
Threats, Vulnerabilities, and Incident Response

The document discusses threats, vulnerabilities, and incident response in cybersecurity. It provides examples of common cyber threats like hackers executing attacks every 39 seconds and 134 million credit cards being exposed in a data breach. It also discusses vulnerabilities, such as security issues threat actors may exploit. The document outlines questions security professionals must address around threats, vulnerabilities, and responding to incidents. It provides best practices for identifying threats, finding and fixing vulnerabilities, and preparing proper incident response.

Uploaded by

chanderson.ja

Threats, Vulnerabilities, and Incident Response
Username: cyberadmin
Password: @UdacityLearning#1

As a security professional, your job will consist of answering the following questions on a
regular basis:

● [THREATS] What are the greatest cyber threats I should be concerned about?
● [VULNERABILITIES] How can I find and fix security issues that cyber threat actors
may take advantage of?
● [INCIDENT RESPONSE] If I am faced with a security incident or potential breach,
how can I respond?

Keeping up with Threats:

● Hackers execute an attack every 39 seconds, or 2,244 daily. - University of
Maryland

Keeping up with Vulnerabilities:

● 134 million credit cards were exposed, costing Heartland Payment Systems over
$145 million in compensation for fraud payments alone.

Keeping up with Incident Response:

● It takes an average of 206 days to identify a breach and about 314 days to
contain a breach -

Stakeholders
When it comes to threats, vulnerabilities, and incident response, there are a variety of
stakeholders involved both within the company and outside of the company. Examples of
key stakeholders include:
● Management
● Security Professionals
● IT Support
● Human Resources
● Legal Teams
● External Groups (e.g. law enforcement)
Do's and Don'ts
Identifying threats, finding and fixing vulnerabilities, and preparing to respond to incidents
are ongoing tasks that are relevant every day when working in a cyber security team. Here
are key do's and don'ts to remember as you acquire these useful skillsets:

Do's
● Use the skills you learn to proactively identify business threats
● Conduct approved vulnerability tests
● Lawfully respond to and investigate incidents
● Uphold the highest moral standards as a security professional

Don'ts
● Abuse the skills you learn by conducting unauthorized security testing against
systems or assets in personal or professional settings

History of Threats, Vulnerabilities, and Incident Response

Threats have been around for as long as human beings have been on this earth, and much
longer. For example:
● Millions of years ago, meteors were a detrimental threat to dinosaurs.
● Thousands of years ago, wildcats were a detrimental threat to cavemen and
cavewomen.
● Hundreds of years ago, thieves were a detrimental threat to banks.
● Today, digital threats can be detrimental to human beings when not adequately
addressed.
The bottom line is that threats are constantly evolving, and adapting is a never-ending
process.

Assessing Threats

In this lesson you'll learn to:

● Explain the relationship between threats, threat actors, vulnerabilities, and exploits
● Utilize event context to identify potential threat actor motivations
● Identify security threats applicable to important organizational assets
● Use standard frameworks to assess threats, identify risks, and prioritize

Cyber security is ultimately about managing and prioritizing risks. A standard risk
management process involves three key steps:
● Identifying
● Assessing
● Mitigating risks
Identifying risks involves understanding the threats the company faces. Threat assessment
sets the foundation and is one of the first required steps in the risk management process.

Threats
In life, you deal with identifying and prioritizing hundreds of threats every single day.
It's a basic human instinct we all have.

As you consider each threat, you may ask questions like:

● Which threat should I care about the most?
● Which threat poses the greatest risk?
● How can I mitigate the threat?

This is a threat assessment, and you do it daily.
Threat Assessment Fundamentals
• Threat assessment: Process of formally evaluating the degree of threat to an
information system or enterprise and describing the nature of the threat.

• Threat: Any circumstance or event with the potential to adversely impact
organizational operations (including mission, functions, image, or reputation),
organizational assets, or individuals through an information system via unauthorized
access, destruction, disclosure, modification of information, and/or denial of service.
Also, the potential for a threat source to successfully exploit a particular information
system vulnerability.

I leave for work in the morning, and locking my front door is a security control that I
use to keep bad things out. But let's say I accidentally left my back window open.
Contrary to what most people believe, the open window is not a threat; it is a
vulnerability. It's a gap in my home system.

But just because a window is open doesn't mean there's a breach yet. There
would need to be someone or something ready to take advantage of the open
window, in other words, to exploit the gap, for this to become an issue.

The threat assessment process includes three key steps:

● Identify which threats are relevant to the organization.
● Assess the threat and how it might apply to or impact the organization.
● Prioritize which threats matter most based on what is important to the
organization.
The ultimate goal of a threat assessment is to begin answering the following
questions:
● What are the relevant threats that could impact the organization's information
technology assets?
● Which threats represent the gravest danger to the company?
● Which threats have the greatest likelihood of leading to a successful negative
outcome?
● Is the organization prepared to mitigate the threats? If not, what actions
should be taken to mitigate the threat?

• Vulnerability: Weakness in an information system, system security procedures,
internal controls, or implementation that could be exploited or triggered by a threat
source.
• Exploit: A code, tool, or mechanism that takes advantage of a vulnerability in a
system in an attempt to breach security.
• Attack: Any kind of malicious activity that attempts to collect, disrupt, deny,
degrade, or destroy information system resources or the information itself.
• Attack surface: The set of points on the boundary of a system, a system element,
or an environment where an attacker can try to enter, cause an effect on, or extract
data from, that system, system element, or environment.
Threat and Attack Types
A threat can be intentional, unintentional, or otherwise a circumstance, capability,
action, or event. Understanding the various threat types is fundamental, as this is
how you begin to brainstorm and identify threats that may apply to the company.

Remember the example of the window that someone left open: a thief planning to
climb through it is an intentional threat, while a snake seeking shelter could be an
unintentional threat. If a thunderstorm starts and water drenches your new computer
that happens to be sitting on the desk next to the window, that is a circumstance threat.

Intentional Attacks Against Technology

• Denial of Service (DoS): Attacks that prevent authorized access to resources or
create delays in access, usually done by sending fake web traffic, for example, to
overwhelm the resource.
• Distributed Denial of Service (DDoS): A denial of service technique that
leverages several hosts to send traffic to the target host and overwhelm the
resource.
• Password Attacks: Also known as password cracking, these attacks are used to
recover passwords or authentication credentials.
• Spoofing: Impersonating a user or device by using a fake IP address to send a
message and trick the user into trusting the fake sender.
• Man in the Middle: Intercepting a connection between two devices or users, and
potentially changing the messages being sent.
• Malware: Software that includes malicious code that is harmful to computer
resources.
• Ransomware: A variant of malware that encrypts the victim's data and threatens
to hold the decryption key and data hostage until a payment is made.
• Zero-day: A flaw in software that is very new. It may refer to the software flaw or
to an attack method that has zero days between the date the flaw is discovered and
the date of the first attack.

Intentional Attacks Against Humans

Social Engineering: An attempt to trick someone into revealing information (e.g., a
password) that can be used to attack systems or networks.

Examples of Social Engineering Tactics:

• Phishing: A technique for attempting to acquire sensitive data, such as bank
account numbers, through a fraudulent solicitation in email or on a website, in which
the perpetrator masquerades as a legitimate business or reputable person.
• Vishing: Phishing executed via voice call.
• Smishing: Phishing executed via SMS or text message.
• Spear phishing: A colloquial term that can be used to describe any highly targeted
phishing attack.
• Whaling: A specific kind of phishing that targets high-ranking members of
organizations.

Unintentional Threats
Natural Disasters
• Fire
• Flood
• Earthquake
• Lightning
• Landslide or Mudslide
• Tornados or Severe Windstorms
• Hurricanes, Typhoons, and Tropical Depressions
• Tsunami
• Electrostatic Discharge (ESD)
• Dust Contamination
Human Error
• Social engineering victims
• Security unaware employees (sharing a password, leaving a computer unattended,
etc.)
Threat Actors and Motivations
Behind every attack is a human being with a reason. Understanding the culprit and
their motivation can help security professionals better defend against attacks.

Threat actors can be categorized as internal or external.

External Threat Actors and Motivations

● Cybercriminals are financially motivated individuals who carry out attacks
mainly for monetary reasons.
● Cyber terrorists are defined as: "Individuals or groups who use violent or
"virtually" debilitating means to further ideological goals stemming from
domestic influences, such as those of a political, religious, social, racial, or
environmental nature." Source: (https://www.fbi.gov/investigate/terrorism)
● Nation-state actors are attackers who sabotage military or critical
infrastructure. Other variations include espionage and cyber warfare.
● Hacktivists are groups who carry out attacks to advance political or social
causes.
● Script kiddies are curious newbies with minimal cyber skills who are just
playing around or launching beginner attacks.
Internal Threat Actors and Motivations
A significant portion of breaches stems from internal employees and contractors
within a company. Here are common internal threat actors and their typical motivations:
● Criminal insiders are individuals who steal from their employers or engage in
other unauthorized activities that cause harm. They are usually financially
motivated.
● Oblivious insiders are naive individuals who fall for social engineering
attacks or engage in other unintentional activities that expose the company to
risks.
● Third-party insiders are individuals who may not work directly for the
company but have authorized access as a vendor or partner working with the
organization.
● Disgruntled insiders are employees who are unhappy with the organization
and seek to retaliate often through digital resources and exploitation.
● Terminated insiders are individuals who are no longer with the company but
steal data as they are leaving or still have access after their separation from
the company.

Remember that in threat assessment, a lot of the work is hypothesizing and building
theories based on research. There are a lot of variables and sometimes unclear
answers, and that’s okay. Also, some threat actors try to use obvious motivations as
smoke screens for a hidden agenda.

Organizing and Executing Threat Assessments
The assessments follow a standard process that includes identifying, analyzing, and
prioritizing threats. Why is it important? Because it enables security professionals
to prevent, detect, and respond to attacks.
Identify
The process consists of a combination of brainstorming and using available
resources to discover threats, either proactively or reactively. Typical activities included
in this phase are:

● Threat Detection: The ability to detect threats proactively or reactively in an
environment.
● Threat Hunting: Proactively combing through networks to find advanced and
undetected threats that may bypass typical security controls and detection
technology.
● Threat Actor Discovery: Leverage threat intelligence and other information
sources to identify potential threat actors that may impact your business.

Analyze
During the analysis phase, you’ll gather detail and information about the threats
you’ve identified and understand how they might apply to your organization. Typical
activities included in this phase are:
● Threat Intelligence Gathering: Threat information that has been aggregated,
transformed, analyzed, interpreted, or enriched to provide the necessary
context for decision-making processes.
● Threat Profiling and Modeling: Analytical insights into trends, technologies,
or tactics of an adversarial nature affecting information systems security.
● Threat Scenario Development: A set of discrete threat events, associated
with a specific threat source or multiple threat sources, partially ordered in
time.

Prioritize
During the final step of prioritization, you consider the variables that matter to the
company to determine the most significant threats. Typical activities included in this
phase are impact assessment and application of context. As you prioritize the threats
based on impact and additional context, you may ask questions like:

● What’s the likelihood that this threat will impact our business?
● How can this threat impact the business?
● What controls are in place to mitigate the impact, if any?
Introduction to MITRE Cyber Prep Framework
The MITRE Cyber Prep 2.0 framework is a threat-oriented approach that allows an
organization to define and articulate its threat assumptions, and to develop
organization-appropriate, tailored strategic elements. The framework focuses on
advanced threats. This can serve as a basis for profiling threats. The framework
considers threats based on 3 main characteristics: Intent, Target, and Capabilities.

Intent
● Goal: At what scope or in what arena does the adversary operate? Depending
on their goals, an adversary can operate against a subset of the
organization's systems (e.g., its external-facing services); the organization's
operations; the organization's associates (customers, users, or partners); the
organization's critical infrastructure or industry sector; or the nation. Example
goals here tie back to the threat actors and motivations covered in this
lesson.
● Consequence: How much of an impact would successful achievement of
adversary goals have? How much disruption would adversary activities
cause?
    ● Limited or near-term: Will have little or no impact on critical mission
    operations. Consequences can be handled within an operational planning or
    funding cycle (e.g., within a business quarter) or within the duration of a
    mission operation.
    ● Extensive or mid-term: Will have a significant impact on critical mission
    operations, the organization, or its associates. Consequences require
    remediation or mitigation efforts that extend across operational planning or
    funding cycles.
    ● Severe or long-term: Will have an extremely significant, potentially
    catastrophic impact on mission operations, the organization, or its associates.
    Consequences are of a duration or extent that must be considered by strategic
    planning.
● Timeframe: In what timeframe does the adversary operate? Will the
adversary’s activities be periodic or episodic, or will the adversary commit to a
sustained effort against the organization?

Target
Expanding on the goal of the attack, who or what is the target? The organization
might also consider whether it could be an indirect target. Which of our customers or
partners could be high-value targets for an adversary?

Capability
What are the likely capabilities and resources of the adversary? Are they minimal,
causing the adversary to employ existing, known, malware? Or are they significant,
allowing the adversary the benefit of being able to create their own malware, threat
vectors, and possibly introduce vulnerabilities into the organization?
Threat profile notes might look like this:
Holly, potentially associated with Threat Group Leviathan

● Goals and Intent: Fraud, theft of intellectual property, espionage
● Consequences: Financial impact, loss of IP, reputational impact, and more
● Target: The threat group has in the past targeted the maritime industry, as well as
governments, universities, and more. Be mindful of partners the group may target
by using the company as a stepping stone.
● Capabilities: The threat group is state-sponsored and backed by China.
● Tactics: Spearphishing, backdoors, credential theft, and more.
● Timeframe: Undetermined

https://attack.mitre.org/groups/

Finding Security Vulnerabilities

Vulnerabilities are security holes or weaknesses.

Examples include:
● missing updates
● software flaws
● improper error handling
● and much more!

[Figure: Two near-identical login error messages]


Understanding Attack Methods
There are 7 common steps in the Cyber Attack Process, first articulated by Lockheed
Martin as the cyber attack kill chain:
● Reconnaissance: The threat actor conducts research to find as much
information as possible on the targets they want to attack, including
vulnerabilities and weaknesses.
● Weaponization: The threat actor creates or acquires the arsenal for the
attack, such as malware.
● Delivery: The weapon is launched against the target and the operation
begins.
● Exploitation: The threat actor must take advantage of the vulnerability to gain
access.
● Installation: The threat actor might install a backdoor or create ways to keep
their access for the attack.
● Command and control: The threat actor enables remote control and
manipulation of the target.
● Action on objectives: The threat actor accomplishes their mission and
completes the attack goal.

Lockheed Martin's "kill chain" is now used across the industry as a standard
(https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html).
MITRE's ATT&CK framework was created to document the common tactics, techniques, and
procedures that threat actors use against various enterprise systems.

https://attack.mitre.org
https://attack.mitre.org/mitigations/M1013/
Understanding Testing Methods and Tools
This process of identifying gaps is a foundational part of the overall vulnerability
management process.

Scope: Determine, conceptually, what you want to test. For example, you can target
a certain data center looking for a specific set of issues, a specific application, or
another resource of interest.
Identify: Pinpoint the specific host, network, application, or other resource targets.
Here you may identify specific IP addresses or URLs for example.
Scan: Configure and run the scan or test against the identified target. Here you are
using various tools and methods, such as vulnerability scanning software, to find the
issues.

Host and network vulnerability scans are used to find vulnerabilities on servers,
desktops, mobile devices, etc. within a network. Active vulnerability scanning sends
traffic to and performs actions against the target to identify vulnerabilities. Passive
scanning listens on the system and identifies issues in server and client software.

Application vulnerability scans target security within code and its operation. The
dynamic application scans test functionality while the program is executing
operations, while static scans test functionality without running any code.
Penetration testing is another level of actively trying to see if you can essentially
break security. Penetration tests can target networks, hosts, people, and physical
assets. When you make major changes to network configurations such as firewalls
and routing changes...mistakes can happen that allow intruders in. Here you should
recommend conducting a penetration test to discover those issues before the bad
guys do.

Vulnerability Scanning
Nessus, the tool used in this class, for example, is an open-source scanner that
uses the Common Vulnerabilities and Exposures (CVE) model to find issues and
efficiently conduct further research and analysis on the findings.

To run a scan, you'll need to identify the target you want to scan and establish what
kinds of security issues you are seeking to find. There are also other factors to take
into consideration such as what type of results report you'd like to see or what ports
you want to include in the test. There are hundreds of configurations that can be
changed to fine-tune a scan and the options will vary from scanning tool to scanning
tool.

Penetration Testing
Penetration testing, also known as pen testing, is a method of vulnerability discovery
where ethical hackers target a resource to determine whether vulnerabilities can be
exploited to compromise an environment or asset.

In this section we'll focus on password attacks as an example.

Red Team vs Blue Team

Penetration tests include two sides that are categorized as teams. One side is the
offensive team (red team), who pretend to be the "bad" actors launching
attacks. The other is the defensive team (blue team), who act as the "good" side
trying to prevent attacks.
Typically, the less knowledge the penetration tester has, the more realistic the
simulation is, because attackers don't usually know everything about a network they
are targeting in the beginning.

● White box testing: A test methodology that assumes explicit and substantial
knowledge of the internal structure and implementation detail of the
assessment object.
● Black box testing: A test methodology that assumes no knowledge of the
internal structure and implementation detail of the assessment object.
● Gray box testing: A test methodology that assumes some knowledge of the
internal structure and implementation detail of the assessment object.

Penetration Test Example: Password Cracking using Dictionary Attack Mode
Password cracking is the process of guessing, recovering, or reverse calculating a
secret password stored in a computer system or transmitted over a network. It’s like
picking a lock on a virtual door.

• Brute Force Attack - The attacker tries every possible password combination until
one works.

• Dictionary password attack – The attacker uses a dictionary list of common user
passwords in a hashed format, and compares it to a password hash list "stolen" from
a system. For example the MD5 hash for password123 is
482c811da5d5b4bc6d497ffa98491e38. If that string is found in the system password
file, it means that a user has their password set to "password123".
• Social engineering password attack - Attackers who pretend to be employees try to get
access to systems information by asking other employees for their usernames and
passwords. Once they successfully get the credentials from the employees, they'll try
to use the information to gain access to the company's systems.

Weak passwords can be cracked in a matter of seconds using password cracking
technology like HashCat (open source). Within HashCat, there are four components
of a basic attack command:

(hash type) (attack mode) (hash file) (dictionary file)

Example Command
To crack a password using a dictionary attack type, for example, you may specify
this command: -m 0 -a 0 hash.txt file.dict, which translates into the following
arguments:
● Hash type: -m 0
● Attack mode: -a 0
● Hash file: hash.txt
● Dictionary file: file.dict
Translated example of command: -m 0 -a 0 hash.txt file.dict
● -m 0 represents the hash type MD5
● -a 0 represents dictionary attack mode
● hash.txt and file.dict represent the target files
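The dictionary attack described above, written out as an added Python example (not code from the notes or from HashCat) so you can see why an unsalted fast hash like MD5 falls to it: the wordlist is hashed once into a lookup table, each stolen hash is looked up in that table, and the accounts whose hash matched a dictionary word are reported as weak. The wordlist, the user:hash file and the HASH_MODES table are constructed for this example; the mode numbers mirror hashcat's -m values.

```python
import hashlib

# Hash type numbers as used by hashcat's -m option (0 = MD5, 100 = SHA1,
# 1400 = SHA-256), mapped to the hashlib algorithm name. Constructed table.
HASH_MODES = {0: "md5", 100: "sha1", 1400: "sha256"}


def hash_word(word: str, mode: int = 0) -> str:
    """Hash one candidate password with the algorithm that -m <mode> selects."""
    return hashlib.new(HASH_MODES[mode], word.encode("utf-8")).hexdigest()


def build_dictionary(wordlist: str, mode: int = 0) -> dict:
    """Hash the whole wordlist once: hash -> plaintext (the 'hashed dictionary')."""
    table = {}
    for line in wordlist.splitlines():
        word = line.rstrip("\r\n")
        if word:
            table.setdefault(hash_word(word, mode), word)
    return table


def dictionary_audit(hash_file: str, wordlist: str, mode: int = 0) -> dict:
    """For each 'user:hash' line, return user -> matched password, or None."""
    table = build_dictionary(wordlist, mode)
    results = {}
    for line in hash_file.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines
        user, digest = line.split(":", 1)
        # One dictionary lookup per stolen hash; no per-user rehashing needed
        # because MD5 is unsalted, which is exactly why it is weak here.
        results[user.strip()] = table.get(digest.strip().lower())
    return results


def weak_accounts(results: dict) -> list:
    """Accounts whose hash matched a dictionary word, sorted for reporting."""
    return sorted(user for user, pw in results.items() if pw is not None)


# Constructed sample input (not from the notes). The first three hashes are
# MD5 (-m 0) of common passwords; 'dave' uses a long passphrase that is not
# in the wordlist, so the audit should leave it unmatched.
SAMPLE_WORDLIST = "123456\npassword\npassword123\nqwerty\nletmein\n"
SAMPLE_HASH_FILE = (
    "alice:482c811da5d5b4bc6d497ffa98491e38\n"
    "bob:5f4dcc3b5aa765d61d8327deb882cf99\n"
    "carol:e10adc3949ba59abbe56e057f20f883e\n"
    "dave:" + hash_word("correct horse battery staple 2024") + "\n"
)

if __name__ == "__main__":
    found = dictionary_audit(SAMPLE_HASH_FILE, SAMPLE_WORDLIST, mode=0)
    for user, pw in found.items():
        status = "WEAK (" + pw + ")" if pw else "not in dictionary"
        print(user + ": " + status)
    print("accounts to force a reset on:", weak_accounts(found))
```

The same table-lookup structure is what makes salted or slow password hashes the mitigation: a per-user salt forces the attacker to rebuild the table for every account.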

https://hashcat.net/hashcat/
The syntax for additional hash types can be found here:
https://hashcat.net/wiki/doku.php?id=example_hashes

If you’d like to learn more about HashCAT, here’s a good intro video
https://www.youtube.com/watch?v=EfqJCKWtGiU
The bottom line is that planning a penetration test at the right time and with the right
rules is important. In between, leverage vulnerability scanning and manual testing to
continue finding issues with less potential impact.

Additional Resource
Most Popular Tool for Penetration Testing Metasploit:
https://metasploit.help.rapid7.com/docs

There are some cases in which penetration testing works well, such as periodically
checking for security gaps or testing security after major network changes.
However, there are also times when penetration testing may not be the best answer,
or when extra precautions should be taken.

Fixing Security Vulnerabilities


System vulnerabilities need to be fixed to stop from being exploited by threats.
Security patches and other fixes can be put in place to mitigate vulnerabilities. You
may find thousands of security gaps and realize that all cannot be fixed at once.

Remediation Planning Fundamentals

Remediation planning helps security professionals understand and prioritize which
vulnerabilities matter most.

The vulnerability remediation process includes five main steps:

● Validate: Confirm that vulnerabilities are valid and remove any false positives.
● Prioritize: Rank vulnerabilities based on risk and other factors that help signify
what should be addressed first.
● Remediate: Work with appropriate resources to fix the issues.
● Retest: Rescan or retest to confirm that the vulnerability has been fixed and
that other gaps were not exposed in the process.
● Close: Document the closure of the vulnerability.
Severity
Ratings are based on the significance of vulnerability and common severity levels
are Critical, High, Medium, and Low.

Without a standard, the same vulnerability could be defined as critical in one place,
while its medium severity in another place. CVSS was created to address this.

The Common Vulnerability Scoring System (CVSS) provides a consistent way to
score findings that can then be translated into a qualitative rating such as low,
medium, high, and critical.

This can help companies accurately evaluate and prioritize findings within their
vulnerability management processes.

Scoring consists of three metric groups:

● Base – access vector, access complexity, impact to CIA, etc.
● Temporal – exploitability, available remediation measure, vuln report
confidence
● Environmental – collateral damage, target distribution, CIA impact

The calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator


Researching and Validating Findings
To prioritize the findings, you have to
1) understand the risk level
2) validate false positives
3) fine tune scan configurations, and more.

● False negative: An instance in which a security tool intended to detect a
particular threat fails to do so. For example, there is a fire present, but the fire
alarm does not sound.
● False positive: An alert that incorrectly indicates that a vulnerability is present.
For example, there is no fire present, but a fire alarm is going off.
● True positive: An alert that rightfully indicates a vulnerability is present. For
example, there is a fire present and the fire alarm rightfully sounds.
Researching Vulnerabilities
You can start at the CVE web page and search for the CVE ID or a keyword related to
the vulnerability.
To learn more, visit the CVE getting started page for beginner tips:
https://cve.mitre.org/about/getting_started.html

If you are using the Nessus tool and it finds a vulnerability, you can see more
information and details on the right.

Prioritizing Findings
Once the false positives are gone, you have a clean list to focus on. The next step
is to group findings into remediation categories based on variables like:
● Severity level
● Budget
● Time and effort to remediate
● Cost-benefit analysis
● Regulatory requirements
General tips for prioritizing findings:
● Severity: The higher the severity level, the more urgent it may be to fix the
issue. For example, “critical” severity issues generally should be prioritized
before those rated at “high” severity.
● Cost-benefit analysis: The cost to fix the vulnerability should not be more
than the potential negative impact of the vulnerability exposure.
● Corporate considerations: Unique factors, such as regulatory compliance
implications must be taken into account. For example, if failing to fix a
vulnerability will lead the company to fail an audit or land in legal trouble the
team may choose to prioritize fixing those findings.

Standardizing the prioritization process:

Establishing a standard prioritization process can help make the remediation process
clean and consistent. Through service level agreements, an organization can outline
parameters regarding how to approach remediation. For example, a rule might be
that any critical issues need to be fixed within 30 days of discovery, while low
severity issues can wait 90 days.

Manual verification is used to remove false positives.


Recommending Remediation Strategies
Information on the fix can be found in the scan report and through CVE research.

Some findings don't make sense to fix, or can't be fixed right away and need a
long-term plan. This is why the choice of remediation strategy matters as well.

There are three main paths of action for remediation:

● Avoid the vulnerability: The gap can be avoided by fixing the issue, adding
controls to mitigate potential impact, or eliminating the asset. If the
recommended strategy is to fix the issue, a rescan should be conducted
afterward to ensure that the issue has indeed been fixed and that no new
vulnerabilities were exposed in the process.
● Accept the vulnerability: The gap can be accepted by documenting the risk
and gaining authorization from an accountable individual. For example, if the
cost to fix an issue is greater than the potential vulnerability impact, you may
consider accepting the issue.
● Transfer the vulnerability: The gap can be transferred to other entities via
insurance or vendor support options.

Companies usually do not have the resources to address every finding right away. In
the remediation strategy, a final recommendation should be selected, documented,
and tracked for every vulnerability.
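To make the prioritization and remediation rules above concrete (SLA deadlines by severity, the cost-benefit test, false-positive removal, and the avoid/accept/transfer decision), here is an added Python example; it is not part of the course notes, and the SLA values for high and medium, the transferable flag, and the sample findings are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Days allowed to fix a finding, by severity. The 30-day critical and 90-day
# low values are the rule from the notes; high and medium are assumptions.
SLA_DAYS = {"critical": 30, "high": 45, "medium": 60, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Finding:
    finding_id: str             # scanner's own id (constructed values below)
    severity: str               # critical / high / medium / low
    discovered: date
    fix_cost: float             # estimated cost to remediate
    exposure_impact: float      # estimated loss if the weakness is exploited
    false_positive: bool = False  # set after manual verification of the scan
    transferable: bool = False    # assumed flag: insurance or vendor support applies

def due_date(f: Finding) -> date:
    """SLA deadline: discovery date plus the allowance for its severity."""
    return f.discovered + timedelta(days=SLA_DAYS[f.severity])

def recommend(f: Finding) -> str:
    """Pick one of the three remediation paths: avoid, accept or transfer."""
    if f.fix_cost > f.exposure_impact:
        # Cost-benefit: the fix costs more than the exposure is worth, so the
        # risk is documented and signed off (accept) or transferred when
        # insurance or vendor support covers it.
        return "transfer" if f.transferable else "accept"
    return "avoid"  # fix it, add mitigating controls, or eliminate the asset

def prioritize(findings, today):
    """Drop verified false positives, then order by severity and SLA due date.
    Each row: (id, recommendation, due date, overdue as of today)."""
    real = [f for f in findings if not f.false_positive]
    real.sort(key=lambda f: (SEVERITY_RANK[f.severity], due_date(f)))
    return [(f.finding_id, recommend(f), due_date(f), due_date(f) < today)
            for f in real]

# Constructed sample scan findings; ids and money values are made up.
SAMPLE = [
    Finding("V-1", "low", date(2024, 1, 1), 100, 1_000),
    Finding("V-2", "critical", date(2024, 2, 10), 500, 50_000),
    Finding("V-3", "critical", date(2024, 1, 20), 0, 0, false_positive=True),
    Finding("V-4", "medium", date(2024, 2, 1), 20_000, 3_000),
    Finding("V-5", "high", date(2024, 3, 1), 40_000, 8_000, transferable=True),
]
```

Calling `prioritize(SAMPLE, date(2024, 3, 20))` drops the false positive V-3 and lists V-2 first, already past its 30-day deadline.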

Preparing for Inevitable Attacks

By the end of this lesson you’ll be able to:


● Explain the relationship between incident response, disaster recovery and
business continuity
● Distinguish events from incidents and recognize indicators of compromise
● Explain the incident response lifecycle
● Recognize the key incident response team roles and core components of an
incident response plan

How you respond to attacks can make or break your company's reputation, financial
posture, compliance status, and more.

Contingency Planning Fundamentals


Contingency Planning is the process of preparing a company to detect, react to, and
recover from threats to assets. The main goal is to bring the company back to a state
of normal operations following a disruptive event.

Business impact analysis is the first step in contingency planning.

There are 3 key parts to contingency planning:


Incident Response: The process of detecting and responding to limit the consequences
of a malicious, unintentional, or circumstantial cyber attack against an organization's
information system(s).
Business Continuity: A predetermined process that describes how an
organization’s mission/business processes will be sustained during and after a
significant disruption.
Disaster Recovery: A predetermined process that details how critical applications
and processes will be restored to normal operations at the primary business site in
the event of a major hardware or software failure or destruction of facilities.
Incident Response Life Cycle
Though the details and nature of incidents may vary, all typically follow a standard response
process organized in several phases:
● Preparation
● Detection and analysis
● Containment
● Eradication and recovery
● Post-incident activity

Preparation: involves building and training an incident response team. It also includes
gathering the right tools and resources to adequately respond to incidents. During
preparation, the organization works to mitigate risk and reduce the number of incidents that
may occur by implementing security controls as well.

Detection and analysis: This step is critical because in reality, it can take companies days,
months, and sometimes years to detect an incident. Based on the severity of the incident,
the organization can mitigate impact by containing and addressing the incident and
ultimately recovering from it.

Containment, eradication, and recovery: This phase often forms a loop with detection
and analysis. For example, because malware can spread quickly, you may find that as you
remove it and work to recover in one area, it gets discovered in another and the process
starts again. After the incident is contained and recovery is well underway or complete,
the organization creates reports that include information on the cause and financial
impact of the incident, as well as lessons learned and steps the company can take to
avoid future incidents.
Internal team members
● Management
● Information Assurance
● IT Support
● Legal Department
● Public Affairs and Media Relations
● Human Resources
● Business Continuity Planning
● Physical Security and Facilities Management

Cyber security staff: The main planning and orchestration responsibility typically lies
with this team, which, for example, manages the cyber security incident detection
technology and other resources.
The management team: establishes the incident response policy, budget, and staffing,
which are fundamental pieces of the incident response team process.
IT support: may also be needed during certain stages of incident handling, for example
to change firewall rules in the middle of an incident.
Legal experts: can help, especially in an incident where there might be legal
ramifications, including evidence collection, prosecution of a suspect, or other matters.
Digital forensics experts: are another element of the team.
Public affairs: depending on the magnitude and impact of the incident, you might need
public affairs and media relations resources to inform the media and, by extension, the
public.
HR: may need to be involved if, for example, you're dealing with a malicious insider who
needs to be reprimanded or potentially terminated.
External contacts, for example:
Internet service provider: if you're experiencing a denial of service incident where
you are being flooded with fake traffic, you may contact your ISP to block that traffic
and slow or stop the incident.
Law enforcement: if you're dealing with cyber terrorists, you may need to get law
enforcement or the FBI involved.
Vendor: if you're dealing with a zero-day exploit, you may work with your vendor
or your support team to address the issue.

There are also trusted information sharing organizations that incident response teams
participate in so that they can learn from each other about the latest attack attempts
and trends. The incident response team should document all of this contact
information.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Exercise:
You just received an alert that a critical server on your network is receiving traffic
from various IP addresses and no longer has the capacity to handle the number of
requests coming through – they are almost ten times the amount of normal traffic.
Which actions relate to each phase of the incident response lifecycle?

Preparation
● Monitor networks for unusual activity daily
● Document your infrastructure
● Establish an inventory of your critical assets and processes
● Test DDoS response plan
● Implement an incident response policy that all employees must read
● Implement a security strategy
Detection and Analysis
● Confirm that a distributed denial-of-service attack is occurring
● Understand the logical flow of the DDoS attack and identify the infrastructure
components affected by it
● Review the logs of servers, routers, firewalls, applications, and other impacted
infrastructure
Containment, Eradication, and Recovery
● Throttle or block excessive traffic
● Contact ISP for support in blocking traffic
Post-Incident Activity
● Create a report summarizing the incident and challenges faced throughout
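An added example, not from the course notes, of the detection-and-analysis and containment steps of this exercise run over constructed log lines: it buckets requests per second, flags a peak near ten times the baseline, and lists the sources that a throttling rule or an ISP block request would cover. The baseline rate, the ten-times threshold, the log format and the IP addresses (documentation ranges) are assumptions.

```python
from collections import Counter, defaultdict

BASELINE_RPS = 5   # assumed normal request rate for this server
FLOOD_FACTOR = 10  # the exercise describes traffic near ten times normal


def make_sample_log():
    """Constructed log lines: '<timestamp> <source_ip> <request>'. One normal
    second from two regular clients, then one second of flood traffic spread
    over ten sources (all addresses are documentation ranges)."""
    lines = [f"2024-03-20T10:00:00 192.0.2.{10 + i % 2} GET /index.html"
             for i in range(5)]
    lines += [f"2024-03-20T10:00:01 203.0.113.{1 + i % 10} GET /login"
              for i in range(50)]
    return lines


def analyze(lines, baseline=BASELINE_RPS, factor=FLOOD_FACTOR):
    """Detection and analysis: bucket requests per second, compare the peak
    against the baseline, and summarise where the peak traffic came from."""
    per_second = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        ts, ip, _request = line.split(" ", 2)
        per_second[ts] += 1
        sources[ts][ip] += 1
    peak_ts, peak = per_second.most_common(1)[0]
    return {
        "flagged": peak >= baseline * factor,  # confirm a DDoS is occurring
        "peak_second": peak_ts,
        "peak_rps": peak,
        "ratio_to_baseline": peak / baseline,
        "distinct_sources": len(sources[peak_ts]),
        "sources": sources[peak_ts],
    }


def containment_candidates(report, min_share=0.05):
    """Containment: sources that each sent at least min_share of the peak
    second's requests, as input to throttling rules or an ISP block request."""
    if not report["flagged"]:
        return []
    total = report["peak_rps"]
    return sorted(ip for ip, n in report["sources"].items()
                  if n / total >= min_share)
```

The "sources" counter in the report is also what the review-the-logs step would hand to the people checking routers, firewalls and applications for the same addresses.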

Incident Response Planning


The goal of the plan is to equip the company with the information and resources
needed to detect and respond to limit the consequences of malicious, unintentional,
or circumstantial cyber attacks.

Common elements of an incident response planning process include:


● Establishing roles and contact information
● Outlining notification steps
● Creating an incident procedure checklist
● Determining how to categorize and prioritize incidents
● Providing guidance on business continuity and disaster recovery triggers and
steps
● Provisions for the continuous improvement process
It's important to distinguish what constitutes an event from an incident. Not all events
are incidents, but all incidents involve events.

Event: is any observable occurrence or action that happens in an information
system. Events are everyday activities that are monitored for any signs that suggest
something suspicious is happening.
Incident: is an occurrence, much like an event, that actually or potentially jeopardizes
the confidentiality, integrity, or availability of a system. Incidents typically pose an
imminent threat of violation of security policies and procedures.
Indicators of compromise (IoC): A known signal that suggests a potential event is
indeed an incident.

How do you know when you need to use the incident response plan?
The incident response plan usually gets activated when there is a credible indicator
of compromise or confirmed incident.
dormant accounts (inactive accounts)
Digital Forensics
Digital forensics enables security professionals to conduct investigations into
breaches whether from external or internal threat actors.
Digital forensics is the application of computer science and investigative procedures
involving the examination of digital evidence. The process includes collecting,
preserving, analyzing, and reporting on evidence. It’s relevant at all stages of the
incident response life cycle.

● Identifying – This is the practice of finding and collecting the suspected
original source or asset believed to contain evidence. (Example: The
investigator has pinpointed a suspicious IP address belonging to the laptop in
Ohio. The digital forensics investigator may have a co-worker send them the
suspected laptop for analysis.)

● Preserving – This is the practice of ensuring the integrity of the collected
evidence and preserving a "digital trail" of the data or media. (Example: It's
essential to monitor how the computer and any copies of data have been
handled since being taken from the employee, along with who had access.)
● Analyzing – This is the investigative portion of the process where a forensics
practitioner begins looking into the acquired asset or media data to find
evidence of the suspected crime. (Example: The investigator may look
through documents, email and chat conversations, browser website history,
hard drives, and other user activities.)

● Reporting – This is the process of creating a report of findings from the
investigation for presentation to stakeholders and, in some cases, an attorney
or jury in court. Reporting must also be tailored to the audience. In a court
case where the jury is not technically savvy, findings must be explained in
ways that are easy to understand for everyone. Failure to do so might render
even the most irrefutable evidence ineffective. (Example: A digital forensics
investigator may debrief a company's technical leaders in detail and then give
a high-level summary to the general manager.)

Which concept can best help determine if evidence has been tampered with (i.e., manipulated)?
Hashing
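An added example, not from the course notes, of how hashing supports the Preserving step and answers the question above: a chain-of-custody log that hashes the evidence item at acquisition and again at every hand-off, so a change made in transit shows up as a mismatch at that step. The item id, handler names, and the bytes standing in for the Ohio laptop's disk image are constructed.

```python
import hashlib
from datetime import datetime, timezone


def sha256_of(data: bytes) -> str:
    """Fingerprint of an evidence item; any single changed byte changes it."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Chain-of-custody record for one evidence item: the hash taken at
    acquisition is the reference, and every later hand-off re-hashes the
    item so tampering shows up as a mismatch at that step."""

    def __init__(self, item_id, data, handler, when=None):
        self.item_id = item_id
        self.reference_hash = sha256_of(data)
        self.entries = []
        self.record("collected", handler, data, when)

    def record(self, action, handler, data, when=None):
        """Append a hand-off entry; returns True if the item still matches."""
        digest = sha256_of(data)
        when = when or datetime.now(timezone.utc)
        self.entries.append({
            "action": action,
            "handler": handler,
            "when": when.isoformat(),
            "sha256": digest,
            "intact": digest == self.reference_hash,
        })
        return self.entries[-1]["intact"]

    def first_break(self):
        """The first hand-off at which the item no longer matched, or None."""
        for entry in self.entries:
            if not entry["intact"]:
                return entry["action"]
        return None


# Constructed stand-in for an acquired disk image (a few bytes, not a real image).
IMAGE = b"constructed disk image of the Ohio laptop: user files, browser history"
LOG = CustodyLog("LAPTOP-OH-01", IMAGE, "collector A")
LOG.record("shipped to forensics lab", "courier", bytes(IMAGE))  # unchanged copy
TAMPERED = IMAGE[:-7] + b"altered"  # same length, one word changed in transit
LOG.record("received at lab", "analyst B", TAMPERED)
```

Because a bit-for-bit copy hashes identically, the same check also verifies that a working copy handed to an analyst is faithful to the original.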

● Secured password techniques
● Vulnerability prioritization
● Incident response plan - Tips
