# Hacking

The fundamental element of intelligence is the `indicator`. An `indicator` is any piece of information that describes an intrusion.

* Atomic: cannot be broken down into smaller parts and retain their meaning.
  * e.g. IP address, email address, vuln identifier
* Computed: are derived from data involved in an incident.
  * e.g. hash values, regular expressions.
* Behavioral: are collections of computed and atomic indicators, often subject to qualification by quantity and possible combinatorial logic.
  * e.g. "generated network traffic matching [regex] at the rate of [frequency] to [ip], and then replace it with one matching [hash value] once established."

```plaintext
Indicator Life Cycle

               ------------
 -- Report --> | Revealed |
               ------------
                 A     |
                 |     | Analyze
        discover |     V
                 |  ----------
                 |  | Mature |------
                 |  ----------     |
                 |                 | Leverage
               ------------        |
               | Utilized | <------
               ------------
```

The `kill chain` is a systemic approach to target and engage an adversary to create desired effects (US Department of Defense):

1. find: find adversary targets suitable for engagement
2. fix: fix their location
3. track: track and observe
4. target: target with a suitable weapon or asset to create desired effects
5. engage: engage the adversary
6. assess: assess effects

Intrusion: the aggressor must develop a payload to breach a trusted boundary, establish a presence inside a trusted environment, and from that presence take actions towards their objectives.

Intrusion kill chain:

1. Reconnaissance: research, identification and selection of targets.
2. Weaponization: coupling a remote access trojan with an exploit into a deliverable payload.
3. Delivery: transmission of the weapon to the targeted environment.
4. Exploitation: after the weapon is delivered to the victim host, exploitation triggers the intruders' code.
5. Installation: installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
6. Command and Control (C2): compromised hosts must beacon outbound to an internet control server to establish a C2 channel.
7. Actions on Objectives: intruders take actions to achieve their original objectives, e.g. data exfiltration, violating data integrity or availability, hopping to additional systems.

## SOC

* tier 1: triage analysis via intaking many events and alerts.
  * determine relevance and urgency of the alert
  * a ticket is created with a severity level.
* tier 2: determines the root cause of the alert.
  * assess the IOC
  * tracks down affected assets
  * determines the scope of the threat.
* tier 3: SOC Manager
  * supervises the team.
  * ensures the team is well-trained and up to date.
  * finds new talent, coordinates training, manages escalations.

| NIST | SANS | ISO | Secureworks |
| ---- | ---- | --- | ----------- |
| Preparation | Preparation | Prepare | Prepare |
| Detection & Analysis | Identification | Identify | Detect & Investigate |
| Containment, Eradication & Recovery | Containment | Assess | Remediate |
| | Eradication | Respond | |
| | Recovery | | |
| Post-incident activity | Lessons learned | Learn | Follow-up |

### Stages of SANS IR Plan

1. Preparation
   * policy: have clearly written policies
   * team: a CSIRT team will include expertise in IT, legal, PR.
   * tools:
     * SIEM monitors and alerts about breaches.
     * anti-phishing features in email servers.
2. Identification
   * Alerts fire -> CSIRT team analyzes and assesses severity.
   * Examine scope and impact
3. Containment: aims at mitigating the impact of the breach.
   * short term: instant responses intended to stop the breach from spreading.
   * long term: restoration of essential systems back into operation without the affected systems.
4. Eradication: removing all traces of the breach.
5. Recovery: CSIRT recommends when and how all the systems will be returned to operation. After restoration, the CSIRT team monitors all systems to ensure they are free from anomalies.
6. Lessons Learned: CSIRT compiles activities about the incident into a report.
   * stakeholders review the report to understand the breach and its impact.
   * the review is used to determine potential preventative measures, scope of the breach, breach containment, recovery activities, areas where the CSIRT was effective and areas for improvement.

Organizations must create, provision, and operate a formal incident response capability. Federal law requires Federal agencies to report incidents to the US Computer Emergency Readiness Team (US-CERT) office within the Department of Homeland Security (DHS).

### IR Team Services
* Intrusion Detection
* Advisory Distribution
* Education and Awareness
* Information Sharing

### Preventing Incidents
* Risk Assessments
* Host Security
* Network Security
* Malware Prevention
* User Awareness and Training

### Attack Vectors
* External/Removable Media: e.g. USB flash drive
* Attrition: brute force methods to compromise, degrade, destroy. e.g. DDoS
* Web: e.g. XSS
* Email: e.g. exploit code disguised as an attachment
* Impersonation: replacing something benign with something malicious. e.g. MiTM
* Improper Usage: violation of the AUP
* Loss or Theft of Equipment: e.g. stolen laptop, authn token

### Incident Analysis
* Profile Networks and Systems.
* Understand Normal Behaviours
* Create a Log Retention Policy
* Perform Event Correlation
* Keep All Host Clocks Synchronized
* Maintain and Use a Knowledge Base of Information
* Use Internet Search Engines for Research
* Run Packet Sniffers to Collect Additional Data
* Filter the Data
* Seek Assistance from Others

### Incident Documentation
* The current status
* A summary
* Indicators related to the incident
* Other incidents related to the incident
* Actions taken by all incident handlers on this incident
* Chain of custody
* Impact assessments related to the incident
* Contact information for other involved parties
* A list of evidence gathered during the incident investigation
* Comments from incident handlers
* Next steps to be taken

### Incident Prioritization
* Functional Impact of the Incident
* Information Impact of the Incident
* Recoverability from the Incident

Functional Impact Categories

| Category | Definition |
| -------- | ---------- |
| None | No effect to the organization's ability to provide all services to all users |
| Low | Minimal effect; the organization can still provide all critical services to all users but has lost efficiency |
| Medium | Organization has lost the ability to provide a critical service to a subset of system users |
| High | Organization is no longer able to provide some critical services to any users |

Information Impact Categories

| Category | Definition |
| -------- | ---------- |
| None | No information was exfiltrated, changed, deleted, or otherwise compromised. |
| Privacy Breach | Sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, etc. was accessed or exfiltrated |
| Proprietary Breach | Unclassified proprietary information, such as protected critical infrastructure information (PCII), was accessed or exfiltrated |
| Integrity Loss | Sensitive or proprietary information was changed or deleted |

Recoverability Effort Categories

| Category | Definition |
| -------- | ---------- |
| Regular | Time to recovery is predictable with existing resources |
| Supplemented | Time to recovery is predictable with additional resources |
| Extended | Time to recovery is unpredictable; additional resources and outside help are needed |
| Not Recoverable | Recovery from the incident is not possible (e.g. sensitive data exfiltrated and posted publicly); launch investigation |

### Identifying the Attacking Hosts
* Validating the Attacking Host's IP Address
* Researching the Attacking Host through Search Engines
* Using Incident Databases
* Monitoring Possible Attacker Communication Channels

### Eradication
* eliminate components of the incident
  * deleting malware
  * disabling breached accounts
  * identifying and mitigating vulnerabilities that were exploited
* identify all affected hosts within the organization

### Recovery
* restore systems to normal operation
* confirm that systems are functioning normally
* remediate vulnerabilities

### Lessons Learned
* What happened and at what times?
* How well did staff deal with the incident?
  * were procedures followed?
  * were they adequate?
* What info was needed sooner?
* Were any steps or actions taken that might have inhibited the recovery?
* What would staff do differently the next time a similar incident occurs?
* How could info sharing with other organizations have been improved?
* What corrective actions can prevent similar incidents in the future?
* What precursors or indicators should be watched for in the future to detect similar incidents?
* What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
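Tying the indicator types at the top of these notes to the Incident Analysis practices (event correlation over synchronized host clocks), the following is an added example, not code from the notes or the cited papers: it encodes the behavioral indicator pattern (beacon traffic matching a regex to an IP at a given rate, then a payload matching a hash once established) and evaluates it over constructed log lines. The `Behavioral` and `evaluate` names, the hosts, the 203.0.113.10 address, the clock skews and the payload hash are all assumptions.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Computed indicator: hash derived from constructed payload bytes (not a real sample).
PAYLOAD_SHA256 = hashlib.sha256(b"constructed sample payload").hexdigest()

@dataclass
class Behavioral:
    """Behavioral indicator: atomic + computed indicators, qualified by quantity and order."""
    beacon_regex: str    # computed indicator: pattern of the beacon request
    c2_ip: str           # atomic indicator: control server address
    min_hits: int        # quantity qualifier: beacons required inside the window
    window: timedelta
    payload_sha256: str  # computed indicator: hash of the payload fetched once established

# Assumed per-host clock drift (host clock minus true UTC). Correcting it before
# correlating is the "keep all host clocks synchronized" step from the notes.
CLOCK_SKEW = {"ws-01": timedelta(minutes=-3), "ws-02": timedelta(0)}

def to_utc(host, local_ts):
    return datetime.fromisoformat(local_ts).replace(tzinfo=timezone.utc) - CLOCK_SKEW[host]
def evaluate(ind, raw_events):
    """Map host -> UTC time of the first beacon, for hosts matching the full behavior."""
    # raw_events: (host, local_ts, kind, detail); normalise and sort so ordering is sound
    events = sorted((to_utc(h, ts), h, k, d) for h, ts, k, d in raw_events)
    hits = {}
    for host in sorted({e[1] for e in events}):
        beacons = [t for t, h, k, d in events if h == host and k == "net"
                   and ind.c2_ip in d and re.search(ind.beacon_regex, d)]
        drops = [t for t, h, k, d in events if h == host and k == "file" and ind.payload_sha256 in d]
        for i, start in enumerate(beacons):
            in_window = [t for t in beacons[i:] if t - start <= ind.window]
            # rate qualifier met, then the payload hash seen after the last beacon in the window
            if len(in_window) >= ind.min_hits and any(t >= in_window[-1] for t in drops):
                hits[host] = start
                break
    return hits

RAW_EVENTS = [  # constructed sample log lines, timestamps as each host recorded them
    ("ws-01", "2024-05-01T10:00:00", "net", "GET /gate.php?id=7 -> 203.0.113.10"),
    ("ws-01", "2024-05-01T10:00:20", "net", "GET /gate.php?id=8 -> 203.0.113.10"),
    ("ws-01", "2024-05-01T10:00:40", "net", "GET /gate.php?id=9 -> 203.0.113.10"),
    ("ws-01", "2024-05-01T10:02:00", "file", "created svc.exe sha256=" + PAYLOAD_SHA256),
    ("ws-02", "2024-05-01T10:00:00", "net", "GET /gate.php?id=1 -> 203.0.113.10"),  # single beacon
]
INDICATOR = Behavioral(r"GET /gate\.php\?id=\d+", "203.0.113.10", 3, timedelta(minutes=1), PAYLOAD_SHA256)
MATCHES = evaluate(INDICATOR, RAW_EVENTS)  # {'ws-01': 2024-05-01 10:03:00+00:00}
```

ws-02 shows a single beacon to the same address, which the quantity qualifier correctly ignores; an atomic IP indicator alone would have flagged it.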
### Evidence Retention
* Prosecution: evidence may need to be retained until all legal actions have been completed.
* Data Retention: data retention policies state how long certain types of data may be kept. If a disk image contains email, that org may not want the image to be kept for more than 180 days if that is their retention policy.
* Cost: original hardware stored as evidence is generally inexpensive. However, this can become costly if many components need to be stored for many years.

### Incident Handling Checklist

| | Action | Completed |
| --- | ------ | --------- |
| | Detection and Analysis | |
| 1. | Determine whether an incident has occurred | |
| 1.1 | Analyze the precursors and indicators | |
| 1.2 | Look for correlating information | |
| 1.3 | Perform research (e.g. search engines, knowledge base) | |
| 1.4 | As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence | |
| 2. | Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.) | |
| 3. | Report the incident to the appropriate internal personnel and external organizations | |
| | Containment, Eradication, and Recovery | |
| 4. | Acquire, preserve, secure, and document evidence | |
| 5. | Contain the incident | |
| 6. | Eradicate the incident | |
| 6.1 | Identify and mitigate all vulnerabilities that were exploited | |
| 6.2 | Remove malware, inappropriate materials, and other components | |
| 6.3 | If more affected hosts are discovered (e.g. new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them | |
| 7. | Recover from the incident | |
| 7.1 | Return affected systems to an operationally ready state | |
| 7.2 | Confirm that the affected systems are functioning normally | |
| 7.3 | If necessary, implement additional monitoring to look for future related activity | |
| | Post-Incident Activity | |
| 8. | Create a follow-up report | |
| 9. | Hold a lessons learned meeting (mandatory for major incidents, optional otherwise) | |

### Information Sharing Techniques

Organizations need to be able to share incident information with peers and partners in order to deal with many incidents effectively. Organizations should share information throughout the incident response life cycle and not wait until an incident has been fully resolved before sharing details of it with others.

* Ad Hoc: such as email, IM, and phone.
  * relies on individual employees' connections with employees in the IR teams of partner organizations.
* Partially Automated: organizations should decide what types of info they will communicate with partners. They must also work with their partner orgs to agree on the technical transport mechanisms that enable info exchange to occur in an automated fashion.

### Risk Management

Risk mgmt is the ongoing process of identifying, assessing, and responding to risk.
## Glossary

* ACL: Access Control List
* APT: Advanced Persistent Threat
* AUP: Acceptable Usage Policy
* CEA: Cybersecurity Enhancement Act
* CIA: Confidentiality, Integrity, Availability
* CIRT: Computer Incident Response Team
* CISO: Chief Information Security Officer
* CSIRC: Computer Security Incident Response Capability
* CSIRT: Computer Security Incident Response Team
* DEP: Data Execution Prevention
* FISMA: Federal Information Security Management Act
* HIDS: Host Intrusion Detection System
* IOC: Indicator of Compromise
* IR: Incident Response
* NIDS: Network Intrusion Detection System
* NIST: National Institute of Standards and Technology
* PE: Portable Executable
* PII: Personally Identifiable Information
* PR: Public Relations
* PoLP: Principle of Least Privilege
* SIEM: Security Information and Event Management
* SOC: Security Operations Center
* SOP: Standard Operating Procedure
* TME: Targeted Malicious Email
* Availability: TODO::
* Confidentiality: TODO::
* Data Compromise: gaining financial or individual information through phishing or malware.
* Integrity: TODO::
* Event: any observable occurrence in a system or network.
* Adverse Event: an event with a negative consequence.
* Computer Security Incident: a violation of computer security policies, acceptable use policies, or standard security practices.

## Papers

* [IR in a SOC](https://sansorg.egnyte.com/dl/bkbu9M1bKY)
* [Intel Driven Defense](https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf)
* [IR Stages](https://www.secureworks.com/blog/incident-response-life-cycle-phases-for-effective-ir)
* [NIST IR Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf)
* [Framework for Improving Critical Infrastructure](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf)