3.1 Explain concepts related to attack methodology frameworks.

Cyber Kill Chain

Description

• Developed by Lockheed Martin, this framework outlines the steps attackers follow to achieve their goals. Understanding these steps helps in identifying and disrupting attacks at various stages.

Steps

1. Reconnaissance:
   • Gathering information about the target (e.g., IP addresses, employee data).
   • Defensive Actions: Monitor logs for scanning activities and social engineering attempts.

2. Weaponization:
   • Creating a payload (e.g., malware, exploit) to use in the attack.
   • Defensive Actions: Analyze malware in sandbox environments.

3. Delivery:
   • Transmitting the payload to the target (e.g., phishing emails, USB drives).
   • Defensive Actions: Implement email filters and content inspection.

4. Exploitation:
   • Executing the exploit to breach the target system.
   • Defensive Actions: Patch systems and deploy intrusion prevention systems (IPS).

5. Installation:
   • Installing malicious code (e.g., backdoors, rootkits) on the target.
   • Defensive Actions: Use endpoint detection and response (EDR) tools.

6. Command and Control (C2):
   • Establishing a communication channel between the attacker and the compromised system.
   • Defensive Actions: Monitor network traffic for unusual outbound connections.

7. Actions on Objectives:
   • Achieving the attacker's goals (e.g., data exfiltration, destruction).
   • Defensive Actions: Implement data loss prevention (DLP) systems.

Diamond Model of Intrusion Analysis

Description

• A framework for analyzing and visualizing cyber intrusions using four core components.

Core Components

1. Adversary:
   • The entity carrying out the attack.
   • Example: Advanced Persistent Threat (APT) groups or cybercriminals.

2. Infrastructure:
   • The tools, servers, and infrastructure used by the attacker.
   • Example: C2 servers, exploit kits, phishing infrastructure.

3. Victim:
   • The target of the attack.
   • Example: An organization, individual, or system.

4. Capability:
   • The methods and techniques used by the adversary.
   • Example: Malware, zero-day exploits, social engineering.

Defensive Application

• Map relationships between components to identify patterns and predict future attacks.

• Example: Linking multiple incidents to the same adversary by analyzing infrastructure and techniques.

MITRE ATT&CK Framework

Description

• A comprehensive knowledge base of adversary tactics, techniques, and procedures (TTPs).

Structure

1. Tactics:
   • Goals attackers aim to achieve (e.g., Initial Access, Persistence).

2. Techniques:
   • Methods used to achieve those goals (e.g., Spear Phishing, Credential Dumping).

3. Procedures:
   • Specific implementations of techniques.

Use Cases

• Threat Hunting:
  • Identify gaps in defenses by mapping current detections to MITRE ATT&CK techniques.

• Incident Response:
  • Use the framework to understand the attacker’s actions and predict next steps.

Example

• Tactic: Credential Access.

• Technique: Brute Force.

• Procedure: Using tools like Hydra or Medusa to guess passwords.

Open Source Security Testing Methodology Manual (OSSTMM)

Description

• A methodology for performing security testing and analysis, focusing on operational security.

Key Sections

1. Information Security:
   • Evaluating data confidentiality, integrity, and availability.

2. Human Security:
   • Assessing security awareness and social engineering vulnerabilities.

3. Physical Security:
   • Testing access controls and physical barriers.

Benefits

• Provides a structured approach to testing security across multiple domains.

• Ensures comprehensive assessments by covering technical, operational, and human factors.

Use Cases

• Conducting penetration tests to uncover vulnerabilities.

• Developing detailed security reports for compliance.

OWASP Testing Guide

Description

• A practical guide to testing web applications for security vulnerabilities, developed by the Open Web Application Security Project (OWASP).

Key Areas

1. Input Validation Testing:
   • Check for improper input handling to prevent attacks like SQL Injection and XSS.

2. Authentication Testing:
   • Evaluate mechanisms like password policies, MFA, and session management.

3. Authorization Testing:
   • Verify access controls to prevent privilege escalation.

4. Session Management Testing:
   • Test for vulnerabilities in session cookies, timeouts, and session hijacking.

5. Cryptography:
   • Check for proper use of encryption algorithms and secure transport (e.g., TLS).

Example Testing Scenarios

• Detecting weak passwords by attempting brute-force attacks.

• Identifying missing or insecure HTTP headers like Content-Security-Policy.

Tools

• OWASP ZAP, Burp Suite, Nikto.

3.2 Given a scenario, perform incident response activities.

Detection and Analysis

Indicators of Compromise (IoCs)

• Definition: Artifacts or evidence that indicate malicious activity in a system or network.

• Examples:
  • Unusual network traffic patterns (e.g., communication with known malicious IPs).
  • Suspicious files or processes (e.g., malware hashes, rogue executables).
  • System log anomalies (e.g., repeated failed login attempts).

• Actionable Steps:
  • Use threat intelligence feeds to identify known IoCs.
  • Deploy tools like EDR (Endpoint Detection and Response) to monitor systems.

Evidence Acquisition

Chain of Custody

• Definition: A documented process that tracks the handling and storage of evidence to ensure its integrity.

• Best Practices:
  • Maintain a log of who handled the evidence, when, and for what purpose.
  • Use tamper-proof bags or tools for physical evidence storage.
  • Example Chain of Custody Log:

    Date         Handler           Action
    2024-12-28   John Smith        Acquired forensic image of laptop.

Validating Data Integrity

• Definition: Ensuring that evidence remains unaltered.

• Tools:
  • Use hashing algorithms (e.g., SHA-256) to verify data integrity.
  • Example Command:

    sha256sum evidence.img

Preservation

• Definition: Protecting evidence from tampering or alteration.

• Techniques:
  • Isolate affected systems to prevent further changes.
  • Take forensic snapshots or memory dumps for volatile data.

Legal Hold

• Definition: A process to preserve all relevant data for potential legal or regulatory proceedings.

• Best Practices:
  • Work with legal teams to identify data subject to preservation.
  • Archive logs and evidence in a secure, immutable storage system.

Data and Log Analysis

Definition

• Analyzing collected logs and data to identify patterns, anomalies, and malicious activities.

Key Logs to Analyze

• System Logs: Failed logins, unauthorized access attempts.

• Network Logs: Traffic patterns, DNS queries to malicious domains.

• Application Logs: Unexpected API calls, failed transactions.

Tools

• SIEM (e.g., Splunk, Elastic Stack): Correlates and analyzes logs across systems.

• Packet Analyzers (e.g., Wireshark): Examines network traffic for anomalies.

• Example:
  • Use Wireshark to filter malicious traffic:

    ip.addr == 192.168.1.100 && tcp.port == 4444

Containment, Eradication, and Recovery

Scope

• Definition: Determine the extent of the compromise.

• Steps:
  • Identify affected systems, users, and data.
  • Use network mapping tools (e.g., Nmap) to understand the spread.

Impact

• Definition: Assess the damage caused by the incident.

• Considerations:
  • Business continuity disruption.
  • Data theft or corruption.
  • Legal and regulatory implications.

Isolation

• Definition: Separate compromised systems to prevent the spread of the attack.

• Techniques:
  • Quarantine infected endpoints.
  • Disable compromised user accounts.
  • Apply network segmentation to restrict lateral movement.
  • Example Command:

    iptables -A INPUT -s 192.168.1.101 -j DROP

Remediation

• Definition: Remove the root cause of the incident.

• Steps:
  • Apply patches for exploited vulnerabilities.
  • Revoke compromised credentials.
  • Review and update firewall rules.

Re-imaging

• Definition: Restore systems to a secure state by reinstalling their operating systems and applications.

• Best Practices:
  • Use validated clean images for reinstallation.
  • Apply the latest patches and configurations before reconnecting to the network.

Compensating Controls

• Definition: Temporary measures implemented to reduce risk until full remediation is achieved.

• Examples:
  • Deploying a Web Application Firewall (WAF) to block malicious traffic.
  • Increasing logging and monitoring for suspicious activities.

Example Incident Response Workflow

1. Detection and Initial Analysis
   • IoC Identified: Unusual outbound traffic to malicious-domain.com.
   • Actions: Isolate the affected endpoint and acquire logs.

2. Evidence Acquisition
   • Capture a forensic image of the system.
   • Hash evidence to ensure integrity.

3. Containment
   • Block the malicious domain at the firewall.
   • Quarantine the compromised machine.

4. Eradication
   • Remove malware and malicious scripts.
   • Patch vulnerable software exploited in the attack.

5. Recovery
   • Re-image the compromised system.
   • Restore data from backups and validate its integrity.

6. Post-Incident Actions
   • Conduct a root cause analysis.
   • Update policies to prevent recurrence (e.g., stricter patch management).

3.3 Explain the preparation and post-incident activity phases of the incident management life cycle.

Preparation

The preparation phase focuses on readiness to handle potential incidents effectively. It involves developing strategies, acquiring resources, and training personnel.

Incident Response Plan (IRP)

• Definition: A formal document outlining procedures for detecting, responding to, and recovering from incidents.

• Key Components:
  • Roles and responsibilities (e.g., incident handler, forensic analyst).
  • Communication plan, including internal and external notifications.
  • Steps for escalation and prioritization.

• Example: Specify how to handle ransomware attacks, including isolating affected systems and notifying legal teams.

Tools

• Definition: Tools and software essential for detecting and responding to incidents.

• Examples:
  • SIEM Tools: Splunk, ELK Stack for log analysis.
  • Forensic Tools: EnCase, FTK for evidence acquisition.
  • EDR Tools: CrowdStrike, Carbon Black for endpoint monitoring.

Playbooks

• Definition: Predefined, step-by-step procedures for handling specific incident types.

• Examples:
  • Ransomware Playbook: Isolate affected systems, disable network shares, engage incident response team.
  • Phishing Playbook: Block malicious domains, reset affected accounts, implement MFA.

Tabletop Exercises

• Definition: Scenario-based exercises to simulate incident handling in a controlled environment.

• Purpose:
  • Test the effectiveness of the IRP and playbooks.
  • Identify gaps in preparedness.

• Example: Simulate a DDoS attack to test coordination between IT and network teams.

Training

• Definition: Regular education sessions to ensure team members are prepared to handle incidents.

• Focus Areas:
  • Recognizing phishing emails.
  • Using forensic tools.
  • Following communication protocols.

• Example: Conduct workshops on detecting and mitigating SQL injection attacks.

Business Continuity (BC) and Disaster Recovery (DR)

• Business Continuity:

  Ensures critical business functions can continue during an incident.

  • Example: Redirecting customer service calls to an alternate location during a system outage.

• Disaster Recovery:

  Focuses on restoring IT systems and data after an incident.

  • Example: Recovering from ransomware by restoring encrypted files from backups.

Best Practices:

• Regularly test BC/DR plans through mock scenarios.

• Maintain geographically dispersed backups to ensure data availability.

Post-Incident Activity

Post-incident activities focus on analyzing the incident, understanding its root causes, and improving processes to prevent recurrence.

Forensic Analysis

• Definition: The collection and examination of digital evidence to determine the nature and scope of the incident.

• Steps:
  • Capture disk images and memory dumps.
  • Analyze logs and network traffic.
  • Identify the initial entry point and tools used by the attacker.

• Example: Using EnCase to recover deleted files and uncover data exfiltration paths.

Root Cause Analysis (RCA)

• Definition: Identifying the underlying cause of the incident to prevent future occurrences.

• Steps:
  • Trace the timeline of the attack.
  • Identify vulnerabilities exploited (e.g., unpatched software).
  • Assess whether existing controls failed.

• Example: Determine that a phishing email led to credential theft, enabling lateral movement.

Lessons Learned

• Definition: A formal review of the incident to identify improvement areas.

• Key Questions:
  • What worked well during the response?
  • What were the challenges or gaps?
  • How can processes, tools, or training be improved?

• Output:
  • Update incident response playbooks and IRP.
  • Implement additional security measures, such as MFA or enhanced logging.

• Example: After a ransomware attack, add regular user training on phishing awareness to the security program.

Incident Management Life Cycle Overview

Example Scenario: Ransomware Incident

Preparation Phase:

• IRP includes a ransomware playbook.

• Backup systems are tested and stored offsite.

During Incident:

• Detection: Unusual file encryption detected via EDR tool.

• Analysis: Logs show a compromised admin account initiating encryption commands.

• Containment: Isolate affected endpoints and disable admin account.

• Eradication: Remove malware and patch exploited vulnerabilities.

• Recovery: Restore files from the latest backup.

Post-Incident Activities:

• Conduct forensic analysis to identify how credentials were stolen.

• Add additional controls, such as MFA for admin accounts.

• Update the ransomware playbook based on lessons learned.