Week2 - Incident Response Process
Lecturer: Dr Zuoxia Yu
Email: [email protected]
Office: 3.116
Outline
• Incident Response Process
• Threat Life Cycle Management
• Cybersecurity Kill Chain
Introduction of Incident Response Process
• What is an incident?
A computer security incident is a violation or imminent threat of violation of
computer security policies, acceptable use policies, or standard security
practices.*
• Examples of incidents include
ØDistributed Denial-of-Service (DDoS) attack
ØPhishing and social engineering
ØRansomware
ØMalicious Insider Threats
[Figure: Security Posture cycle (Protect, Detect, Respond)]
*Computer Security Incident Handling Guide. Publication 800-61R2 from NIST. https://csrc.nist.rip/external/nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Introduction of Incident Response Process
• IR process
ØDetection: how to handle security incidents.
ØResponse: how to rapidly respond to them.
ØPost Incident: how to use the information learned from the current incident
to prevent future incidents.
• Many companies have an IR process in place, but they fail to constantly
review it to incorporate lessons learned from previous incidents.
[Figure: Security Posture cycle (Protect, Detect, Respond)]
Introduction of IR Process
• An example of IR process
Introduction of IR Process
• At point (7), the IR process
Øtakes over the incident case,
Ødocuments every single step of the process, and
Øincorporates the lessons learned with the aim of enhancing the overall
security posture, after the incident is resolved.
• The process may vary according to the company, industry segment,
and standard.
• No IR process in place -> bad security posture
-> waste of human resources
Introduction of IR Process
• For the successful IR Process:
ØAll IT Personnel should be trained to know how to handle a security incident.
ØAll Users should be trained to know the core fundamentals about security.
ØAn Integration between the help desk system and the incident response
team.
ØGood sensors in place. For example, network sensors + host sensors for
quick and comprehensive detection.
ØThe IR process must be compliant with the laws and the industry's regulations.
Creating an IR Process
• Foundational areas of the incident response process:
Creating an IR Process
• Objective (i.e. to answer the question):
ØWhat’s the purpose of this process?
ØIt is important to clearly define the purpose of the process.
ØEveryone is aware of what this process is trying to accomplish.
• Scope :
ØTo whom does this process apply?
ØA company-wide scope vs a departmental scope.
• Define/Terminology:
ØEach company may have a different perception of a security incident.
ØDefine what constitutes a security incident and give examples.
ØCreate a company glossary using clearly defined terminology.
Creating an IR Process
• Roles and responsibilities:
ØWho has the authority to confiscate a computer in order to perform further
investigation?
ØDefine the users or groups that have this level of authority.
ØLet the entire company be aware of this.
• Priorities/Severity level:
ØFunctional impact of the incident in the business
ØType of information affected by the incident
ØRecoverability
• Additionally, the interaction with third parties, partners and customers
needs to be defined.
Incident Response Team
• Incident response team covers the fundamental areas in IR process
ØIt varies according to the company size, budget and purpose.
ØIt requires personnel who have broad technical knowledge but also deep
knowledge in some specific areas.
ØThe budget for the IR team must cover the acquisition of proper tools and
hardware and training programs for the employees in the company.
• Outsourcing the IR Team
ØFinding proper people who have different skill sets is sometimes difficult ->
outsourcing part of the IR team can be one of the solutions.
ØWhen it is outsourced, a well-defined service-level agreement (SLA) that
meets the severity levels is essential.
Incident life cycle
• Incident life cycle
Incident life cycle
• Preparation phase
ØImplementation of security controls that were created based on the initial risk
assessment.
ØImplementation of other security controls such as endpoint protection,
malware protection and network security.
ØThe preparation phase is not static -> this phase will receive input from
post-incident activity.
• Detection and Containment phases
ØProcesses of handling an incident
ØThey could have multiple interactions
Handling an incident
• Detection system
Ømust be aware of the attack vectors.
Ømust be able to dynamically learn more about new threats and new
behaviours.
Ømust trigger an alert if a suspicious activity is encountered.
• End users
Øhave important roles in identifying and reporting security incidents.
Øshould know the procedure for creating an incident ticket.
ØSecurity awareness training is required.
Handling an incident
• Manual information gathering is often required to identify an
incident.
ØData gathering must be done in compliance with the company's policy.
ØIn scenarios where you need to bring the data to a court of law, you need to
guarantee the data's integrity.
Handling an incident
• The combination and correlation of multiple logs to identify IoCs:
ØEndpoint protection and operating system logs: Phishing email, lateral
movement
ØServer logs and network captures: Unauthorized or malicious process
ØThe firewall log and the network capture: Data extraction and submission
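The correlation idea above, as an added example that is not part of the lecture material: three constructed log sources (mail agent, EDR process telemetry, perimeter firewall) are parsed into one per-host timeline, and an incident is raised only when a phishing attachment, an Office-spawned process and an unusual outbound connection line up within a short window. Log format, field names, hosts and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): endpoint/mail agent, EDR
# process telemetry and the firewall, normalised to one line format.
SAMPLE_LOGS = [
    "2024-03-04T09:12:05Z ws-17 mail attachment_opened user=alice file=invoice.docm",
    "2024-03-04T09:12:20Z ws-17 edr process_start parent=WINWORD.EXE image=powershell.exe",
    "2024-03-04T09:12:41Z ws-17 fw outbound dst=198.51.100.23 dport=4444 bytes=184320",
    "2024-03-04T10:45:00Z ws-22 mail attachment_opened user=bob file=agenda.docx",
    "2024-03-04T10:46:10Z ws-22 fw outbound dst=203.0.113.9 dport=443 bytes=1200",
]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def parse(line):
    """Split '<ts> <host> <source> <event> k=v ...' into a dict."""
    ts, host, source, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in (rest or "").split())
    fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                  host=host, source=source, event=event)
    return fields

def correlate(lines, window=timedelta(minutes=5), rare_ports=("4444",)):
    """Return {host: chain} for hosts where, within `window` of a mail
    attachment being opened, an Office parent spawned a new process AND
    the firewall saw an outbound connection on a rarely used port.
    No single source alone justifies an incident; the chain does."""
    by_host = defaultdict(list)
    for event in map(parse, lines):
        by_host[event["host"]].append(event)
    chains = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for opened in [e for e in events if e["event"] == "attachment_opened"]:
            deadline = opened["ts"] + window
            later = [e for e in events if opened["ts"] <= e["ts"] <= deadline]
            spawn = next((e for e in later if e["event"] == "process_start"
                          and e.get("parent", "").upper().startswith("WINWORD")), None)
            conn = next((e for e in later if e["event"] == "outbound"
                         and e.get("dport") in rare_ports), None)
            if spawn and conn:
                chains[host] = {"opened": opened["file"], "spawned": spawn["image"],
                                "dst": f'{conn["dst"]}:{conn["dport"]}'}
    return chains

if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_LOGS).items():
        print(host, chain)
```

ws-22 also opened an attachment and went outbound, but on port 443 with no Office-spawned process, so the same rule leaves it as benign activity.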
Handling an incident
• To detect threats more quickly and reduce false positives, the
following are required:
ØThe leveraging of security intelligence and advanced analytics
ØAn integrated monitoring system
• Detection and analysis are sometimes done almost in parallel
ØAn attack is still taking place when it is detected
ØAlso, the system requires a rapid response
Handling an incident
• Establish what's normal across all systems and networks
ØYou can't determine what's abnormal if you don't know what's normal
• Sometimes, the user cannot reproduce the issue. To mitigate
scenarios like this, make sure the following is in place:
ØSystem profile
ØNetwork profile/baseline
ØLog-retention policy
ØClock synchronization across all systems (e.g. using Network Time Protocol
(NTP))
• Instruct the user to contact support when the issue is currently
happening and provide the environment to the user to capture data.
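Two of the items above, a network baseline and clock synchronization, as an added example that is not part of the lecture material: a per-host baseline is learned from constructed historical traffic figures so that a deviation can be recognised, and a constructed per-host clock skew shows how unsynchronised clocks reverse the apparent order of events until the skew is corrected. All hosts, figures and skews are constructed for the example.

```python
import statistics
from datetime import datetime, timedelta

# Constructed baseline data (not real): outbound MB per hour for two hosts
# over the previous seven days, i.e. what "normal" looks like for each.
HISTORY_MB = {
    "ws-17": [12, 15, 11, 14, 13, 16, 12],
    "db-01": [800, 790, 820, 810, 805, 795, 815],
}

def build_baseline(history):
    """Per-host (mean, population std dev) of the historical measurements."""
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in history.items()}

def is_abnormal(baseline, host, observed_mb, zmax=3.0):
    """Flag an observation more than `zmax` standard deviations from the
    host's own mean; a host with no baseline cannot be judged and is flagged."""
    if host not in baseline:
        return True
    mean, sd = baseline[host]
    if sd == 0:
        return observed_mb != mean
    return abs(observed_mb - mean) / sd > zmax

# Constructed clock skew per host in seconds (positive = clock runs fast),
# as measured against a reference clock. fw-1 is four minutes slow.
CLOCK_SKEW_S = {"ws-17": 0, "fw-1": -240}

def order_events(events, skew=None):
    """events: (host, ISO-8601 timestamp with offset, description).
    Correct each timestamp by the host's measured skew, then sort, so the
    timeline reflects the real order rather than each box's own clock."""
    skew = skew or {}
    corrected = []
    for host, ts, desc in events:
        real = datetime.fromisoformat(ts) - timedelta(seconds=skew.get(host, 0))
        corrected.append((real, desc))
    return [desc for _, desc in sorted(corrected)]

# Constructed events: the firewall's own clock says the connection came
# before the attachment was opened, which would make no sense causally.
SAMPLE_EVENTS = [
    ("fw-1", "2024-03-04T09:08:41+00:00", "outbound to 198.51.100.23:4444"),
    ("ws-17", "2024-03-04T09:12:05+00:00", "attachment invoice.docm opened"),
]
```

With NTP in place the skew table would be all zeros and the raw timestamps could be trusted directly; without it, the correction has to be measured and applied before any timeline is built.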
Post-incident activity
• Documenting Lessons Learned
ØIt is one of the most valuable pieces of information that you have in the
post-incident activity phase.
ØIt helps you to keep refining the process through the identification of gaps in
the current process and areas of improvement.
ØThis documentation must be very detailed, with the full timeline of the
incident, the steps that were taken to resolve the problem, what happened
during each step, and how the issue was finally resolved outlined in depth.
Post-incident activity
• The lessons learned will include the answers to the following:
ØWho identified the security issue? A user or the detection system?
ØWas the incident opened with the right priority?
ØDid the security operations team perform the initial assessment correctly?
ØWas the data analysis done correctly?
ØWas the containment done correctly?
ØIs there anything that could be improved at this point?
ØHow long did it take to resolve this incident?
• Evidence retention
ØAll the artifacts should be stored according to the company's retention policy.
ØThe evidence must be kept intact until legal actions are completely settled.
Incident response in the cloud
• A shared responsibility between the cloud provider and the company
that is contracting the service
[Figure: shared responsibility across the SaaS, PaaS and IaaS models]
ØPaaS (Platform as a Service) provides a platform (such as the OS and middleware)
allowing customers to develop, run, and manage applications.
Incident response in the cloud
• For the IaaS Model:
ØCustomers have full control of the virtual machine and have complete access to all
logs provided by the operating system.
ØCloud Provider has the information of the underlying network infrastructure and
hypervisor logs.
ØCustomers should review the cloud provider policy before requesting any data.
• For the SaaS model:
ØThe vast majority of the information relevant to an incident response is in the
possession of the cloud provider -> contact the cloud provider directly, or open
an incident via a portal.
ØCustomers should review the SLA to better understand the rules of engagement in
an incident response scenario.
Updating your IR process to include cloud
• IR life cycle must include cloud-computing-related aspects
• Preparation
Øneeds to update the contact list to include the cloud provider contact
information, on-call process, and so on.
• Detection
Øinclude the cloud provider solution for detection in order to assist you during
the investigation
• Containment
ØRevisit the cloud provider's capabilities to isolate an incident (e.g., isolating
a compromised VM from the others)
Outline
• Incident Response Process
• Threat Life Cycle Management
• Cybersecurity Kill Chain
Threat life cycle management
• The Detection and Containment phases of IR can be further specified by Threat
Life Cycle Management.
• An investment in threat life cycle management can enable an
organization to stop attacks just as they happen.
• New technologies have been adopted, bringing new vulnerabilities
and widening the surface area that cybercriminals can attack.
ØE.g. Internet of Things (IoT)
• 84% of all attacks left evidence in the log data -> with the appropriate tools
and mindset, these attacks could have been mitigated early enough
to prevent any damage.
Threat life cycle management
• 6 phases of threat life cycle management
ØForensic data collection
ØDiscovery
ØQualification
ØInvestigation
ØNeutralization
ØRecovery
Threat life cycle management
• Forensic data collection
ØThe threats come through the seven domains of IT. The more of the IT
infrastructure the organization can see, the more threats it can detect.
ü Seven Domains of typical IT infrastructure: User Domain, Workstation Domain, LAN
Domain, LAN-to-WAN Domain, Remote Access Domain, WAN Domain, and
System/Application Domain
ØCollection of security event and alarm data
ØCollection of log and machine data
ØCollection of forensic sensor data
Threat life cycle management
• Discovery phase
ØSearch analytics
ü Carrying out software-aided analytics.
ü review reports and identify any known or reported exceptions from network and
antivirus security tools.
ü Labour-intensive -> it should not be the sole analytics method.
ØMachine analytics
ü Purely done by machines/software.
ü Autonomously scan large amounts of data and give brief and simplified results to people
using machine learning.
Threat life cycle management
• Qualification phase
ØThreats are assessed to find out
ü their potential impact
ü urgency of resolution
ü How to mitigate the threats
ØInefficient qualification may lead to true positives being missed and false
positives being included.
ØFalse positives are a big challenge -> waste of resources against non-existent
threats
ØQualification is a sensitive phase in the threat management process
Threat life cycle management
• Investigation phase
ØThe qualified threats are fully investigated to determine whether or not they
have caused a security incident.
ØA threat might have done damage in the organization before it was identified by
the security tools -> look at any potential damage.
ØRequires continuous access to forensic data and intelligence about a large
number of threats (mostly automated).
• Neutralization phase
Øeliminate or reduce the impact of an identified threat.
ØAutomated process to ensure a higher throughput of deleting threats, and to
ease information sharing and collaboration in the organisation.
Threat life cycle management
• Recovery Phase
ØThe phase comes after all threats are neutralized and risks are put under
control.
ØThe organization is restored to the position it was in prior to being attacked
ü Changes caused by the attacker or made during the recovery need to be tracked back
ØAutomated recovery tools that can be used to return systems to a backed-up
state.
ØEnsure that no backdoors are introduced or are left behind
Outline
• Incident Response Process
• Threat Life Cycle Management
• Cybersecurity Kill Chain
Cybersecurity Kill chain
• Kill chain
ØThe term was originally used as a military concept related to the structure of
an attack, consisting of the following:
ü target identification
ü force dispatch to target
ü decision and order to attack the target
ü the destruction of the target.
• Cybersecurity kill chain
ØLockheed Martin adapted this concept to cybersecurity, using it as a
method for modelling intrusions on a computer network.
Cybersecurity Kill Chain
• Most cyber attackers use a series of similar phases
ØSkilled attackers operate on well-structured and scheduled plans to
keep their intrusion undetected until the time is right.
ØTo understand how each phase works and the toll that is taken at each
phase, those attacks are often described in the following steps:
ü External reconnaissance (or information gathering)
ü Compromising the system
ü Lateral movement
ü Privilege escalation
ü Concluding the mission
External reconnaissance
• In the external reconnaissance phase, the attacker
Øharvests as much information as possible to find vulnerabilities
Ødecides on the exploitation techniques that are suitable for each
vulnerability
• The information that the attacker gathers:
ØIt is from outside the target's network and systems.
ØIt includes the target's supply chain, obsolete device disposal, and employee
social media activities.
ØAnyone in an organization can be targeted, including suppliers and customers.
External reconnaissance
• Two commonly used techniques to get an entry point of the
organisation’s network:
ØPhishing: attackers send the target some carefully crafted emails to cause
them to reveal secret information or open a network to attacks.
ü Phishing emails are usually linked to a malware installation
ü They claim to be from reputable institutions.
ØSocial Engineering: attackers closely follow targets, collecting information
about them
ü This happens mostly through social media
Compromising
• Once either of these or another technique is used, the attacker will
find a point of entrance (i.e. compromise the system), such as
through stolen passwords or malware infection.
• Stolen passwords will give the attacker direct access to computers,
servers, or devices within the internal network of an organization.
• Malware can be used to infect even more computers or servers, thus
bringing them under the command of the hacker.
Lateral movement
• Lateral movement phase involves the use of various scanning tools to
find loopholes that can be exploited to stage an attack.
• Popular scanning tools (Framework):
ØMetasploit and Kali Linux: Linux-based hacking framework. It is made up of
numerous hacking tools and frameworks that have been made to effect
different types of attacks.
• Popular scanning tools (for password):
ØJohn the Ripper, THC Hydra and Cain and Abel: Those tools support brute
force or dictionary attacks on passwords.
Lateral movement
• Popular scanning tools (for Network):
ØWireshark: Very popular tool among both hackers and pen testers to capture
the data packets in the network.
ØNmap: a free and open source network mapping tool.
ØAircrack-ng: a suite of tools that is used for wireless hacking. The suite
includes attacks such as FMS, KoreK, and PTW.
ü The FMS attack is used to attack keys that have been encrypted using RC4.
ü KoreK is used to attack Wi-Fi networks that are secured with WEP-encrypted passwords.
ü PTW is used to hack through WEP- and WPA-secured Wi-Fi networks.
ØKismet: Wireless network sniffer and intrusion detection system.
ØNikto: a Linux-based website vulnerability scanner that hackers use to identify
any exploitable loopholes in organizational websites.
Access and privilege escalation
• In order to achieve the freedom of movement without being
detected, an attacker needs to perform privilege escalation.
• Vertical privilege escalation
ØAttacker moves from one account to another that has a higher level of
authority
ØTools used to escalate privileges
• Horizontal privilege escalation
ØAttacker uses the account that has the same level of authority, but elevates its
privileges
ØUser account used to escalate privileges
Access and privilege escalation
• In vertical privilege escalation,
ØThe attacker gets the access rights and privileges of a high-level authority such as
an administrator or superuser.
ØThe attacker can run any unauthorized code (e.g., malware and
ransomware) through the privileges it acquires.
ØIt is a complex operation. It may need some kernel-level operations to elevate
the attacker's access rights.
ØBuffer overflow is widely used for vertical privilege escalation.
ØEternalBlue, the vulnerability that was exploited by WannaCry, is also based
on a buffer overflow.
Access and privilege escalation
• In horizontal privilege escalation,
ØAn attacker uses the same privileges gained from the initial access.
ØA normal user is erroneously able to access the account of another user.
ØHorizontal privilege escalation occurs when an attacker is able to access protected
resources using a normal user account.
ØThis is normally done through session and cookie theft, cross-site scripting,
guessing weak passwords, and logging keystrokes.
ØAs a result of this escalation
ü the attacker normally has well-established remote access entry points into a target
system.
ü The attacker might also have access to the accounts of several users.
ü The attacker knows how to avoid detection from security tools that the target might
have.
Concluding the Mission
• Exfiltration
ØThe attacker extracts sensitive data (e.g., organisation’s digital property) from
an organization.
• Sustainment
ØThe hackers may decide to remain silent, even after exfiltrating all valuable
information, for further actions.
• Assault
ØThe hacker permanently damages the data and software, or disables or alters the
functioning of the victim's hardware.