# Hacking
The fundamental element of intelligence is the `indicator`.
An `indicator` is any piece of information that describes an intrusion.
* Atomic: cannot be broken down into smaller parts without losing their meaning.
  * e.g. IP address, email address, vuln identifier
* Computed: derived from data involved in an incident.
  * e.g. hash values, regular expressions.
* Behavioral: collections of computed and atomic indicators, often subject
  to qualification by quantity and possible combinatorial logic.
  * e.g. "generated network traffic matching [regex] at the rate of [frequency]
    to [ip], and then replace it with one matching [hash value] once
    established."
```plaintext
Indicator Life Cycle

               ------------
 -- Report --> | Revealed |---------+
               ------------         |
                    ^               |
                    |            Leverage
                 Analyze            |
                    |               v
                    |           ----------
                    |           | Mature |
                    |           ----------
               ------------         |
               | Utilized | <-- discover --+
               ------------
```
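The three indicator classes above differ in how they are matched: an atomic value is compared directly, a computed value is a hash or regex applied to one event, and a behavioral indicator only fires across several events. The following is an added example, not code from these notes or from the Lockheed Martin paper, that runs all three over a few constructed log lines; the log format, the placeholder IP, hash and regex, and the function names `parse_log`, `classify` and `behavioral_hits` are all my own assumptions.

```python
"""Matching the three indicator classes against constructed log lines.

Added example; not code from the notes or from the Lockheed Martin paper.
All indicator values, hosts and log lines below are constructed placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Atomic indicator: a single value that stands on its own (constructed, TEST-NET-3 range).
ATOMIC_C2_IP = "203.0.113.7"
# Computed indicators: values derived from incident data (constructed placeholders).
COMPUTED_HASH = "deadbeef" * 8                       # stands in for a real SHA-256
COMPUTED_BEACON_RE = re.compile(r'GET /[a-z]{8}\.php\?id=\d+')

# Constructed sample log, one event per line: "<iso timestamp> <source> key=value ..."
SAMPLE_LOG = f"""\
2024-05-01T10:00:00 proxy src=10.0.0.5 dst=203.0.113.7 req="GET /abcdefgh.php?id=1"
2024-05-01T10:00:30 proxy src=10.0.0.5 dst=203.0.113.7 req="GET /abcdefgh.php?id=2"
2024-05-01T10:01:00 proxy src=10.0.0.5 dst=203.0.113.7 req="GET /abcdefgh.php?id=3"
2024-05-01T10:01:05 proxy src=10.0.0.9 dst=198.51.100.2 req="GET /index.html"
2024-05-01T10:02:00 edr host=10.0.0.5 file=update.exe sha256={COMPUTED_HASH}
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(text):
    """Parse the key=value log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, rest = line.split(None, 2)
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in KV_RE.finditer(rest)}
        events.append({"ts": datetime.fromisoformat(ts), "source": source, "fields": fields})
    return events


def classify(event):
    """Indicator classes a single event matches: atomic and computed ones only.
    A behavioral indicator needs several events; see behavioral_hits()."""
    hits = set()
    f = event["fields"]
    if f.get("dst") == ATOMIC_C2_IP:
        hits.add("atomic:ip")
    if COMPUTED_BEACON_RE.search(f.get("req", "")):
        hits.add("computed:regex")
    if f.get("sha256") == COMPUTED_HASH:
        hits.add("computed:hash")
    return hits


def behavioral_hits(events, min_beacons=3, window=timedelta(minutes=2)):
    """Behavioral indicator from the notes: traffic matching [regex] to [ip] at a
    rate of at least min_beacons per window, followed by [hash value] on the same
    host. Returns {host: {"beaconing": bool, "payload_seen": bool}}."""
    beacon_times = defaultdict(list)
    hash_times = defaultdict(list)
    for ev in events:
        hits = classify(ev)
        host = ev["fields"].get("src") or ev["fields"].get("host")
        if {"atomic:ip", "computed:regex"} <= hits:
            beacon_times[host].append(ev["ts"])
        if "computed:hash" in hits:
            hash_times[host].append(ev["ts"])

    result = {}
    for host, times in beacon_times.items():
        times.sort()
        for i in range(len(times) - min_beacons + 1):
            established = times[i + min_beacons - 1]
            if established - times[i] <= window:
                result[host] = {
                    "beaconing": True,
                    "payload_seen": any(t >= established for t in hash_times[host]),
                }
                break
    return result


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev["ts"], sorted(classify(ev)))
    print(behavioral_hits(evs))
```

Note that the behavioral match is the only one that can tell a single benign-looking request from a beacon: the rate qualifier and the ordering (beaconing first, then the payload hash) are what make it an indicator rather than a list of values.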
The `kill chain` is a systematic approach to target and engage an adversary to
create desired effects.
US Department of Defense kill chain:
1. find: find adversary targets suitable for engagement
1. fix: fix their location
1. track: track and observe
1. target: target with suitable weapon or asset to create desired effects
1. engage: engage adversary
1. assess: assess effects.
Intrusion: the aggressor must develop a payload to breach a trusted boundary,
establish a presence inside a trusted environment, and from that presence, take
actions towards their objectives.
Intrusion kill chain (Lockheed Martin):
1. Reconnaissance: research, identification and selection of targets.
1. Weaponization: coupling a remote access trojan with an exploit into a
deliverable payload.
1. Delivery: transmission of the weapon to the targeted environment.
1. Exploitation: after weapon is delivered to victim host, exploitation triggers
intruders' code.
1. Installation: installation of a remote access trojan or backdoor on the
victim system allows the adversary to maintain persistence inside the
environment.
1. Command and Control (C2): compromised hosts must beacon outbound to an
internet control server to establish a C2 channel.
1. Actions on Objectives: intruders take actions to achieve their original
objectives. e.g. data exfiltration, violate data integrity or availability,
hop to additional systems.
## SOC
* tier 1: triage analysis via intaking many events and alerts.
  * determine relevance and urgency of the alert
  * a ticket is created with a severity level.
* tier 2: determines root cause of alert.
  * assess the IOC
  * tracks down affected assets
  * determines scope of threat.
* tier 3: SOC Manager
  * supervises the team.
  * ensures team is well-trained and up to date.
  * finds new talent, coordinates training, manages escalations.
| NIST | SANS | ISO | Secureworks |
| ---- | ---- | --- | ----------- |
| Preparation | Preparation | Prepare | Prepare |
| Detection & Analysis | Identification | Identify | Detect & Investigate |
| Containment, Eradication & Recovery | Containment | Assess | Remediate |
| | Eradication | Respond | |
| | Recovery | | |
| Post-incident activity | Lessons learned | Learn | Follow-up |
Stages of SANS IR Plan
1. Preparation
   * policy: have clearly written policies
   * team: a CSIRT will include expertise in IT, legal, and PR.
   * tools:
     * SIEM monitors and alerts about breaches.
     * anti-phishing features in email servers.
2. Identification
   * Alerts fire -> CSIRT analyzes and assesses severity.
   * Examine scope and impact
3. Containment: aims at mitigating the impact of the breach.
   * short term: instant responses intended to stop the breach from spreading.
   * long term: restoration of essential systems back into operation without the
     affected systems.
4. Eradication: removing all traces of the breach.
5. Recovery: CSIRT recommends when and how all the systems will be returned to
   operation. After restoration, the CSIRT monitors all systems to ensure
   they are free from anomalies.
6. Lessons Learned: CSIRT compiles activities about the incident into a report.
   * stakeholders review the report to understand the breach and its impact.
   * the review is used to determine potential preventative measures, scope of the
     breach, breach containment, recovery activities, areas where the CSIRT was
     effective and areas for improvement.
Organizations must create, provision, and operate a formal incident response
capability. Federal law requires Federal agencies to report incidents to the US
Computer Emergency Readiness Team (US-CERT) office within the Department of
Homeland Security (DHS).
IR Team Services
* Intrusion Detection
* Advisory Distribution
* Education and Awareness
* Information Sharing
Preventing Incidents
* Risk Assessments
* Host Security
* Network Security
* Malware Prevention
* User Awareness and Training
Attack Vectors
* External/Removable Media: e.g. USB flash drive
* Attrition: brute force methods to compromise, degrade, destroy. e.g. DDoS
* Web: e.g. XSS
* Email: e.g. exploit code disguised as an attachment
* Impersonation: replacing something benign with something malicious. e.g. MiTM
* Improper Usage: Violation of AUP
* Loss or Theft of Equipment: e.g. stolen laptop, authn token
Incident Analysis
* Profile Networks and Systems.
* Understand Normal Behaviours
* Create a Log Retention Policy
* Perform Event Correlation
* Keep All Host Clocks Synchronized
* Maintain and Use a Knowledge Base of Information
* Use Internet Search Engines for Research
* Run Packet Sniffers to Collect Additional Data
* Filter the Data
* Seek Assistance from Others
Incident Documentation
* The current status
* A summary
* Indicators related to the incident
* Other incidents related to the incident
* Actions taken by all incident handlers on this incident
* Chain of custody
* Impact assessments related to the incident
* Contact information for other involved parties
* A list of evidence gathered during the incident investigation
* Comments from incident handlers
* Next steps to be taken
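Two of the fields above, the evidence list and the chain of custody, are only useful if they can be checked later. The following is an added example, not code from these notes or from NIST SP 800-61, of an incident record whose evidence items carry a hash-verified custody log: every entry stores the SHA-256 of the item as that handler saw it, a hand-off is refused when the current hash no longer matches, and a verification pass is recorded only when it succeeds. The dataclass names, the handler names, the incident id and the evidence bytes are all constructed for the example.

```python
"""Incident record with hash-verified chain of custody for evidence items.

Added example; not code from the notes or from NIST SP 800-61. The incident id,
handler names and evidence bytes are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyEntry:
    when: datetime
    handler: str
    action: str       # "acquired", "transferred from <handler>", "verified"
    sha256: str       # hash of the item as seen by this handler


@dataclass
class Evidence:
    label: str        # e.g. "disk image, workstation WS-17" (constructed)
    data: bytes       # in practice a path to the image; bytes here so it runs offline
    custody: list = field(default_factory=list)

    def digest(self):
        return hashlib.sha256(self.data).hexdigest()


@dataclass
class Incident:
    """The documentation fields from the notes that this example exercises."""
    incident_id: str
    status: str
    summary: str
    indicators: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    evidence: list = field(default_factory=list)


def _now():
    return datetime.now(timezone.utc)


def acquire(incident, label, data, handler, when=None):
    """Add an item to the incident and open its chain of custody with the
    hash taken at acquisition."""
    item = Evidence(label, data)
    item.custody.append(CustodyEntry(when or _now(), handler, "acquired", item.digest()))
    incident.evidence.append(item)
    incident.actions.append(f"{handler} acquired {label}")
    return item


def verify(item):
    """True only if the current hash equals every hash recorded in the chain."""
    current = item.digest()
    return bool(item.custody) and all(e.sha256 == current for e in item.custody)


def transfer(item, from_handler, to_handler, when=None):
    """Record a hand-off. Refuses when the item no longer matches its chain, so a
    tampered or corrupted item cannot be quietly passed along."""
    if not verify(item):
        raise ValueError(f"{item.label}: chain of custody broken before transfer")
    item.custody.append(CustodyEntry(when or _now(), to_handler,
                                     f"transferred from {from_handler}", item.digest()))


def record_verification(item, handler, when=None):
    """Append a 'verified' entry; returns False and records nothing on mismatch."""
    if not verify(item):
        return False
    item.custody.append(CustodyEntry(when or _now(), handler, "verified", item.digest()))
    return True


if __name__ == "__main__":
    inc = Incident("INC-0001", "open", "suspected beaconing from WS-17")  # constructed
    img = acquire(inc, "disk image WS-17", b"constructed image bytes", "handler-a")
    transfer(img, "handler-a", "handler-b")
    print(verify(img), [e.action for e in img.custody])
    img.data = b"constructed image bytes (altered)"     # simulate tampering in storage
    print(verify(img), record_verification(img, "handler-c"))
```

Storing the hash in every entry, rather than once at acquisition, is what lets a reviewer show that each named handler received the item unchanged; a single hash would prove only that the item is currently intact.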
Incident Prioritization
* Functional Impact of the Incident
* Information Impact of the Incident
* Recoverability from the Incident
Functional Impact Categories
| Category | Definition |
| --------- | ---------- |
| None | No effect to the organization's ability to provide all services to all users |
| Low | Minimal effect; the organization can still provide all critical services to all users but has lost efficiency |
| Medium | Organization has lost the ability to provide a critical service to a subset of system users |
| High | Organization is no longer able to provide some critical services to any users |
Information Impact Categories
| Category | Definition |
| -------- | ---------- |
| None | No information was exfiltrated, changed, deleted, or otherwise compromised. |
| Privacy Breach | Sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, etc. was accessed or exfiltrated |
| Proprietary Breach | Unclassified proprietary information, such as protected critical infrastructure information (PCII), was accessed or exfiltrated |
| Integrity Loss | Sensitive or proprietary information was changed or deleted |
Recoverability Effort Categories
| Category | Definition |
| -------- | ---------- |
| Regular | Time to recovery is predictable with existing resources |
| Supplemented | Time to recovery is predictable with additional resources |
| Extended | Time to recovery is unpredictable; additional resources and outside help are needed |
| Not Recoverable | Recovery from the incident is not possible (e.g. sensitive data exfiltrated and posted publicly); launch investigation |
Identifying the Attacking Hosts
* Validating the Attacking Host's IP Address
* Researching the Attacking Host through Search Engines.
* Using Incident Databases
* Monitoring Possible Attacker Communication Channels
Eradication
* eliminate components of the incident
* deleting malware
* disabling breached accounts
* identifying and mitigating vulnerabilities that were exploited
* identify all affected hosts within the organization
Recovery
* restore systems to normal operation
* confirm that systems are functioning normally
* remediate vulnerabilities
Lessons Learned
* What happened and at what times?
* How well did staff deal with the incident?
* were procedures followed?
* were they adequate?
* What info was needed sooner?
* Were any steps or actions taken that might have inhibited the recovery?
* What would staff do differently the next time a similar incident occurs?
* How could info sharing with other organizations have been improved?
* What corrective actions can prevent similar incidents in the future?
* What precursors or indicators should be watched for in the future to detect similar incidents?
* What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
Evidence Retention
* Prosecution: evidence may need to be retained until all legal actions have been completed.
* Data Retention: Data retention policies state how long certain types of data
  may be kept. If a disk image contains email, the org may not want the image
  to be kept for more than 180 days if that is their retention policy.
* Cost: original hardware that is stored as evidence is generally inexpensive.
  However, this can become costly if many components need to be stored for many
  years.
Incident Handling Checklist
| | Action | Completed |
| --- | ------ | --------- |
| | Detection and Analysis | |
| 1. | Determine whether an incident has occurred | |
| 1.1 | Analyze the precursors and indicators | |
| 1.2 | Look for correlating information | |
| 1.3 | Perform research (e.g. search engines, knowledge base) | |
| 1.4 | As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence | |
| 2. | Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.) | |
| 3. | Report the incident to the appropriate internal personnel and external organizations | |
| | Containment, Eradication, and Recovery | |
| 4. | Acquire, preserve, secure, and document evidence | |
| 5. | Contain the incident | |
| 6. | Eradicate the incident | |
| 6.1 | Identify and mitigate all vulnerabilities that were exploited | |
| 6.2 | Remove malware, inappropriate materials, and other components | |
| 6.3 | If more affected hosts are discovered (e.g. new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them | |
| 7. | Recover from the incident | |
| 7.1 | Return affected systems to an operationally ready state | |
| 7.2 | Confirm that the affected systems are functioning normally | |
| 7.3 | If necessary, implement additional monitoring to look for future related activity | |
| | Post-Incident Activity | |
| 8. | Create a follow-up report | |
| 9. | Hold a lessons learned meeting (mandatory for major incidents, optional otherwise) | |
Information Sharing Techniques
Organizations need to be able to share incident information with peers and
partners in order to deal with many incidents effectively. Organizations should
share information throughout the incident response life cycle and not wait until
an incident has been fully resolved before sharing details of it with others.
* Ad Hoc: such as email, IM, and phone.
  * relies on individual employees' connections with employees in the IR teams of
    partner organizations.
* Partially Automated: organizations should decide what types of info they will
  communicate with partners. They must also work with their partner orgs to agree
  on the technical transport mechanisms that enable info exchange to occur in an
  automated fashion.
Risk Management
Risk mgmt is the ongoing process of identifying, assessing, and responding to
risk.
## Glossary
* ACL: Access Control List
* APT: Advanced Persistent Threat
* AUP: Acceptable Usage Policy
* CEA: Cybersecurity Enhancement Act
* CIA: Confidentiality, Integrity, Availability
* CIRT: Computer Incident Response Team
* CISO: Chief Information Security Officer
* CSIRC: Computer Security Incident Response Capability
* CSIRT: Computer Security Incident Response Team
* DEP: Data Execution Prevention
* FISMA: Federal Information Security Management Act
* HIDS: Host Intrusion Detection System
* IOC: Indicator of Compromise
* IR: Incident Response
* NIDS: Network Intrusion Detection System
* NIST: National Institute of Standards and Technology
* PE: Portable Executable
* PII: Personally Identifiable Information
* PR: Public Relations
* PoLP: Principle of Least Privilege
* SIEM: Security Information and Event Management
* SOC: Security Operation Center
* SOP: Standard Operating Procedure
* TME: Targeted Malicious Email
* Availability: ensuring timely and reliable access to and use of information.
* Confidentiality: preserving authorized restrictions on information access and
  disclosure, including means for protecting personal privacy and proprietary
  information.
* Data Compromise: gaining financial or individual information through phishing or malware.
* Integrity: guarding against improper information modification or destruction;
  includes ensuring information non-repudiation and authenticity.
* Event: is any observable occurrence in a system or network.
* Adverse Event: an event with a negative consequence.
* Computer Security Incident: is a violation of computer security policies,
acceptable use policies, or standard security practices.
## Papers
* [IR in a SOC](https://sansorg.egnyte.com/dl/bkbu9M1bKY)
* [Intel Driven Defense](https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf)
* [IR Stages](https://www.secureworks.com/blog/incident-response-life-cycle-phases-for-effective-ir)
* [NIST IR Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf)
* [Framework for Improving Critical Infrastructure](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf)