From 9fac461538f1a654b418aa3fe2a22868f3070442 Mon Sep 17 00:00:00 2001 From: mo khan Date: Mon, 9 May 2022 14:55:34 -0600 Subject: docs: add notes on IR from NIST --- learn/hacking/README.md | 175 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 174 insertions(+), 1 deletion(-) diff --git a/learn/hacking/README.md b/learn/hacking/README.md index dc3d3c4..21cbcc6 100644 --- a/learn/hacking/README.md +++ b/learn/hacking/README.md 
@@ -115,31 +115,204 @@ Stages of SANS IR Plan breach, breach containment, recovery activities, areas where CSIRT was effective and areas for improvement. +Organizations must create, provision, and operate a formal incident response +capability. Federal law requires Federal agencies to report incidents to the US +Computer Emergency Readiness Team (US-CERT) office within the Deparment of +Homeland Security (DHS). + +IR Team Services + +* Intrusion Detection +* Advisory Distribution +* Education and Awareness +* Information Sharing + +Preventing Incidents + +* Risk Assessments +* Host Security +* Network Security +* Malware Prevention +* User Awareness and Training + +Attack Vectors + +* External/Removable Media: e.g. USB flash drive +* Attrition: brute force methods to compromise, degrade, destroy. e.g. DDoS +* Web: e.g. XSS +* Email: e.g. exploit code disguised as an attachment +* Impersonation: replacing something benign with something malicious. e.g. MiTM +* Improper Usage: Violation of AUP +* Loss or Theft of Equipment: e.g. stolen laptop, authn token + +Incident Analysis + +* Profile Networks and Systems. 
+* Understand Normal Behaviours +* Create a Log Retention Policy +* Perform Event Correlation +* Keep All Host Clocks Synchronized +* Maintain and Use a Knowledge Base of Information +* Use Internet Search Engines for Research +* Run Packet Sniffers to Collect Additional Data +* Filter the Data +* Seek Assistance from Others + +Incident Documentation + +* The current status +* A summary +* Indicators related to the incident +* Other incidents related to the incident +* Actions taken by all incident handler on this incident +* Chain of custody +* Impact assessments related to the incident +* Contact information for other involved parties +* A list of evidence gathered during the incident investigation +* Comments from incident handlers +* Next steps to be taken + +Incident Prioritization + +* Functional Impact of the Incident +* Information Impact of the Incident +* Recoverability from the Incident + +Functional Impact Categories + +| Category | Definition | +| --------- | ---------- | +| None | No effect to the organization's ability to provide all services to all users | +| Low | Minimal effect; the organization can still provide all critical services to all users but has lost efficiency | +| Medium | Organization has lost the ability to provide a critical service to a subset of system users | +| High | Organization is no longer able to provide some critical services to any users | + +Information Impact Categories + +| Category | Definition | +| -------- | ---------- | +| None | No information was exfiltrated, changed, deleted, or otherwise compromised. | +| Privacy Breach | Sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, etc. 
was access or exfiltrated | +| Proprietary Breach | Unclassified proprietary information, such as protected critical infrastructure information (PCII), was accessed or exfiltrated | +| Integrity Loss | Sensitive or proprietary information was changed or deleted | + +Recoverability Effort Categories + +| Category | Definition | +| -------- | ---------- | +| Regular | Time to recovery is predictable with existing resources | +| Supplemented | Time to recovery is predictable with additional resources | +| Extended | Time to recovery is unpredictable; additional resources and outside help are needed | +| Not Recoverable | Recovery from the incident is not possible (e.g. sensitive data exfiltrated and posted publicly); launch investigation | + +Identifying the Attacking Hosts + +* Validating the Attacking Host's IP Address +* Researching the Attacking Host through Search Engines. +* Using Incident Databases +* Monitoring Possible Attacker Communication Channels + +Eradication + +* eliminate components of the incident +* deleting malware +* disabling breached accounts +* identifying and mitigating vulnerabilities that were exploited +* identify all affected hosts within the organization + +Recovery + +* restore systems to normal operation +* confirm that systems are functioning normally +* remediate vulnerabilities + +Lessons Learned + +* What happened and at what times? +* How well did staff deal with the incident? + * were procedures followed? + * were they adequate? +* What info was needed sooner? +* Were any steps or actions taken that might have inhibited the recovery? +* What would staff do differently the next time a similar incident occurs? +* How could info sharing with other organizations have been improved? +* What corrective actions can prevent similar incidents in the future? +* What precursors or indicators should be watched for in the future to detect similar incidents? 
+* What additional tools or resources are needed to detect, analyze, and mitigate future incidents? + +Evidence Retention + +* Prosecution: evidence may need to be retained until all legal actions have been completed. +* Data Retention: Data retention policies state how long certain types of data + may be kept. if a disk image contains email, that org may not want the image + to be kept for more than 180 days if that's their retention policy. +* Cost: original hardware that is stored as evidence are generally inexpensive. + However this can become costly if many components need to be stored for many + years. + +Incident Handling Checklist + +| | Action | Completed | +| --- | ------ | --------- | +| | Detection and Analysis | | +| 1. | Determine whether an incident has occurred | | +| 1.1 | Analyze the precursors and indicators | | +| 1.2 | Look for correlating information | | +| 1.3 | Perform research (e.g. search engines, knowledge base) | | +| 1.4 | As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence | | +| 2. | Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.) | | +| 3. | Report the incident to the appropriate internal personnel and external organizations | | +| | Containment, Eradication, and Recovery | | +| 4. | Acquire, preserve, secure, and document evidence | | +| 5. | Contain the incident | | +| 6. | Eradicate the incident | | +| 6.1 | Identify and mitigate all vulnerabilities that were exploited | | +| 6.2 | Remove malware, inappropriate materials, and other components | | +| 6.3 | If more affected hosts are discovered (e.g. new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them | | +| 7. 
| Recover from the incident | | +| 7.1 | Return affected systems to an operationally ready state | | +| 7.2 | Confirm that the affected systems are functioning normally | | +| 7.3 | If necessary, implement additional monitoring to look for future related activity | | +| | Post-Incident Activity | | +| 8. | Create a follow-up report | | +| 9. | Hold a lessons learned meeting (mandatory for major incidents, optional otherwise) | | + ## Glossary * ACL: Access Control List * APT: Advanced Persisten Threat +* AUP: Acceptable Usage Policy * CIA: Confidentiality, Integrity, Availability * CIRT: Computer Incident Response Team +* CISO: Chief Information Security Officer +* CSIRC: Computeer Security Incident Response Capability * CSIRT: Computer Security Incident Response Team * DEP: Data Execution Prevention +* FISMA: Federal Information Security Management Act * HIDS: Host Intrustion Detection System * IOC: Indicator of Compromise * IR: Incident Response * NIDS: Network Intrustion Detection System * PE: Portable Executable +* PII: Personally Identifiable Information * PR: Public Relations +* SIEM: Security Information Event Management * SOC: Security Operation Center +* SOP: Standard Operating Procedure * TME: Targeted Malicious Email -* SIEM: Security Information Event Management * Availability: TODO:: * Confidentiality: TODO:: * Data Compromise: gaining financial or individual information through phishing or malware. * Integrity: TODO:: +* Event: is any observable occurrence in a system or network. +* Adverse Event: an event with a negative consequence. +* Computer Security Incident: is a violation of computer security policies, + acceptable use policies, or standard security practices. 
## Papers * [IR in a SOC](https://sansorg.egnyte.com/dl/bkbu9M1bKY) * [Intel Driven Defense](https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf) * [IR Stages](https://www.secureworks.com/blog/incident-response-life-cycle-phases-for-effective-ir) +* [NIST IR Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf) -- cgit v1.2.3
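Review bot: several typos in the added text should be fixed before merge: "Deparment of Homeland Security" in the new opening paragraph should read "Department", the new glossary entry "CSIRC: Computeer Security Incident Response Capability" should read "Computer", and the Privacy Breach row of the Information Impact table ("was access or exfiltrated") should read "was accessed or exfiltrated". While the glossary is being touched, the relocated SIEM entry would be more accurate as "Security Information and Event Management", and the pre-existing "Persisten" / "Intrustion" typos in the same block could be fixed in this same commit. Smaller style points: "Actions taken by all incident handler on this incident" should be plural ("handlers"); under Evidence Retention, "original hardware that is stored as evidence are generally inexpensive" should be "is generally inexpensive" and "may be kept. if a disk image" needs a capital "If"; the bullets under Incident Analysis and Identifying the Attacking Hosts mix trailing periods ("Profile Networks and Systems.", "Researching the Attacking Host through Search Engines.") with none; and the three definitions appended to the glossary ("Event: is any observable occurrence...", "Computer Security Incident: is a violation...") should drop the leading "is" to match the "Adverse Event: an event with a negative consequence." form. Since these notes summarize NIST SP 800-61r2 (added to Papers in this hunk), a one-line pointer to that source at the top of the new section would tell readers where the impact tables and the handling checklist come from.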