LU5 MO13 (1)

Learning Module 13: O Incident

UNIT 5: Preparation, Response and Investigation


Module Objectives

By the end of this module, you should be able to:

  1. Explain the steps in preparing for a cybersecurity incident

  2. Describe how to respond in an incident

  3. List the steps in an incident investigation


Reasons for Cybersecurity Incidents

Cybersecurity incidents can be classified into two broad areas:

  • Weak Account Types

  • Poor Access Control

Weak Account Types:

  • Strong authentication should be required on all user accounts.

  • User accounts should be routinely reviewed for security.

  • Accounts may need to be deleted or strengthened as necessary.

  • The following accounts should be prohibited:

    • Shared accounts

    • Generic accounts

    • Guest accounts

Poor Access Control:

  • Access Control: The mechanism to control who can access what.

  • Physical Access Control: Implementation of fencing, hardware locks, and mantraps to limit physical access to systems.

  • Technical Access Control: Policies/technologies that restrict users from accessing certain data on computers.

  • Implementation of Access Control Models to enforce access permissions.


Access Control Concepts

  • Identification: The process of recognizing users.

    • Example: A delivery driver presenting an employee badge.

  • Authentication: Validating user credentials.

    • Example: Checking the driver’s badge.

  • Authorization: Granting permission for actions.

    • Example: Allowing the driver to pick up a package.

  • Access: The right to access specific resources.

  • Accounting: A preserved record of who accessed the network, resource interactions, and disconnections.


Terms in Access Control

  • Object: A specific resource (e.g., a file).

  • Subject: A user or process (e.g., computer user).

  • Operation: Action taken by the subject over an object (e.g., deleting a file).

Example of Access Control

  • Object: SALARY.XLSX

    • Owner: MWiley

    • Access Level: Read-only for department managers.

    • Authentication: Requires username and password.

    • Final access operation: Opening the document.


Access Control Schemes

Access control schemes provide standards for managing controlled access. Five major schemes include:

  1. Discretionary Access Control (DAC)

  2. Mandatory Access Control (MAC)

  3. Role-Based Access Control (RBAC)

  4. Rule-Based Access Control

  5. Attribute-Based Access Control (ABAC)

Discretionary Access Control (DAC)

  • Provides ownership to users over their objects.

  • Owners can assign permissions to other users.

  • Weaknesses:

    • Relies on end user decisions for security.

    • Permissions may be inherited by programs executed by users.

Mandatory Access Control (MAC)

  • Most restrictive; users cannot set controls.

  • Key Elements:

    • Labels: Classification of objects indicating importance.

    • Levels: Hierarchical structure for privileges.

Role-Based Access Control (RBAC)

  • Permissions based on job functions.

  • Users assigned to roles, which define permissions.

Rule-Based Access Control (RB-RBAC)

  • Assigns roles dynamically based on rules.

  • Utilized for managing user access across systems.

Attribute-Based Access Control (ABAC)

  • Combines multiple attributes for access policies.

  • Utilizes an If-Then-Else structure for rule formatting.
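The access control schemes above, worked through on the module's own SALARY.XLSX scenario (owner MWiley, read-only for department managers, authentication required) as an added example that is not part of the original notes. The rule chain is written as the If-Then-Else structure the ABAC bullet describes; the attribute names and the non-owner user names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed attributes; a real deployment would pull these from the
# directory (subject), file metadata (object) and the request (operation).
@dataclass(frozen=True)
class Subject:
    name: str
    role: str            # e.g. "manager", "staff"
    authenticated: bool  # username + password check succeeded

@dataclass(frozen=True)
class Obj:
    name: str
    owner: str

def decide(subject: Subject, obj: Obj, operation: str) -> str:
    """Return 'permit' or 'deny' for one (subject, object, operation) request.

    Rules are evaluated top to bottom and the first match wins, which is the
    If-Then-Else structure the ABAC notes describe.
    """
    # IF the subject has not authenticated THEN deny everything.
    if not subject.authenticated:
        return "deny"
    # ELSE IF the subject owns the object THEN permit any operation
    # (the owner's discretionary control from the DAC notes).
    if subject.name == obj.owner:
        return "permit"
    # ELSE IF a department manager asks to read THEN permit (read-only).
    if subject.role == "manager" and operation == "read":
        return "permit"
    # ELSE deny: default-deny keeps the policy fail-closed.
    return "deny"

# The module's worked example: SALARY.XLSX owned by MWiley.
SALARY = Obj(name="SALARY.XLSX", owner="MWiley")

def demo() -> dict:
    """Evaluate the scenario's cases; returns {case: decision}."""
    owner = Subject("MWiley", "staff", True)
    manager = Subject("JDoe", "manager", True)           # constructed name
    unauth_manager = Subject("JDoe", "manager", False)
    staff = Subject("ARoe", "staff", True)               # constructed name
    return {
        "owner writes": decide(owner, SALARY, "write"),
        "manager reads": decide(manager, SALARY, "read"),
        "manager writes": decide(manager, SALARY, "write"),
        "unauthenticated manager reads": decide(unauth_manager, SALARY, "read"),
        "staff reads": decide(staff, SALARY, "read"),
    }
```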


Access Control Lists (ACLs)

  • Set of permissions attached to an object that dictates which subjects can access it.

  • Limitations:

    • Inefficiency in managing numerous ACLs in large organizations.

    • Time-consuming to change individual ACLs.


Preparing for an Incident

Incident Response Plan (IRP)

  • A written guide for responding to security incidents.

  • Actions include:

    • Preparation

    • Identification

    • Containment

    • Eradication

    • Recovery

    • Lessons Learned

Essential Components of an IRP

  • Incident definitions

  • Incident response teams

  • Reporting requirements

  • Retention policy

  • Stakeholder management

  • Communication plan


Types of Exercises

  1. Tabletop: Informal discussions about potential incidents.

  2. Walkthrough: Reviews of the plan by IT personnel.

  3. Simulation: Hands-on tests of the plan against realistic scenarios.


Attack Frameworks

  • Models that represent the actions of threat actors.

Common Frameworks include:

  1. MITRE ATT&CK

  2. The Diamond Model of Intrusion Analysis

  3. Cyber Kill Chain


Incident Response Steps

  • Utilize SOAR runbooks and playbooks.

  • Execute containment actions.

  • Implement configuration changes.


Utilize SOAR Runbooks and Playbooks

  • SOAR platforms help manage and respond to security alerts.

  • Playbook: Checklist for manual incident response steps.

  • Runbook: Automation of conditional steps in response procedures.


Perform Containment

  • Limit attack spread using network segmentation.

  • Segregation based on trust principles and sensitivity levels.


Make Configuration Changes

  • Adjustments necessary for prevention and mitigation of attacks.

  • Areas for configuration changes include:

    • Firewall rules

    • URL filters

    • Digital certificates

    • Data loss prevention settings

    • Mobile device management settings


Incident Investigation

An investigation is required for every cybersecurity incident to:

  • Identify causes and prevent future incidents.

  • Comply with regulatory requirements.

Key Investigation Steps

  • Analyze data sources

  • Conduct digital forensics


Data Sources

Log Files

  • Analyze log sources and data to identify attack vectors.

  • Use logs from security systems, network devices, and applications.

  • Challenges include volume, multiple formats, and managing log retention.

Additional Data Sources

  • Accumulate data from various sources:

    • IP monitors

    • Metadata

    • Analyzers

    • Vulnerability scans


Digital Forensics

Definition

  • Forensic science applies to legal queries; digital forensics focuses on cybercrime evidence recovery from various devices.

Forensic Procedures include:

  1. Secure the crime scene

  2. Preserve evidence

  3. Establish chain of custody

  4. Examine evidence

  5. Enable recovery


Secure the Scene

  • Damage control and immediate response setup.

  • Quarantine equipment, document the scene, and conduct interviews.


Preserve the Evidence

  • Ensure that digital evidence remains intact and secure.

  • Use tamper-evident and tamper-resistant bags for evidence collection.


Document Chain of Custody

  • Record handling and custodianship of evidence continuously.

  • Include all serial numbers, custody durations, and shipment processes in documentation.
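One way to keep the continuous custody record the bullets above call for, as an added example that is not part of the original notes: each entry records the custodian, the action, the item serial number and the evidence item's SHA-256, and is linked to the previous entry's digest so a record that is later edited or removed no longer verifies. Names, the serial number, timestamps and the sample image bytes are constructed.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def add_entry(log: list, *, item_serial: str, custodian: str,
              action: str, timestamp: str, evidence_hash: str) -> dict:
    """Append one custody record, chained to the previous record's digest."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {
        "item_serial": item_serial, "custodian": custodian, "action": action,
        "timestamp": timestamp, "evidence_hash": evidence_hash, "prev": prev,
    }
    # Canonical JSON so the digest does not depend on key order.
    body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    log.append(body)
    return body

def verify_chain(log: list) -> bool:
    """Recompute every link; False if any record was altered or removed."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

# Constructed bytes standing in for the acquired disk image.
IMAGE = b"constructed sample image bytes"

def build_sample_log() -> list:
    """Three constructed custody events for one evidence item."""
    log = []
    h = sha256_hex(IMAGE)  # hash taken at acquisition, re-recorded at each handover
    add_entry(log, item_serial="HDD-0001", custodian="A. Analyst",
              action="acquired image", timestamp="2024-01-05T09:00Z", evidence_hash=h)
    add_entry(log, item_serial="HDD-0001", custodian="B. Courier",
              action="shipped to lab", timestamp="2024-01-05T13:30Z", evidence_hash=h)
    add_entry(log, item_serial="HDD-0001", custodian="C. Examiner",
              action="received at lab", timestamp="2024-01-06T08:15Z", evidence_hash=h)
    return log
```

Re-hashing the image at each handover and comparing against the recorded evidence_hash is what ties the custody record to the evidence itself rather than only to the paperwork.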


Examine for Evidence

  • Follow the order of volatility when analyzing data to preserve fragile information.

  • Create a mirror image of systems before examination.


Enable Recovery

  • Focus on recovering data and learning from security incidents.

  • Strategic intelligence collection assists in policy adjustments.


Forensics Tools

Software Tools

  • Examples include:

    • dd imaging utility

    • Memdump for memory captures

    • WinHex

    • Autopsy

Hardware Tools

  • Digital forensic workstations and mobile forensics tools are critical resources.


Cloud Forensics

  • In cloud incidents, audit rights are significant for logging reviews.

  • Quick communication with cloud providers is crucial to understand incident impacts and scope.
