CISC 6920
and Risk Management
James Doyle
Mar 15, 2020
Schedule

Mar 15, 2020
- Log Analysis, Timeline Analysis (IRCF chapters 8, 9, 10)
- Incident Triage Scenario distributed
- Lab: Tor / Grey & Dark Web
- Student Presentations
- Due: Submit Gap Analysis on Apr 4; some will be selected for presentation

Apr 5, 2020
- Incident Response: Lockheed Martin Cyber Kill Chain
- Lab: Axiom, Cloud
- Student Presentations
- Due: Submit Scenario PPT; FINAL NEXT CLASS

Apr 26, 2020
- Final Class: conclude on materials and labs
- Due: Submit Practical
- FINAL IN CLASS
- Student Presentations
Where are we?
• We have finished Harkins, “MRIS”
• For IRCF, you should have finished up to Chapter 10.
We will not do further readings from this text.
• You should have read (all on Blackboard):
– NIST SP 800-61 Rev. 2 and SP 800-53 Rev. 4
– SANS Articles: “IR Team”
– SANS Article: IR Investigation
– SANS Article Creating & Managing IR team
– SANS Incident Handlers Handbook
– IBM 2019 Cost of Breach
– Deloitte Cost of Breach
– Verizon 2019 DBIR (2020 not released yet)
– For Next Class: LM Cyber Kill Chain
Today’s Agenda
• Scenario Distribution
• Lecture on Chapters from IRCF
• Tor Demo- Practice at home
• Discuss write blockers (Tableau write blocker video):
https://www.bing.com/videos/search?q=tableau+writeblockers&&view=detail&mid=EE4963F2D7FE9CE2F577EE4963F2D7FE9CE2F577&&FORM=VRDGAR&ru=%2Fvideos%2Fsearch%3Fq%3Dtableau%2Bwriteblockers%26qpvt%3Dtableau%2Bwriteblockers%26FORM%3DVDRE
During incident response handling there is a consistent set of activities for gathering
information, coordinating activities, assessing results and communicating with involved or affected
parties. The following phases are used:

Alert & Scope -> Triage -> Contain -> Mitigate -> Eradicate & Recover -> Report -> Closure

Phase: Description
Alert & Scope: Confirm receipt of a potential cyber incident, determine whether it is a cyber incident, determine its severity,
assign a Primary Incident Responder and, if needed, engage Subject Matter Experts (SMEs) or stand up a
Security Incident Response Team (SIRT)
Investigate: Determine the extent of compromise; if the incident involves a data breach, Legal and/or the Chief
Privacy Officer direct actions based on the privacy plan
Report: Document the incident; make required notifications in the case of a data breach to relevant parties, including
affected person(s), regulatory and governmental agencies, and law enforcement as needed
Lessons Learned: Improve future security posture by learning from previous experiences

Please note that the above 7 phases are adapted from NIST SP 800-61 Rev. 2. NIST's own lifecycle has four
phases (Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity);
the phases above subdivide the middle two and add a formal closure step.
Incident Response Process
(Corporate Security Incident Response Team)

Detection
- Detect incident
- Log incident
- Reduce false positives

Cyber Incident Assessment / Response Process (initial response)
- Determine scope
- Assemble Response Team
- Collect & sort facts

Digital Forensics Analysis
- Engage digital forensics process
- Collect evidence
- Engage 3rd party

Containment (investigate incident)
- Technology containment
- Process containment
- Procedure containment

Resolution & Reporting
- Notify client
- Notify regulators
- Remediate
- Identify source
- Analyze long-term effects
- Analyze lessons learned
Collecting the facts
• The initial facts about an event are all an investigation has
to get started, so it is a good idea to get them right.
• It is also important to gather additional information about
those facts so you can establish context.
• For example, the time an event occurred is of little use if you
do not know the corresponding time zone; normalize times to one
zone (UTC) before comparing events from different systems.
• Without that context, it is easy to jump to the wrong
conclusions about what an event means.
• Investigation communication must be conducted out of
band, on channels the suspected intruder cannot read:
– Investigation integrity
– Privacy concerns
Time and Data Types
• Incident Summary
– Date and time incident was reported
– Date and time incident was detected
– Reported severity based on certain variables
• Contact information of the person
documenting this information.
• Contact information of the person who
reported and who detected the incident
• Nature of the incident and its type (e.g.
malware, internal compromise, etc.)
– Select a common taxonomy for incident
reporting
Detection Summary Checklist
Triaging an Incident
Static artifacts to check on a suspect file:
• DNS calls
• File size
• Portable Executable (DLL)
• Compilation time stamp
• MD5 (check for matching known-bad hashes)
• Network IOC
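The following is an added example written for this page, not code from the course or its texts. It performs the static triage the slide lists on a Windows Portable Executable: file size, MD5/SHA-256, whether the file is a DLL, and the compiler time stamp from the COFF header, which is then compared against the incident window (a compile time after the incident began, or in the future, is worth a closer look). The PE bytes are a constructed minimal header built in the block itself, the incident window and the empty known-bad hash set are hypothetical, and the `triage` function name is mine.

```python
"""Static PE triage: size, hashes, DLL flag, compile time stamp vs. incident window.
The sample PE is constructed in build_fake_pe(); no real binary is read."""
from __future__ import annotations

import hashlib
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLLs


def build_fake_pe(timestamp: int, characteristics: int) -> bytes:
    """Construct just enough of a PE (DOS header + PE signature + COFF header)
    for header parsing. Real samples would be read from disk instead."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header at offset 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * 16


def parse_pe(data: bytes) -> dict:
    """Read the COFF header fields that matter for triage."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    return {
        "machine": machine,
        "sections": nsec,
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def triage(data: bytes, incident_start: datetime, known_bad_md5: set[str]) -> dict:
    """Combine hashes, size and header facts into one triage record with flags."""
    hdr = parse_pe(data)
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    flags = []
    if md5 in known_bad_md5:
        flags.append("md5 matches known-bad IOC")
    if hdr["compile_time"] > datetime.now(timezone.utc):
        flags.append("compile time in the future (forged or clock skew)")
    elif hdr["compile_time"] >= incident_start:
        flags.append("compiled during the incident window")
    return {"size": len(data), "md5": md5, "sha256": sha256, **hdr, "flags": flags}


def demo() -> tuple[dict, dict]:
    """Triage two constructed samples: a DLL compiled inside a hypothetical
    incident window and an EXE carrying a forged (future) time stamp."""
    incident_start = datetime(2020, 3, 14, tzinfo=timezone.utc)  # hypothetical
    dll = build_fake_pe(1584277200, 0x2022)   # 2020-03-15T13:00:00Z, DLL flag set
    forged = build_fake_pe(0x7FFFFFFF, 0x0102)  # 2038-01-19, EXE, not a DLL
    return triage(dll, incident_start, set()), triage(forged, incident_start, set())


if __name__ == "__main__":
    for rec in demo():
        print(rec["size"], rec["md5"], rec["is_dll"], rec["compile_time"].isoformat(), rec["flags"])
```

The compile time stamp is attacker-controlled: linkers can be told to write any value, and some toolchains write zero or a reproducible-build hash instead of a time, so treat it as a lead to corroborate with file-system timestamps and the network IOCs, not as proof.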
Several leading practices, standards and guidelines exist in the industry. Below are a number of additional
information sources for consideration:
Skill Sets Required for Incident Response
• Ability to retrieve
The LAW
• Identify sources
• Identify parameters (volume, retention in days,
time stamps and their time zone)
• Preserve integrity by hashing the original
files. Acquire and preserve, work off a
copy, and re-hash the copy to confirm it matches.
• Normalize the logs: convert every source to UTC (or to
the zone of the current location, or of the location the target was in),
but use one zone consistently.
• Filter and analyze; sometimes Excel is
your filtering tool.
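The procedure above (acquire and hash the original, work on a verified copy, normalize time stamps to UTC, then filter), as an added example written for this page rather than taken from the course materials. The two log excerpts are constructed: a Linux auth log whose host clock is set to US Eastern (UTC-4) and a web server access log written in UTC, both recording the same remote address. Without normalization the web request would appear to occur hours before the SSH login that preceded it; after normalization the events sort correctly. Function names and the log formats are mine.

```python
"""Log acquisition and normalization: hash original, work on a copy, convert
mixed time zones to UTC, build one ordered timeline, then filter by indicator.
All log lines are constructed for this example."""
from __future__ import annotations

import hashlib
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed: host clock in US Eastern (-0400 in DST) ...
HOST_LOG = """\
2020-03-15 09:02:11 -0400 sshd[2211]: Accepted password for jdoe from 203.0.113.7 port 51022 ssh2
2020-03-15 09:05:40 -0400 sudo: jdoe : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow
2020-03-15 09:07:02 -0400 sshd[2211]: Disconnected from 203.0.113.7
"""
# ... and a web server logging in UTC (Apache combined-style, trimmed).
WEB_LOG = """\
203.0.113.7 - - [15/Mar/2020:13:03:55 +0000] "GET /admin HTTP/1.1" 401 512
198.51.100.2 - - [15/Mar/2020:13:04:10 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

SYSLOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-]\d{4}) (.*)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \d+')


def acquire(original: Path, workdir: Path) -> tuple[str, Path]:
    """Hash the original, copy it, verify the copy, return (sha256, copy path).
    All later analysis runs against the copy, never the original."""
    digest = hashlib.sha256(original.read_bytes()).hexdigest()
    workdir.mkdir(parents=True, exist_ok=True)
    copy = workdir / original.name
    shutil.copy2(original, copy)
    if hashlib.sha256(copy.read_bytes()).hexdigest() != digest:
        raise RuntimeError("working copy does not match original hash")
    return digest, copy


def parse_syslog_line(line: str) -> dict:
    """Parse a host line; the explicit offset is what lets us convert to UTC."""
    m = SYSLOG_RE.match(line)
    ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S %z")
    return {"ts_utc": ts.astimezone(timezone.utc), "source": "host", "msg": m.group(3)}


def parse_apache_line(line: str) -> dict:
    m = APACHE_RE.match(line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return {"ts_utc": ts.astimezone(timezone.utc), "source": "web",
            "msg": f"{m.group(1)} {m.group(3)} -> {m.group(4)}"}


def build_timeline(host_text: str, web_text: str) -> list[dict]:
    """Parse both sources, normalize to UTC, and order the merged events."""
    events = [parse_syslog_line(ln) for ln in host_text.splitlines() if ln.strip()]
    events += [parse_apache_line(ln) for ln in web_text.splitlines() if ln.strip()]
    return sorted(events, key=lambda e: e["ts_utc"])


def filter_events(events: list[dict], needle: str) -> list[dict]:
    """Keep events whose message mentions an indicator (IP, username, path).
    This is the same job a filter on a CSV export in Excel does."""
    return [e for e in events if needle in e["msg"]]


def demo_acquire() -> bool:
    """Write the constructed host log to a temp dir, acquire it, and confirm
    the working copy is a distinct file with the original's hash."""
    with tempfile.TemporaryDirectory() as d:
        orig = Path(d) / "auth.log"
        orig.write_text(HOST_LOG)
        sha, copy = acquire(orig, Path(d) / "work")
        return copy != orig and sha == hashlib.sha256(copy.read_bytes()).hexdigest()


if __name__ == "__main__":
    print("acquire ok:", demo_acquire())
    for e in filter_events(build_timeline(HOST_LOG, WEB_LOG), "203.0.113.7"):
        print(e["ts_utc"].isoformat(), e["source"], e["msg"])
```

Note that the filter on the remote IP drops the `sudo` line, which names only the user; pivoting from the login to the username and filtering again is the step that ties the privileged command to the same actor.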
Logs as Evidence
• Information in Logs:
– System Events
– Audit records
– Application Events
– Command History
– User activity
• Possible correlations:
– Username
– IP address
– Port
– Hostname
Other Logs
• Unix/Linux
• Firewall
– Connection attempts
– Failed connections
– Audit events
– IP address
– Network
– Connection type (tcp, http, etc)
– Ports accessed or attempted
Router Logs
• Audit log
• Connection log
• Connection size
• NAT information
• IP
• Host
• Port
• Network
HTTP or Proxy Logs
• User activity
• Websites visited
• User agent (browser)
• IP address
• Hostname
VPN logs
• Username
• IP Address
DNS logs
• User activity
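The log sources above share a handful of fields (username, IP address, port, hostname), and the "possible correlations" on the Logs as Evidence slide are exactly those join keys. The following added example, written for this page and not taken from the course materials, pivots across constructed VPN, firewall, DNS and proxy logs: the VPN log maps a username to an assigned address and a session window, and every other source is then filtered by that address inside that window only, because a VPN address is reassigned once the session ends and events from it outside the window belong to someone else. Hostnames, the key=value log format and all addresses are made up; times are already in UTC.

```python
"""Cross-log correlation: username -> VPN-assigned IP -> session window ->
events in firewall, DNS and proxy logs. All log lines are constructed."""
from __future__ import annotations

import re
from datetime import datetime, timezone

VPN_LOG = """\
2020-03-15T12:58:00Z vpn01 session-start user=jdoe assigned=10.8.0.17 peer=203.0.113.7
2020-03-15T12:59:30Z vpn01 session-start user=asmith assigned=10.8.0.18 peer=198.51.100.2
2020-03-15T13:20:00Z vpn01 session-end user=jdoe assigned=10.8.0.17
"""
FIREWALL_LOG = """\
2020-03-15T13:01:05Z fw01 ALLOW src=10.8.0.17 dst=10.0.5.20 dport=445 proto=tcp
2020-03-15T13:01:06Z fw01 DENY src=10.8.0.17 dst=10.0.5.21 dport=445 proto=tcp
2020-03-15T13:02:40Z fw01 ALLOW src=10.8.0.18 dst=10.0.5.30 dport=443 proto=tcp
2020-03-15T13:25:00Z fw01 ALLOW src=10.8.0.17 dst=10.0.5.22 dport=3389 proto=tcp
"""
DNS_LOG = """\
2020-03-15T13:00:50Z dns01 client=10.8.0.17 query=fileserver.corp.example A
2020-03-15T13:03:10Z dns01 client=10.8.0.18 query=intranet.corp.example A
"""
PROXY_LOG = """\
2020-03-15T13:04:12Z proxy01 client=10.8.0.17 url=http://pastebin.example/raw/x ua="curl/7.68.0"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split '<iso-time> <host> <rest>' and lift key=value pairs into the event."""
    ts_str, host, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = {"ts": ts, "host": host, "raw": line}
    event.update({k: v.strip('"') for k, v in KV_RE.findall(rest)})
    return event


def parse_log(text: str) -> list[dict]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def vpn_sessions(vpn_events: list[dict], user: str) -> list[tuple[str, datetime, datetime | None]]:
    """Pair session-start/session-end for one user into (ip, start, end) windows.
    A session still open when the log was pulled gets end=None."""
    sessions, open_sessions = [], {}
    for ev in vpn_events:
        if ev.get("user") != user:
            continue
        if "session-start" in ev["raw"]:
            open_sessions[ev["assigned"]] = ev["ts"]
        elif "session-end" in ev["raw"]:
            sessions.append((ev["assigned"], open_sessions.pop(ev["assigned"]), ev["ts"]))
    sessions.extend((ip, start, None) for ip, start in open_sessions.items())
    return sessions


def activity_for_user(user: str, vpn: str, fw: str, dns: str, proxy: str) -> list[dict]:
    """Every event attributable to the user through their VPN address, limited to
    the session window. Same-IP events outside the window are not attributed."""
    others = parse_log(fw) + parse_log(dns) + parse_log(proxy)
    hits = []
    for ip, start, end in vpn_sessions(parse_log(vpn), user):
        for ev in others:
            src = ev.get("src") or ev.get("client")
            if src == ip and start <= ev["ts"] and (end is None or ev["ts"] <= end):
                hits.append(ev)
    return sorted(hits, key=lambda e: e["ts"])


if __name__ == "__main__":
    for ev in activity_for_user("jdoe", VPN_LOG, FIREWALL_LOG, DNS_LOG, PROXY_LOG):
        print(ev["ts"].isoformat(), ev["host"], ev["raw"].split(" ", 2)[2])
```

The 13:25:00 RDP connection from 10.8.0.17 is deliberately left out of jdoe's activity: it is after the session ended, so attributing it to jdoe would be the kind of wrong conclusion the "collecting the facts" slide warns about.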
Investigating Logs Methods