By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective: Given an incident, apply mitigation techniques or controls to secure an environment.

Topics:
- application allow list
- application block list/deny list
- quarantine
- isolate
- containment
- segmentation
- secure orchestration, automation, and response (SOAR)
- runbook
- playbook
Applying techniques to mitigate an incident is a critical part of the incident response process. Recall from “Incident Response” the primary phases of the incident response process. Applying mitigation techniques or controls in order to secure an environment is key to the containment, eradication, and recovery phases.

Containment and Eradication

Incident mitigation requires containment and eradication of the threat. Containment usually isn’t a long-term solution. Where initial configuration errors exist, eradication may simply involve fixing those errors. On the other hand, eradication may also be a short-term measure. The primary purpose of incident response is to reduce or prevent further damage from an incident. This usually involves reducing the attacker’s access. While not always ideal, the most immediate way to stop an incident that is still in progress is to shut down the affected systems. Shutting down systems impacts operations and so isn’t usually a viable solution, and it may not even be feasible because of the impact. It’s important to find a balance between shutting things down completely and letting the attack run rampant. This balancing act usually has operational repercussions, but shutting down systems is usually a short-term means to stop the bleeding until longer-term solutions and remediation strategies can be put in place. It is usually more appropriate, and often necessary, to make immediate changes to security systems, such as implementing firewall, router, and endpoint configuration changes.
There are a number of ways an incident can be mitigated, including the following:
- Blocking unauthorized access
- Quarantining, cleaning, and removing malware
- Blocking sources such as email, websites, and IP addresses
- Approving source IP addresses and services that should be allowed
- Blocking ports, services, and applications
- Modifying data loss prevention (DLP) scanning to look at outbound files for larger data sizes
- Redirecting URLs
- Isolating workstations and networked systems

The following sections cover various technologies that are useful in mitigating threats and how they can be used to help mitigate the impact of an incident. The Security+ exam requires you to draw on knowledge from multiple guides on Fatskills for this objective. In addition to being familiar with the content covered in this guide, you need to be familiar with related content covered in Part III, “Implementation.”

Quarantining

Anti-malware endpoint solutions should be applied on endpoints, including servers. Ideally, if a machine becomes infected, it should be isolated from the rest of the machines by being removed from the network. Most anti-malware solutions used today are fairly effective. Even so, new malware types or zero-day threats may get through. In addition, users might disable security software if they are able to do so because it interferes with programs that are currently installed on the machine. As a result, it may be necessary to isolate a system and ensure that the machine is scanned. An important function provided by anti-malware solutions is the ability to quarantine infected files. Quarantining a file does not delete it or clean it. Rather, quarantining involves moving a file to a managed and safe location so that it does not affect anyone else or spread. Malware usually seeks to exploit a vulnerability.
This means there are three basic types of systems during such an incident:
- Infected systems
- Patched systems
- Unpatched systems

Whereas infected systems should be isolated and malicious files quarantined, unpatched systems should be attended to in parallel. You essentially need to inoculate them against the malware by ensuring that endpoint security solutions are updated and by patching the systems if a patch is available.

Configuration Changes

When systems can’t be shut down, the impact of an attack can often be mitigated through temporary configuration changes. In addition to firewall and application configuration changes, which are discussed shortly, the following changes can mitigate an incident:
- Content filtering/URL filtering: Content filtering is particularly useful for limiting email and web content from known sources. During an attack, filters may need to be adjusted to limit further damage. For example, emails with certain known characteristics can be blocked based on the subject, the sender, the body, or the attachment.
- Certificate revocation: Certificates ensure trusted secure communication between clients and servers. However, to mitigate an attack in which the attacker has a trusted certificate or an upstream trusted authority has been compromised, revocation of the certificate or trust may be needed.
- DLP: Data loss prevention rules can be adjusted to prevent data from being exfiltrated.

Firewalls

Firewalls act as gatekeepers for hosts and networks. Firewalls are not implemented to completely isolate computers and networks. While they do block access, allowing proper access is a key function. As a result, firewalls provide a point of entry. During an incident, modifying the rules on a firewall can have a huge impact on ensuring that damage is mitigated. Firewalls can be configured to block, for example, certain locations and ports. They can also be very specific, such as blocking access from a particular host.
Configuration changes on a firewall can be particularly helpful in mitigating several types of attacks, such as phishing attacks, session hijacking, and exposed hosts. General good practices should be followed in the initial configuration of a firewall rule set. However, mitigating an incident may require more precision or loosening of the rule set. Keep in mind the following regarding firewall rules:
- Rules can be inbound, outbound, or both.
- Rules can include services, which specify the type of traffic or port number.
- Rules can be set to allow or deny.
- Rules can be wildcarded.
- Rules can be set based on priority.

Firewall configurations usually start by blocking all traffic by default and then allowing only specific traffic in and out. Over time, however, a firewall may become quite porous, despite efforts to keep access limited. Periodically reviewing and correcting the configuration keeps the firewall functioning as intended. A Layer 4 network firewall rule allows you to control the following components:
- Permission
- Traffic protocol
- Source IP address
- Destination IP address
- Destination port
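As an added illustration that is not from the original guide, the following Python evaluates rules built from the five components above in priority order with a default deny. The rule set is constructed: 203.0.113.10 stands in for the command and control server discussed next, 10.0.0.0/8 for the internal network, 192.0.2.0/24 for the DMZ, and the inbound SSH rule mirrors quiz question 1 at the end of this guide.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"  # wildcard for protocol, address, or port

@dataclass(frozen=True)
class Rule:
    action: str     # permission: "allow" or "deny"
    direction: str  # "inbound" or "outbound"
    protocol: str   # "tcp", "udp", or ANY
    src: str        # source CIDR or ANY
    dst: str        # destination CIDR or ANY
    dport: object   # destination port (int) or ANY

def _addr_match(pattern, addr):
    return pattern == ANY or ip_address(addr) in ip_network(pattern)
def matches(rule, direction, protocol, src, dst, dport):
    return (rule.direction == direction and rule.protocol in (ANY, protocol)
            and _addr_match(rule.src, src) and _addr_match(rule.dst, dst)
            and rule.dport in (ANY, dport))

def evaluate(rules, direction, protocol, src, dst, dport):
    """Action of the first matching rule (priority = order); no match means deny."""
    for rule in rules:
        if matches(rule, direction, protocol, src, dst, dport):
            return rule.action
    return "deny"

# Constructed rule set: 203.0.113.10 stands in for the command and control server,
# 10.0.0.0/8 for the internal network, 192.0.2.0/24 for the DMZ.
RULES = [
    # Incident change, placed first so it wins over the web allow rule below:
    # deny all traffic to the C2 host instead of blocking port 80 everywhere.
    Rule("deny", "outbound", ANY, "10.0.0.0/8", "203.0.113.10/32", ANY),
    # Quiz question 1 style change: close inbound SSH to the DMZ.
    Rule("deny", "inbound", "tcp", ANY, "192.0.2.0/24", 22),
    # Normal business traffic.
    Rule("allow", "outbound", "tcp", "10.0.0.0/8", ANY, 80),
    Rule("allow", "outbound", "tcp", "10.0.0.0/8", ANY, 443),
    Rule("allow", "inbound", "tcp", ANY, "192.0.2.0/24", 443),
]
def demo():
    misordered = RULES[2:] + RULES[:1]  # same rules, C2 deny moved after the allow
    return {
        "web_ok": evaluate(RULES, "outbound", "tcp", "10.1.2.3", "198.51.100.5", 80),
        "c2_blocked": evaluate(RULES, "outbound", "tcp", "10.1.2.3", "203.0.113.10", 80),
        "c2_misordered": evaluate(misordered, "outbound", "tcp", "10.1.2.3", "203.0.113.10", 80),
        "ssh_blocked": evaluate(RULES, "inbound", "tcp", "93.184.216.34", "192.0.2.7", 22),
        "https_in_ok": evaluate(RULES, "inbound", "tcp", "93.184.216.34", "192.0.2.7", 443),
    }
```

The `c2_misordered` entry shows why rule priority matters: with the deny placed after the general port 80 allow, the beacon to the C2 address is permitted.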
You can be very specific with the rules, which makes mitigating incidents with firewall configuration changes effective. For example, consider malware in an environment that is communicating outbound on port 80 to a specific command and control server. A simple firewall rule change to block outbound port 80 would be effective, but it would also block all web traffic. Instead, a rule could be implemented to block port 80 traffic (or even all traffic) to the particular IP address of the command and control server or to a range of IP addresses. Remember that firewalls also play an important role in segmentation, such as isolating the protected network from the public network through a DMZ. Depending on the incident, further configuration changes may be needed to limit access into or out of the DMZ or to deploy additional segmentation capabilities. A virtual local area network (VLAN) can also be created to limit access and reduce the attack surface. A VLAN logically unites network nodes into the same broadcast domain, regardless of their physical attachment to the network. VLANs provide logical separation of a physical network.

Application Control

Recall the difference between allow lists and block lists. Application allow lists don’t attempt to block unwanted applications and servers as application block/deny lists do. Allow (approved) lists permit only known good applications, allowing only specific programs to be executed; any program that is not specifically approved is blocked. With an application allow list, an organization approves the software applications that are permitted to be used on its assets. Only those approved applications can be run. The primary purpose of allow lists is to protect resources from harmful applications.
For example, in Microsoft environments, AppLocker can be used to allow applications based on the following three conditions:
- Publisher, for digitally signed files
- Path, which identifies an application by its location
- File hash, which uses a system-computed cryptographic hash

AppLocker rules merely allow or prevent an application from launching. They have no control over how an application behaves after it is launched. An application allow list explicitly defines the applications that are allowed to run and is useful in preventing users and attackers from executing unauthorized applications. As with many other control technologies, false positives can result when applications are updated or new applications are installed. Application allow list information thus needs to stay updated. The administrative and maintenance overhead associated with complex solutions is therefore higher, as is the overhead when an allow list is not automated. When security is a concern, application allow lists are a better option than block/deny lists because they allow organizations to maintain strict control over the apps employees are approved to use. Block/deny lists are generally used to reduce security-related issues, particularly where bad actors are known. During an incident, an otherwise allowable destination or application can be denied. Many mobile device management (MDM) systems employ allow or deny lists. If an MDM system prohibits the use of a certain application, the end user will not be able to use it. This could be an effective approach, for example, if a previously allowed application now presents an attack vector. Other configuration changes that may be required include application segmentation and containerization. These methods are often used in conjunction with mobile management as a way to apply policies to mobile devices.
They provide an authenticated, encrypted area of the mobile device that can be used to separate sensitive corporate information from the user’s personal use of the device.
Additional benefits of containerization are capabilities to do the following:

Secure Orchestration, Automation, and Response (SOAR)

Secure orchestration, automation, and response (SOAR) is a technology stack consisting of orchestration and automation along with threat intelligence and incident response. Essentially, the platform ingests data from various sources and then applies workflows, which can be integrated across multiple systems, to produce specific actions. Orchestration is the process of ingesting and combining the different sources of data and coordinating the workflows. Many workflows still require manual steps, but many other steps can be automated. This automation allows systems to take specific actions without human interaction.
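As an added example that is not part of the original guide, the following Python sketches the split between orchestration (combining an alert with a threat intelligence feed and an asset inventory) and automation (acting without a person) for the malicious network traffic case the guide describes later in this section. The feed, inventory, alerts, and action names are constructed for the example, not a real SOAR product’s API.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed data sources the playbook orchestrates across.
THREAT_INTEL = {"203.0.113.10": "malicious", "phish.example": "malicious"}  # indicator -> verdict
ASSETS = {"ws-042": ("alice@example.com", "workstation"),                   # host -> (owner, criticality)
          "db-01": ("dba@example.com", "critical")}

@dataclass
class Alert:
    host: str
    indicator: str
    kind: str                        # "ip" or "domain"
    dest_port: Optional[int] = None

@dataclass
class PlaybookResult:
    automated: list = field(default_factory=list)  # actions taken with no human involved
    manual: list = field(default_factory=list)     # steps handed to an analyst

def run_playbook(alert: Alert) -> PlaybookResult:
    """Enrich the alert from both sources, then automate what the data supports."""
    result = PlaybookResult()
    verdict = THREAT_INTEL.get(alert.indicator, "unknown")
    owner, criticality = ASSETS.get(alert.host, (None, "unknown"))
    if verdict != "malicious":
        # Not enough confidence to act without a person: hand off to triage.
        result.manual.append(f"analyst triage: {alert.indicator} is {verdict}")
        return result
    # Block as narrowly as the enrichment allows (hypothetical action names).
    if alert.kind == "ip":
        result.automated.append(f"network-fw: block {alert.indicator}")
        if alert.dest_port is not None:
            result.automated.append(
                f"host-fw {alert.host}: close outbound port {alert.dest_port} to {alert.indicator}")
    else:
        result.automated.append(f"url-filter: block {alert.indicator}")
    if owner:
        result.automated.append(f"notify {owner} about {alert.host}")
    # Isolating a critical system stays a manual step; workstations are isolated automatically.
    if criticality == "critical":
        result.manual.append(f"confirm isolation of {alert.host} with {owner}")
    else:
        result.automated.append(f"edr: isolate {alert.host}")
    return result
```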
SOAR systems combine data, people, technology, and process to do the following:
- Prioritize and manage security operations activities
- Formalize incident response steps for consistency to ensure that best practices are followed
- Automate responses for quick containment

SOAR systems can support a number of different use cases. As related to incident mitigation, SOAR systems can use incident-related data to map operational playbooks into a digital format to automate workflows and response. The idea of automating playbooks is to provide efficient and consistent response to incidents. A playbook provides manual orchestration of incident response. For example, specific incidents and threats have their own playbooks. As a result, the response that an organization takes is formalized in a step-by-step procedure. The incident response plans covered earlier provide general governance over incident response, whereas playbooks provide more meaningful steps for specific incident types. An incident response playbook provides specific guidance based on the incident and is similar to a runbook, which IT operations uses as a reference for the routine procedures administrators perform. A SOAR platform is valuable for incident mitigation because it helps in automating data gathering and response. Specific technical response techniques can be automated for the most severe vulnerabilities and threats, such as automatically patching systems or making firewall rule configuration changes. A SOAR system can assist with orchestration and automation in a number of ways, including the following:
- Updating and revoking certificates: Queries from a certificate management system can identify expiring certificates. This data can then be mapped to user information in a directory system. Then an email is automatically sent to the user to take the proper actions. Finally, the SOAR system can later check to ensure that proper action was taken and, if not, continue escalation automatically.
- Dealing with malicious network traffic: Aggregated threat alerts enriched with additional data can then trigger automated actions. This could include, for example, closing specific ports on specific host-based firewalls only. It could also include IP address or domain blocking at the network-based firewall or updating of content and URL filters.
- Preventing data loss: Based on specific DLP alerts, SOAR can help automate notifications and combine an alert with additional data to understand the threat. This can include, for example, isolating the host and blocking the data path or informing the cloud application security solution to remove a shared link to a sensitive file.

Quiz questions:

1. Your administrators remotely access web servers in the DMZ only from the internal network over SSH. However, these servers have come under attack via SSH from the IP address 93.184.216.34. Which of the following should you do to stop this attack?
A. Configure a rule to block outbound SSH requests to 93.184.216.34
B. Shut down the SSH service on all web servers
C. Add a rule to block inbound requests on port 22
D. Add a rule to block port 21 inbound requests from 93.184.216.34

2. Your organization was recently the victim of a large-scale phishing attack. Your manager has tasked you with automating response to quickly notify users and, if feasible, automatically block outbound requests to the attacker’s web page. Which of the following will accomplish this goal?
A. Email the users to warn them of the phishing attack
B. Update URL filters to block the site the phishing attack points to
C. Email the users to warn them of the phishing attack and send an email to the security administrator to have him configure a URL filter to block the site that the phishing attack points to
D. Implement SOAR or workflows to trigger emails to users and to use threat intelligence to automatically configure URL filters to block the attacker’s site

3.
Which of the following are benefits of application allow lists? (Select two.)
A. Prevents users and attackers from executing unauthorized applications
B. Allows end users to freely use any application that has not been explicitly denied
C. Allows organizations to maintain strict control over applications employees can use
D. Blocks specific applications from being executed

Answer 1: C. Because your administrators access the servers from the internal network, you don’t need to worry about preventing valid access on SSH port 22 from the outside. As a result, you should just close all inbound requests. Answer B wouldn’t allow the administrators to access the systems even internally. The port for SSH is 22, not port 21, which is FTP. Answers A, B, and D are incorrect.

Answer 2: D. A SOAR platform provides orchestration and automation across systems and would accomplish the goal of automatically providing these functions when tied in with the other systems. Answers A and B are only partial solutions, and answer C doesn’t achieve the goal of automation.

Answer 3: A and C. An application allow list describes what applications can be launched. It thus prevents the execution of unauthorized applications, which are all applications that are not explicitly allowed. Answers B and D describe the explicit block that results from a block/deny list and are incorrect answer choices.
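To show the allow list behaviour behind question 3 and the three AppLocker conditions described earlier, here is an added Python example (not the guide’s or Microsoft’s code) that evaluates publisher, path, and hash rules with a default deny. The vendor name, paths, and file contents are constructed, and the code signature is simulated by a signer name carried on the file record; the example also reproduces the false positive the guide mentions when an application covered only by a hash rule is updated.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Executable:
    path: str
    content: bytes
    signer: Optional[str] = None  # publisher from a code signature; None = unsigned

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_allowed(rules, exe):
    """Return (allowed, reason). Anything without a matching allow rule is blocked."""
    for kind, value in rules:
        if kind == "publisher" and exe.signer == value:
            return True, f"publisher rule: {value}"
        if kind == "path" and exe.path.lower().startswith(value.lower()):
            return True, f"path rule: {value}"
        if kind == "hash" and sha256(exe.content) == value:
            return True, "hash rule"
    return False, "no matching allow rule (default deny)"

# Constructed rule set (the vendor name, paths, and file contents are made up).
REPORT_V1 = b"reporting tool build 1"
ALLOW_RULES = [
    ("publisher", "Example Corp"),              # anything signed by this vendor
    ("path", "C:\\Program Files\\Approved\\"),  # anything installed here
    ("hash", sha256(REPORT_V1)),                # one specific unsigned build
]

def demo():
    signed = Executable("C:\\Users\\u\\Downloads\\tool.exe", b"x", "Example Corp")
    approved = Executable("C:\\Program Files\\Approved\\app.exe", b"y")
    report_v1 = Executable("C:\\Tools\\report.exe", REPORT_V1)
    # Vendor ships an update: same path, new bytes, still unsigned. The hash rule
    # no longer matches, so a legitimate app is blocked until the list is updated.
    report_v2 = Executable("C:\\Tools\\report.exe", b"reporting tool build 2")
    unknown = Executable("C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe", b"z")
    return {name: is_allowed(ALLOW_RULES, exe)[0] for name, exe in [
        ("signed", signed), ("approved_path", approved),
        ("report_v1", report_v1), ("report_v2", report_v2), ("unknown", unknown)]}
```

Like AppLocker, this only decides whether a file may launch; it says nothing about what the program does afterwards.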