ECE 6015 Digital Forensic Mid Term Study Quiz Chapter 1

Ensuring that only those who are authorized have access to specific assets and that those who are unauthorized are actively prevented from obtaining access.

Ensuring that data have not been tampered with and, therefore, can be trusted. It is correct, authentic, and reliable.

Ensuring that authorized users have timely, reliable access to resources when they are needed - networks, systems, and applications are up and running.

Patch your systems regularly

Only installed signed software updates

Source code changes virtually undetectable

What is it Governance?

What is the role of the CISO?

The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.

Requirement for multiple people to authenticate in order to perform certain administrative tasks.

Separation of network into separate mini-networks/segments with distinct security boundaries and protection profiles to limit ability to “pivot” from entry point.

A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.

1-10-60 Challenge To effectively combat sophisticated cyberthreats:

The time an attack goes undetected (i.e., the delta between intrusion and detection).

[blank_start]Advanced Persistent Threat (APT)[blank_end] attack uses continuous, clandestine, and sophisticated hacking techniques to gain access to a system and remain inside for a proloned period of time, with potentially destructive consequences.

Five Stages of an Evolving APT Attack

Stage 1: [blank_start]Gain Access[blank_end] Like a burglar forcing open a door with a crowbar, cybercriminals usually gain entry through a [blank_start]network[blank_end], an infected [blank_start]file[blank_end], junk email, or an app [blank_start]vulnerability[blank_end] to insert [blank_start]malware[blank_end] into a target network.

[blank_start]Functional Testing[blank_end]: Test cases performed to confirm the system operates as it was designed/specified and meets all functional requirements – [blank_start]Availability[blank_end] and [blank_start]Integrity[blank_end]

[blank_start]Performance/Load Testing[blank_end]: Test cases performed to confirm the system operates as it was designed/specified and meets performance requirements under a real or simulated load - [blank_start]Availability[blank_end]

[blank_start]Penetration Testing[blank_end]: Test cases performed to simulate intrusion by an intentional or unintentional cyber threat actor – Confidentiality and Availability (perhaps some Integrity)

Identify the Incident Response in the MITRE Framework

[blank_start]Preparation[blank_end]: Without good preparation, any subsequent incident response is going to be disorganized and has the potential to make the incident worse.

Preparation step include:

[blank_start]Detection[blank_end]: Process where the organization first becomes aware of a set of events that possibly indicates malicious activity. Depending on the size, an org may receive >100 million events per day.

Detection sources can include: [blank_start]Activity logs[blank_end]: A security analyst may receive an alert that a specific administrator account was in use during the time where the administrator was on vacation. [blank_start]External sources[blank_end]: An ISP or law enforcement agency may detect malicious activity originating in an organization's network and contact them and advise them of the situation. [blank_start]Internal users[blank_end]: An employee contacting the help desk and informing agent that services are no longer available, or files are suddenly encrypted

Incident response coordinator: Individual often has overall responsibility for the security of the organization's information; responsible for management of the CSIRT prior to, during, and after an incident

[blank_start]CSIRT senior analyst(s)[blank_end]: Personnel with [blank_start]extensive[blank_end] training and experience in incident response, digital forensics, network data examination

CSIRT senior analyst(s):

[blank_start]CSIRT analyst(s)[blank_end]: Personnel with CSIRT responsibilities that have [blank_start]less[blank_end] exposure or experience in incident response activities

[blank_start]Security operations center analyst[blank_end]: Analysts assigned to the 24/7 Security Operations Center (SOC) [blank_start]monitoring[blank_end] capability; serve as the point person when it comes to incident [blank_start]detection[blank_end] and alerting.

[blank_start]Organizational support personnel[blank_end]: Assist with a variety of [blank_start]non-technical[blank_end] issues that fall outside those that are addressed by the CSIRT core and technical support personnel.

Organizational support personnel include:

Devoting time and resources to implement security controls that are irrelevant to the threats the organization is trying to mitigate.

Stage 2: [blank_start]Establish Foothold[blank_end] Cybercriminals implant [blank_start]malware[blank_end] that allows the creation of a network of [blank_start]backdoors[blank_end] and tunnels used to move around in systems [blank_start]undetected[blank_end]. The malware often employs techniques like rewriting code to help hackers [blank_start]cover[blank_end] their tracks.

Stage 3: [blank_start]Deepen Access[blank_end] Once inside, hackers use techniques such as password cracking to gain access to [blank_start]administrator[blank_end] rights so they can control more of the system and get even [blank_start]greater[blank_end] levels of access.

Stage 4: [blank_start]Move Laterally[blank_end] Deeper inside the system with [blank_start]administrator[blank_end] rights, hackers can move around at will. They can also attempt to access other servers and other secure parts of the network.

Stage 5: [blank_start]Look, Learn, and Remain[blank_end] From inside system, hackers understand how it works and its vulnerabilities Harvest the information they want at will. Hackers keep this process running indefinitely or withdraw once they accomplish a specific goal. They often leave a back door open to access the system again in the future.