Incident Response Terminology

• Event: Observable occurrence
• Hazard: Precondition that could lead to an event
• Incident: Adverse occurrence or policy violation

CIRT (Cyber Incident Response Team)

• IRT (Incident Response Team)
• CSIRT (Computer Security Incident Response Team)

Basic Incident Response Phases

1. Detection and Triage
2. Investigation
3. Containment
4. Analysis & Tracking
5. Mitigation
6. Recovery & Repair

(ISC)² Incident Response Phases

• Detection
• Response
• Mitigation
• Reporting
• Recovery
• Remediation
• Lessons Learned

SANS Incident Response Phases

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

Logging an Incident

• User-ID
• Time & Date
• Event Description
  Note:
  User's name is less important (may not be unique)

Threat Intelligence

Knowledge about current and emerging threats to help prevent or mitigate cyberattacks.
Sources:

• Cybersecurity newsletters
• Conferences
• Social media
• Dark Web research

UEBA (User and Entity Behavior Analytics)

Analyzing network activity to detect anomalous behavior.
Targets:

• Insider threats
• Compromised accounts
  Observes:
• User behavior
• Device usage
• Security events

SOAR (Security Orchestration, Automation, and Response)

Term coined by Gartner to describe tools that automate repetitive security tasks.

Benefits:

• Faster incident response
• Increased team productivity
• Improved efficiency

Software-Defined Security

Security model managed through policy-driven software.

Features:

• Automates and monitors controls like IDS, network segmentation, and access controls
• Centralized management of security infrastructure

SIEM (Security Information and Event Management)

Splunk, SolarWinds, Datadog

Function:

• Aggregates and correlates logs from multiple sources
• Helps security managers understand the IT environment and detect threats

SIEM Tuning

Reduce false positives without increasing false negatives.

Benefit:
Minimizes analyst fatigue and improves alert quality

Audit Log Reduction Tools

• Clipping Levels: Only record violations above a set threshold
• Event Filtering: Focus on significant events that require attention

Dr. Edmond Locard

Pioneer in forensic science
Locard’s Principle of Exchange:

• Criminals bring something into the scene
• Criminals leave with something from the scene
  Key Idea: Every encounter leaves a trace

Suspect Narrowing Strategy

Mnemonic: M.O.M.

• Means – Did the suspect have the tools or ability?
• Opportunity – Was the suspect present or able to commit the act?
• Motive – Did the suspect have a reason?

Hearsay

Evidence based on what the witness was told, not what they personally know.

Note:
Not normally admissible in court.

Chain-of-Custody

Chronological documentation of evidence handling.

Must Track:

• Who had the evidence
• When it was handled
• How it was protected
  Stages:
  Identification, Gathering, Protection, Access, Presentation

Interviewing

Discover what happened.

Method:

• Gather info from witnesses and victims
• Resolve conflicting stories and timelines

Interrogation

Obtain testimony or confession to be used as evidence in trial.

Expert Witness

Educates the jury on specialized topics.

Use:
Can be presented as evidence.

Evidence Admissibility Rules

Mnemonic: S.T.R.I.C.

• S: No unlawful Search & Seizure
• T: Evidence must be Trustworthy & Reliable
• R: Evidence must be Relevant to the case
• I: Proper Identification and Protection
• C: Maintain Chain of Custody

Evidence Lifecycle

1. Discovery
2. Protection
3. Recording
4. Collection and Identification
5. Analysis
6. Storage, Transportation, Preservation
7. Present in Court
8. Return to Owner

Capturing Digital Evidence

Start from volatile forms, then move to persistent forms.

Order of Volatility (OOV)

1. Live system info (RAM, process list, unsaved work, encryption keys)
2. Virtual memory (paging/swap/temp files)
3. Physical media (hard drives, DVDs, USBs, printouts)
4. Backups & networks (backup media, servers, log files, cloud storage)

Hard Drive Analysis Process

1. Install write-blocker (Forensic Disk Controller)
2. Hash the drive
3. Create forensic bit-level images
4. Hash the images to verify integrity
5. Use images for analysis

Slack Space

Disk areas with lingering data from deleted files.

Forensics Tip:
Inspect slack space for hidden data fragments.

Common Types of Evidence

• Direct/Testimony: Witness statements
• Real/Physical: Objects proving/disproving guilt
• Documentary: Records, photos, manuals
• Digital: Emails, backups, browser history
  • ⚠️ Less reliable due to tampering risks
• Demonstrative: Models, timelines, re-enactments

Types of Evidence (Legal Definitions)

• Conclusive: Irrefutable, cannot be contradicted
• Corroborative: Supports existing evidence
• Circumstantial: Implies facts without direct proof

Types of Digital Forensics

1. Media Analysis:

• Examines computers, storage devices, printers, faxes, smartphones, data, files, photos, recycle-bin, etc.

2. Software Analysis:

• Examines applications and their output
• Analyzes malware and its consequences

3. Network Analysis:

• Examines logs, ISP logs, tools used, and affected devices
• Traces email headers to locate sources

Legal Terms in Digital Forensics

• Legal Hold: Notice to preserve relevant evidence
• eDiscovery: Locating and securing electronic evidence for trial
• Search Warrant: Court order for search and seizure
• Subpoena: Legal order for witness or evidence submission
• Wire Tapping: Eavesdropping on communications (requires warrant or consent)

Categories of Computer Crime

• Financial Attacks: Fraud, credit card theft, salami attacks
• Business Attacks: Corporate espionage
• Military & Intelligence Attacks
• Hacktivist Attacks: Politically motivated hacking
• Terrorist Attacks
• Grudge Attacks
• Thrill Attacks: For fun or bragging rights
• Piracy of Intellectual Materials
• Wire & Mail Fraud

Trusted Path

A secure communication path that ensures:

1. Tamper-resistant data
2. User awareness of authenticity
   • Example: SSL/TLS encryption

Types of IDPS (Detection/Prevention)

Network-Based IDPS:

• Scans network traffic for attacks or intrusions

Host-Based IDPS:

• Scans only the host it's installed on

Alternate Names for Host-Based IDPS:

• HBSS (Host-Based Security Solution)
• ESS (Endpoint Security Solution)
• EDR (Endpoint Detection and Response)

Why Use Both Network & Host-Based IDPS?

• Defense-in-Depth (layered security)
• Host-based detects internal threats
• Network-based can't read encrypted traffic
• Devices may be taken off-site

IDPS Scanning Technologies

Signature-Based (Pattern Matching / Knowledge-Based):

• Uses known attack signatures
• Detects known threats

Behavior-Based (Anomaly-Based / Profile-Based):

• Learns normal behavior profiles
• Detects new or unknown threats
• May use AI for analysis
• Requires secure environment during learning phase

IDPS Detection Outcomes

True Postive - correctly identifies an intrusion

True Negative - correctly identifies no intrusion

False Positive - mistakenly flags legitimate traffic as intrusion

False Negative - fails to detect an actual intrusion

IDS Placement Scenarios

IDS Placement – Internet-Side of Firewall

Advantages:

• Sees most attacks unfiltered from the Internet
• Better visibility into external attack types and frequency
• Can detect misconfigured firewalls if attacks exit the network

IDS Placement – LAN-Side of Firewall

Advantages:

• Detects misconfigured firewalls if attacks enter the network
• Better detection of insider threats
• Less noise from external traffic → fewer false alarms

Honeypot / Honey-net

Fake targets designed to lure attackers

Benefits:

• Protects real network
• Observes attacker behavior
• Acts as early-warning system
  Honey-net:
  A network of multiple honeypots

Padded Cell

Sandboxed honeypot environment

Function:
Attacker is redirected here by IDS

• No harm can be done
• Used for safe observation

Backup Strategy

Recover data in case of deletion, corruption, or alteration

3-2-1 Rule:

• 3 copies of critical files
• 2 backups on different media
• 1 backup stored off-site

Backup Types

Onsite Backup:

• Stored at same location as source
• Enables rapid recovery

Offsite Backup:

• Stored at a different, remote location
• Protects against local disasters

Cloud Backup (Electronic Vaulting):

• Scalable, high availability
• Pay-as-you-go model

Backup Types & Schedule

• Normal (Full): Resets archive bit on all files
• Incremental: Backs up files changed since last backup
• Differential: Backs up files changed since last full backup
• Crash and Restore: Used for full system recovery

Example Schedule:

• Monday: Full backup (file_a, file_b)
• Tuesday: Incremental (file_c)
• Wednesday: Incremental (file_d, file_e, file_f)
• Thursday: Differential
• Friday: Crash and Restore

Archive Bit

A flag attached to each file that is turned on when the file is edited.

Used by:
Incremental and differential backups to determine which files to back up.

Backup Restoration Rules

To restore a system:

• Always need the latest full backup
• Need all incrementals since the last full backup
• Only need the last differential if using differential backups

Summary:
Latest full + last night’s + all incrementals in-between

Media Management Tips

• Encrypt backup tapes
• Physically protect tapes during transport and storage
• Track first use-date and number of uses (tapes degrade over time)

Tape Rotation Schemes

• Grandfather-Father-Son
• Tower of Hanoi
• Six Cartridge Weekly

Purpose:
Avoid overwriting important backups and maintain historical copies

File Sensitivity & CIA

• Sensitive Files: Focus on Confidentiality
• Critical Files: Focus on Integrity and Availability
• Backups support all CIA elements

Disk Check

Checking the starting and ending sectors of each partition

Tool Example:
chkdsk (Microsoft command-line utility)

RAID 0

Type: Striping
Disks: 2–32
Purpose: Performance
Fault Tolerance: ❌ Not fault-tolerant

RAID 1

Type: Mirroring
Disks: Exactly 2
Purpose: Fault tolerance
Performance: ❌ Not for performance

RAID 5

Type: Striping with Distributed Parity
Disks: Minimum 3
Purpose: Performance + Fault tolerance
Fault Tolerance: Can lose any 1 disk

RAID 6

Type: Striping with Distributed Parity
Disks: Minimum 4
Purpose: Performance + Fault tolerance
Fault Tolerance: Can lose any 2 disks

RAID 10 (1+0)

Type: Mirrored RAID 0 or Striped RAID 1
Purpose: Combines performance and fault tolerance

NAS (Network Attached Storage)

Function: Local data storage and retrieval over LAN
Protocols: SMB/CIFS
Access: Direct user access

SAN (Storage Area Network)

Function: Centralized storage for servers
Protocols: iSCSI, Fibre Channel, FCoE
Access: No direct user access; servers retrieve data

VSAN (Virtual SAN)

Function: Logical separation of a physical SAN
Analogy: Like VLANs for networks

DLP (Data Loss Prevention)

Prevent sensitive data from leaving the organization

Types:

• Network-based DLP: Scans outgoing data at the perimeter
• Host-based DLP: Prevents copying, printing, or burning sensitive data on endpoints

NAS vs SAN Overview

NAS (Network Attached Storage):

• Connected via LAN
• Used by laptops/workstations
• File-level access
• Easier to manage, lower cost

SAN (Storage Area Network):

• Connected via Fibre Channel (FC) switches
• Used by servers
• Block-level access
• Higher performance, more complex

Disaster Recovery Locations

Mirrored Site

• Full equipment
• Full data
• MINS TO HOURS

Hot Site

• Full equipment
• HOURS TO 1 DAY

Warm Site

• Some equipments
• DAYS

Cold Site

• No equipment
• WEEKS+

Reciprocal Agreement

• Also called mutual-aid agreement
• Two organizations agree to be each other's disaster recovery site

Dual Sites

• Multiple live processing centers
• Used for redundancy and fault-tolerance

Other Sites to Plan For:

1. Press Conference Site
2. Command Center Site

• Backup site should be:
  • Far enough to avoid same disaster
  • Close enough for employee access

Resource Capacity Agreement

• Pre-arranged vendor agreements
• Ensures access to resources post-disruption

Miscellaneous Planning Tips

• Use job titles in DRP, not names
• People change roles or leave the company

Call-Tree / Call-List

• You call 5 people → they each call 5 more
• Ensures rapid communication during disaster

Disaster Recovery vs. Restoration

• Recovery = Over to backup site
  (Memory trick: "recover" has "over")
• Restoration = Back to original site
  (Memory trick: "restore" has "OR" for "original")

Restoration Steps

• Confirm incident is over
• Ensure safety of return
• Document losses (photos, insurance)
• Salvage assets
• Perform repairs/replacements
• Shut down alternate site
• Conduct lessons learned/post-mortem

Checklist / Desk-Check

• Each department gets a copy of the DRP
• Run through a checklist to verify coverage of relevant points

Table-Top Review

• Representatives meet to discuss the plan
• No actual actions performed

Structured Walk-Through

• Team physically walks to response locations
• Verbally reviews each step for effectiveness

Simulation Test

• Practice drill
• Mobilize personnel to attempt reaching RTO (Recovery Time Objective)

Parallel Test

• Run operations at alternate site in parallel with production

Full-Interruption Test

• Shut down production environment
• Run live operations at alternate site

DRP Testing Frequency

• Minimum: Once per year
• Also test when significant changes are made

DRP Miscellaneous

• Update plan after major changes
• Include version numbers on each copy
• Consider setting an expiration date (e.g., 1 year)

Version Control for DRP

1. Archive obsolete plans
2. Collect old copies
3. Confirm collection (e.g., serial numbers)
4. Issue new plans
5. Destroy old plans

Failure Modes

Fail Open

• System opens access upon failure
• Prioritizes high availability
• Example: Firewall fails and allows all traffic

Fail Closed

• System blocks access upon failure
• Prioritizes confidentiality/security
• Example: Firewall fails and blocks all traffic

Fail Secure

• Fails into a pre-defined secure state
• Example: Doors lock when system fails

Fail Soft

• System enters reduced functionality
• Hibernates or saves data
• Terminates non-essential functions

Fail Safe

• Prioritizes safety of people/property
• May compromise security
• Example: Doors unlock during failure

Fail Over

• Switches to a hot backup site
• Ensures continuity of operations