Exam & Assignment Questions

The document discusses the applications of data analytics in ethical hacking and digital forensics, highlighting intelligent risk management, threat visualization, predictive models, and penetration testing as key components. It also outlines the incident response methodology, emphasizing the importance of preparation, detection, containment, and post-incident analysis. Additionally, it distinguishes between white hat, black hat, and gray hat hackers through case studies, illustrating the complexities of cybersecurity.

Uploaded by

salome

Clearly explain any four applications of data analytics in ethical hacking or digital forensics.

Intelligent risk management

To improve your cybersecurity efforts, your tools must be backed by risk-management insights that analysts can interpret quickly. The purpose of automation here is to get the relevant data in front of analysts sooner and in a form they can act on, so that they can identify, categorize and handle threats without delay. In practice this means enriching raw events with context (asset owner, exposure, known vulnerabilities) so that the analyst's queue is ordered by risk rather than by arrival time.

Threat visualization

Analytics can help you anticipate the class and severity of cybersecurity threats. By evaluating data sources and the patterns in them, you can gauge how complex a possible attack is. These tools also let you compare current activity against historical data, establishing a statistical baseline of which trends are normal for your environment and which are anomalous, so that a deviation can be visualized and investigated rather than buried in raw log volume.

Predictive models

Analytics also lets experts build a predictive model that raises an alert as soon as it observes the precursors of an attack, such as a burst of failed logins from a single source or a host contacting an address it has never contacted before. Machine learning can play a role in building such a mechanism, but even simple statistical thresholds derived from historical data are useful. Analytics-based solutions let you anticipate likely events and prepare for them rather than react after the fact.

Stay secure and ahead of hackers with penetration testing

Infrastructure penetration testing gives you evidence of how exposed your business data and processes actually are, and helps keep attackers at bay. Penetration testing is a simulated, authorized attack against your computer systems and network, carried out to find exploitable vulnerabilities before a real adversary does. It is like a mock drill that checks both the resilience of your systems and whether your existing analytics and detection tooling notices the activity. Periodic penetration testing has become an essential step in protecting IT infrastructure and business data.

Bottom line

Big Data analytics solutions, backed by machine learning and artificial intelligence, offer a realistic way to keep businesses and processes secure in the face of breaches and hacking. Employing Big Data, you can improve both your data-management techniques and your threat-detection mechanisms.

Monitoring and continuously improving your approach greatly reduces your exposure, although no programme makes a business immune. Periodic penetration tests help confirm that your analytics programme detects what it is supposed to detect.

1. Explain the incident response methodology

What is incident response?

Incident response (IR) is a structured methodology for handling security incidents, breaches, and cyber threats. A well-defined incident response plan (IRP) allows you to identify an incident quickly, minimize the damage, and reduce the cost of a cyber-attack, while finding and fixing the root cause to prevent recurrence.

During a cybersecurity incident, security teams face many unknowns and a frenzy of activity. In such a hectic environment they may fail to follow proper incident response procedures and so fail to limit the damage. A security incident is a high-pressure situation, and the IR team must focus immediately on the critical tasks at hand. Clear thinking, and swiftly carrying out pre-planned incident response steps, can prevent a great deal of unnecessary business impact and reputational damage.

You can help your team perform a complete, rapid and effective response to a
cyber security incident by having a comprehensive incident response plan in place.
In addition, completing an incident response plan checklist and developing and
deploying an IR policy can help before you have fully developed your IR plan.

Why should you immediately report a cybersecurity incident?

When a cybersecurity incident is confirmed by security analysts, it is important to inform the relevant parties as soon as possible. Privacy and breach-notification laws such as the EU's GDPR and California's CCPA and breach-notification statute require regulators and, in many cases, the affected individuals to be notified of a data breach, often within a fixed deadline (GDPR gives 72 hours from awareness to notify the supervisory authority).

Depending on the severity of the breach, legal, press and executive management
should be involved. In many cases, other departments such as customer service,
finance or IT need to take immediate action. Your incident response plan should
clearly state, depending on the type and severity of the breach, who should be
informed. The plan should include full contact details and how to communicate
with each relevant party, to save time in the aftermath of an attack.

What are the 6 steps of incident response?

The first priority when implementing incident response is to prepare in advance by putting a concrete IR plan in place. Your incident response methodology should be battle-tested, through tabletop exercises and drills, before a significant attack or data breach occurs. It should address the following phases as defined in the NIST Computer Security Incident Handling Guide (SP 800-61); NIST groups the life cycle into these four phases, and breaking containment, eradication and recovery out separately gives the six steps that are commonly quoted.

- Preparation: planning in advance how to handle and prevent security incidents
- Detection and Analysis: everything from monitoring potential attack vectors, to looking for signs of an incident, to prioritization
- Containment, Eradication, and Recovery: developing a containment strategy, identifying and mitigating the hosts and systems under attack, and having a plan for recovery
- Post-Incident Activity: reviewing lessons learned and having a plan for evidence retention

Figure 1 – The NIST recommended phases for responding to a cybersecurity incident
Building on the outlined NIST phases, here are specific incident response steps to
take once a critical security event has been detected:

1. Assemble your team

It’s critical to have the right people with the right skills, along with associated
tribal knowledge. Appoint a team leader who will have overall responsibility for
responding to the incident. This person should have a direct line of communication
with management so that important decisions—such as taking key systems offline
if necessary—can be made quickly.

In smaller organizations, or where a threat isn’t severe, your SOC team or managed
security consultants may be sufficient to handle an incident. But for the more
serious incidents, you should include other relevant areas of the company such as
corporate communications and human resources.

If you have built a Computer Security Incident Response Team (CSIRT), now is the time to activate it, bringing in the entire range of pre-designated technical and non-technical specialists.

If a breach could result in litigation, or requires public notification and remediation, you should notify your legal department immediately.

2. Detect and ascertain the source.

The IR team you’ve assembled should first work to identify the cause of the
breach, and then ensure that it’s contained.

Security teams will become aware that an incident is occurring or has occurred from a very wide variety of indicators, including:

- Users, system administrators, network administrators, security staff, and others within your organization reporting signs of a security incident
- SIEMs or other security products generating alerts based on analysis of log data
- File integrity checking software, which compares cryptographic hashes of important files against a known-good baseline to detect when they have been altered, added or removed
- Anti-malware programs
- Logs (including audit-related data), which should be systematically reviewed for anomalous and suspicious activity involving:
  - Users
  - External storage
  - Real-time memory
  - Network devices
  - Operating systems
  - Cloud services
  - Applications
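The file-integrity indicator in the list above, as an added example that is not part of the original document: a minimal checker in Python that baselines a directory tree with SHA-256, later diffs the live tree against that baseline, and seals the stored baseline with an HMAC so that an intruder who can write to the host cannot silently rewrite the baseline to match the tampered files. The directory contents, the simulated tampering and the key are all constructed inside the script for the demonstration.

```python
"""Added example (not from the original document): a minimal file-integrity
checker.  Directory contents, tampering and the sealing key are constructed
here for the demonstration."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its hash."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_to_baseline(root, baseline):
    """Diff the live tree against the baseline: modified, added, removed."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def seal_baseline(baseline, key):
    """Serialise the baseline and tag it with HMAC-SHA256 under key.
    The key must live off the monitored host (or in an HSM); otherwise an
    intruder with root can rewrite the baseline to match the tampered files."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def open_baseline(payload, tag, key):
    """Verify the HMAC (constant-time compare) before trusting a stored baseline."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline tampered with or wrong key")
    return json.loads(payload)


def demo():
    """Constructed scenario: baseline a small tree, then simulate an intrusion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")
        (root / "var" / "log" / "auth.log").write_text("May  1 09:12:03 sshd: ...\n")

        baseline = build_baseline(root)
        payload, tag = seal_baseline(baseline, key=b"demo-key-kept-off-host")

        # Simulated intruder: weaken sshd, trojan a binary, add persistence, clear a log.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned binary")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")
        (root / "var" / "log" / "auth.log").unlink()

        trusted = open_baseline(payload, tag, key=b"demo-key-kept-off-host")
        return compare_to_baseline(root, trusted)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run stand-alone it reports bin/ls and etc/sshd_config as modified, etc/cron.d/persist as added and var/log/auth.log as removed. Real tools (AIDE, Tripwire, OS-level audit) also record ownership, mode and mtime and run from a trusted schedule; the two properties that matter for incident detection are the same, though: the baseline must be taken from a known-good state, and it must be protected from the host it describes.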

3. Contain and recover

A security incident is analogous to a forest fire. Once you have detected an incident and its source, you need to contain the damage. This may involve disabling network access for computers known to be compromised (so they can be quarantined), revoking or rotating credentials and session tokens for accounts that were breached, and blocking the accounts of insiders who may have caused the incident. Before you patch, reimage or power-cycle anything, capture forensic images of the affected systems (disk, and volatile memory where possible) and record their hashes, so that their state at the time of the incident is preserved for later analysis; a routine backup taken after cleanup is not a substitute. Installing the security patches that close the vulnerability the attacker used then follows.

Next, move to any needed service restoration, which includes two critical steps:

1. Perform system/network validation and testing to certify all systems as operational.
2. Recertify any component that was compromised as both operational and secure.

Ensure your long-term containment strategy includes not only returning all systems
to production to allow for standard business operation, but also locking down or
purging user accounts and backdoors that enabled the intrusion.

4. Assess the damage and severity

Until the smoke clears it can be difficult to grasp the severity of an incident and the
extent of damage it has caused. For example, did it result from an external attack
on servers that could shut down critical business components such as an e-
commerce or reservation systems? Or, for example, did a web application layer
intrusion perform a SQL Injection attack to execute malicious SQL statements on a
web application’s database or potentially use a web server as a pathway to steal
data from or control critical backend systems? If critical systems are involved,
escalate the incident and activate your CSIRT or response team immediately.

In general, look at the cause of the incident. In cases where there was a successful
external attacker or malicious insider, consider the event as more severe and
respond accordingly. At the right time, review the pros and cons of launching a
full-fledged cyber attribution investigation.

5. Begin the notification process

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an unauthorized party. Privacy laws such as GDPR and California's CCPA require notification of regulators and, where the risk to individuals is high, of the data subjects themselves. Notify affected parties so they can protect themselves from identity theft or other fallout from the disclosure of confidential personal or financial data. Drafting a template breach notification letter in advance, as part of the IR plan, saves time when the statutory deadline is already running.

6. Start now to prevent the same type of incident in the future

Once a security incident has been stabilized, examine lessons learned to prevent
recurrences of similar incidents. This might include patching server vulnerabilities,
training employees on how to avoid phishing scams, or rolling out technologies to
better monitor insider threats. Fixing security flaws or vulnerabilities found during
your post-incident activities is a given.

Also, review lessons learned from the incident and implement appropriate changes
to your security policies with training for staff and employees. For example, if the
attack resulted from an unwitting employee opening an Excel file as an email
attachment, implement a company-wide policy and training on how to recognize
and respond to a phishing email.

Lastly, update your security incident response plan to reflect all of these
preventative measures.

Every organization will have different incident response steps based on their
unique IT environment and business needs. Study industry guides such as those
published by NIST to ensure your IR planning includes all the necessary incident
response steps to protect your organization when a cybersecurity incident occurs.

Conclusion

An incident response methodology enables organizations to define response countermeasures in advance. There is a wide range of approaches to IR. The majority of security professionals agree with the phases recommended by NIST, commonly broken out into six steps: preparation, detection and analysis, containment, eradication, recovery, and post-incident review.

When it comes to preparation, many organizations leverage a combination of assessment checklists, detailed incident response plans, summarized and actionable incident response playbooks, as well as policies that can automate some of the processes. While well-planned, an incident response methodology should remain flexible, allowing for continuous improvement.

1. Give case studies to distinguish the 3 classifications of hackers from each other.

“White hat” hackers

Sometimes referred to as ethical hackers, or simply network security specialists, these are the good guys. Whether they report what they find to hardware and software vendors through "bug bounty" programs or work as full-time security staff, white hat hackers operate with the system owner's authorization and disclose what they find so that it can be fixed.

Linus Torvalds is often cited as an example of a hacker in the original, constructive sense of the word. After experimenting with the operating system on his own PC, he released the Linux kernel as open source in 1991; because its code is public, anyone can audit and harden it, which is part of why it is trusted for security-sensitive systems.

“Black hat” hackers

Closer to the definition that most people outside the IT world know and use, black hat hackers break into systems without authorization for personal gain or to cause damage. This may be anything from stealing information using malware to forcibly shutting down networks with denial-of-service attacks.

Kevin Mitnick was for a time the most infamous black hat hacker in the world. In the early 1990s he spent two and a half years as a fugitive while breaking into the networks of telecom and software companies and copying proprietary software and data, for which he was convicted of wire fraud and computer fraud. After his release he became a security consultant, which shows that the hat describes the activity and the authorization behind it, not the person.

"Gray hat" hackers

Gray hat hackers sit between the two. They probe systems without the owner's permission, which a white hat would not do, but usually without the intent to harm or profit that defines a black hat, for example finding a flaw uninvited and then reporting it, sometimes in return for a fee. Because much of this work is conducted over the internet under a degree of anonymity, the same person can drift between white hat and black hat activity.

For example, Marcus Hutchins is widely described as a gray hat hacker. He is best known for stopping the spread of the WannaCry ransomware in May 2017: while analysing a sample he registered an unregistered domain that the malware checked before running, which turned out to be a kill switch.

At the time Hutchins worked for the cybersecurity firm Kryptos Logic, but the US government charged him with having earlier written and sold the Kronos banking malware. He was arrested in August 2017 and in 2019 pleaded guilty to two charges relating to Kronos, which is why he is labelled a "gray hat": the same person did both defensive and criminal work.

The world of cybersecurity is far more complicated than the stylized hacking in Hollywood movies. It is not a simple matter of good guys versus bad guys, and small businesses are not exempt from it.
