Module 28: Digital Forensics and Incident Analysis and Response Answers

Explanation: A chain of custody refers to the proper accounting of evidence collected about an incident that is used as part of an investigation. The chain of custody should include the location of all evidence, the identifying information of all evidence such as serial numbers and hostnames, identifying information about all persons handing the evidence, and the time and date that the evidence was collected.

Explanation: The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:

• Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
• Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
• Delivery – The weapon is transmitted to the target using a delivery vector.
• Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
• Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
• Command and Control (CnC) – The threat actor establish command and control (CnC) with the target system.
• Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.

Explanation: The resources element in the Diamond Model is used to describe one or more external resources used by the adversary for the intrusion event. The resources include software, knowledge gained by the adversary, information (e.g., username/passwords), and assets to carry out the attack.

Explanation: NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. A purpose of the plan element is to develop metrics for measuring the incident response capability and its effectiveness.

Explanation: The following actions can help identify an attacking host during a security incident:

• Use incident databases to research related activity.
• Validate the IP address of the threat actor to determine if it is a viable one.
• Use an Internet search engine to gain additional information about the attack.
• Monitor the communication channels that some threat actors use, such as IRC.

Explanation: The MITRE framework is a global knowledge base of threat actor behavior. It is based on observation and analysis of real-world exploits with the purpose of describing the behavior of the attacker, not the attack itself. It is designed to enable automated information sharing by defining data structures for the exchange of information between its community of users and MITRE.

Explanation: NIST describes the digital forensics process as involving the following four steps:

• Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data.
• Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data.
• Analysis – drawing conclusions from the data. Salient features, such as people, places, times, events, and so on should be documented.
• Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate.

Explanation: The most common exploit targets, once a weapon is delivered, are applications, operating system vulnerabilities, and user accounts. Among other measures, conducting employee awareness training and email testing and auditing endpoints to forensically determine the origin of an exploit can help block future exploitations of systems.

Explanation: The Diamond Model of intrusion contains four parts:

• Adversary – the parties responsible for the intrusion
• Capability – a tool or technique that the adversary uses to attack the victim
• Infrastructure – the network path or paths that the adversaries use to establish and maintain command and control over their capabilities
• Victim – the target of the attack

Explanation: NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. A purpose of the policy element is to detail how incidents should be handled based on the mission and functions of an organization.

Explanation: NIST describes the digital forensics process as involving the following four steps:

• Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data.
• Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data.
• Analysis – drawing conclusions from the data. Salient features such as people, places, times, events, and so on should be documented.
• Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate.

Explanation: The Cyber Kill Chain was developed to identify and prevent cyber intrusions by specifying what threat actors must complete to accomplish their goals.

Explanation: To recover infected user workstations, use clean and recent backups or rebuild the PCs with installation media if no backups are available or they have been compromised. Also, fully update and patch the operating system and installed software of all hosts. All users are encouraged to change their passwords for the workstation or workstations they use. Rebuilding DHCP servers is needed only if they are affected by the incident.Also not all devices need to change the name and password configuration setting unless they are affected by the incident.

Explanation: The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:

• Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
• Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
• Delivery – The weapon is transmitted to the target using a delivery vector.
• Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
• Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
• Command and Control (CnC) – The threat actor establishes command and control (CnC) with the target system.
• Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.

Explanation: Threat attribution refers to determining the individual, organization, or nation responsible for a successful intrusion or attack incident. The security investigation team correlates all the evidence in order to identify commonalities between tactics, techniques, and procedures (TPPs) for known and unknown threat actors.