CySa+ Jason Dion Notes

969 Terms

1
New cards

Considerations for conducting triage on an incident

- Damage to data integrity
- Unauthorized changes
- Theft of data or resources
- Disclosure of confidential data
- Interruption of services
- System downtime

2
New cards

Impact-based Approach

Categorization approach that focuses on the severity of an incident, such as emergency, significant, moderate, or low.

3
New cards

Taxonomy-based Approach

Approach that defines incident categories at the top level, such as worm outbreak, phishing attempt, DDoS, external host/account compromise, or internal privilege abuse.

4
New cards

Organizational Impact

Incident that affects mission essential functions so the organization cannot operate as intended.

5
New cards

Localized impact

Incident that is limited in scope to a single department, small user group or a few systems.

6
New cards

Immediate Impact

Incident measurement based on the direct costs incurred because of an incident, such as downtime, asset damage, penalties and fees.

7
New cards

Total Impact

Incident measurement based on the costs that arise during and following the incident, including damage to the company's reputation.

8
New cards

Incident Classification - ways to classify

- Data Integrity
- System Process Criticality
- Downtime
- Economic
- Data Correlation
- Reverse Engineering
- Recovery Time
- Detection Time

9
New cards

Data Integrity

Any incident where data is modified or loses integrity

10
New cards

System Process Criticality

Incidents that disrupt or threaten a mission essential business function

11
New cards

Downtime

An incident that degrades or interrupts the availability of an asset, system or business process

12
New cards

Economic

incident that creates short-term or long-term costs

13
New cards

Data Correlation

Incident that is linked to the TTPs of known adversary groups with extensive capabilities.

14
New cards

Reverse Engineering

Incident in which the capabilities of the malware are discovered to be linked to an adversary group

15
New cards

Recovery Time

Incident which requires extensive recovery time due to its scope or severity.

16
New cards

Detection time

- incident which was not discovered quickly
- Only 10% of data breaches discovered within first hour
- Nearly 40% of adversaries had successfully exfiltrated data within minutes of starting an attack.

17
New cards

Containment

Rapid containment important to IR
- Limit the scope and magnitude of the incident by securing data and limiting the impact on business operations and your customers.

18
New cards

Five Steps for Conducting Containment

1. Ensure the safety and security of all personnel
2. Prevent an ongoing intrusion or data breach
3. Identify if the intrusion is the primary or secondary attack
4. Avoid alerting the attacker that the attack has been discovered
5. Preserve any forensic evidence of the intrusion and attack.

19
New cards

Isolation

Mitigation strategy that involves removing an affected component from larger environment

20
New cards

Segmentation

Mitigation strategy that achieves the isolation of a host or group of hosts using network technologies and architecture.
- Uses VLANs, routing/subnets, and firewall ACLs to prevent communication outside the protected segment.
- Can be used to reroute adversary traffic as part of a deception defensive capability.

21
New cards

Sandboxing

Security mechanism that separates a system from other critical system resources and programs.

22
New cards

Eradication and Recovery

Remove the cause of the incident and bring the system back to a secure state

23
New cards

Eradication

Complete removal and destruction of the cause of the incident.
- The simplest option for eradicating a contaminated system is to replace it with a clean image from a trusted store.

24
New cards

Sanitization

Procedures that an organization uses to govern the disposal of obsolete information and equipment, including storage devices, devices with internal data storage capabilities, and paper records.

25
New cards

Cryptographic Erase (CE)

Method of sanitizing a self-encrypting drive by erasing the media encryption key

26
New cards

Zero-fill

Sanitizing a drive by overwriting every bit on the drive with zero.
- Not a reliable method for SSDs and hybrid drives, because wear levelling and over-provisioned blocks mean some cells are never overwritten.

27
New cards

Secure Erase (SE)

Sanitizing a solid-state device using manufacturer-provided software.

28
New cards

Secure Disposal

Sanitizing by physical destruction of the media by mechanical shredding, incineration, or degaussing.
- Degaussing only works on magnetic media; it has no effect on SSDs or other flash storage.

29
New cards

Eradication Actions

- Reconstruction
- Reimaging
- Reconstitution

30
New cards

Reconstruction

Restoring a system that has been sanitized using scripted installation routines and templates.

31
New cards

Reimaging

Restoring a system that has been sanitized using an image-based backup.

32
New cards

Reconstitution

Method of restoring a system that cannot be sanitized, using manual removal, reinstallation and monitoring processes.

33
New cards

7 steps for reconstitution

1. Analyze the processes and network activity for signs of malware
2. Terminate suspicious processes and securely delete their files from the system
3. Identify and disable autostart locations to prevent processes from executing
4. Replace contaminated processes with clean versions from trusted media.
5. Reboot the system and analyze for signs of continued malware infection
6. If continued malware infection, analyze firmware and USB devices for infection
7. If tests are negative reintroduce the system to the production environment.

34
New cards

Recovery

Actions taken to ensure that hosts are fully reconfigured to operate the business workflow they were performing before the incident occurred.

35
New cards

Recovery Actions

- Patching
- Permissions
- Logging
- System Hardening

36
New cards

Patching

Installing a set of changes to a computer program or its supporting data designed to update, to fix, or to improve it

37
New cards

Logging

Ensure that scanning and monitoring/log retrieval systems are functioning properly following the incident.

38
New cards

System Hardening

Securing a system's configuration and settings to reduce IT vulnerability and the possibility of being compromised

39
New cards

Actions performed when conducting system hardening

- Deactivate unnecessary components
- Disable unused user accounts
- Implement patch management
- Restrict host access to peripherals
- Restrict shell commands

40
New cards

Three mottos for system hardening

- Uninstall anything you aren't using
- If you need it, patch it frequently
- Always restrict users to least privilege

41
New cards

Post-Incident Activity

Analyze the incident and responses to identify whether procedures or systems could be improved.

42
New cards

Main areas of post-incident activity

- Report Writing
- Incident Summary Report
- Evidence Retention

43
New cards

Report Writing

An essential analyst skill that is used to communicate information about the incident to a wide variety of stakeholders
- Reports should be clearly marked for the intended audience

44
New cards

Incident Summary Report

Report written for a specific audience, containing the key information about the incident that the audience needs.
- Contains information about how the incident occurred, how it could be prevented in the future, the impact and damage on the systems, and any lessons learned.

45
New cards

Evidence Retention

preservation of evidence based upon the required time period defined by regulations if there is a legal or regulatory impact caused by an incident.

46
New cards

Lessons Learned

An analysis of events that can provide insight into how to improve response processes in the future

47
New cards

Six Questions to Structure Lessons Learned Meeting

1. Who was the adversary?
2. Why was the incident conducted?
3. When did the incident occur?
4. Where did the incident occur?
5. How did the incident occur?
6. What controls could have mitigated it?

48
New cards

After-Action Report / Lessons Learned Report

Report providing insight into the specific incident and how to improve response processes in the future.

49
New cards

Benefits of using lessons learned and after-action reports

- Incident Response Plan Update
- IoC Generation and Monitoring
- Change Control Process

50
New cards

Root Cause Analysis

Systematic process to identify the initial source of the incident and how to prevent it from occurring again.
- Once the cause is known, check how many other systems across the network share the same characteristics, so the same attack cannot succeed elsewhere.

51
New cards

4 Steps of Root Cause Analysis

- Define and scope the incident
- Determine the causal relationships
- Identify an effective solution
- Implement and track the solution.

52
New cards

Enterprise Risk Management (ERM)

Comprehensive process of evaluating, measuring and mitigating the many risks that pervade an organization.

53
New cards

Why is risk management adopted by organizations

- Keep data confidential
- Avoid financial loss
- Avoid legal issues
- Maintain positive brand image
- Ensuring COOP
- Establishing trust and mitigating liability
- Meeting stakeholder's objectives

54
New cards

NIST Managing Information Security Risk Framework

- Frame
- Assess
- Respond
- Monitor

55
New cards

Frame

Establish a strategic risk management framework that is supported by decision makers at the top tier of the organization

56
New cards

Assess

Identify and prioritize business processes/workflow

57
New cards

Respond

Mitigate each risk factor through the deployment of managerial, operational, and technical security controls.

58
New cards

Monitor

Evaluate the effectiveness of risk response measures and identify changes that could affect risk management processes

59
New cards

Risk identification takes place by:

evaluating threats, identifying vulnerabilities, and assessing the probability (or likelihood) of an event affecting an asset or process.

60
New cards

Business Continuity Loss

A loss associated with no longer being able to fulfill contracts and orders due to the breakdown of critical systems.

61
New cards

Legal Costs

A loss created by organizational liability due to prosecution (criminal law) or damages (civil law).

62
New cards

Reputational Harm

A loss created by negative publicity and the consequential loss of market position or consumer trust.

63
New cards

System assessments are conducted to:

better posture an organization to reduce risk and prevent losses

64
New cards

System Assessments

Systematic identification of critical systems by compiling an inventory of the business processes and the tangible assets and resources that support those processes.

65
New cards

System Assessments include:

- People
- Tangible assets
- Intangible assets
- Procedures.

66
New cards

Mission Essential Function (MEF)

a business or organizational activity that is too critical to be deferred for anything more than a few hours (if at all)

67
New cards

Asset/Inventory Tracking

- Use of a software or hardware solution to track and manage any assets within an organization

68
New cards

Asset Management Database

Contains data such as the type, model, serial number, asset ID, location, user, value, and service information

69
New cards

Threat and Vulnerability Assessment

An ongoing process of assessing assets against a set of known threats and vulnerabilities.

70
New cards

Risk =

Probability x impact

71
New cards

Quantitative Risk Calculation

Uses mathematical and statistical techniques to assign numerical values to the likelihood and impact of potential threats.

72
New cards

Probability

The chance or likelihood of a threat being realized

73
New cards

Impact

measured in terms of the financial loss or damage that would result if the threat was materialized.

74
New cards

Single Loss Expectancy (SLE)

A metric that gives the expected financial loss from a single occurrence of an event.
- Only provides the value for a single occurrence; it does not account for how often the event happens (that is what ARO and ALE add).

75
New cards

SLE =

AV (Asset Value) x EF (Exposure Factor)

76
New cards

Annual Rate of Occurrence (ARO)

Number of times per year that a specific threat is expected to occur.

77
New cards

ARO =

# of threat occurrence / # of years in the period

78
New cards

Annual Loss Expectancy (ALE)

Expected financial loss for multiple events during a year.

79
New cards

ALE =

SLE x ARO

80
New cards

Qualitative Risk Calculation

Uses subjective judgement and expert opinions to evaluate the likelihood and impact of threats.

81
New cards

Reasons why qualitative risk calculations sometimes preferred over quantitative risk calculations

- Complexity
- Unknowns
- Limited Data
- Resource Constraints
- Communication

82
New cards

Semi-Quantitative Method

Uses a mixture of concrete values with opinions and reasoning to measure the likelihood and impact of risk
- attempts to find middle ground to create a hybrid risk analysis method.

83
New cards

Business Impact Analysis (BIA)

a systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.
- governed by metrics that express system availability

84
New cards

Maximum Tolerable Downtime (MTD)

Longest period of time a business can be inoperable without causing irrevocable business failure.
- Each process can have its own MTD.
- MTD sets the upper limit on the recovery time that system and asset owners need to resume operations.

85
New cards

Recovery Time Objective (RTO)

Length of time it takes after an event to resume normal business operations and activities.

86
New cards

Work Recovery Time (WRT)

Length of time, in addition to the RTO of individual systems, needed to perform reintegration and testing of a restored or upgraded system following an event.

87
New cards

Recovery Point Objective (RPO)

longest period of time that an organization can tolerate lost data being unrecoverable
- focused on how long you can be without your data

88
New cards

MTD and RPO help determine:

which business functions are critical and to specify appropriate risk countermeasures
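
The cards above define MTD, RTO, WRT and RPO separately. The following is an added worked example (not code from the course or these notes) that checks a BIA for the two consistency rules a practitioner applies to those figures: RTO + WRT must not exceed MTD, and the backup interval must not exceed the RPO. Both rules are standard BIA practice rather than statements on the page, and every process name and hour value is constructed for illustration.

```python
"""Consistency check for BIA recovery metrics.

Added worked example; not code from the course or the notes. It assumes two
relationships that are standard BIA practice but not stated on the cards:
  - RTO + WRT must not exceed MTD, or the recovery plan cannot meet the
    business's tolerance for downtime;
  - the backup/replication interval must not exceed the RPO, or more data
    than the business tolerates can be lost.
Process names and all hour values below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessBIA:
    name: str
    mtd_hours: float              # Maximum Tolerable Downtime
    rto_hours: float              # Recovery Time Objective
    wrt_hours: float              # Work Recovery Time (reintegration/testing after RTO)
    rpo_hours: float              # Recovery Point Objective (tolerable data-loss window)
    backup_interval_hours: float  # how often data is actually captured today


def check_process(p: ProcessBIA) -> list[str]:
    """Return findings for one process; an empty list means the metrics are consistent."""
    findings: list[str] = []
    recovery = p.rto_hours + p.wrt_hours
    if recovery > p.mtd_hours:
        findings.append(
            f"{p.name}: RTO + WRT ({recovery:g}h) exceeds MTD ({p.mtd_hours:g}h)")
    if p.backup_interval_hours > p.rpo_hours:
        findings.append(
            f"{p.name}: backup interval ({p.backup_interval_hours:g}h) "
            f"exceeds RPO ({p.rpo_hours:g}h)")
    return findings


def review_bia(processes: list[ProcessBIA]) -> dict[str, list[str]]:
    """Map each process that has findings to its list of findings."""
    report: dict[str, list[str]] = {}
    for p in processes:
        findings = check_process(p)
        if findings:
            report[p.name] = findings
    return report


# Constructed sample BIA data (hours)
SAMPLE_PROCESSES = [
    ProcessBIA("order-entry",    mtd_hours=8,  rto_hours=4,  wrt_hours=2, rpo_hours=1,  backup_interval_hours=1),
    ProcessBIA("payroll",        mtd_hours=24, rto_hours=20, wrt_hours=8, rpo_hours=24, backup_interval_hours=24),
    ProcessBIA("marketing-site", mtd_hours=72, rto_hours=12, wrt_hours=4, rpo_hours=4,  backup_interval_hours=24),
]

if __name__ == "__main__":
    for findings in review_bia(SAMPLE_PROCESSES).values():
        for line in findings:
            print(line)
```

In the constructed data, payroll fails the downtime rule (its RTO plus WRT is 28 hours against a 24-hour MTD) and the marketing site fails the data-loss rule (daily backups against a 4-hour RPO); order-entry passes both. Either finding means the BIA figures or the recovery capability has to change before the plan is credible.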

89
New cards

Mitigation

Reduce the risk by adding controls that lower its likelihood or impact.

90
New cards

Avoidance

Change plans so the activity that carries the risk is not undertaken.

91
New cards

Transference

Shift the financial impact of the risk to a third party, for example through insurance.

92
New cards

Acceptance

Take no further action because the risk is low or the cost of a control would exceed the expected loss.

93
New cards

Security Control Prioritization Considerations

- Whether the control is required by a framework, best practice, or regulation
- Cost of the control
- Amount of risk the control mitigates

94
New cards

Return on Security Investment (ROSI)

Metric to calculate whether a security control is worth the cost of deploying and maintaining it.
- Risk is not always in opposition to an organization's goals
- ROSI = ((ALE - ALEm) - C) / C, where ALEm is the annual loss expectancy after the control is deployed and C is the annual cost of the control
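
The cards on SLE, ARO, ALE and ROSI above, together with the Security Control Prioritization Considerations card, are combined in the following added worked example (not code from the course or these notes). It implements the formulas as the cards state them and ranks candidate controls with mandated controls first and the rest by ROSI. The asset value, exposure factors, occurrence counts and control costs are all constructed assumptions, not real figures.

```python
"""Quantitative risk calculation and control ranking.

Added worked example; this is not code from the course or the notes.
It implements the formulas on the cards above:
    SLE  = AV x EF
    ARO  = occurrences / years
    ALE  = SLE x ARO
    ROSI = ((ALE - ALEm) - C) / C
where ALEm is the annual loss expectancy after the control is deployed and
C is the control's annual cost. Candidate controls are then ordered using
the prioritization considerations: mandated controls first, then by ROSI.
Every asset value, exposure factor, occurrence count and control cost below
is constructed for illustration (assumptions, not real figures).
"""
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: AV x EF. EF is the fraction of the asset lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def aro(occurrences: float, years: float) -> float:
    """Annual Rate of Occurrence: observed (or expected) events per year."""
    if years <= 0:
        raise ValueError("period must be longer than zero years")
    return occurrences / years


def ale(sle_value: float, aro_value: float) -> float:
    """Annual Loss Expectancy: SLE x ARO."""
    return sle_value * aro_value


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on Security Investment: ((ALE - ALEm) - C) / C.

    0.0 is break-even; a negative value means the control costs more than it saves.
    """
    if annual_cost <= 0:
        raise ValueError("control cost must be positive")
    return ((ale_before - ale_after) - annual_cost) / annual_cost


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ef_after: float         # exposure factor once the control is in place
    aro_after: float        # annual rate of occurrence once the control is in place
    mandated: bool = False  # required by a framework, best practice or regulation


def evaluate_controls(asset_value, ef_before, aro_before, controls):
    """Compute the ALE before any control and a ranked list of controls.

    Ranking: mandated controls first (they are deployed regardless of ROSI),
    then the remaining controls by descending ROSI. Returns (ale_before, rows);
    each row holds the control name, its ALEm, its ROSI and the mandated flag.
    """
    ale_before = ale(sle(asset_value, ef_before), aro_before)
    rows = []
    for c in controls:
        ale_after = ale(sle(asset_value, c.ef_after), c.aro_after)
        rows.append({
            "control": c.name,
            "ale_after": ale_after,
            "rosi": rosi(ale_before, ale_after, c.annual_cost),
            "mandated": c.mandated,
        })
    rows.sort(key=lambda r: (not r["mandated"], -r["rosi"]))
    return ale_before, rows


# Constructed scenario: a customer database valued at 500,000 that a ransomware
# incident is assumed to damage by 30% (EF = 0.3); 3 such incidents in 5 years.
ASSET_VALUE = 500_000
EF_BEFORE = 0.3
ARO_BEFORE = aro(occurrences=3, years=5)   # 0.6 per year

SAMPLE_CONTROLS = [
    Control("security awareness training", annual_cost=5_000,  ef_after=0.3,  aro_after=0.55, mandated=True),
    Control("offline immutable backups",   annual_cost=20_000, ef_after=0.05, aro_after=0.6),
    Control("EDR",                         annual_cost=40_000, ef_after=0.3,  aro_after=0.2),
    Control("email filtering gateway",     annual_cost=15_000, ef_after=0.3,  aro_after=0.5),
    Control("full disk encryption",        annual_cost=60_000, ef_after=0.25, aro_after=0.6),
]

if __name__ == "__main__":
    ale_before, ranked = evaluate_controls(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, SAMPLE_CONTROLS)
    print(f"ALE before controls: {ale_before:,.0f}")
    for r in ranked:
        flag = " (mandated)" if r["mandated"] else ""
        print(f"{r['control']:<28} ALEm={r['ale_after']:>9,.0f}  ROSI={r['rosi']:+.2f}{flag}")
```

With the constructed figures the SLE is 150,000, the ARO is 0.6 and the ALE is 90,000. Offline backups give the best ROSI (2.75) because they cut the exposure factor rather than the frequency; the email gateway exactly breaks even (ROSI 0.0) and full disk encryption has a negative ROSI against this particular threat, which is the situation where a control is justified only if a regulation mandates it or it addresses other risks not in this calculation.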

95
New cards

Engineering Tradeoff

Assessment of the benefit of risk reduction against the increased complexity or cost in a system design or specification.

96
New cards

DoS Attack

Type of cyber-attack used to overwhelm a computer, service, or resource by sending an excessive number of requests in a limited duration.

97
New cards

Risk Register

Document highlighting the results of risk assessments in an easily comprehensible format
- impact/likelihood ratings
- Date of identification
- Description
- Countermeasures/controls
- Risk Owner
- Status
Should be shared between stakeholders so they understand the risks associated with the workflows they manage

98
New cards

Compensating Controls

A type of security control that acts as a substitute for a principal control
- Provides the same (or better) level of protection but uses a different methodology or technology

99
New cards

Exception Management

Formal process used to document each case where a function or asset is noncompliant with written policy and procedural controls.

100
New cards

Tabletop Exercise (TTX)

Exercise that uses an incident scenario against a framework of controls or a red team
- discussion of simulated emergency situations and security incidents