CompTIA Security+ (SY0-601): Incident Response & Forensics

Program consisting of the monitoring and detection of security events on a computer network and the execution of proper response to those security events

• Incident Response Manager

• Security Analyst

• Triage Analyst

• Forensic Analyst

• Threat Researcher

• Cross-functional Support

Signals that are sent between two parties or two device that are sent via a path or method different from that of the primary communication between the two parties or devices

A Linux command line utility used for querying and displaying logs from journald, the systemd logging service on Linux

A multi-platform log management tool that helps to easily identify security risks, policy breaches or analyze operational problems in server logs, operation system logs and application logs

nxlog is a cross-platform, open-source tool that is similar to rsyslog or syslog-ng

A network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface, including its point of origin, destination, volume and paths on the network

Short for “sampled flow”, it provides a means for exporting truncated packets, together with interface counters for the purpose of network monitoring

Only a portion of actual network traffic (not technically a flow)
Lower resource requirements
Usually embedded in the infrastructure
Relatively accurate statistics

Internet Protocol Flow Information Export:
Newer netflow-based standard (evolved from Netflow v9)
Flexible data support
Templates are used to describe data

IETF standardization for how IPflow information gets formatted and transferred from an exporter to a collector

Identification
Ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected

Collection
Ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected

Analysis
Create a copy of evidence for analysis and use repeatable methods and tools during analysis

Reporting
Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis

Legal Hold
A process designed to preserve all relevant information when litigation is reasonably expected to occur
A computer or server could be seized as evidence

An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses

An open-source packet generator and analyzer for the TCP/IP protocol that is used for security auditing and testing of firewalls and networks

Send crafted frames
Modify all IP, TCP, UDP, & ICMP values

Utility for reading from and writing to network connections using TCP or UDP which is a dependable back-end that can be used directly or easily driven by other programs and scripts

Can be used for Banner Grabbing; used for shell connections as well

A command line tool to transfer data to or from a server, using any of the supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP or FILE)

Client URL
Retrieve data using a URL (web pages, FTP, emails, databases)
Grabs raw data (search, parse, automate)

A python script that is used to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN database

Gather OSINT

Scrape info from Google/Bing

List people on LinkedIn

DNS brute force

VPN, chat, mail

An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network

Combines many recon tools into a single framework
Dnsenum, metasploit, nmap, theHarvester, & more
Both non-intrusive and very intrusive scanning options
Another tool that can cause problems (brute force, server scanning)

Utility that is used to create an exploitation website that can perform open port scans in a more stealth-like manner

Stealth because you will appear as the web server, and not yourself

Utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization

A proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities

An open source software for automating analysis of suspicious files

A sandbox for malware
A virtualized environment (Windows/Linux/macOS/Android)
Track & trace
API calls, network traffic, memory analysis

A command-line utility for outputting the first ten lines of a file provided to it

A command-line utility for outputting the last ten lines of a file provided to it

A command-line utility for outputting the contents of a file to the screen

A command-line utility for searching plain-text data sets for lines that match a regular expression or pattern

Utility that provides an easy way to add messages to the /var/log/syslog file from the command line or from other files

A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end

A toolkit & crypto library for SSL/TLS

Create X.509 certificates

Manage CSRs and CRLs

Message digests

Encryption/decryption

A command line utility that allows you to capture and analyze network traffic going through your system

A suite of free open source utilities for editing and replaying previously captured network traffic

Test security devices
Check IPS signatures & firewall rules

Test & tune IPflow/NetFlow devices
Send hundreds of thousands of traffic flows per second

Evaluate the performance of security devices
Test throughput & flows per second

A popular network analysis tool to capture network packets and display them at a granular level for real-time or offline analysis

A data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed

A command line utility used to dump system memory to the standard output stream by skipping over holes in memory maps

A commercial disk editor and universal hexadecimal editor used for data recovery and digital forensics

A digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools

Extract many different data times
Downloads, browser cache/history, emails, databases, etc

A computer security tool that offers information about software vulnerabilities, IDS signature development, and improves penetration testing

Browser Exploitation Framework:
A tool that can hook one or more browsers and can use them as a beachhead of launching various direct commands and further attacks against the system from within the browser context

A password recovery tool that can be used through sniffing the network, cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, and analyzing routing protocols

An open source password security auditing and password recovery tool available for many operating systems

Preparation

Identification

Containment

Eradication

Recovery

Lesson Learned

Talking through a drill occurring instead of physically acting it out
Talk through a simulated disaster

Include responders (a step beyond a tabletop exercise)

Test processes/procedures before an event
Walk through each step
Involve all groups
Reference actual response materials

Testing a simulated event

Example: Phishing
Create a phishing email attack for your organization and see who falls for it
If someone fell for it, they need additional training

Keeping an ongoing relationship with IT customers (internal/external)
IT would not exist without the stakeholder

Most of this happens prior to an incident & continues after

Continuity of Operations Planning:
An alternative in case technology fails
Manual transactions, paper receipts, phone calls for transaction approvals

Backup your data (how much? where?)
Lifecycle of data, purging old data

Regulatory compliance
A certain amount of data backup may be required

Differentiate by type & application

The time zone determines how time is displayed
Document local device settings
Different file systems use different timestamp formats
Record the time offset form the OS

(From most to least volatile)

CPU registers, CPU cache

Router table, ARP cache, process table, kernel stats, memory

Temporary file systems

Disk

Remote logging & monitoring data

Physical configuration, network topology

Archival media

Protect against accidental changes during transmission
Simple integrity check
Not designed to replace a hash

Documentation of authenticity
Chain of custody for data handling
Blockchain tech

Collect, prepare, review, interpret, & produce electronic documents
Gathering details & providing to legal authorities
Works together with digital forensics

Proof of data integrity & origin
You said it (or did it), you can’t deny it

MAC (Message Authentication Code)
Two parties verify non-repudiation
Digital signature (non-repudiation is publicly verified)