the organization.
Commonly Targeted Assets
・Personal Details
・Financial Information
・Intellectual Property
・Sensitive Business Data
・Login Details and IT System Information
Threat intelligence
Collection and analysis of information about threats and adversaries.
Includes drawing patterns that inform knowledgeable decisions related to cyber attack preparedness, prevention, and response.
Also known as "cyber threat intelligence (CTI)".
Threat Contextualization
Process of assessing threats and their impacts under various (contextual) conditions. Threat context is obtained by detecting and analyzing current vulnerabilities in the IT resources, such as networks and information systems.
Threat Correlation
Helps organizations monitor, detect and escalate various evolving threats across organizational networks.
Main objective is to reduce false positive alert rates and detect and escalate stealthy, complex attacks.
Commonly used correlation techniques:
・Relating multiple incident types and sources across multiple nodes
・Incident sequence
・Incident persistence
・Incident-directed data collection
Threat Attribution
Process of identifying and attributing the actors behind an attack as well as their goals, motives and sponsors.
Group attribution
Deals with attributing based on the common group or association of multiple malicious actors and their attack methodologies.
Campaign attribution
Deals with attributing based on the malware or the campaign strategy of specific malware.
Intrusion-set Attribution
Deals with attributing the attacker based on the intrusion patterns.
True Attribution
Deals with the identification of the specific person, society, or a country sponsoring a well-planned and executed intrusion or attack over its target.
Nation state attribution
Deals with attributing attacks sponsored by one nation against another nation.
Risk
Degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or resources under specified conditions.
Risk Management
A set of policies or procedures to identify, assess, prioritize, minimize and control risks.
Risk Mitigation
A strategic approach to preparing to handle risks and reduce their impact on the organization.
Risk Assessment
Identification of risks, estimation of their impact, and determination of sources to recommend proper mitigation measures. Identification of risk is the initial step of the risk management plan.
What are the steps in Risk Assessment?
1) System Characterization
2) Threat Identification
3) Vulnerability Identification
4) Control Analysis
5) Likelihood Analysis
6) Impact Analysis
7) Risk Determination
8) Control Recommendation
9) Risk Assessment Report
What are the most common threat sources?
Human, natural, environmental
Control analysis
The process of analyzing various security controls implemented by the organization to eradicate or minimize the probability that a threat will exploit a system vulnerability.
Likelihood Analysis
The calculation of probability that a threat source exploits an existing system vulnerability
Impact analysis
Involves estimating the adverse impact of exploitation of a vulnerability by a threat source.
Mission Impact Analysis
Based on a qualitative or quantitative assessment of the sensitivity and criticality of the assets, prioritizes the impact levels associated with the compromise of those assets.
Asset criticality assessment
Identifies and prioritizes the sensitive and critical information assets that support the critical missions of the organization.
Risk Determination
The probability of occurrence of an anticipated incident.