
Incident Response Handling

AITI-KACE, CAPT
March, 2022
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Incident Response
Establishing an Incident Response Capability
• Incident response aims to limit the impact of an attack, assess the damage caused, and implement recovery procedures.
• Incident response is the set of methods, policies, and procedures an organization uses to respond to a cyber attack.

Incident Response
Responding to Attacks

Different attack vectors require different response strategies.
Common attack vectors (the categories used in NIST SP 800-61):
• External/Removable Media: An attack executed from removable media (e.g., a flash drive or CD) or a peripheral device.
• Attrition: An attack that employs brute-force methods to compromise, degrade, or destroy systems, networks, or services.
• Web: An attack executed from a website or web-based application.
• Email: An attack executed via an email message or attachment.
• Loss or Theft of Equipment: The loss or theft of a computing device or media used by the organization, such as a laptop or smartphone.
• Improper Usage: Any incident resulting from a violation of the organization's acceptable usage policies by an authorized user, excluding the above categories.
Incident Response
NIST Incident Response Life Cycle
• NIST defines four phases in the incident response life cycle:
• Preparation – The members of the CSIRT are trained in how to respond to an incident.
• Detection and Analysis – The CSIRT quickly identifies, analyzes, and validates an incident.
• Containment, Eradication, and Recovery – The CSIRT implements procedures to contain the threat, eradicate its impact on organizational assets, and use backups to restore data and software.
• Post-Incident Activities – The CSIRT documents how the incident was handled, recommends changes for future response, and specifies how to avoid a recurrence.
Incident Response
Preparation
• The preparation phase is when the CSIRT is created and trained. The tools and assets the team will need to investigate incidents are acquired and deployed.
• Examples of actions in the preparation phase:
• Facilities to host the response team and the SOC are created.
• Risk assessments are used to implement controls that will limit the number of incidents.
• User security awareness training materials are developed.
• The hardware and software needed for incident analysis and mitigation are acquired.
Incident Response
Detection and Analysis
Defining what constitutes an incident:
• Profile the network and systems to draw baselines.
• Define normal and anomalous traffic.
• Create a log/alert retention policy.
• Understand the sources of precursors (signs that an incident may occur in the future) and indicators (signs that an incident may have occurred or is occurring now).
• Create processes to prioritize security incidents effectively.
Incident Response
Detection and Analysis
• Sources of indicators:
• Alerts
• IDS/IPS
• SIEMs
• Antivirus/anti-malware
• Logs
• OS, application, network, and system logs.
• Network flows (e.g., ntop with nprobe, and nfdump with nfcapd).
• Publicly available information on exploits and vulnerabilities, e.g., CERT advisories, SCAP content, Exploit-DB, and MITRE ATT&CK.
• People from within or outside the organization.
Incident Response
Containment, Eradication, and Recovery
• After the incident has been validated through detection and analysis, it must be contained.
• Containment Strategy: For every type of incident, a containment strategy should be created and enforced; which strategy applies depends on the conditions of the incident.
• Evidence: During an incident, evidence must be gathered to resolve it, and it may be required for subsequent investigation by authorities, so it must be collected and handled in a way that preserves its integrity (a documented chain of custody).
• Attacker Identification: Identifying the attacking hosts helps scope the incident, but NIST SP 800-61 advises handlers to stay focused on containment, eradication, and recovery rather than on attribution, which can be time-consuming and futile.
• The containment, eradication, and recovery phase includes the following activities:
• Evidence gathering and handling
• Identifying the attacking and infected hosts
• Choosing a containment strategy to effectively contain and eradicate the attack, as well as to successfully recover from it
Incident Response
Containment, Eradication, and Recovery
NIST Special Publication 800-61 also defines the following criteria for determining the appropriate containment, eradication, and recovery strategy:
• The potential damage to and theft of resources
• The need for evidence preservation
• Service availability (e.g., network connectivity and services provided to external parties)
• The time and resources needed to implement the strategy
• The effectiveness of the strategy (partial versus full containment)
• The duration of the solution (an emergency workaround, a temporary workaround, or a permanent solution)
Incident Response
Post-Incident Activities
• It is important to meet periodically with all the parties involved to discuss the events that took place and the actions of all the individuals while handling the incident.
Lessons-based hardening:
• The organization should hold a "lessons learned" meeting to:
• Review the effectiveness of the incident handling process.
• Identify the hardening needed for existing security controls and practices.
Fighters in the War Against Cybercrime
Elements of a SOC
• To use a formalized, structured, and disciplined approach for defending against cyber threats, organizations typically use the services of professionals from a Security Operations Center (SOC).
• SOCs provide a broad range of services, from monitoring and management to comprehensive threat solutions and customized hosted security.
• SOCs can be wholly in-house, owned and operated by a business, or elements of a SOC can be contracted out to security vendors, such as Cisco's Managed Security Services.
Fighters in the War Against Cybercrime
People in the SOC
SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.

Tier 1 Alert Analyst: Monitors incoming alerts, verifies that a true incident has occurred, and forwards tickets to Tier 2 if necessary.
Tier 2 Incident Responder: Performs deep investigation of incidents and advises on the remediation or other action to be taken.
Tier 3 Threat Hunter: Expert in networks, endpoints, threat intelligence, and malware reverse engineering; traces what malware does to determine its impact and how it can be removed. Also deeply involved in hunting for potential threats and implementing threat detection tools. Threat hunters search for cyber threats that are present in the network but have not yet been detected.
SOC Manager: Manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.
Fighters in the War Against Cybercrime
Technologies in the SOC: SIEM
• A SOC needs a Security Information and Event Management (SIEM) system to make sense of the data that firewalls, network appliances, intrusion detection systems, and other devices generate.
• SIEM systems collect and filter data, and detect, classify, analyze, and investigate threats. They may also manage resources to implement preventive measures and address future threats.
Sources of Alerts
Security Onion
• Security Onion is an open-source suite of Network Security Monitoring (NSM) tools. The release described in these slides runs on an Ubuntu Linux distribution; current Security Onion 2 releases ship as their own ISO image.
• Some components of Security Onion are owned and maintained by corporations, such as Cisco (Snort) and Riverbed Technology (Wireshark), but are made available as open source.
Sources of Alerts
Intrusion Detection and Prevention
• Signature-based IDS

A signature-based IDS, also known as a knowledge-based IDS, consists of rules or patterns describing known malicious traffic that are searched for in observed traffic. Once a match to a signature is found, an alert is sent to the administrator. By construction it cannot detect an attack for which no signature exists yet.

• Anomaly-based IDS

An anomaly-based IDS, also known as a behaviour-based IDS, detects intrusions based on baselines rather than signatures. The focus is on unusual activity that deviates from statistical averages of previous activity or from previously seen behaviour. For example, if a user always logs into the network from London and accesses engineering files, the same user logging in from Tokyo and looking at HR files is a red flag. Such a deviation is a lead for an analyst to verify, not proof of compromise, since legitimate changes in behaviour (travel, a new role) produce the same signal.
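The baseline-then-deviation logic described in the profiling step of Detection and Analysis and in the London/Tokyo example above, as an added example: this is Python written for this page, not code from the slides or from Security Onion. The access log, users, countries and byte counts are constructed; the per-user profile, the 3-sigma transfer-size threshold and the split of resources into classes on the first path component are assumptions chosen for illustration.

```python
"""Behaviour-based (anomaly) detection over a constructed login/access log.

Added example for this page; not code from the slides or from Security Onion.
The log format, users, locations and byte counts are all constructed. A per-user
baseline is built from historical events (countries seen, resource classes
touched, typical transfer size) and a new event is scored against it.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed baseline log. Fields: timestamp user country resource bytes
BASELINE_LOG = """\
2022-03-01T08:02:11Z alice GB eng/specs.docx 120400
2022-03-01T09:15:40Z alice GB eng/firmware.bin 2048000
2022-03-02T08:10:03Z alice GB eng/design.pdf 530000
2022-03-02T10:44:19Z alice GB eng/bom.xlsx 88000
2022-03-03T08:05:55Z alice GB eng/specs.docx 121000
2022-03-01T08:30:00Z bob US hr/payroll.xlsx 45000
2022-03-02T08:31:12Z bob US hr/reviews.docx 64000
2022-03-03T08:29:48Z bob US hr/payroll.xlsx 46000
"""


@dataclass
class Profile:
    """What 'normal' looks like for one user, learned from the baseline period."""
    countries: set[str] = field(default_factory=set)
    resource_classes: set[str] = field(default_factory=set)   # e.g. "eng", "hr" (assumed split)
    byte_counts: list[int] = field(default_factory=list)


def parse_line(line: str) -> tuple[str, str, str, str, int]:
    ts, user, country, resource, nbytes = line.split()
    return ts, user, country, resource, int(nbytes)


def build_profiles(log_text: str) -> dict[str, Profile]:
    """Profile users to draw a baseline (the first Detection and Analysis step)."""
    profiles: dict[str, Profile] = defaultdict(Profile)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, country, resource, nbytes = parse_line(line)
        prof = profiles[user]
        prof.countries.add(country)
        prof.resource_classes.add(resource.split("/", 1)[0])
        prof.byte_counts.append(nbytes)
    return dict(profiles)


def score_event(profiles: dict[str, Profile], line: str, z_threshold: float = 3.0) -> list[str]:
    """Return the reasons an event deviates from its user's baseline ([] means 'normal')."""
    _, user, country, resource, nbytes = parse_line(line)
    prof = profiles.get(user)
    if prof is None:
        return ["no baseline for user " + user]
    reasons = []
    if country not in prof.countries:
        reasons.append(f"login from {country}, baseline {sorted(prof.countries)}")
    resource_class = resource.split("/", 1)[0]
    if resource_class not in prof.resource_classes:
        reasons.append(f"access to {resource_class}/ files, baseline {sorted(prof.resource_classes)}")
    # Statistical deviation: flag transfers more than z_threshold standard deviations
    # above the user's historical mean (population stdev over the baseline window).
    if len(prof.byte_counts) >= 2:
        mean = statistics.mean(prof.byte_counts)
        stdev = statistics.pstdev(prof.byte_counts)
        if stdev > 0 and (nbytes - mean) / stdev > z_threshold:
            reasons.append(f"transfer of {nbytes} bytes is {(nbytes - mean) / stdev:.1f} sigma above mean")
    return reasons


PROFILES = build_profiles(BASELINE_LOG)

if __name__ == "__main__":
    for event in (
        "2022-03-04T08:00:00Z alice GB eng/specs.docx 120000",      # normal
        "2022-03-04T03:12:00Z alice JP hr/salaries.xlsx 60000",     # the London/Tokyo pattern
        "2022-03-04T08:00:00Z bob US hr/payroll.xlsx 5000000",      # unusual volume
    ):
        print(event.split()[1], "->", score_event(PROFILES, event) or "normal")
```

Each reason is a lead, not a verdict: the alice/JP event is exactly what a travelling engineer who has moved to HR would also produce, so the output is something a Tier 1 analyst queues for verification, which is the point the slide makes about anomaly detection.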
Evaluating Alerts
Detection Tools for Collecting Alert Data
• Security Onion contains many components. It is an integrated environment designed to simplify the deployment of a comprehensive NSM solution.
• The figure illustrates the way in which the components of Security Onion work together.

Figure: A Security Onion Architecture
Evaluating Alerts
Detection Tools for Collecting Alert Data (Contd.)
The following table lists the detection tools in Security Onion:

CapME: A web application for viewing pcap transcripts rendered with the tcpflow or Zeek tools.
Snort: A Network Intrusion Detection System (NIDS) and an important source of alert data, which is indexed in the Sguil analysis tool. Snort uses a signature-based approach.
Zeek (formerly Bro): A NIDS that takes more of a behavior-based approach to intrusion detection, producing protocol transaction logs rather than only signature alerts.
OSSEC: A host-based intrusion detection system (HIDS) integrated into Security Onion.
Wazuh: A full-featured HIDS (a fork of OSSEC) that provides a broad spectrum of endpoint protection mechanisms, including host log file analysis, file integrity monitoring, vulnerability detection, configuration assessment, and incident response.
Suricata: A NIDS that uses a signature-based approach. It can also run inline as an intrusion prevention system.
Evaluating Alerts
Analysis Tools
Security Onion integrates these various types of data and Intrusion Detection System (IDS) logs into a single platform through the following tools:
• Sguil: Provides a high-level console for investigating security alerts from a wide variety of sources. Sguil serves as the starting point in the investigation of security alerts; many data sources are available by pivoting directly from Sguil to other tools.
• Kibana: An interactive dashboard interface to Elasticsearch data. It allows querying of NSM data and provides flexible visualizations of that data. It is possible to pivot from Sguil directly into Kibana to see contextualized displays.
• Wireshark: A packet capture application integrated into the Security Onion suite. It can be opened directly from other tools to display the full packet captures relevant to an analysis.
Sources of Alerts
Rules and Alerts
• Alerts can come from a number of sources:
• NIDS - Snort, Zeek, and Suricata
• HIDS - OSSEC/Wazuh
• Asset management and monitoring - Passive Asset Detection System (PADS)
• HTTP, DNS, and TCP transactions - recorded by Zeek (formerly Bro) and in full packet captures (pcaps)
• Syslog messages - multiple sources
Sources of Alerts
Alert Generation
• Alerts are generated in Security Onion by many sources, including Snort, Zeek (Bro), Suricata, and OSSEC, among others.
• Sguil provides a console that integrates alerts from multiple sources into a timestamped queue.
• Alerts will generally include the following five-tuple information:
• SrcIP - the source IP address for the event.
• SPort - the source (local) Layer 4 port for the event.
• DstIP - the destination IP address for the event.
• DPort - the destination Layer 4 port for the event.
• Pr - the IP protocol number for the event (e.g., 1 = ICMP, 6 = TCP, 17 = UDP).

Figure: Sguil Window
Sources of Alerts
Snort Rule Structure
• Snort rules consist of a rule header and rule options.
• The rule header contains the action, protocol, addressing (source and destination), port information, and direction of the traffic.
• The rule options include the text message that identifies the alert (msg), the rule identifier and revision (sid/rev), the detection criteria such as content patterns, and other metadata about the alert.
• Snort rules come from a variety of sources, including Emerging Threats (ET), Sourcefire, and Cisco Talos.
• PulledPork is a Security Onion component that can download new rules automatically from snort.org and other rule sources.
Overview of Alert Evaluation
The Need for Alert Evaluation
• The threat landscape is constantly changing as new vulnerabilities and threats are discovered. As user and organizational needs change, so does the attack surface.
• Threat actors have learned how to quickly vary features of their exploits in order to evade detection.
• It is better to have alerts that are sometimes generated by innocent traffic than to have rules that miss malicious traffic.
• It is necessary to have skilled cybersecurity analysts investigate alerts to determine whether an exploit has actually occurred.
• Tier 1 cybersecurity analysts work through queues of alerts in a tool like Sguil, pivoting to tools like Zeek, Wireshark, and Kibana to verify that an alert represents an actual exploit.

Figure: Primary Tools for the Tier 1 Cybersecurity Analyst
Overview of Alert Evaluation
Evaluating Alerts
• Alerts can be classified as follows:
• True Positive: An alert fired and has been verified to be an actual security incident.
• False Positive: An alert fired, but it does not indicate an actual security incident.
• True Negative: No alert fired and no security incident occurred (normal traffic correctly ignored).
• False Negative: No alert fired, but an incident has occurred; it went undetected.
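An added example, written for this page and not code from Snort, Sguil or Security Onion, that ties together the five-tuple alert fields from the Alert Generation slide, the header/options structure from the Snort Rule Structure slide, and the true/false positive/negative classes above. It parses a small subset of the Snort rule language, matches the rules against constructed packets to produce Sguil-style alert rows, and tallies TP/FP/TN/FN against an analyst's ground-truth labels. The network variables, the two local rules (sid 1000001 and 1000002), and the packets are all constructed for the example; real Snort supports far more of the rule language than this subset.

```python
"""Minimal Snort-style rule parser, matcher and alert classifier: an added example written for
this page, not Snort, Sguil or Security Onion source. Subset supported: the rule header with
'->', $VAR substitution, '!' negation, 'any', CIDR addresses, port ranges and the
msg/sid/rev/content/nocase options; other options are ignored. All data is constructed."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field

NET_VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}  # constructed snort.conf vars
PORT_VARS = {"$HTTP_PORTS": "80:8080"}
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}  # the Pr column of a Sguil alert
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; dst: str; dport: str
    msg: str = ""; sid: int = 0; rev: int = 0
    contents: list[tuple[bytes, bool]] = field(default_factory=list)  # (pattern, nocase)

@dataclass
class Packet:  # the five-tuple plus payload
    src_ip: str; sport: int; dst_ip: str; dport: int; proto: str; payload: bytes = b""

def _split_options(opts: str) -> list[str]:
    # split on ';' outside double quotes (a quoted msg may itself contain ';')
    return [p.strip() for p in re.findall(r'(?:[^;"]|"[^"]*")+', opts) if p.strip()]

def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {text!r}")
    rule = Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    for opt in _split_options(m["opts"]):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key in ("sid", "rev"):
            setattr(rule, key, int(val))
        elif key == "content":
            rule.contents.append((val.encode(), False))
        elif key == "nocase" and rule.contents:  # modifier applies to the preceding content
            rule.contents[-1] = (rule.contents[-1][0], True)
    return rule

def _addr_matches(spec: str, ip: str) -> bool:
    spec = NET_VARS.get(spec, spec)
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

def _port_matches(spec: str, port: int) -> bool:
    spec = PORT_VARS.get(spec, spec)
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    hit = (int(lo or 0) <= port <= int(hi or 65535)) if sep else port == int(lo)
    return hit != spec.startswith("!")

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header match on the five-tuple, then every content pattern must appear in the payload."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (_addr_matches(rule.src, pkt.src_ip) and _port_matches(rule.sport, pkt.sport)
            and _addr_matches(rule.dst, pkt.dst_ip) and _port_matches(rule.dport, pkt.dport)):
        return False
    return all((pat.lower() in pkt.payload.lower()) if nocase else (pat in pkt.payload)
               for pat, nocase in rule.contents)

def generate_alerts(rules: list[Rule], packets: list[Packet]) -> list[tuple]:
    """Sguil-style rows (SrcIP, SPort, DstIP, DPort, Pr, msg, sid) for each 'alert' rule that fires."""
    return [(p.src_ip, p.sport, p.dst_ip, p.dport, PROTO_NUM[p.proto], r.msg, r.sid)
            for p in packets for r in rules if r.action == "alert" and rule_matches(r, p)]

def classify(rules: list[Rule], labelled: list[tuple[Packet, bool]]) -> dict[str, int]:
    """Tally TP/FP/TN/FN: whether any rule fired versus the analyst's verdict (True = malicious)."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for pkt, malicious in labelled:
        fired = any(r.action == "alert" and rule_matches(r, pkt) for r in rules)
        counts["TP" if fired and malicious else "FP" if fired else "FN" if malicious else "TN"] += 1
    return counts

RULES = [parse_rule(line) for line in """
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL WEB UNION SELECT in HTTP request"; flow:to_server,established; content:"UNION"; nocase; content:"SELECT"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection from outside"; flow:to_server; sid:1000002; rev:1;)
""".splitlines() if line.strip()]  # constructed local rules (sid >= 1000000 is the local range)

LABELLED = [  # constructed traffic with the analyst's ground truth (True = genuinely malicious)
    (Packet("203.0.113.5", 51234, "192.168.1.10", 80, "tcp", b"GET /item?id=1 union select 1,2,3 HTTP/1.1"), True),
    (Packet("203.0.113.5", 51235, "192.168.1.10", 80, "tcp", b"GET /docs/union-select-tutorial.html HTTP/1.1"), False),
    (Packet("198.51.100.7", 40000, "192.168.1.20", 22, "tcp"), True),
    (Packet("192.168.1.30", 40001, "192.168.1.20", 22, "tcp"), False),
    (Packet("203.0.113.9", 40002, "192.168.1.10", 8443, "tcp", b"GET /x?id=1 union select 1 HTTP/1.1"), True),
]
```

Calling `generate_alerts(RULES, [p for p, _ in LABELLED])` yields three alert rows (two for sid 1000001, one for sid 1000002) and `classify(RULES, LABELLED)` tallies two true positives, one false positive, one true negative and one false negative. The second packet is the caveat the slide makes: a benign request for a page named union-select-tutorial.html trips the same content patterns, which is why a Tier 1 analyst verifies each alert. The fifth packet shows the complementary miss: the same payload on port 8443 never reaches the content check because $HTTP_PORTS does not cover it, so the rule's addressing, not its signature, decides what gets seen.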
Investigating Network Data
Working in Sguil
• In Security Onion, the first place a cybersecurity analyst goes to verify alerts is Sguil.
• Sguil automatically correlates similar alerts into a single line and provides a way to view the correlated events represented by that line.
Investigating Network Data
Pivoting from Sguil
• Sguil provides the ability to "pivot" the investigation to other tools such as Kibana, Wireshark, or Zeek (Bro).
Sources of Alerts
Packet Monitoring Techniques
Network Taps
• A network tap is typically a passive splitting device installed inline between a device of interest and the network. A tap forwards a copy of all traffic, including physical-layer errors, to an analysis device.
• Taps are also typically fail-safe, which means that if the tap fails or loses power, traffic between the two devices it sits between (for example, the firewall and the internal router in the figure) is not affected.
Sources of Alerts
Packet Monitoring Techniques
Port Mirroring
• Port mirroring (SPAN on Cisco switches) is a feature that allows a switch to make duplicate copies of traffic passing through it and send those copies out a port with a network monitor attached.
• The original traffic is forwarded in the usual manner.
• Unlike a tap, a mirror port can drop copied packets when the monitored traffic exceeds the capacity of the destination port, and it does not pass on physical-layer errors.
Sources of Alerts
Security Onion Network Setup

Figure: Security Onion Network Setup
