Considerations for conducting triage on an incident
- Damage to data integrity
- Unauthorized changes
- Theft of data or resources
- Disclosure of confidential data
- Interruption of services
- System downtime
Impact-based Approach
Categorization approach that focuses on the severity of an incident, such as emergency, significant, moderate, or low.
Taxonomy-based Approach
Approach that defines incident categories at the top level, such as worm outbreak, phishing attempt, DDoS, external host/account compromise, or internal privilege abuse.
Organizational Impact
Incident that affects mission essential functions so the organization cannot operate as intended.
Localized impact
Incident that is limited in scope to a single department, small user group or a few systems.
Immediate Impact
Incident measurement based on direct costs incurred because of an incident, such as downtime, asset damage, penalties and fees
Total Impact
Incident measurement based on the costs that arise during and following the incident, including damage to the company's reputation.
Incident Classification - ways to classify
- Data Integrity
- System Process Criticality
- Downtime
- Economic
- Data Correlation
- Reverse Engineering
- Recovery Time
- Detection Time
Data Integrity
Any incident where data is modified or loses integrity
System Process Criticality
Incidents that disrupt or threaten a mission essential business function
Downtime
An incident that degrades or interrupts the availability of an asset, system or business process
Economic
incident that creates short-term or long-term costs
Data Correlation
Incident that is linked to the TTP of known adversary groups with extensive capabilities
Reverse Engineering
Incident in which the capabilities of the malware are discovered to be linked to an adversary group
Recovery Time
Incident which requires extensive recovery time due to its scope or severity.
Detection time
- incident which was not discovered quickly
- Only 10% of data breaches discovered within first hour
- Nearly 40% of adversaries had successfully exfiltrated data within minutes of starting an attack.
Containment
Rapid containment important to IR
- Limit the scope and magnitude of the incident by securing data and limiting impact to business operations and your customers.
Five Steps for Conducting Containment
1. Ensure the safety and security of all personnel
2. Prevent an ongoing intrusion or data breach
3. Identify if the intrusion is the primary or secondary attack
4. Avoid alerting the attacker that the attack has been discovered
5. Preserve any forensic evidence of the intrusion and attack.
Isolation
Mitigation strategy that involves removing an affected component from larger environment
Segmentation
mitigation strategy that achieves the isolation of a host or group of hosts using network technologies and architecture
- Uses VLANs, routing/subnets, and firewall ACLs to prevent communication outside the protected segment.
- Can be used to reroute adversary traffic as part of a deception defensive capability.
Sandboxing
Security mechanism that separates a system from other critical system resources and programs.
Eradication and Recovery
Remove the cause of the incident and bring the system back to a secure state
Eradication
Complete removal and destruction of the cause of the incident.
- Simplest option for eradicating a contaminated system is to replace it with a clean image from a trusted store.
Sanitization
Procedures that an organization uses to govern the disposal of obsolete information and equipment, including storage devices, devices with internal data storage capabilities, and paper records.
Cryptographic Erase (CE)
Method of sanitizing a self-encrypting drive by erasing the media encryption key
Zero-fill
Sanitizing a drive by overwriting all bits on a drive to zero
- not reliable method with SSDs and hybrid drives
Secure Erase (SE)
Sanitizing a solid-state device using manufacturer-provided software.
Secure Disposal
Sanitizing by physical destruction of the media by mechanical shredding, incineration, or degaussing.
Eradication Actions
- Reconstruction
- Reimaging
- Reconstitution
Reconstruction
Restoring a system that has been sanitized using scripted installation routines and templates.
Reimaging
Restoring a system that has been sanitized using an image-based backup.
Reconstitution
Method of restoring a system that cannot be sanitized using manual removal, reinstallation and monitoring processes.
7 steps for reconstitution
1. Analyze the processes and network activity for signs of malware
2. Terminate suspicious processes and securely delete them from the system
3. Identify and disable autostart locations to prevent processes from executing
4. Replace contaminated processes with clean versions from trusted media.
5. Reboot the system and analyze for signs of continued malware infection
6. If continued malware infection, analyze firmware and USB devices for infection
7. If tests are negative reintroduce the system to the production environment.
Recovery
Actions taken to ensure that hosts are fully reconfigured to operate the business workflow they were performing before the incident occurred.
Recovery Actions
- Patching
- Permissions
- Logging
- System Hardening
Patching
Installing a set of changes to a computer program or its supporting data designed to update, to fix, or to improve it
Logging
Ensure that scanning and monitoring/log retrieval systems are functioning properly following the incident.
System Hardening
Securing a system's configuration and settings to reduce IT vulnerability and the possibility of being compromised
Actions performed when conducting system hardening
- Deactivate unnecessary components
- Disable unused user accounts
- Implement patch management
- Restrict host access to peripherals
- Restrict shell commands
Three mottos for system hardening
- Uninstall anything you aren't using
- If you need it, patch it frequently
- Always restrict users to least privilege
Post-Incident Activity
Analyze the incident and responses to identify whether procedures or systems could be improved.
Main areas of post-incident activity
- Report Writing
- Incident Summary Report
- Evidence Retention
Report Writing
An essential analyst skill that is used to communicate information about the incident to a wide variety of stakeholders
- Reports should be clearly marked for the intended audience
Incident Summary Report
Report written for specific audience with key information about the incident and their use
- Contains information about how the incident occurred, how it could be prevented in the future, the impact and damage on the systems, and any lessons learned.
Evidence Retention
preservation of evidence based upon the required time period defined by regulations if there is a legal or regulatory impact caused by an incident.
Lessons Learned
An analysis of events that can provide insight into how to improve response processes in the future
Six Questions to Structure Lessons Learned Meeting
1. Who was the adversary?
2. Why was the incident conducted?
3. When did the incident occur?
4. Where did the incident occur?
5. How did the incident occur?
6. What controls could have mitigated it?
After-Action Report / Lessons Learned Report
Report providing insight into the specific incident and how to improve response processes in the future
Benefits of using lessons learned and after-action reports
- Incident Response Plan Update
- IoC Generation and Monitoring
- Change Control Process
Root Cause Analysis
Systematic process to identify the initial source of the incident and how to prevent it from occurring again.
- Need to figure out what caused the incident and then see how many other things across your network are going to have the same type of feature sets to prevent future attacks.
4 Steps of Root Cause Analysis
- Define and scope the incident
- Determine the causal relationships
- Identify an effective solution
- Implement and track the solution.
Enterprise Risk Management (ERM)
Comprehensive process of evaluating, measuring and mitigating the many risks that pervade an organization.
Why is risk management adopted by organizations
- Keep data confidential
- Avoid financial loss
- Avoid legal issues
- Maintain positive brand image
- Ensuring COOP
- Establishing trust and mitigating liability
- Meeting stakeholder's objectives
NIST Managing Information Security Risk Framework
- Frame
- Assess
- Respond
- Monitor
Frame
Establish a strategic risk management framework that is supported by decision makers at the top tier of the organization
Assess
Identify and prioritize business processes/workflow
Respond
Mitigate each risk factor through the deployment of managerial, operational, and technical security controls.
Monitor
Evaluate the effectiveness of risk response measures and identify changes that could affect risk management processes
Risk identification takes place by:
evaluating threats, identifying vulnerabilities, and assessing the probability (or likelihood) of an event affecting an asset or process.
Business Continuity Loss
A loss associated with no longer being able to fulfill contracts and orders due to the breakdown of critical systems.
Legal Costs
A loss created by organizational liability due to prosecution (criminal law) or damages (civil law).
Reputational Harm
A loss created by negative publicity and the consequential loss of market position or consumer trust.
System assessments are conducted to:
better posture an organization to reduce risk and prevent losses
System Assessments
systematic identification of critical systems by compiling an inventory of the business processes and the tangible assets and resources that support those processes.
System Assessments include:
- People
- Tangible assets
- Intangible assets
- Procedures.
Mission Essential Function (MEF)
a business or organizational activity that is too critical to be deferred for anything more than a few hours (if at all)
Asset/Inventory Tracking
- Use of a software or hardware solution to track and manage any assets within an organization
Asset Management Database
Contains data such as the type, model, serial number, asset ID, location, user, value, and service information
Threat and Vulnerability Assessment
An ongoing process of assessing assets against a set of known threats and vulnerabilities.
Risk =
Probability x impact
Quantitative Risk Calculation
Uses mathematical and statistical techniques to assign numerical values to the likelihood and impact of potential threats.
Probability
The chance or likelihood of a threat being realized
Impact
measured in terms of the financial loss or damage that would result if the threat was materialized.
Single Loss Expectancy (SLE)
A metric to determine the expected financial loss from a single event.
- allows organizations to determine the expected loss from a single event
- only provides the value for a single occurrence or loss
SLE =
AV (Asset Value) x EF (Exposure Factor)
Annual Rate of Occurrence (ARO)
Number of times per year that a specific threat is expected to occur.
ARO =
# of threat occurrences / # of years in the period
Annual Loss Expectancy (ALE)
Expected financial loss for multiple events during a year.
ALE =
SLE x ARO
Qualitative Risk Calculation
Uses subjective judgement and expert opinions to evaluate the likelihood and impact of threats.
Reasons why qualitative risk calculations sometimes preferred over quantitative risk calculations
- Complexity
- Unknowns
- Limited Data
- Resource Constraints
- Communication
Semi-Quantitative Method
Uses a mixture of concrete values with opinions and reasoning to measure the likelihood and impact of risk
- attempts to find middle ground to create a hybrid risk analysis method.
Business Impact Analysis (BIA)
a systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.
- governed by metrics that express system availability
Maximum Tolerable Downtime (MTD)
Longest period of time a business can be inoperable without causing irrevocable business failure
- each process can have own MTD
- MTD sets upper limit on recovery time that system and asset owners need to resume operations.
Recovery Time Objective (RTO)
length of time it takes after an event to resume normal business operations and activities.
Work Recovery Time (WRT)
length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event.
Recovery Point Objective (RPO)
longest period of time that an organization can tolerate lost data being unrecoverable
- focused on how long you can be without your data
MTD and RPO help determine:
which business functions are critical and to specify appropriate risk countermeasures
Mitigation
add controls
Avoidance
changing plans
Transference
Insurance
Acceptance
Low Risk
Security Control Prioritization Considerations
- Control is required by framework, best practice, or regulation
- cost of control
- amount of risk a control mitigates
Return on Security Investment (ROSI)
metric to calculate whether a security control is worth the cost of deploying and maintaining it.
- Risk is not always in opposition to an organization's goals
ROSI = ((ALE - ALEm) - C) / C
Engineering Tradeoff
assessment of the benefit of risk reduction against the increased complexity or cost in a system design or specification
DoS Attack
type of cyber-attack which is used to overwhelm a computer, service, or resource by providing an extraneous number of requests in a limited duration.
Risk Register
Document highlighting the results of risk assessments in an easily comprehensible format
- impact/likelihood ratings
- Date of identification
- Description
- Countermeasures/controls
- Risk Owner
- Status
Should be shared between stakeholders so they understand the risks associated with the workflows they manage
Compensating Controls
A type of security control that acts as a substitute for a principal control
- provides the same (or better) level of protection but uses a different methodology or technology
Exception Management
formal process that is used to document each case where a function or asset is noncompliant with written policy and procedural controls
Tabletop Exercise (TTX)
Exercise that uses an incident scenario against a framework of controls or a red team
- discussion of simulated emergency situations and security incidents