Chapter 7 Flashcards

(199 cards)

1
What is the overall purpose of responding to attacks on industrial networks?
To minimize the consequences of an attack and restore normal operation.
2
Which main response measures are listed at the start of Chapter 7?
Incident response, network forensics, contextualization, and recovery.
3
What is incident response in the context of industrial security?
The process by which an organization prepares for and handles a security incident such as a cyberattack.
4
What does incident response include besides handling the attack itself?
It also includes managing the fallout and consequences of the incident.
5
What is the overarching goal of responding to a security incident in industrial networks?
Return to normal operation as quickly as possible.
6
Why is quick return to normal operation especially important in industrial networks?
Because availability is one of the most important security goals in industrial environments.
7
Why should organizations generally not try to evict an incident immediately?
Immediate eviction can destroy evidence and make forensic analysis harder.
8
Why can immediate eviction be strategically harmful?
Because additional hidden layers of the incident may still be present in the system.
9
Why should systems generally not be powered down immediately during an incident?
Because volatile and valuable forensic data could be lost.
10
What should be analyzed before altering the state of compromised systems?
All available system and component logs should be analyzed.
11
Why should disk images be cloned before deeper investigation?
To preserve the original state for later forensic analysis.
12
Why might reverse engineering malware be necessary during incident response?
To understand what the malware does, how it entered the system, and what damage it may have caused.
13
What is a security incident?
An occurrence of a security-related event that violates or threatens to violate security policies, acceptable use policies, or standard security practices.
14
What is a general incident?
An occurrence of an event.
15
What makes a security incident different from a normal event?
It is security-related and involves an actual or imminent policy violation or threat.
16
Give an example of a security incident in an industrial network.
Executing malicious code on a system.
17
Give another example of a security incident in an industrial network.
Impaired or disrupted availability of industrial systems or equipment.
18
What industrial-program changes are explicitly named as security incidents?
Unauthorized changes to a PLC or HMI program.
19
What equipment-related example is named as a security incident?
Loss or theft of equipment storing process-related data.
20
Which network-wide attack is explicitly listed as a security incident example?
A distributed denial-of-service attack.
21
What operations-related example of a security incident is given?
Interference with the proper operation of industrial systems.
22
What login-related example is given as a possible security incident?
Excessive failed login attempts.
23
What undesirable human reaction often appears early during a security incident according to the lecture?
Disorientation and actionism.
24
What harmful question often appears too early during a security incident?
The question of guilt or who is to blame.
25
Why is focusing too early on blame counterproductive?
Because it delays structured problem solving and slows resolution.
26
What should replace actionism during incident handling?
Ordered crisis management.
27
What is the practical goal of organized incident handling shown in the lecture graphic?
Reduce the time needed to solve the problem.
28
What are key questions incident responders should ask first?
What happened, what indicators exist, what data leaked, which systems are affected, what can or must be done, and which tools were used.
29
What are the main goals of an incident response process?
Limit damage, keep recovery time and costs low, and constrain collateral damage.
30
Why does an organization need an incident response plan?
It helps prepare for incidents and provides clear procedures for handling them.
31
What should an incident response plan define explicitly?
What counts as an incident and what does not.
32
What kind of guidance should an incident response plan provide?
Clear, guided processes and procedures to follow in case of a security incident.
33
Why is an incident response plan especially important in OT environments?
Because ad hoc decisions during an attack can endanger availability and safety.
34
What is an incident response team?
A central contact point for anyone who discovers or suspects an incident.
35
What does an incident response team do?
It analyzes incident data, determines impact, limits damage, and restores normal services.
36
Why is 24/7 availability often important for an incident response team?
Because security incidents can happen at any time and may need immediate handling.
37
What are two organizational models for incident response teams?
Central vs. distributed and employed vs. partially outsourced.
38
What does the lecture say the success of an incident response team depends on?
Cooperation both within and outside the organization.
39
Why is cooperation outside one's own organization important for incident response?
Because vendors, service providers, and external experts may be needed to analyze or mitigate incidents.
40
What are the four major phases of incident response?
Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-incident Activity.
41
What is the first incident response phase?
Preparation.
42
What is the second incident response phase?
Detection and Analysis.
43
What is the third incident response phase?
Containment, Eradication, and Recovery.
44
What is the fourth incident response phase?
Post-incident Activity.
45
Why is incident response presented as phases?
Because effective response requires a structured process rather than improvised actions.
46
What does the preparation phase include?
Developing the incident response plan, building the team, acquiring tools and resources, and implementing prevention measures.
47
What human preparation task is emphasized in the preparation phase?
Establishing and training the incident response team.
48
What communication-related resources are needed in preparation?
Communication equipment and communication processes for team members.
49
What investigation tools are explicitly named for preparation?
Forensic software, protocol analyzers, and a forensic workstation.
50
What analysis resources are explicitly listed for preparation?
Current baselines, used ports and protocols, asset inventories, and cryptographic hashes of critical files.
51
What mitigation resources are explicitly named for preparation?
Approved system images and clean operating systems and applications for restoration.
52
Why are cryptographic hashes of critical files useful in preparation?
They help later verify file integrity during incident analysis.
53
Why are asset inventories useful during incident response?
They help identify affected systems and understand what belongs in the environment.
54
How is preparation linked to prevention?
Preparation also includes attempting to reduce the number of incidents through preventive measures.
55
Which preventive themes from earlier chapters are referenced in preparation?
Risk assessment, host and network security, and user awareness and training.
56
What is the purpose of the Detection and Analysis phase?
To identify potential incidents, analyze them, validate them, and determine their scope and priority.
57
What kinds of measures typically trigger the Detection and Analysis phase?
Detective measures such as IDS alerts.
58
Why does efficient incident analysis require specialized knowledge?
Because both IT and OT expertise are needed to interpret incident-related data correctly.
59
What is a precursor?
A sign that an incident may likely occur in the future.
60
What is an indicator?
A sign that an incident may have occurred already or is occurring now.
61
Give an example of a precursor from the lecture.
Log entries hinting at vulnerability scanners.
62
Give another example of a precursor from the lecture.
Announcements of vulnerabilities in used software.
63
Give a third example of a precursor from the lecture.
Targeted threats.
64
Give an example of an indicator from the lecture.
A specific IDS sensor alert.
65
Give another example of an indicator from the lecture.
Detected malware.
66
What audit-log symptom is listed as an indicator?
Missing records in audit logs.
67
What login-related symptom is listed as an indicator?
Failed login attempts.
68
What flow-related symptom is listed as an indicator?
Unusual traffic flows.
69
Why is the distinction between precursor and indicator important?
Because it separates future risk signals from signs of an ongoing or completed incident.
70
What is meant by validation of a suspected incident?
Checking whether observed signs really correspond to an actual incident.
71
Why is quick initial analysis important?
Because it determines incident scope and supports prioritization.
72
Which technical scope questions should quick initial analysis answer?
Which networks, systems, and applications are affected.
73
Which origin question should quick initial analysis answer?
Who or what originated the incident.
74
Which mechanism question should quick initial analysis answer?
How the incident is occurring, such as through which attack tools or vulnerabilities.
75
Why should initial analysis provide enough information for prioritization?
Because containment and deeper analysis must be ordered according to impact and urgency.
76
What three prioritization dimensions are explicitly named?
Functional impact, information impact, and recoverability.
77
What is functional impact in incident prioritization?
The effect of the incident on operations and services.
78
What is information impact in incident prioritization?
The effect on confidentiality, integrity, or sensitive data.
79
What is recoverability in incident prioritization?
How difficult and costly it is to restore normal operation.
80
What must be documented during detection and analysis?
Response actions, issue tracking, and gathered evidence.
81
Why is action logging during incident response important?
It preserves a clear history of what was done and supports both coordination and later review.
82
Why is containment important in incident response?
It prevents the incident from overwhelming resources or causing more damage.
83
What is one strategic benefit of containment?
It buys time to develop a tailored remediation strategy.
84
What kinds of decisions may be required during containment?
Whether to shut down systems, disconnect them, or disable functions.
85
Why is containment difficult in industrial networks?
Because it can itself damage service availability or the physical process.
86
What should be considered when selecting a containment strategy?
Potential damage or theft of resources, evidence preservation, service availability, required time and resources, effectiveness, and duration of the solution.
87
Why must evidence preservation be considered during containment?
Because containment actions can destroy forensic traces.
88
Why must service availability be considered during containment?
Because containment can disrupt connectivity and services in a production environment.
89
Why must the implementation effort of containment be considered?
Because some strategies take too long or require unavailable resources.
90
Why must the effectiveness of containment be evaluated?
Because some strategies only partially contain the incident.
91
Why must the duration of the containment solution be considered?
Because some solutions are only emergency workarounds while others are permanent.
92
What warning does the lecture explicitly give about containment?
Containment may trigger additional damage.
93
Why should evidence be gathered as soon as possible?
Because later response actions may change or destroy it.
94
What is chain of custody?
A documented record showing how evidence was collected, handled, transferred, and protected over time.
95
Why is chain of custody important?
It helps preserve evidence integrity and later legal admissibility.
96
What should be collected before major changes such as eradication or recovery?
Evidence and logs.
97
What is eradication in incident response?
Eliminating the components of the incident.
98
Give an example of eradication from the lecture.
Deleting malware.
99
Give another example of eradication from the lecture.
Disabling breached accounts.
100
What vulnerability-related task belongs to eradication?
Identifying and mitigating all vulnerabilities that were exploited.
101
Why is eradication not just deleting obvious malware?
Because all exploited weaknesses must also be addressed to prevent reinfection or repeated compromise.
102
What is recovery in incident response?
Restoring systems to normal operation after containment and eradication.
103
Give an example of recovery from the lecture.
Restore from backups.
104
Give another example of recovery from the lecture.
Rebuild machines.
105
Give a third example of recovery from the lecture.
Reset credentials.
106
What additional step does recovery include besides restoring systems?
Validation of proper and normal functionality.
107
Why is validation important during recovery?
Because systems must be confirmed to operate correctly and safely before full return to service.
108
Why does the lecture recommend a phased and long-term recovery approach?
Because recovery changes should improve overall security and help prevent future incidents.
109
What is the purpose of post-incident activity?
To learn from the incident, improve future response, and retain relevant evidence and metrics.
110
What is the central concept of the post-incident phase?
Lessons learned.
111
Why are lessons learned important?
They improve the incident response process and incident response plan.
112
What should be reviewed during lessons learned?
The activity log, precursors and indicators, changes needed for similar incidents, actions to prevent similar incidents, and need for additional tools or resources.
113
Why should organizations retain incident data after the incident?
To analyze trends such as cost, response time, and frequency of incidents.
114
What example incident metrics are explicitly mentioned?
Number of incidents handled, time per incident, and objective and subjective assessment of each incident.
115
What determines how long evidence should be retained?
Possibility of prosecution, regulations governing data retention, and cost.
116
Why should incident response plans be exercised?
To identify weak areas and train the response team.
117
Why can incident-response exercises be combined with security assessments?
Because both help reveal weaknesses in procedures and defenses.
118
Why might partial testing be useful before a full exercise?
It provides training without the disruption risk of a full test.
119
What should exercises mimic?
Real-world scenarios, including worst-case scenarios.
120
Who should be covered by incident-response exercises?
All staff who would be involved in a real incident response.
121
Why should exercises be held periodically?
Because procedures, staff, facilities, equipment, and the threat landscape change over time.
122
What is the summary of incident response given in the lecture?
It prepares for and handles security incidents, is often triggered by detective measures, is carried out via a plan and a team, and aims to restore normal operation while constraining damage.
123
What usually triggers the start of incident response according to the lecture summary?
Detective security measures such as an IDS.
124
What is the main trade-off highlighted in the incident response summary?
Containment and recovery can themselves cause collateral damage.
125
What is forensics in the context of Chapter 7?
The systematic investigation of criminal acts using evidence found in computers and digital storage media related to security incidents.
126
What fundamental questions should forensics help answer?
Who, what, where, when, with what, how, and why.
127
What is contextualization in Chapter 7?
Putting found evidence into context by augmenting it with additional data.
128
Why is contextualization useful?
Because evidence alone may be incomplete, and extra context can reveal actors, locations, or related campaigns.
129
What kinds of additional context are explicitly mentioned?
Actors involved, geographical and network locations of activity, and similar malware strains.
130
What is digital forensics?
The science of investigating and recovering information from digital devices.
131
What is computer forensics?
The identification, preservation, recovery, and analysis of digital information from a computing device.
132
What is network forensics?
Monitoring and analysis of network traffic for anomalous traffic types and for intrusion-detection-related investigation.
133
What is forensic data analysis?
Examination of data structures to discover patterns of activity.
134
What can forensic evidence reveal about an attack?
Its origin, effects, and detailed sequence of events.
135
How can forensic evidence improve security beyond the current incident?
It helps identify attackers, vulnerabilities, and affected devices and can inform future defenses.
136
Why can forensic evidence have legal value?
Because it may serve as admissible evidence in court or other formal proceedings.
137
Is forensic analysis usually proactive or reactive?
It is typically reactive.
138
When is forensics usually performed?
After an incident and possibly after incident response actions begin.
139
What is the main task of forensic work according to the lecture?
Collect and evaluate data.
140
What three basic questions guide forensic data collection?
What has been recorded, what of it is relevant, and how can it be secured without modification.
141
Why does forensics compete with incident response?
Because responders want to reduce damage and restore systems quickly, while forensics wants to preserve evidence carefully.
142
How are forensics and incident response still connected?
Incident response teams also rely on forensic methods.
143
Why should security measures be adapted after forensic analysis?
Because forensic findings reveal weaknesses and attack paths that should inform improved defenses.
144
What are the five high-level steps of forensic investigation?
Preservation, Acquisition, Examination, Analysis, and Reporting.
145
What is preservation in forensic investigation?
Collecting evidence sources and maintaining their integrity.
146
What is acquisition in forensic investigation?
Extracting evidentiary data from collected sources, often as a forensic image file.
147
What is examination in forensic investigation?
Parsing acquired data into readable objects or output.
148
What is analysis in forensic investigation?
Interpreting recovered information to determine what story the evidence tells.
149
What is reporting in forensic investigation?
Documenting all investigation procedures and conclusions.
150
Why is preservation the first forensic step?
Because evidence must remain intact and trustworthy before deeper processing occurs.
151
Why is reporting an essential forensic step?
Because procedures and conclusions must be documented clearly and defensibly.
152
What is network forensics in a nutshell?
Monitoring and analyzing network traffic for forensic purposes.
153
What four types of network-based evidence are listed in the lecture?
Full content data, session data, alert data, and statistical data.
154
What is full content data in network forensics?
Every single piece of information passing across a network preserved as packet capture.
155
What is session data in network forensics?
Aggregated traffic metadata, usually grouped into flows or conversations between hosts.
156
What is alert data in network forensics?
Alerts or events generated by security devices such as SIEM systems or intrusion detection systems.
157
What is statistical data in network forensics?
Metadata such as conversation start and end times, numbers of services and protocols, outliers, and average packet size or rate.
158
Why is full content data theoretically ideal for forensics?
Because it preserves all information in every captured packet.
159
Why is full content data hard to realize in practice?
Because storage, capturing, and processing capabilities are limited, especially in large or high-speed networks.
160
What is one simple but risky way to reduce storage needs in full-content collection?
Sampling monitored traffic.
161
Why is sampling risky in network forensics?
Because unsampled information is lost and rare events may be missed.
162
Why do vantage points matter in packet capture?
Because different observation points see different parts of the traffic and affect later analysis quality.
163
What is the main idea of session data collection?
Capture metadata and statistics for flows instead of storing every packet in full.
164
How is a flow typically defined for session-data collection?
By the 5-tuple of source IP, destination IP, source port, destination port, and protocol.
165
What information may be included in a flow record?
Flow start and end time, number of packets and bytes, and special flags.
166
What is a flow exporter?
A component that creates flow records.
167
What is a flow collector?
A component that receives, stores, and preprocesses flow records.
168
Which flow protocols are explicitly mentioned?
NetFlow and IPFIX.
169
Why is session data cheaper than full packet capture?
Because it stores summarized metadata instead of every packet payload.
170
What is the trade-off of session data compared to full content data?
It is more scalable but preserves less detail.
171
How does forensic analysis differ from intrusion detection?
Intrusion detection performs automatic near-real-time analysis, while forensic analysis is retrospective and often manual.
172
Why are IDS alerts often the starting point for forensic investigation?
Because they indicate suspicious events that should be examined in depth afterward.
173
What does the lecture mean by forensic analysis as an end-to-end concept?
Tracking all elements of an attack, including how it began, what intermediate systems were used, and who was attacked.
174
What is meant by locating evidence in forensic analysis?
Searching on devices used during the attack to learn more about the attack and attacker.
175
What is event analysis in forensic work?
Correlating and contextualizing collected events and data from many sources to derive the full picture.
176
What are good forensics practices meant to ensure?
That obtained evidence remains trustworthy and admissible.
177
What is the first major good-forensics practice emphasized?
Preservation of evidence integrity.
178
How can evidence integrity be preserved according to the lecture?
Avoid altering the original device or data, disconnect from the Internet, and maintain strict chain of custody.
179
What is the second major good-forensics practice emphasized?
Documentation of all procedures.
180
Why must investigators understand their own tools and methodology?
So they can explain how evidence integrity was preserved throughout the investigation.
181
What is the third major good-forensics practice emphasized?
The investigation must remain within scope.
182
What does staying within scope mean in forensic investigations?
Only access devices and data for which there is permission under corporate policy and legal boundaries.
183
What is the purpose of contextualization in incident handling?
To augment evidence with further contextual data that improves understanding of the incident.
184
Why can contextualization be extremely powerful?
Because it can connect isolated evidence to actors, campaigns, infrastructure, or geographic patterns.
185
What network-related artifacts can be used for contextualization?
Domain names and IP addresses.
186
What contextual sources are listed for domain names or IP addresses?
Routing information, geolocation, passive DNS, sandbox reports, and WHOIS history.
187
What binary-related artifacts can be used for contextualization?
Binary or malware samples and file hashes.
188
What contextual sources are listed for malware samples or file hashes?
Online virus scanners with heuristic detection and sandbox reports.
189
What actor-related contextual information is mentioned?
Information on APT groups, operations, and threat actors.
190
What risk is associated with extending context?
The analyst may leave traces such as the queried data itself, source IP, or user agent.
191
Why does contextualization itself require operational caution?
Because external lookups can reveal that an investigation is taking place.
192
What is the lecture’s summary of forensics and contextualization?
Forensics retrospectively analyzes incidents to build a comprehensive picture for better security and possible prosecution, while contextualization augments evidence with additional data such as actor and malware information.
193
Why is evidence integrity described as being of utmost importance?
Because evidence must remain trustworthy and admissible, especially for court proceedings.
194
What can contextualization help identify besides the immediate technical artifact?
Actors involved, their locations, and similar malware campaigns.
195
What is the key takeaway of Chapter 7 about security incidents?
Security incidents are occurrences of security-related events and are often alerted by detective approaches.
196
What is the key takeaway of Chapter 7 about incident response?
It is a plan-driven process for handling incidents and returning to normal operation while constraining damage.
197
What is the key takeaway of Chapter 7 about forensics?
It complements incident response by analyzing incidents after the fact to improve security and potentially enable prosecution.
198
How do incident response and forensics complement each other?
Incident response focuses on limiting damage and restoring service, while forensics reconstructs what happened and preserves evidence.
199
Why should response not be separated from later improvement work?
Because lessons learned and forensic findings should feed back into stronger security measures.