An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an IoC?
When an Indicator of Compromise (IoC) is detected, the blue team's primary responsibility is to initiate the incident response procedures. This involves activating runbooks, which contain predefined instructions and guidelines for responding to and managing the incident. The initial response aims to contain the threat and prevent further damage, ensuring a structured and effective reaction to the security event. Conducting forensics and reimaging systems are typically subsequent steps in the process after the immediate response has been initiated.
Incident is detected, now incident response has to happen. Runbook describes everyone's roles during incident response.
agreed
This is a simulation - so the blue team has to do forensics not incident response
What??? The whole point of having red team sims is to practice incident response? If your first move is forensics then the red team will own your whole network before you even know what is going on
Forensics may be necessary to understand the root cause, gather evidence, and improve future defenses. However, it typically occurs after the initial incident response steps have been taken.
After detecting an Indicator of Compromise (IoC), the blue team's primary action will be to activate runbooks for incident response. Incident response runbooks are predefined procedures and guidelines that outline the steps to be taken when specific security incidents are detected. These runbooks are essential for organizing and streamlining the response process to security incidents, including those identified through IoCs.
Runbooks = A runbook is a comprehensive document or set of documents that provides detailed instructions on how to perform routine IT operational tasks and procedures. Playbooks = A playbook is a set of predefined procedures and guidelines for responding to specific incidents or events, particularly in the context of IT security incident response. You use playbooks in incident response, not runbooks. Forensic is crucial to identification phase of incident response. You only have an IoC and no clue where it came from and what it's doing. Need to figure it out before you contain and eradicate it. Then proceed with recovery and lessons learned.
Forensics would never happen during or after a PenTest as not only do you know what the testers did as you hired them, but there are blue teams (defense), white (referees) and purple (red/blue mix) teams which are meant to work to stop and / or respond to the attack. The response to the IoC is what the blue needs to do and therefore the answer is B runbook. https://www.quora.com/Is-penetration-testing-a-part-of-cyber-forensic
Answer is definitely C. It is playbooks, not runbooks that contain the procedures to be undertaken by the Security teams for incident response to an event. First step of incident response is isolation, then comes Enumeration (forensics).
Read this article https://www.crowdstrike.com/cybersecurity-101/indicators-of-compromise/ioa-vs-ioc/ IOC means the system has already been breached, the most logical thing to do is to start an incident response. We can do forensics later.
After detecting an Indicator of Compromise (IoC), the blue team will conduct forensics on the compromised system. Forensics analysis will enable the blue team to identify the root cause of the security incident and determine the extent of the damage. It can also help identify other compromised systems, as well as the tactics, techniques, and procedures (TTPs) used by the red team. Based on the findings, the blue team can then take appropriate steps to contain, mitigate, and remediate the incident. Reimaging the impacted workstations may be one of those steps, but it depends on the specific circumstances and the findings of the forensics analysis. Activating runbooks for incident response and conducting passive reconnaissance are also important steps, but they are not directly related to detecting and analyzing an IoC.
While you're doing your forensics work the red team is proliferating across your network and wreaking havoc. This is basic, stop the bleeding first. Then when you're sure that the breach is contained you can start your forensics work. The IoC is the trigger to activate the runbook. We're not interested in analyzing the IoC itself, we're interested that there is an IoC at all.
You must activate incident response once you detect an IoC. That's the whole point of the exercise. Blue Team Members are generally part of the CIRT Team; this particular example helps the company see how their incident response is.
I thought since this is a pen test C would be right, but according to Mike Meyers B is correct. "Penetration tests are treated as an exercise between two teams. The red team is tasked with the job of performing the penetration testing. They’re the ones we more typically think of as the hacker types who use clever attacks and tools to get into other folks’ networks. Red teams emulate potential attacker techniques. But the red team is only part of the pen test exercise. Every good pen test also includes a blue team, the insider team, the defender if you will. Any good pen test isn’t just the red team against your infrastructure. Just as in a real-world attack, your inside folks, your blue team, would work actively to mitigate any attack—even one taking place in real time." Mike Meyers Security+ Cert Guide Third Edition SY0-601
Forensics is primarily done to determine who is to blame. That's not the immediate next step. You should be more concerned with understanding the compromise, and limiting it. You can do so while ensuring that evidence is preserved. This is where incident response comes in. So the correct answer should be B.
After detecting an Indicator of Compromise (IoC), the blue team’s immediate response would be to activate runbooks for incident response. These runbooks contain procedures for dealing with specific types of incidents and are designed to provide an effective and rapid response to mitigate the impact of the incident. Therefore, the answer is B. Activate runbooks for incident response. Other options may be part of the overall incident response process, but they would typically occur after the initial response has been activated. For example, conducting forensics on the compromised system (option C) would usually happen after the incident response process has been initiated. Similarly, reimaging the impacted workstations (option A) might be a part of the recovery process, which would also typically occur after the initial response. Passive reconnaissance (option D) is more related to gathering information about potential threats and would not be the immediate response to an IoC detection.
incident response includes a procedure to conduct forensics
The correct answer here is "B." The blue team would respond using Runbooks, which would be a standard response given to both new and seasoned employees on how to respond when an IoC (indicator of compromise) has been detected. Forensics is an after-action review method, and the attack needs to be prevented or stopped at this point, not analyzed. Conducting passive action will not stop the attack, and re-imaging the computers would not be useful while the attack is currently happening. You first would need to stop the attack, quarantine the affected systems, and then re-image. The only logical answer is Runbooks.
I'm going to go with what NIST says and choose C. The Blue Team identifies security threats and risks in the operating environment, and in cooperation with the customer, analyzes the network environment and its current state of security readiness. Based on the Blue Team findings and expertise, they provide recommendations that integrate into an overall community security solution to increase the customer's CS readiness posture. Often times a Blue Team is employed by itself or prior to a Red Team employment to ensure that the customer's networks are as secure as possible before having the Red Team test the systems. https://csrc.nist.gov/glossary/term/blue_team
From the official CompTIA S+ book: "Blue team—performs the defensive role by operating monitoring and alerting controls to detect and prevent the infiltration", hence the answer is B.
After detecting an Indicator of Compromise (IoC), the blue team would typically activate runbooks for incident response. Runbooks are predefined procedures or processes that guide the response actions to be taken when a security incident or compromise is detected. These runbooks outline the steps and actions to be followed, including notifying appropriate stakeholders, containing the incident, and initiating an investigation.
Answer is C. You've been compromised. There's an indicator it happened. The attack is over. It's in the past now. Whodunnit (attribution) is in the future and the evidence needs to be acquired by gathering evidence (forensics). This is straight out of law enforcement: murder/forensics/blame in that order.
Absolutely incorrect. Who says the attack is over? To continue your law enforcement analogy, if you were alerted that a murder is in progress, would you start collecting evidence while it was ongoing, or activate a plan to try and stop the murder from happening? From a single indicator of compromise there's no way of knowing whether the attacker is currently monitoring your environment or has been long gone. Following your runbook is the best bet. Forensics is often part of the post-incident activity of a runbook.
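Several replies above argue the same ordering: the IoC is the trigger that selects a runbook, containment comes first, evidence is preserved, and forensic analysis and reimaging follow. The following Python is an added example written for this page, not code from any of the commenters, CompTIA, NIST or a vendor. The phase names, the two IoC kinds, the runbook steps and the sample IoC are all constructed for illustration; the point it demonstrates is a runbook walker that refuses to run forensics or reimaging before containment and evidence preservation have happened.

```python
"""Runbook-driven handling of a detected IoC (constructed example).

Phases, IoC kinds and runbook steps below are assumptions for the
illustration, not any framework's or vendor's definitions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Phase(Enum):
    """Response phases in the order a runbook must walk them."""
    DETECTION = 1
    CONTAINMENT = 2
    EVIDENCE_PRESERVATION = 3
    FORENSIC_ANALYSIS = 4
    ERADICATION = 5
    RECOVERY = 6
    LESSONS_LEARNED = 7


@dataclass
class Ioc:
    kind: str   # constructed category, e.g. "c2_beacon"
    host: str
    value: str


@dataclass
class Incident:
    ioc: Ioc
    phase: Phase = Phase.DETECTION
    evidence_captured: bool = False
    log: list = field(default_factory=list)


# Constructed runbooks: ordered (phase, action) steps keyed by IoC kind.
RUNBOOKS = {
    "c2_beacon": [
        (Phase.CONTAINMENT, "block beacon destination at egress firewall"),
        (Phase.CONTAINMENT, "isolate host from network, leave it powered on"),
        (Phase.EVIDENCE_PRESERVATION, "capture memory image and volatile state"),
        (Phase.FORENSIC_ANALYSIS, "review image for persistence and lateral movement"),
        (Phase.ERADICATION, "remove persistence, rotate credentials used on host"),
        (Phase.RECOVERY, "reimage host from known-good baseline"),
        (Phase.LESSONS_LEARNED, "tune detections and update this runbook"),
    ],
    "known_bad_hash": [
        (Phase.CONTAINMENT, "quarantine file and isolate host"),
        (Phase.EVIDENCE_PRESERVATION, "preserve file, process tree and logs"),
        (Phase.FORENSIC_ANALYSIS, "determine execution and scope across fleet"),
        (Phase.ERADICATION, "remove file and any dropped artefacts"),
        (Phase.RECOVERY, "reimage host if execution is confirmed"),
        (Phase.LESSONS_LEARNED, "add hash to blocklist, update this runbook"),
    ],
}


def validate_runbook(steps):
    """Reject runbooks whose phases run backwards, or that analyse or
    reimage before an evidence-preservation step has appeared."""
    last = Phase.DETECTION
    evidence_step_seen = False
    for phase, action in steps:
        if phase.value < last.value:
            raise ValueError(f"step '{action}' moves back to {phase.name}")
        if phase is Phase.EVIDENCE_PRESERVATION:
            evidence_step_seen = True
        if phase in (Phase.FORENSIC_ANALYSIS, Phase.RECOVERY) and not evidence_step_seen:
            raise ValueError(f"step '{action}' runs before evidence is preserved")
        last = phase
    return True


def run_step(incident, phase, action):
    """Apply one runbook step to the incident, enforcing phase order."""
    if phase.value < incident.phase.value:
        raise RuntimeError(f"cannot return to {phase.name} from {incident.phase.name}")
    if phase in (Phase.FORENSIC_ANALYSIS, Phase.RECOVERY) and not incident.evidence_captured:
        raise RuntimeError(f"{phase.name} attempted before evidence preservation")
    if phase is Phase.EVIDENCE_PRESERVATION:
        incident.evidence_captured = True
    incident.phase = phase
    incident.log.append((phase.name, action))


def handle_ioc(ioc):
    """Select the runbook for the IoC kind and walk it in order."""
    steps = RUNBOOKS.get(ioc.kind)
    if steps is None:
        raise KeyError(f"no runbook for IoC kind '{ioc.kind}'")
    validate_runbook(steps)
    incident = Incident(ioc=ioc)
    for phase, action in steps:
        run_step(incident, phase, action)
    return incident


if __name__ == "__main__":
    # Constructed sample IoC; 198.51.100.0/24 is a documentation range.
    sample = Ioc(kind="c2_beacon", host="ws-0042", value="198.51.100.23:443")
    result = handle_ioc(sample)
    for phase_name, action in result.log:
        print(f"{phase_name:22} {action}")
```

Running it prints the seven steps for the constructed beacon IoC in phase order, starting with containment. The two guards are the substance: `validate_runbook` catches a runbook that has been written with forensics or reimaging ahead of evidence preservation before it is ever used, and `run_step` catches the same mistake at execution time, so an analyst cannot skip straight to "conduct forensics" or "reimage" from detection.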