Instructions:
Watch the archived webinar shown below and answer the questions listed below. Your answers should be complete, but brief. NOTE: Glossary at the end. NOTE: The webinar gets technical after slide 21; stick with it. Focus on a high-level, cursory understanding after that.
https://www.fireeye.com/blog/threat-research/2014/02/qa-webinar-followup-fresh-prints-malware-network-danger.html
Fresh Prints of Mal-ware: A Lively Analysis of Live Response
Original Date: August 29, 2013 ET
What questions does live response answer?
What are the stated benefits of live response? (Stated early and later in the webinar, not all on one slide.)
In the case study involving 10,000 systems and 30 compromised systems, how did live response help focus investigative efforts on the 6 systems needing analysis? What do you think happens with the other 24 systems?
When is live response NOT a good idea?
What are the basic steps to perform live response?
What are the challenges when collecting data during triage?
Why do you think "What data did the attacker take?" is the most frequent question clients ask live response and forensics experts?
What are some conceptual, general approaches incident responders use to identify whether data was stolen and/or what data was stolen?
Why is it important to determine what lateral movement occurred?
List and briefly explain the keys to live response success outlined at the end of the webinar.
Glossary:
Backdoor: A hidden way for the bad guy to get back into a system
C2: Command and control
Compromised: Hacked
Domain controller: A server on a Windows network that authenticates users logging in
Ephemeral: Transient; does not persist
Event log (EVT log): System log on Windows that logs user, system, and application activity
Hostname: Computer name (not IP address) (e.g. BBlaptop)
Live response: Analyzing a computer while it's running
Metadata: Data about data (date/time stamp of a file, rather than the content of the file)
Move laterally (lateral move, LR): Bad guy jumps to another system from one compromised system
PW dump: A program that will copy the password file on a system
RAR file: Compressed file, or archive of files (RAR format, rather than .ZIP or some other compression)
Registry: A set of files on a Windows system that stores A TON of system info
Script: Program that is quickly written, doesn't need to be compiled, and automates tasks
Shell: Command prompt interface to the operating system
Slack space: Unused space at the end of a file that may still contain data from a file that used to be stored there