Unit5 - Subjective Questions

The NIST Computer Security Incident Handling Guide (SP 800-61) defines the Incident Response Lifecycle in four main phases:

1. Preparation:

   • Establishing an incident response capability.
   • Creating policies, procedures, and training the team.
   • Acquiring necessary tools (hardware/software) for investigation.

2. Detection and Analysis:

   • Monitoring systems for precursors and indicators.
   • Analyzing data to determine if an incident has occurred.
   • Triage and prioritization of the incident.

3. Containment, Eradication, and Recovery:

   • Containment: Stopping the spread of the attack (e.g., disconnecting a server, blocking an IP).
   • Eradication: Removing the root cause (e.g., deleting malware, disabling breached accounts).
   • Recovery: Restoring systems to normal operation and monitoring for remediation validation.

4. Post-Incident Activity:

   • Conducting a 'Lessons Learned' meeting.
   • Improving security measures based on findings.
   • Retaining evidence for potential legal action.

Digital Forensics is the practice of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally admissible. It involves the scientific examination of data held on or retrieved from computer storage media.

Standard Process Model:

1. Identification: Identifying potential evidence sources (laptops, servers, logs).
2. Preservation: Securing the scene and ensuring data is not altered (e.g., using Write Blockers).
3. Collection: Acquiring data using forensic imaging techniques to create bit-for-bit copies.
4. Examination: Processing the data to extract visible and hidden information (recovering deleted files).
5. Analysis: correlating the findings to draw conclusions about the incident.
6. Reporting: Documenting the methodology, findings, and conclusions in a non-technical format for legal or management review.

Chain of Custody refers to the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.

Critical Importance:

• Admissibility: In a court of law, evidence is only admissible if its integrity can be proven. A broken chain suggests the evidence could have been tampered with.
• Integrity: It proves that the evidence collected at the crime scene is the exact same evidence presented in court.
• Accountability: It tracks exactly who handled the evidence, when, and for what purpose, preventing unauthorized access.

1. Application Logs:

   • Generated by software applications (e.g., Web servers like Apache/IIS, Database servers like SQL).
   • Provide details on user activities, error messages, and transaction records relevant to the specific application.

2. Operating System (OS) Logs:

   • Windows Event Logs: Security (logins), System (driver failures), and Application logs.
   • Linux/Unix Syslogs: Records system messages, authentication attempts (/var/log/auth.log), and kernel activities.

3. Network Device Logs:

   • Generated by firewalls, routers, and switches.
   • Include Allow/Deny decisions, source/destination IPs, port numbers, and protocol types (e.g., NetFlow data).

SIEM is a solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.

Core Functions:

1. Data Aggregation: Collecting logs from networks, security devices, servers, and databases.
2. Correlation: Linking events from different sources to detect patterns of attack (e.g., 5 failed logins on a server followed by a successful login via VPN).
3. Alerting: Notifying analysts immediately when a potential security issue is detected.
4. Retention: Storing historical data for compliance and forensic investigations.

Indicators of Compromise (IoCs) are pieces of forensic data that identify potentially malicious activity.

Common Malware IoCs:

• File Hashes: Known malicious MD5, SHA1, or SHA256 hashes ().
• Unusual Outbound Network Traffic: Malware "phoning home" to a Command and Control (C2) server.
• Registry Key Changes: Modifications to the Windows Registry to ensure persistence (e.g., Run keys).
• Filename Anomalies: Misspelled system filenames (e.g., svch0st.exe instead of svchost.exe) or files in unusual directories (e.g., executables in the AppData folder).
• Increased CPU/Memory Usage: Sudden spikes indicating cryptomining or intense background processing.

Network Beaconing is a type of traffic pattern where a compromised internal device attempts to communicate with an external attacker-controlled system (Command and Control / C2 server) at regular intervals.

Characteristics:

• Regularity: The communication happens on a strict timing schedule (e.g., every 5 minutes) or introduces "jitter" (randomized delays) to hide.
• Purpose: Used by malware to check for new commands, exfiltrate data, or signal that the host is still infected.
• Detection: Analysts look for long-duration flows with small packet sizes occurring at mathematical intervals in firewall or proxy logs.

A DDoS attack aims to overwhelm a system's resources to make it unavailable to legitimate users.

Key Indicators:

1. Traffic Spike: An unusually massive surge in requests coming from multiple IP addresses simultaneously.
2. Slow Performance: Drastic slowdown in server response times or network speeds.
3. 503 Errors: Service Unavailable errors appearing frequently in web server logs.
4. Source Anomaly: Traffic originating from unusual geographic locations or a single type of device/User-Agent.
5. Resource Exhaustion: Firewall or server logs showing exhaustion of bandwidth, CPU, or connection limits (e.g., SYN flood filling the connection table).

Physical attack indicators suggest that security has been breached via physical access to the premises or hardware.

Examples:

• Tailgating/Piggybacking: Unauthorized individuals following authorized personnel through secure doors.
• Missing Devices: Laptops, hard drives, or backup tapes disappearing from secure areas.
• Tampered Hardware: USB keystroke loggers found attached to the back of workstations.
• Lock Picking/Forced Entry: Signs of damage on server room doors or cabinets.
• Rogue Wireless Access Points: Unidentified Wi-Fi devices found hidden under desks or in conference rooms plugged into the corporate network.

1. SQL Injection (SQLi) Indicators:

• Log Patterns: Presence of SQL syntax in URL parameters or form inputs found in web logs. Examples: ' OR 1=1, UNION SELECT, --, or ;.
• Database Errors: Application returning verbose database error messages to the user.

2. Cross-Site Scripting (XSS) Indicators:

• Script Tags: Input fields or URLs containing HTML script tags like <script>, javascript:, or onload=.
• Encoded Characters: Excessive use of URL encoding (e.g., %3Cscript%3E) attempting to bypass filters.
• Pop-ups: Users reporting unexpected alert boxes appearing on legitimate web pages.

A CSIRT is a concrete organizational entity (i.e., one or more staff) assigned the responsibility for coordinating and supporting the response to a computer security event or incident.

Key Roles:

• Incident Handler: Manages the lifecycle of the incident (triage, coordination).
• Technical Analyst: Performs forensic analysis, malware reverse engineering, and log review.
• Communicator/PR: Manages internal and external communications (stakeholders, media, law enforcement).
• Legal Advisor: Ensures response actions comply with laws and regulations.
• Management: Authorization of critical decisions (e.g., shutting down a production server).

Order of Volatility refers to the order in which data should be collected based on how transient (temporary) it is. Data that is lost when power is removed must be collected first.

Typical Order (RFC 3227):

1. CPU Cache, Registers, System RAM: Most volatile; contains encryption keys, running processes, and network connections.
2. Routing Table, ARP Cache, Process Table, Kernel Statistics: Network state and memory mapping.
3. Temporary File Systems: Swap space/page files.
4. Disk: Hard drive data (persistent).
5. Remote Logging and Monitoring Data: Logs stored on central servers.
6. Physical Configuration/Topology: Network diagrams and archival media.

Importance: Capturing data out of order (e.g., shutting down a PC before dumping RAM) results in the permanent loss of critical evidence that cannot be recovered from the hard drive.

SIEM (Security Information and Event Management):

• Focuses on visibility.
• Collects logs, correlates data, and raises alerts.
• "Tell me something is wrong."

SOAR (Security Orchestration, Automation, and Response):

• Focuses on action.
• Integrates tools to define workflows and automate responses.
• "Do something about the alert."

Relationship: SOAR often ingests alerts from a SIEM. While a SIEM might alert on a phishing email, a SOAR playbook can automatically delete that email from all user inboxes and block the sender's IP on the firewall without human intervention.

False Positive (Type I Error):

• The monitoring system generates an alert for malicious activity, but the activity is actually benign (legitimate).
• Consequence: Alarm fatigue for analysts; wasted time.

False Negative (Type II Error):

• Malicious activity occurs, but the monitoring system fails to detect it or generate an alert.
• Consequence: A breach occurs and goes unnoticed.

Comparison:
False Negatives are more dangerous. While False Positives reduce efficiency, False Negatives mean an attacker is inside the network causing damage without the security team's knowledge.

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network flow.

Data Content: Unlike a full packet capture (PCAP) that stores the payload, NetFlow stores "metadata" about the connection:

• Source and Destination IP.
• Source and Destination Ports.
• Protocol (TCP/UDP).
• Amount of data transferred (Bytes/Packets).
• Start and End timestamps.

Utility:

• It acts like a "phone bill" for network traffic (who called whom, how long, when).
• Essential for analyzing high-volume traffic where full packet capture is storage-prohibitive.
• Used to detect DoS attacks, data exfiltration sizes, and unauthorized lateral movement.

Isolation:

• Involves completely disconnecting the infected system from the network.
• Method: Unplugging the network cable or disabling the virtual network adapter.
• Use Case: When a system is confirmed to be infected with a worm or ransomware that spreads rapidly.

Segmentation:

• Involves moving the compromised system to a restricted VLAN or subnet (Sandbox) where it can still be accessed by investigators but cannot access the wider corporate network or internet.
• Use Case: When the team needs to monitor the malware's behavior (beacons) or keep the system live for memory forensics without risking the rest of the network.

Social Engineering relies on psychological manipulation rather than technical hacking.

Indicators:

1. Urgency/Fear: Emails demanding immediate action (e.g., "Your account will be deleted in 1 hour").
2. Mismatched URLs: Hyperlinks where the text says one thing (e.g., paypal.com) but the actual link goes elsewhere (e.g., paypa1-support.net).
3. Unusual Requests: requests for passwords, gift cards, or wire transfers, especially from "executives" (CEO Fraud).
4. Generic Greetings: "Dear Customer" instead of using the recipient's name.
5. Suspicious Attachments: Unexpected invoices or shipping documents (e.g., .zip, .exe, or .docm files).

While the equation is a conceptual model for calculating risk, Logs play a crucial role in managing these variables, specifically in the Threat and Impact domains:

1. Threat Visibility: You cannot calculate Risk if the 'Threat' variable is unknown. Logs provide the visibility required to identify active threats (e.g., brute force attempts in auth logs).
2. Impact Assessment: When an incident occurs, logs allow analysts to determine the scope (Impact). Without logs, one must assume the worst-case scenario (maximum impact).
3. Vulnerability Mitigation: Logs can highlight exploited vulnerabilities (e.g., error logs showing successful SQL injection), prompting patching.

Therefore, robust logging reduces the uncertainty in risk calculation and allows for faster incident response, effectively lowering the overall Risk by minimizing the time a Threat acts upon a system.

Post-Incident Activity (often called Lessons Learned) is the final phase of IR where the team reviews the incident to prevent recurrence.

Key Activities:

• Root Cause Analysis: Determining exactly how the breach happened.
• Metric Calculation: Measuring Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
• Report Generation: Documenting the incident for stakeholders.
• Process Improvement: Updating policies or firewall rules based on gaps found.

Why Neglected?

• Burnout: Teams are exhausted after the high stress of containment and recovery.
• Business Pressure: There is a rush to return to "business as usual" immediately.
• Lack of Tangible Output: Unlike fixing a server, writing a report doesn't feel like "real work" to some technical staff.