Incident Response and Advanced Forensics


This topic contains 15 replies, has 4 voices, and was last updated by  cybermo 2 years, 9 months ago.



    New courses on Cybrary are going to be offered – Check it out:



    Legal Considerations

    – Illegal actions may render any evidence inadmissible for future legal proceedings.

    – Worse, illegal actions may pose a greater liability to the organization than the incident.

    – Hackbacks: Unauthorized access to information systems or destruction of an information system are violations of federal law, even if you are attempting to recover or delete data which has been stolen from your organization.


    – The Fourth Amendment of the U.S. Constitution provides, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath of affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

    – The ultimate goal of this provision is to protect people’s right to privacy and freedom from arbitrary governmental intrusions. Private intrusions not acting in the color of governmental authority are exempted from Fourth Amendment.


    · Two-Step Process

    · To have standing to claim protection under the Fourth Amendment, one must first demonstrate an expectation of privacy, which is not merely a subjective expectation in mind but an expectation that society is prepared to recognize as reasonable under the circumstances.

    – Government can limit or eliminate reasonable expectation: O’Connor v. Ortega, 480 U.S. 709 (1987).

    – If no reasonable expectation exists, no warrant is required.

    – When in doubt… seek legal advice


    – Sec. 103. Methods of Notice to Individuals

    A business entity shall be in compliance with section 101 if it provides both:

    – (1) Individual Notice – Notice to individuals by one of the following means:
    · Written notification to the last known home mailing address of the individual in the records of the business entity.
    · Telephone notice to the individual personally; or
    · e-mail notice, if the individual has consented to receive such notice and the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (section 7001 of title 15, United States Code).

    – (2) Media Notice – If the number of residents of a State whose sensitive personally identifiable information was, or is reasonably believed to have been accessed or acquired by an unauthorized person exceeds 5,000, notice to media reasonably calculated to reach such individuals, such as major media outlets serving a State or jurisdiction.


    – Any business entity shall notify an entity designated by the Secretary of Homeland Security to receive reports and information about information security incidents, threats, and vulnerabilities, and such agency shall promptly notify and provide that same information to the United States Secret Service, the Federal Bureau of Investigation, and the Commission for civil law enforcement purposes, and shall make it available as appropriate to other federal agencies for law enforcement, national security, or computer security purposes, if:

    – (1) – the number of individuals whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person exceeds 5,000;

    – (2) – the security breach involves a database, networked or integrated databases, or other data system containing the sensitive personally identifiable information of more than 500,000 individuals nationwide;

    – (3) – the security breach involves databases owned by the Federal Government; or

    – (4) – the security breach involves primarily sensitive personally identifiable information of individuals known to the business entity to be employees and contractors of the Federal Government involved in national security or law enforcement.




    – “Knowing is half the battle.”
    – Aids in threat identification.
    – Provides threat warning.
    – Builds relationships.
    – Protects the public and other organizations.


    Paul Rouk

    Thanks for the note about the new “Incident Response and Advanced Forensics” class. Do they ever advertise new classes on the home page for Cybrary? If so, I always miss the announcement and usually find out about a new class because someone mentions it in the forums.



    Greetings Paul,

    Thank you for the question, it is a very good one.

    Minutes after the mention of this course through this forum, I found this article written by Tatianna on one side and by Dean Pompilio on the other, staff member and subject matter expert, respectively, as you would already know; it appears to have been written two weeks before my announcement, although not before the upload of the video presentation on YouTube, at least for the public audience in its last edition.

    Your Incident Response Refresher

    Anyway, I think it is a very good idea to check this Twitter account as often as one wants to discover the latest chances to improve in the field of cybersecurity, @cybraryit; I’m finding a lot of announcements here, too.

    Best regards.


    Paul Rouk

    Thanks for the info. I had glanced at the Cybrary blog before, but didn’t realize that was where they were posting system announcements. Their blog messages are posted under the “Explore” menu.



    The Humans Behind Cyber Security Incidents

    Who causes Cyber Incidents?

    – Nation States
    – Negligent/Unaware Employees
    – Insider Threats
    – Business Partners
    – Criminals
    – Terrorists
    – Competition
    – Hacktivists

    Why is Incident Response Necessary?

    – The Justice Department has declared that China’s espionage activities are so wide in scale that they constitute a national security emergency, as China targets almost every sector in U.S. business.

    – According to 60 Minutes, this activity is costing U.S. companies hundreds of billions of dollars in losses and more than 2 million jobs.

    – Center for Strategic and International Studies (CSIS) estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion – or almost 1 percent of global income.

    – CSIS estimated that the United States lost about $100 billion in 2013.

    What is the Purpose of Cyber Incident Response?

    – Determine if an incident occurred
    – Stop the threat
    – Determine how it occurred
    – Mitigate/Minimize damage caused by the threat
    – Counter the threat
    – Prevent the threat from recurring/spreading






    You’re welcome

    Intrusion Detection Systems/Intrusion Prevention Systems
    – IPS: proactive system that will stop an attack in progress
    – IDS: reactive system that will document an attack or notify an admin
    – Most systems today are combined IDS/IPS

    Violation Analysis

    First step of any incident response should always include violation analysis
    Has an actual security incident transpired, or do we simply have abnormal system activity?
    Is this event malicious or accidental?
    Is it internal/external?
    What is the scope of the incident?
    Intrusion Detection Systems
    · Software is used to monitor a network segment or an individual computer
    · Used to detect attacks and other malicious activity
    · Dynamic in nature
    · The two main types:
    – Network-based (packet sniffer + analysis engine)
    – Host-based (local host only)
    Protocol Analyzers (Sniffers) and Intrusion Detection Systems
    · Promiscuous mode: take all the traffic on certain selected networks you could reach through your own systems
    · Switching can affect the packet capture. Solution is a SPAN port

    Types of IDS
    – Network-based IDS
    · Monitor traffic on a network segment
    · Computer or network appliance with NIC in promiscuous mode
    · Sensors communicate with a central management console
    – Host-based IDS
    · Small agent programs that reside on individual computer
    · Detects suspicious activity on one system, not a network segment
    – IDS Components:
    · Sensors
    · Analysis engine
    · Management console
    Sensor Placement
    – In front of firewalls to discover attacks being launched
    – Behind firewalls to find out about intruders who have gotten through
    – On the internal network to detect internal attacks
    Analysis Engine Methods
    Pattern Matching
    · Rule-Based Intrusion Detection
    · Signature-Based Intrusion Detection
    · Knowledge-Based Intrusion Detection
    Profile Comparison
    · Statistical-Based Intrusion Detection
    · Anomaly-Based Intrusion Detection
    · Behavior-Based Intrusion Detection

    Types of IDS
    Signature-based (most common)
    – IDS has a database of signatures, which are patterns of previously identified attacks
    – Cannot identify new attacks
    – Database needs continual updates
    Statistical/Anomaly-based
    – Compares audit files, logs, and network behavior, and develops and maintains profiles of normal behavior
    – Better defense against new attacks
    – Creates many false positives

    IDS Response Options
    · Page or e-mail administrator
    · Log event
    · Send reset packets to the attacker’s connections
    · Change a firewall or router ACL to block an IP address or range
    · Reconfigure router or firewall to block protocol being used for attack
    IDS Issues
    – May not be able to process all packets on large networks
    · Missed packets may contain actual attacks
    · IDS vendors are moving more and more to hardware-based systems
    – Cannot analyze encrypted data

    – Switch-based networks make it harder to pick up all packets
    – A lot of false alarms
    – Not an answer to all prayers
    · firewalls, anti-virus software, policies, and other security controls are still important
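To make the signature-versus-anomaly trade-off in the notes above concrete, here is an added example (not part of the original post) that runs a tiny signature matcher and a tiny profile-based detector over constructed web-server log lines; the IP addresses, paths and rules are all assumed sample values.

```python
# Added example: signature-based vs. profile/anomaly-based detection over
# constructed log lines ("<src_ip> <path> <status>" per line). It shows the
# notes' point: signatures miss a "new" attack, profiles catch it but also
# flag a legitimately busy source (false positive).
import re
import statistics
from collections import Counter

TRAINING_LOG = [  # constructed known-normal traffic used to build the profile
    "10.0.0.5 /index.html 200", "10.0.0.5 /about.html 200",
    "10.0.0.7 /index.html 200", "10.0.0.7 /login 200", "10.0.0.7 /account 200",
    "10.0.0.9 /index.html 200", "10.0.0.9 /products 200",
    "10.0.0.11 /index.html 200", "10.0.0.11 /contact 200",
    "10.0.0.11 /products 200", "10.0.0.11 /cart 200",
    "10.0.0.13 /index.html 200", "10.0.0.13 /faq 200", "10.0.0.13 /cart 200",
]
OBSERVED_LOG = [  # constructed traffic to analyse
    "10.0.0.5 /index.html 200", "10.0.0.5 /about.html 200",
    # previously identified attack pattern (directory traversal), only 2 requests
    "10.0.0.13 /index.html 200", "10.0.0.13 /cgi-bin/../../etc/passwd 404",
    # "new" behaviour with no signature: repeated failed /admin logins
    *["10.0.0.42 /admin 401"] * 6,
    # legitimate but unusually busy crawler: the anomaly false positive
    *[f"10.0.0.99 /page{i} 200" for i in range(5)],
]

# Signature database: patterns of previously identified attacks.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
}

def parse(line):
    src, path, status = line.split()
    return src, path, int(status)

def signature_alerts(log):
    """Return {src_ip: rule_name} for every line whose path matches a signature."""
    alerts = {}
    for line in log:
        src, path, _ = parse(line)
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                alerts[src] = name
    return alerts

def build_profile(log, k=2.0):
    """Profile of normal behaviour: per-source request count, threshold = mean + k*stdev."""
    counts = list(Counter(parse(line)[0] for line in log).values())
    return statistics.mean(counts) + k * statistics.stdev(counts)

def anomaly_alerts(log, threshold):
    """Return {src_ip: request_count} for sources exceeding the learned threshold."""
    counts = Counter(parse(line)[0] for line in log)
    return {src: n for src, n in counts.items() if n > threshold}
```

Run against OBSERVED_LOG, the signature detector flags only 10.0.0.13, while the profile built from TRAINING_LOG (threshold about 4.47 requests) flags both the 10.0.0.42 login guessing and the harmless 10.0.0.99 crawler.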



    Control Remote Access

    – Disable remote access to the organization’s system when an employee or contractor separates from the organization.

    · Be sure to disable access to VPN service, application servers, email, network infrastructure devices, and remote management software.

    · Be sure to close all open sessions as well. In addition, collect all company-owned equipment, including multifactor authentication tokens, such as RSA SecurID tokens or smart cards.

    – Include mobile devices, with a listing of their features, as part of the enterprise risk assessment.

    – Prohibit or limit the use of personally owned devices.

    · If personally owned equipment, such as a laptop or home computer is permitted to access the corporate network, it should only be allowed to do so through an application gateway. This will limit what applications are available to an untrusted connection.

    – Prohibit devices with cameras in sensitive areas.

    – Implement a central management system for mobile devices.

    – Monitor and control remote access to the corporate infrastructure.

    · VPN tunnels should terminate at the furthest perimeter device and in front of an IDS and firewall packet inspection and network access control. In addition, IP traffic-flow capture and analysis behind the VPN concentrator will allow collection of network traffic statistics to help discover any outsider.






    The primary purpose of the security and privacy assessment reports is to convey the results of the security and privacy control assessments to appropriate organizational officials. The security assessment report is included in the security authorization package along with the security plan (including an updated risk assessment) and the plan of action and milestones to provide authorizing officials with the information necessary to make risk-based decisions (on whether to place an information system into operation or continue its operation).



    Policy Enforcement

    – Ensure that senior management advocates, enforces, and complies with all organizational policies. Policies that do not have management buy-in will fail and not be enforced equally.

    · Management must also comply with policies. If management does not do so, subordinates will see this as a sign that the policies do not matter or that they are being held to a different standard than management. Your organization should consider exceptions to policies in this light as well.

    – Ensure that management briefs all employees on all policies and procedures. Employees, contractors, and trusted business partners should sign acceptable-use policies upon their hiring and once every year thereafter or when a significant change occurs. This is also an opportunity for your organization and employees, contractors, or trusted business partners to reaffirm any non-disclosure agreements.

    – Ensure that management makes policies for all departments within your organization easily accessible to all employees. Posting policies on your organization’s internal website can facilitate widespread dissemination of documents and ensure that everyone has the latest copy.


    – Develop and implement an enterprise-wide training program that discusses various topics related to insider threat. The training program must have the support of senior management to be effective.

    · Management must be seen participating in the course and must not be exempt from it, which other employees could see as a lack of support and an unequal enforcement of policies.

    – Train all new employees and contractors in security awareness, including insider threat, before giving them access to any computer systems. This includes those who are in your facility daily, such as janitorial and maintenance staff. These users may require a special training program that covers security scenarios they may encounter, such as social engineering and sensitive documents left out in the open.

    – Train employees continuously. However, training does not always need to be classroom instruction. Posters, newsletters, alert emails, and brown-bag lunch programs are all effective training methods. Your organization should consider implementing one or more of these programs to increase security awareness.

    – Establish an anonymous, confidential mechanism for reporting security incidents. Encourage employees to report security issues and consider incentives for reporting by rewarding those who do. The information security team can conduct periodic inspections by walking through areas within your organization, including workspaces, and identifying security concerns.

    Hiring Practices

    – Ensure that potential employees have undergone a thorough background investigation, which at a minimum should include a criminal background and credit check.

    – Encourage employees to report suspicious behavior to appropriate personnel for further investigation.

    – Investigate and document all issues of suspicious or disruptive behavior.

    – Enforce policies and procedures consistently for all employees.

    – Consider offering an EAP. These programs can help employees confidentially with many personal issues.

    Removing negative influence

    – Enhance monitoring of employees with an impending or ongoing personnel issue, in accordance with organizational policy and laws.

    – Enable additional auditing and monitoring controls outlined in policies and procedures.

    – Regularly review audit logs to detect activities outside of the employee’s normal scope of work.

    – Limit access to these log files to those with a need to know.

    – All levels of management must regularly communicate organizational changes to all employees. This allows for a more transparent organization, and employees can better plan for their future.

    Know yourself

    – Conduct a physical asset inventory. Identify asset owners’ assets and functions. Also identify the type of data on the system.

    – Understand what data your organization processes by speaking with data owners and users from across your organization.

    – Identify and document the software configurations of all assets.

    – Prioritize assets and data to determine the high-value targets.









