<?xml version="1.0"?>
<Module projectID="1264" moduleID="1439">
	<ModuleName>mod3</ModuleName>
	<AU>C01_M03</AU>
	<Title>An Approach to CND Analysis</Title>
	<Subtitle>An Approach to CND Analysis</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../C01_M03/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
        <NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn> 	
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map.  Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit.  Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause.  Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Topics and Objectives</Title>
					<Subtitle/>
					<Filename>disacnd03_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the lesson on an approach to CND analysis. When you have completed this lesson, you will be able to identify the three phases of the recommended CND analysis methodology, the various types of data used to support CND analysis, and the various activities involved in conducting an analysis. You will also be able to identify the key pieces of information that are included in each narrative element and recognize best practices in reporting the outcome of CND analyses. There are six topics in this lesson. After completing the introduction, you will learn about the recommended CND analysis methodology. You will then examine each phase of the methodology in greater detail, starting with Phase 1, the data gathering phase, then moving on to Phase 2, the knowledge development phase, and then finishing with Phase 3, the report findings phase. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Rich Media Text Description, Course: D O D Intrusion Detection System (I D S) Analysis, Part 3, Module 1: C N D Analysis: A Structured Approach to Intrusion Analysis, Lesson 3: An Approach to C N D Analysis, For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 20. Lesson title: An Approach to C N D Analysis. Topic title: Introduction. Screen title: Objectives and Topics. Five learning objectives display in support of audio. Six topics display. The first topic is titled Introduction. The second topic is titled Overview of C N D Analysis Methodology. The third topic is titled Phase 1: Data Gathering. The fourth topic is titled Phase 2: Knowledge Development. The fifth topic is titled Phase 3: Report Findings. The sixth and final topic is the Conclusion. Text displays as follows: References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service, or agency for guidance on the use of these products.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Overview of CND Analysis Methodology</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Methodology Overview</Title>
					<Subtitle/>
					<Filename>disacnd03_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Imagine how different the outcome of Pat's analysis would have been had she simply followed an analysis methodology. As you learned earlier, the analysis methodology presented in this course has three phases, data gathering, knowledge development, and reporting, that work together to help you tell the story of a CND incident. The data gathering phase provides input to the overall incident analysis process by collecting data for analysis. The knowledge development phase is when the analysis occurs. This phase involves several distinct activities to develop your understanding of the event. Finally, the reporting phase provides the output of the incident analysis process by compiling the findings of the analysis into a report. At first glance, this process appears to be relatively straightforward, but it's not always that simple. This process is often cyclical, as some findings may prompt further analysis, which in turn may prompt further data gathering. Note that further data gathering may require coordination with other commands, services, or agencies, or C/S/As. Any newly obtained data must then be analyzed, thus setting off a feedback loop. Numerous iterations may be required to gather and analyze enough data to ultimately develop a comprehensive final report. Following this methodology will help you to conduct a thorough analysis that results in a solid narrative. Select Job Aid to open a printable version of the methodology diagram. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Methodology Overview</Title>
							<Subtitle/>
							<Filename>disacnd03_02_01</Filename>
							<PageNbr>2</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>MORE</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1. Popup title: MORE. Text displays as follows: Note that this methodology assumes that an incident has already been identified for further investigation and analysis. It is not an approach for preventing malicious events, but rather, it is a method of analyzing an incident starting from the moment of detection.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 20. Topic title: Overview of C N D Analysis Methodology. Screen title: Methodology Overview. Text displays reading Analysis Methodology. Image of methodology diagram builds in sync with audio. Phase 1 displays with title Phase 1: Data Gathering and clipboard icon. Phase 2 displays with title Phase 2: Knowledge Development and magnifying glass icon. Phase 3 displays with title Phase 3: Report and report icon. During discussion on Phase 1, descriptor text displays reading Input. Phase 1 task box displays with task title Gather Data. During discussion on Phase 2, descriptor text displays reading Analysis. Phase 2 task box displays with task titles Analyze and Correlate Data, Develop Timelines, Develop Narratives, and Develop Hypotheses. Arrow displays leading from Phase 1 tasks to Phase 2 tasks, and text displays along arrow reading Provides data for analysis. During discussion on Phase 3, descriptor text displays reading Output. Phase 3 task box displays with task title Report. Arrow displays leading from Phase 2 tasks to Phase 3 tasks, and text displays along arrow reading Provides findings for report. Arrow displays leading from left to right showing linear order of phases. Phase 2 task box is duplicated, with one box moving up and one box moving down so that task boxes are displayed in a cyclical arrangement. Arrow displays leading from Phase 3 tasks to Phase 2 tasks. Text displays along arrow reading Questions prompt further analysis. Arrow displays leading from Phase 2 tasks to Phase 1 task. Text displays along arrow reading Analysis prompts further data gathering. Callout box displays with text reading Further analysis may require coordination with other C S Ays. Images display of Job Aid icon and MORE popup button. Both become selectable. The term C S A becomes a rollover that reads command, service, agency.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Phase 1: Data Gathering</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Overview of Phase 1</Title>
					<Subtitle/>
					<Filename>disacnd03_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Earlier, you learned that a narrative seeks to answer six specific questions, that is, Who, What, When, Where, Why, and How. The first phase of the methodology, the data gathering phase, is the phase that provides the details required to answer these questions. Without supporting data, any conclusions or hypotheses that you develop during your analysis are just speculation. Consider how much more informative and useful Pat's report would have been if it had answered these questions. The purpose of the data gathering phase is to gain the information required to answer the narrative questions. To ensure that you are consistent in the types of data that you have at your disposal, establish methods of gathering data, even if they are needed only occasionally. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 20. Topic title: Phase 1: Data Gathering. Screen title: Overview of Phase 1. Reprised image displays of five double-ewes icon. Phase 1 displays with title Phase 1: Data Gathering, descriptor text Input, clipboard icon, and task box with task title Gather Data. Reprised image of Pat displays with generic report. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Key Indicators</Title>
					<Subtitle/>
					<Filename>disacnd03_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">As you gather data on an incident, you will find that certain information is more likely than other information to identify, quantify, and describe a potential incident. These pieces of information are known as &quot;key indicators,&quot; or &quot;dirty words.&quot; To mine data related to the incident that you are investigating, you should compile a list of key indicators, or &quot;dirty words.&quot; &quot;Dirty word&quot; is a forensic term describing a specific indicator that an investigator believes is relevant to a case. In terms of CND analysis, a dirty word list is a list of unique indicators such as phrases, data, IP addresses, and time stamps from alert or log data that you will find especially useful when you need to scour additional data sources to correlate data. To compile a dirty word list, start with the data gathered from the initial IDS alert or whatever prompted the analysis. As you continue to gather data, use the indicators from your dirty word list as search terms to search for correlating data, and take note of any additional indicators as you encounter them. Many types of data may be used as dirty words. Consider IP addresses of the threat actor, the victim, and any supporting IPs that may identify a source or a destination. Also consider the ports and protocols used not only during exploitation, but also during post-exploitation. The ports and protocols used to facilitate the malicious events may be the same and can often show consistent and predictable actions on the part of the threat actor. Finally, consider user names, unique payload content strings, and post-exploitation activity. Most threat actors are fairly regimented and can be predictable, so searching for key indicators can be especially helpful in uncovering additional acts by the same threat actor. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 20. Screen title: Key Indicators. Phase 1 task, Gather Data, and clipboard icon display. Text displays in support of audio. The term I P becomes a rollover that reads Internet Protocol. The term C N D becomes a rollover that reads computer network defense.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Types of Data</Title>
					<Subtitle/>
					<Filename>disacnd03_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">As you know, Pat made a critical error when sending IDS alerts straight up the chain of command with no further investigation. The first thing she should have done is to gather additional data to provide context to the IDS alerts and determine whether the alert signified a successful intrusion. Likewise, you know that you need data to conduct a full analysis, but what kind of data do you need? And where will you find it? As a CND analyst, you have many types of data available to you from many different sources. In fact, the number of potential data sources that can be made available to you can be extensive. Like every organization performing the CND mission, your organization should have a standard set of data that is collected for every incident and a process for collecting that data. This course addresses six specific types of data that may be available to you: alert data, session/flow data, packet data, log data, asset/vulnerability data, and statistical data. Each of these is unique in the type of information it provides and the value it brings to analysis, but each is also limited in some way. Note that the data types shown here are ones that are commonly available to CND analysts. However, not all types of data are available to all tiers of analysts. In addition, you may have access to other types of data in your environment. Select each data type to learn more. Select Job Aid to open a printable job aid comparing the data types. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Types of Data</Title>
							<Subtitle/>
							<Filename>disacnd03_05_01</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The most common type of data available to analysts is alert data. Alert data is often the initial focus of CND analysis, because it is often your first clue to a possible intrusion. Keep in mind, however, that it is only a clue. Alert data alone generally indicates either an attempted exploitation or post-exploitation activity. In the absence of additional data to provide context for the alert, it can be difficult to know whether the intrusion was successful or if it is part of a more complex widespread event. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Alert Data</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 6. Popup title: Alert Data. Reprised image displays of basic network with I D S. Large exclamation point displays to represent alert data. I D S glows red to indicate alert. Text displays in support of audio. Text displays as follows: Refer to Data Types job aid to learn more.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Types of Data</Title>
							<Subtitle/>
							<Filename>disacnd03_05_02</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Session/flow data helps to fill the visibility gaps left by the limited scope of alert data and could have helped Pat to confirm an intrusion before reporting the flood of alert data. Originating from routers and switches, this type of data provides information about the flow of traffic through a network. It not only shows the connections that were made, but it also shows a record of conversations, including IP addresses, ports, and the volume of data transferred. Session/flow data may already be used in your organization, where you may know it as NetFlow, IPFIX, or sFlow. Session/flow data can be used to correlate alert data to help strengthen your understanding of the incident. It also shows data that an IDS may miss, such as post-exploitation activity, but it doesn't contain the same level of detail found in other data types. Session/flow data shows how much data was transferred, but it does not show what data was transferred. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Session/Flow Data</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 6. Popup title: Session/Flow Data. Icon displays representing session/flow data. Reprised image displays of basic network with gaps visible in connections. Bridges appear to close some gaps. Text displays in support of audio. Text displays as follows: Refer to Data Types job aid to learn more. The term session/flow data becomes a rollover that reads as follows: May also be known as NetFlow, IPFIX, or s Flow. The acronym I D S becomes a rollover that reads intrusion detection system.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Types of Data</Title>
							<Subtitle/>
							<Filename>disacnd03_05_03</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Packet data is a gold mine of information! This is the data that every analyst wants access to. Whereas alert data provides snippets of network traffic, and session/flow data shows just the connections that were made and the number of bytes that were transferred, packet data, which is also known as payload data, includes everything! It shows raw network traffic in its entirety. Many analysts will not have access to full packet data, but if they do, it will likely be collected by a packet capture device and then moved to back-end storage. From there, packet captures can be accessed through a security information event management, or SIEM, system, such as ArcSight, or by using a packet analyzer, such as Wireshark. Packet data is exceptionally useful because it provides not just the number of bytes of information, but also the actual bytes, which enables you to see exactly what is contained within those bytes of data. For example, actual malware can be extracted for analysis, and exfiltrated data can be identified. Because packet data is so comprehensive, it presents significant challenges not only in terms of storing an enormous volume of data but also in terms of searching and sorting through that data. Furthermore, extreme variations in bandwidth availability and suboptimal positioning of packet capture devices can lead to dropped packets.  </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Packet Data</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 6. Popup title: Packet Data. Icon displays representing packet data. Reprised image displays of basic network with alert and gaps in connections visible. Alert is highlighted, and bridges display to close gaps. Text displays in support of audio. Text displays as follows: Refer to Data Types job aid to learn more. The acronym S I E M becomes a rollover that reads security information event management. The term packet-capture device becomes a rollover that reads as follows: Packet capture devices are often placed in locations similar to where I D esses are placed, such as network gateways, places where the security level changes, or at specific servers and hosts of significant importance. </ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Types of Data</Title>
							<Subtitle/>
							<Filename>disacnd03_05_04</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Log data is the last major piece of the data puzzle. Although analysis doesn't usually begin here, log data is often used to correlate and further support conclusions based on the analysis of other data sources. Log data refers to independent, machine-generated records of activity taking place on a variety of network components, such as devices, appliances, hosts, and applications. Log data is valuable because it provides a fingerprint of the system and any user activity that has occurred on that system. Logs can provide a great deal of information to help you better understand what systems were involved, how the systems and people behaved, what information was accessed, who accessed it, and precisely when these activities took place. In assessing when the activities occurred, it is critical to identify what time zones are used in each of the systems involved. Be especially aware that even though a system uses one time zone, such as Eastern Standard Time, the logs could be recorded in another, such as Zulu. Like packet data, log data presents challenges in sorting and analyzing the often large amounts of data contained within the logs. Log data is also limited by the difficulty in gaining access to the logs on individual assets. Because logs exist on individual hosts and network devices that are likely to be far outside of the control and access of those monitoring activity at the network level, access to logs can be difficult at best. Your ability to retrieve logs is crucial. Establish a process in advance so that you are able to gain access to this data in a timely manner. Even if logs are accessible, analysts may run into issues with the types of data that are logged and with the ability of individual sites to retain logs.  </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Log Data</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 4 of 6. Popup title: Log data. Icon displays representing log data. Reprised image displays of basic network with alert, bridged gaps, and additional unbridged gaps. Bridges display to close final gaps. Text displays in support of audio. Text displays as follows: Refer to Data Types job aid to learn more. The term log becomes a rollover that reads as follows: Refers to any available log that might be relevant to security, such as operating system logs, host-based I D S logs, network logs, web server logs, D H C P logs, firewall logs, D N S logs, wireless access point logs, web application firewall logs, web application logs, database access logs. The word When becomes a rollover that reads as follows: Identify the time zones used by each system involved. Consider that even though a system uses one time zone, such as Eastern Standard Time (E S T), the logs could be recorded in another time zone, such as Zulu (U T C). The phrase access to logs becomes a rollover that reads as follows: Access may be especially difficult within the D O D, because analysts often function at different tiers of the network than those responsible for most log data. Some, but not all, logs may exist in a sim, and the logs housed within the purview of the C N D analyst will vary by organization.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Types of Data</Title>
							<Subtitle/>
							<Filename>disacnd03_05_05</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1">If alert data, session data, packet data, or log data suggest that a malicious event has occurred, then your overarching goal is to determine whether the intrusion was successful. Assuming no evidence of post-exploitation, is this lack of evidence sufficient to conclude that the threat event failed? The answer is no. Just because evidence of post-exploitation is not apparent does not mean that an intrusion was not successful. The detection tools may not be sufficient, or the threat actor could be using an undocumented technique. In situations such as these, a detailed understanding of the asset's security posture and vulnerabilities could prove helpful. To this end, one thing you should do is to assess recent vulnerability data to determine whether the host is missing a patch that might leave it open to exploitation. Asset and vulnerability data provide information about system assets that can help you to identify, quantify, and rank vulnerabilities and potential threats in the environment. They also provide an assessment of the overall security posture of a system or network and can help to predict whether a given system is vulnerable to exploitation. Asset and vulnerability data are limited, however, to known vulnerabilities. If your system is susceptible to a zero-day exploit, then a vulnerability assessment is not likely to expose the weaknesses that make it so. Another limitation is that the data from a previous vulnerability assessment may be outdated.  </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Asset/Vulnerability Data</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 5 of 6. Popup title: Asset/Vulnerability Data. Reprised image displays of basic network with alert icon, session data icon, packet data icon, and log data icon. Image displays of adversary gaining access to network. Question text displays reading Was threat event successful? Question text displays reading Does a lack of evidence mean that the threat event failed? Lightning bolt displays striking workstation to represent vulnerability. Icon displays representing asset/vulnerability data. Text displays in support of audio. Text displays as follows: Refer to Data Types job aid to learn more. The term zero-day exploits becomes a rollover that reads as follows: Zero-day exploits target system and software vulnerabilities that have not yet been publicly disclosed.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Types of Data</Title>
							<Subtitle/>
							<Filename>disacnd03_05_06</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Although alert data, session/flow data, full packet data, and log data are more obviously beneficial to analysts, statistical data can also be useful to your analysis. Statistical data, which refers to all simple counters and historical data provided by network devices or information systems, can provide additional context to support your data. When assessing statistical data, look for data that is well outside the norms, as these outliers can be evidence of underlying issues. Long-term historical data may also reveal trends. For example, if a system that has been quiet for a month shows a sudden increase in activity, then this may indicate a problem.  </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Statistical Data</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 6 of 6. Popup title: Statistical Data. Reprised image displays of basic network with alert icon, session data icon, packet data icon, and log data icon. Icon displays representing statistical data. Text displays in support of audio. Text displays as follows: Refer to Data Types job aid to learn more. The term statistical data becomes a rollover that reads as follows: Refers to all simple counters and historical data provided by network devices or information systems.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 20. Screen title: Types of Data. Phase 1 task, Gather Data, and clipboard icon display. Reprised image of Pat displays with other reprised images from Lesson 1 scenario. Computer network displays, and data is shown moving through it. Text displays on screen reading What do you need? and Where will you find it? Six icons display to represent the following six data types: alert data, session/flow data, packet data, log data, asset/vulnerability data, and statistical data. Job aid icon displays. Data type icons and job aid icon become selectable as popups.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Phase 2: Knowledge Development</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Overview of Phase 2</Title>
					<Subtitle/>
					<Filename>disacnd03_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Once you have gathered the data that you will need to answer the narrative questions, it is time to analyze that data. The second phase of the methodology, the knowledge development phase, is the phase in which you will attempt to answer the narrative questions to further develop your knowledge of the incident and deepen your understanding. How will you develop this knowledge? You will start by analyzing and correlating the data you have gathered. But in order to fully tell the story of the incident, you must also develop timelines, narratives, and hypotheses to explain the incident. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 20. Topic title: Phase 2: Knowledge Development. Screen title: Overview of Phase 2. Reprised image displays of Phase 1 with title Phase 1: Data Gathering, descriptor text Input, clipboard icon, and task box with task title Gather Data. Reprised image displays of Phase 2 with title Phase 2: Knowledge Development, descriptor text Analysis, magnifying glass icon, and task box with task titles Analyze and Correlate Data, Develop Timelines, Develop Narratives, and Develop Hypotheses. Text displays in support of audio. Reprised image displays of five double-ewes icon. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Analyze and Correlate Data</Title>
					<Subtitle/>
					<Filename>disacnd03_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The first steps of the knowledge development phase, analyzing and correlating data, are key activities in helping to bring context to the data you have gathered. As you know, an alert can indicate a possible intrusion, but without any supporting data, it can confirm very little. Likewise, session/flow data may be able to correlate and confirm what is found in the alert data by revealing network connections between victims and threat actors, but it still may not confirm the intrusion or tell you what data was transferred during the intrusion. Even though each type of data is valuable in its own way, none can stand alone to provide the information you need to fully understand what happened. In essence, an alert without supporting data is mostly just noise. By bringing together multiple data sources, data correlation brings order to that noise, painting a more complete picture of the incident and enabling you to conduct a much more reliable analysis. It does this by corroborating data, providing supporting evidence, providing context to explain data, and filling gaps left by other types of data. The dirty word list that you compiled during Phase 1 is your key to correlating data. Use your dirty word list to query all data sources. And add to it as necessary as you come across additional terms that may also be key indicators. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 20. Screen title: Analyze and Correlate Data. Reprised image displays of Phase 2 task, Analyze and Correlate Data, and magnifying glass icon. Reprised image displays of basic network with I D S showing activity. Word displays over I D S reading Alert. Words display over I D S reading possible intrusion. Question text displays reading How do you confirm an intrusion? Text displays in support of audio. The term Dirty Word List becomes a rollover that reads as follows: A list of unique indicators that may be relevant to an incident. Indicators may include I P addresses (threat actor addresses, victim addresses, supporting I Peas), ports and protocols used (in exploitation, in post-exploitation), user names, unique payload content strings, post-exploitation activity.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Develop Timelines</Title>
					<Subtitle/>
					<Filename>disacnd03_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The next step in the knowledge development phase is to develop a chronology of the incident by plotting data on a timeline or otherwise placing it in chronological order. Like data correlation, this step connects the information from multiple data sources to bring order to these various types of data. Developing a chronology may help you to draw associations between causes and later effects that might not be obvious otherwise. As you plot each new event on your timeline, continually analyze your chronology for any possible triggers for that event or any obvious effects that may have resulted from that event. Developing a chronology is important, not only to bring order to your data, but also to bring order to your narrative. As you develop and analyze your chronology, ask yourself questions about what happened and when, and be sure to consider the different time zones of the various systems and logs involved. Had Pat developed a timeline of the alert data available at the time, she would have likely seen that the increasing volume of alert data was in fact a sudden change. Further analysis and data correlation would then have confirmed that the unusual activity was indeed suspicious. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 20. Screen title: Develop Timelines. Reprised image displays of Phase 2 task, Develop Timelines, and magnifying glass icon. Image displays of generic timeline showing multiple data points. Image displays of document labeled Chronology and showing a list of items in sequence, numbered 1, 2, 3, 4, and 5. Reprised image displays of basic network. Text displays in support of audio. New data points display on timeline. Each data point on timeline is highlighted one at a time. Image displays generic chart showing a steep line labeled Alert Data.</ContentDescription></Sec508Data></Page>
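The two Phase 2 steps described on screens 7 and 8, querying every data source with the dirty word list and then placing the hits on one chronology with the time zones of the different systems normalised, as an added worked example in Python. This is illustration code written for this edit, not code from the course module or from any DISA tool; the dirty word list, the three sample sources (an IDS, a web proxy and a Windows event log), their records and their assumed time zones are all constructed.

```python
"""Dirty-word correlation across data sources plus a UTC timeline.

Illustration added for this edit; not code from the course module. The dirty
word list, the sample records, the source names and the time-zone assumptions
are all constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed dirty word list, as if compiled during Phase 1.
DIRTY_WORDS = ["203.0.113.45", "jdoe", "svc-backup"]

# Constructed sample records. Each source stamps time differently:
#   ids    - ISO 8601 with an explicit UTC offset
#   proxy  - no zone in the stamp; ASSUMED to run at UTC-05:00
#   winlog - no zone in the stamp; ASSUMED to run at UTC+01:00
SOURCES = {
    "ids": {
        "fmt": "%Y-%m-%dT%H:%M:%S%z",
        "tz": None,  # offset is carried in the timestamp itself
        "records": [
            ("2023-03-14T15:02:10+0000", "MALWARE beacon 10.0.5.22 to 203.0.113.45:443"),
            ("2023-03-14T15:40:00+0000", "SCAN inbound 198.51.100.7 to 10.0.5.80:22"),
        ],
    },
    "proxy": {
        "fmt": "%Y-%m-%d %H:%M:%S",
        "tz": timezone(timedelta(hours=-5)),
        "records": [
            ("2023-03-14 09:55:31", "10.0.5.22 GET http://203.0.113.45/update.bin 200"),
            ("2023-03-14 10:10:02", "10.0.5.31 GET http://example.org/ 200"),
        ],
    },
    "winlog": {
        "fmt": "%m/%d/%Y %H:%M:%S",
        "tz": timezone(timedelta(hours=1)),
        "records": [
            ("03/14/2023 15:48:05", "4624 logon user jdoe from 10.0.5.22 type 3"),
            ("03/14/2023 16:30:00", "4672 special privileges assigned to svc-backup on 10.0.5.80"),
        ],
    },
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_timestamp(raw, fmt, assumed_tz):
    """Parse one source's stamp and normalise it to UTC.

    A stamp with no zone gets the zone the source is assumed to run in. A wrong
    assumption silently reorders the timeline, so that zone is written down in
    SOURCES rather than guessed at parse time.
    """
    dt = datetime.strptime(raw, fmt)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=assumed_tz)
    return dt.astimezone(timezone.utc)


def correlate(sources, dirty_words):
    """Query every source with the dirty word list; return the records that hit."""
    hits = []
    for name, src in sources.items():
        for raw_ts, message in src["records"]:
            matched = [w for w in dirty_words if w.lower() in message.lower()]
            if matched:
                hits.append({
                    "source": name,
                    "utc": parse_timestamp(raw_ts, src["fmt"], src["tz"]),
                    "message": message,
                    "matched": matched,
                })
    return hits


def build_timeline(hits):
    """Order the correlated hits on the common UTC clock."""
    return sorted(hits, key=lambda h: h["utc"])


def candidate_indicators(hits, dirty_words):
    """IP addresses seen in correlated records that are not yet on the list.

    Returned for the analyst to vet before extending the dirty word list;
    internal victim addresses show up here alongside genuinely new indicators.
    """
    found = set()
    for h in hits:
        for ip in IP_RE.findall(h["message"]):
            if ip not in dirty_words:
                found.add(ip)
    return sorted(found)


if __name__ == "__main__":
    timeline = build_timeline(correlate(SOURCES, DIRTY_WORDS))
    for h in timeline:
        print(h["utc"].isoformat(), h["source"], h["matched"], h["message"])
    print("candidates:", candidate_indicators(timeline, DIRTY_WORDS))
```

Running the file prints the four hits in UTC order: the jdoe logon, then the download from the listed address, then the IDS beacon alert, then the privilege assignment to svc-backup. Read raw, the proxy and event-log stamps would place the same events in a different order, which is exactly the cause-and-effect reading a chronology is meant to expose; that is why the assumed zone of each source is recorded explicitly in SOURCES. The candidate indicators are returned rather than added automatically because internal victim addresses appear there alongside anything that genuinely belongs on the dirty word list.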
				<Page>
					<Title>Develop Narratives</Title>
					<Subtitle/>
					<Filename>disacnd03_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">By now, you should have a pretty firm understanding of what it means to take a narrative approach to CND analysis. Although all data gathering and analysis activities up to this point should be conducted in the context of eventually telling a story, the task of actually developing the narrative occurs during the knowledge development phase. As you know, your narratives must answer six essential questions - that is, Who, What, When, Where, Why, and How. But how will you sift through all the data you've collected to get to the key information? And what else might you need to consider in telling the story of an incident? In essence, you must develop two distinct types of narratives. One tells the story of the immediate incident in full detail, providing a snapshot of the network's security status at the time of the incident. The other takes a much wider view of the network, addressing various high-level security factors that provide greater visibility into the overall security posture of the organization. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 20. Screen title: Develop Narratives. Reprised image displays of Phase 2 task, Develop Narratives, and magnifying glass icon. Reprised image displays of newspaper. Reprised images displays of the following data type icons: alert data, packet data, session/flow data, log data, vulnerability/asset data, and statistical data. Reprised image displays of five double-ewes icon. Image displays of detailed view of basic network with label Telling the Story. Image displays of broad view of large computer network with label The Big Picture.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Developing Narratives—Telling the Story</Title>
					<Subtitle/>
					<Filename>disacnd03_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Let's first take a closer look at the narrative questions that were introduced earlier, which should provide you with the specific details that you need. First, ask who was involved. Who were the key players? Next, ask what happened. This question addresses not only the exploitation itself, but also the events that occur after the exploitation - that is, the post-exploitation. Next, ask when the incident and any related events occurred. Use the information collected in your timeline to support your narrative. Next, ask where the incident occurred. Answers to this question may reveal physical locations, but more likely, the data you will be collecting here will include network addresses and machine names. Next, ask why the incident occurred. What was the goal of the threat actor? Was it simply reconnaissance and gathering of network or system information? Was it to pivot to more valuable targets or establish persistent access? Or might the threat actor have been trying to exfiltrate critical data? The Why question can be difficult to answer, but you can make inferences based on the information you gather. The answers to the What and How questions may also shed some light on the Why. Finally, ask how the incident occurred. This question addresses two distinct issues: exploitation and vulnerability. Your narratives should include all the relevant data to support your answers to these narrative questions. Your narrative should also include the key indicators that you used to gather your supporting data. If you find a question that you can't answer, then determine what data is missing and why. Keep in mind that narratives will never be perfect. The possibility always exists that your conclusions could be wrong, and you should be forthcoming with this uncertainty. Even the most thorough analyses may leave gaps in the data. In these cases, analysts must rely not only on the data, but also on their judgment and experience to make inferences about what happened. However, if you find yourself constantly guessing, or if the same type of information always seems to be missing, then you may have a larger security architecture issue that needs to be addressed. Select Key Players, Post-Exploitation, Exploitation Analysis, and Vulnerability Analysis to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Developing Narratives—Telling the Story</Title>
							<Subtitle/>
							<Filename>disacnd03_10_01</Filename>
							<PageNbr>10</PageNbr>
							<ShowText>
								<Txt frameNbr="1">When you are working to identify the key players in a CND incident, there are three main categories to consider: threat actors, supporting systems, and victims. The threat actors are the systems and accounts associated with the exploitation and post-exploitation side of an intrusion. The supporting systems are the systems that the threat actor may have used to facilitate the intrusion. And finally, the victims are the systems that were compromised or targeted in the intrusion. As you go about your analysis, be careful to provide only the facts that you actually know. This may include IP addresses, e-mail addresses, and machine names. Take caution in relying on this type of data, however, as IP addresses may be spoofed or may be using the address of a previously compromised victim as a relay. Furthermore, both IP addresses and e-mail addresses may change frequently. Finally, do not speculate on the threat actor's identity or country of origin unless you have credible supporting information and Intelligence has confirmed the source. Attribution to a specific actor is not only exceptionally difficult, but it is also typically beyond the scope of a CND analyst: it often involves Intelligence sources and should employ the skills of a fusion analyst. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Key Players</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 4. Popup title: Key Players. Reprised image displays of basic protected network with I D S. Text displays in support of audio. The acronym I P becomes a rollover that reads Internet Protocol. The term C and C becomes a rollover that reads command and control.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Developing Narratives—Telling the Story</Title>
							<Subtitle/>
							<Filename>disacnd03_10_02</Filename>
							<PageNbr>10</PageNbr>
							<ShowText>
								<Txt frameNbr="1">When you are working to identify precisely what took place during an incident, there are several types of post-exploitation activities to consider. Your job is to identify what happened as a result of the malicious event. For example, if the threat actor was able to execute remote commands through either Shell access or graphical user interface, or GUI, access, then you must identify what actions were performed and what types of commands were executed based on available indicators. There are several common types of post-exploitation activities to watch out for. Roll your cursor over each type to learn more. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Post-Exploitation</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 4. Popup title: Post-Exploitation. Reprised image displays of basic network with alerts visible. Text displays in support of audio. Text displays as follows: Types of Post-Exploitation Activities. Shell access. Graphical user interface (GUI) access. Malware installation. Data exfiltration. Pivoting. Sniffing. Privilege escalation. Theft of password hashes. The term Shell access becomes a rollover that reads as follows: Terminal, command-line access to a system; Very common; Provides significant access to systems. The term Graphical user interface (gooey) access becomes a rollover that reads as follows: Access through user's desktop; Provides significant access to systems; Less stable and less often used by more advanced threat actors; More likely to crash system; More likely to be noticed by the user. The term Malware installation becomes a rollover that reads as follows: The installation of malicious code to infect a host system and provide unauthorized access; The installation of additional tools, such as remote access tools (R A Tees); May turn a system into a bot; Incredibly common; General purpose. The term Data exfiltration becomes a rollover that reads as follows: The unauthorized removal or transfer of data from a computer system; Incredibly common; Significant concern within D O D; Stolen data may include simple system data, confidential or classified data, passwords, personally identifying information (P I I). The term Pivoting becomes a rollover that reads as follows: Threat actor gains initial foothold on internal system and uses that internal system to attack other systems on network; Very common. The term Sniffing becomes a rollover that reads as follows: Listening to, or sniffing, the traffic traveling between networked devices. The term Privilege escalation becomes a rollover that reads as follows: Exploitation of a vulnerability in the system to gain a higher level of authorization on a system. The term Password hashes becomes a rollover that reads as follows: A password hash is the digital fingerprint of a piece of data, to include passwords. To authenticate, a hash of the user-supplied password is compared to the stored password hash.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Developing Narratives—Telling the Story</Title>
							<Subtitle/>
							<Filename>disacnd03_10_03</Filename>
							<PageNbr>10</PageNbr>
							<ShowText>
								<Txt frameNbr="1">To completely understand the full context of a threat event, it is important to analyze all available data sources. When you are working to identify how a malicious event occurred, you must conduct an exploitation analysis to identify how the intrusion was perpetrated. There are several questions to consider. Take a moment to review them. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Exploitation Analysis</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 4. Popup title: Exploitation Analysis. Reprised image displays of basic network with alerts visible. Text displays in support of audio. Text displays as follows: Questions to consider: How were we attacked? How did threat actor gain access? What attack vectors did the threat actor employ? Were the attack vectors internal or external? Client side or server side? Associated with the installation of malware? What were the primary and secondary attack vectors?</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Developing Narratives—Telling the Story</Title>
							<Subtitle/>
							<Filename>disacnd03_10_04</Filename>
							<PageNbr>10</PageNbr>
							<ShowText>
								<Txt frameNbr="1">Without the context provided by a full analysis of all available data sources, there is no way to know why the network was susceptible to exploitation. When you are working to identify how a malicious event occurred, you must conduct a vulnerability analysis to identify how the system was vulnerable. This is the flip side of the exploitation coin; after all, systems can't be exploited if they aren't already vulnerable in some way. Vulnerability analysis also includes root cause identification, which expands upon the identified attack vectors and system weaknesses by identifying the precise set of conditions that allowed the incident to occur. Determining the root cause of an incident is critical to the overall security of your organization's network. Failing to identify the root cause of an incident may expose multiple commands and organizations to increased risk, especially in situations where they share similar configurations or defensive measures. There are several questions to consider when conducting vulnerability analysis and root cause analysis. Take a moment to review them. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Vulnerability Analysis</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 4 of 4. Popup title: Vulnerability Analysis. Reprised image displays of basic network with alerts visible. Text displays: Vulnerability analysis seeks to identify how the system was vulnerable. Questions to consider: Why were we vulnerable? Where was the weakness in the system? Were any of the identified victims vulnerable to suggested exploitation? Could additional security controls have prevented or mitigated the effect of the incident? What was the root cause of the vulnerability? Text displays: Root cause identification seeks to identify the precise set of conditions that created the vulnerability. Questions to consider: Was it due to user violation of policy? Social engineering? An unpatched system? A misconfigured security device that allowed unauthorized access to a critical system?</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 20. Screen title: Developing Narratives—Telling the Story. Reprised image displays of Phase 2 task, Develop Narratives, and magnifying glass icon. Reprised images display of five double-ewes icon and newspaper. Reprised image displays of detailed view of basic network. Text displays in support of audio. The terms Key Players, Post-Exploitation, Exploitation Analysis, and Vulnerability Analysis become selectable as popups. The term Where? becomes a rollover that reads physical addresses, network addresses, machine names.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Developing Narratives—Providing The Big Picture</Title>
					<Subtitle/>
					<Filename>disacnd03_11</Filename>
					<PageNbr>11</PageNbr>
					<ShowText>
						<Txt frameNbr="1">With an overarching goal of improving your organization's overall security posture, your analysis should do more than just answer the narrative questions to deliver the specific details of the immediate incident. To provide the greatest value in your analyses, you need to go beyond the requirements of your position as a CND analyst and provide broader conclusions and recommendations that have wider applicability than the immediate incident. Asking additional questions during your analysis may help to provide you with additional background information to support these conclusions and recommendations. These questions can be sorted into five categories based on the type of information they elicit. First, consider incident identification. Then, consider incident response. Next, consider remediation. Then, consider prevention capabilities. And finally, consider detection capabilities. Asking, and answering, these additional questions will help to improve the overall security architecture for your command, service, or agency. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 20. Screen title: Developing Narratives—Providing the Big Picture. Reprised image displays of Phase 2 task, Develop Narratives, and magnifying glass icon. Reprised image displays of newspaper. Reprised image displays of broad view of large computer network with label reading The Big Picture. Text displays as follows: Additional information may cover the following: Incident identification. What brought this to our attention? How did we confirm the incident? Incident response. How can the ongoing intrusion be stopped? Did the intrusion spread? What countermeasures can be taken? Remediation. What is needed to restore systems/networks to proper working order? Prevention capabilities. How could this intrusion be prevented from occurring in the future? Detection capabilities. How could this intrusion be more quickly detected in the future?</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Develop Hypotheses</Title>
					<Subtitle/>
					<Filename>disacnd03_12</Filename>
					<PageNbr>12</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The final task in the knowledge development phase is to develop hypotheses. A hypothesis is an educated guess, or a theory, that presents a possible explanation for the security incident based on the data that is available. CND analysts often jump to conclusions early on in their analysis and then let their initial conclusions drive their narrative development. However, this approach is backward. You must instead base your conclusions on the data that you gathered and analyzed. As you develop your hypotheses, always ask yourself how else the incident could be explained. Also ask yourself whether the incident could have been perpetrated by an insider. And test each hypothesis to assess its viability. You need to identify the level of certainty for each hypothesis and for each part of the analysis. If after testing your hypotheses, more than one hypothesis remains viable, then develop and report on all viable hypotheses. Even if only one hypothesis seems to fit, still report on the other hypotheses that you tested. Explaining that you considered other possibilities and showing that the data did not support them shows that you considered multiple angles and gives your analysis added credibility. Finally, realize that analysts are only human and that sometimes analysts make mistakes. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 20. Screen title: Develop Hypotheses. Reprised image displays of Phase 2 task, Develop Hypotheses, and magnifying glass icon. Reprised image displays of basic network with the following data type icons: alert data, packet data, session/flow data, log data, vulnerability/asset data, and statistical data. Arrow displays leading from data types icon to newspaper. Arrow is labeled Analysis and Correlation. Text displays reading Is this the only possible explanation? Text displays in support of audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Phase 3: Reporting</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Overview of Phase 3</Title>
					<Subtitle/>
					<Filename>disacnd03_13</Filename>
					<PageNbr>13</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Once you've gathered your data, analyzed it, and developed one or two well-supported hypotheses, you will enter the third phase of the methodology, the reporting phase. Reporting is an integral part of the methodology. Developing and disseminating a report after every event or incident serves several purposes. First, making it part of your routine helps you to establish good reporting procedures. Reporting also serves as a record of what you've done. Finally, reporting shows the value of your analysis. Do you know how you will submit your reports? Reporting formats are mandated by your organization, but reports should be submitted in writing, whether you are reporting formally or informally. Know what your organization requires, and be prepared to deliver your report in the appropriate format. Finally, do you know when you will report? Recall that this methodology can sometimes be cyclical. Therefore, reporting and notification may occur at any time throughout the incident-handling process. As you learn more about an incident and the story becomes clearer, you may be required to pass along new information or provide periodic status updates to relevant stakeholders. Status updates are particularly important if your analysis reveals an active threat event or the compromise of critical information. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 20. Topic title: Phase 3: Reporting. Screen title: Overview of Phase 3. Reprised image displays of methodology diagram showing Phases 1, 2, and 3. Phases 1 and 2 are highlighted in sync with associated audio. Methodology diagram disappears, and reprised image of Phase 3 displays with title Phase 3: Reporting, descriptor text Output, report icon, and task box with task title Report. Text displays in support of audio. Simplified methodology diagram displays showing cyclical nature of incident analysis.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Types of Reporting</Title>
					<Subtitle/>
					<Filename>disacnd03_14</Filename>
					<PageNbr>14</PageNbr>
					<ShowText>
						<Txt frameNbr="1">There are two official types of reporting that you will encounter in CND analysis: technical reporting and operational reporting. Technical reporting assists with the handling of incidents and provides recommendations to mitigate the operational and/or technical impact of an incident and recommendations for possible security enhancements to the STIGs. Technical reporting must include submitting an incident report to the appropriate computer network defense service provider, or CNDSP, and may also include additional reporting directly to U.S. CYBERCOM. When submitting a technical report, follow the procedures and formats outlined in Enclosure C of the CJCSM 6510.01A. This manual also addresses the proper technical reporting structure. The second type of reporting, operational reporting, provides notification to commanders at all levels about the status of their systems or networks and the operational impact of the incident on their missions. This information helps commanders to direct the incident-handling process and mitigate unnecessary negative effects on their missions. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 14 of 20. Screen title: Types of Reporting. Reprised image displays of Phase 3 task, Report, and report icon. Text displays in support of audio. Image displays of C J C S M sixty-five ten dot oh one A icon. The term C J C S M sixty-five ten dot oh one A becomes a rollover that reads as follows: Chairman of the Joint Chiefs of Staff Manual sixty-five ten dot oh one A: Information Assurance (I A) and Computer Network Defense (C N D) Volume 1 (Incident Handling Program).</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Best Practices in Reporting</Title>
					<Subtitle/>
					<Filename>disacnd03_15</Filename>
					<PageNbr>15</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Regardless of which type of reporting you are doing, there are best practices that can be applied to your reporting mechanisms. Take a moment to review them. When you are ready, select Information to be Reported and Additional Information to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Best Practices in Reporting</Title>
							<Subtitle/>
							<Filename>disacnd03_15_01</Filename>
							<PageNbr>15</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Information to be reported</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: Information to be reported. Text displays as follows: Information to be reported may include number of systems affected. Source and destination IP addresses. Source and destination ports. Hostname(s). System location. User information. Timestamps. IDS alert data, payload data, and any relevant correlating data and information. General description of the problem, event, or activity. Status: ongoing or ended, successful or unsuccessful. A preliminary impact assessment that details potential damage of the reportable event or incident. The acronym I P becomes a rollover that states Internet Protocol. The acronym I D S becomes a rollover that states intrusion detection system.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Best Practices in Reporting</Title>
							<Subtitle/>
							<Filename>disacnd03_15_02</Filename>
							<PageNbr>15</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Additional information</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2. Popup title: Additional information. Text displays as follows: Additional information may include description of methods used in your analysis. Explanation of how tools and procedures were selected. Recommendations for further action to support your conclusions. Forensic examination of additional data sources. Securing identified vulnerabilities. Improving existing security controls. Recommendations for improvement to policies, guidelines (such as stigs), procedures, tools, other aspects of the forensic process.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 15 of 20. Screen title: Best Practices in Reporting. Reprised image displays of Phase 3 task, Report, and report icon. Text displays as follows: Best practices. Use plain language. Present appropriate hypotheses. Indicate which is the most likely scenario. Present supporting data. Who, What, When, Where, Why, and How. All information to be reported. Be prepared with additional questions. Response. Remediation. Prevention capabilities. Detection capabilities. Prepare a summary page. Include important takeaways. One each for both technical and nontechnical personnel. Include additional information as necessary. Leave your ego out of your analysis. The phrases Information to be reported and Additional information become selectable as popups.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Knowledge Check</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Knowledge Check 1</Title>
					<Subtitle/>
					<Filename>disacnd03_16</Filename>
					<PageNbr>16</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>448</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Tim has settled on two possible explanations for a recent network intrusion and is compiling all of his data to submit to his manager.</Txt>
							<Response>
								<Txt>Phase 1: Data Gathering for Statement: Tim has settled on two possible explanations for a recent network intrusion and is compiling all of his data to submit to his manager.</Txt>
							</Response>
							<Response>
								<Txt>Phase 2: Knowledge Development for Statement: Tim has settled on two possible explanations for a recent network intrusion and is compiling all of his data to submit to his manager.</Txt>
							</Response>
							<Response valid="true">
								<Txt>Phase 3: Reporting for Statement: Tim has settled on two possible explanations for a recent network intrusion and is compiling all of his data to submit to his manager.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Tim is engaged in Phase 3, the Reporting phase. At this point, he has gathered and analyzed all the information he needs to support his hypotheses, and he must report to his superiors.</DfltCorrect>
								<DfltIncorrect>Incorrect. Tim is engaged in Phase 3, the Reporting phase. At this point, he has gathered and analyzed all the information he needs to support his hypotheses, and he must report to his superiors.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Dana received an IDS alert and must collect information so that she can determine whether an intrusion actually occurred.</Txt>
							<Response valid="true">
								<Txt>Phase 1: Data Gathering for Statement: Dana received an IDS alert and must collect information so that she can determine whether an intrusion actually occurred.</Txt>
							</Response>
							<Response>
								<Txt>Phase 2: Knowledge Development for Statement: Dana received an IDS alert and must collect information so that she can determine whether an intrusion actually occurred.</Txt>
							</Response>
							<Response>
								<Txt>Phase 3: Reporting for Statement: Dana received an IDS alert and must collect information so that she can determine whether an intrusion actually occurred.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Dana is engaged in Phase 1, the Data Gathering phase. Alert data is limited in the information it provides, so Dana needs to gather additional data before she can begin her analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Dana is engaged in Phase 1, the Data Gathering phase. Alert data is limited in the information it provides, so Dana needs to gather additional data before she can begin her analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
<Txt>Rachel is using her “dirty word” list to scour her data sources for information that will corroborate her alert data and help her to develop a timeline.</Txt>
							<Response>
<Txt>Phase 1: Data Gathering for Statement: Rachel is using her “dirty word” list to scour her data sources for information that will corroborate her alert data and help her to develop a timeline.</Txt>
							</Response>
							<Response valid="true">
<Txt>Phase 2: Knowledge Development for Statement: Rachel is using her “dirty word” list to scour her data sources for information that will corroborate her alert data and help her to develop a timeline.</Txt>
							</Response>
							<Response>
<Txt>Phase 3: Reporting for Statement: Rachel is using her “dirty word” list to scour her data sources for information that will corroborate her alert data and help her to develop a timeline.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Rachel is engaged in Phase 2, the Knowledge Development phase. She has compiled a “dirty word” list and is using it to search her collected data for correlating information that will help her to develop a timeline of events.</DfltCorrect>
								<DfltIncorrect>Incorrect. Rachel is engaged in Phase 2, the Knowledge Development phase. She has compiled a “dirty word” list and is using it to search her collected data for correlating information that will help her to develop a timeline of events.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge on the phases of the analysis methodology. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 16 of 20. Topic title: Knowledge Check. Screen title: Knowledge Check. Knowledge check is a survey-style activity with three questions and three answer columns labeled Phase 1: Data Gathering, Phase 2: Knowledge Development, and Phase 3: Reporting. Select the best answer for each question, and then select Done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 2</Title>
					<Subtitle/>
					<Filename>disacnd03_17</Filename>
					<PageNbr>17</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>280</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Question 1 of 6.
Which type of data can she use to get information about network connections and fill the gaps left by alert data?</Txt>
							<Response>
								<Txt>Alert data</Txt>
							</Response>
							<Response valid="true">
								<Txt>Session/flow data</Txt>
							</Response>
							<Response>
								<Txt>Log data</Txt>
							</Response>
							<Response>
								<Txt>Packet data</Txt>
							</Response>
							<Response>
								<Txt>Asset/vulnerability </Txt>
							</Response>
							<Response>
								<Txt>Statistical data</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Session/flow data provides information about network connections and helps to fill gaps left by the limited scope of alert data. It can tell you what network connections were made and how much data was transferred, but it can’t tell you what data was transferred.</DfltCorrect>
								<DfltIncorrect>Incorrect. Session/flow data provides information about network connections and helps to fill gaps left by the limited scope of alert data. It can tell you what network connections were made and how much data was transferred, but it can’t tell you what data was transferred.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Question 2 of 6.
Which type of data will show her trends or unusual spikes in activity?</Txt>
							<Response>
								<Txt>Alert data</Txt>
							</Response>
							<Response>
								<Txt>Session/flow data</Txt>
							</Response>
							<Response>
								<Txt>Log data</Txt>
							</Response>
							<Response>
								<Txt>Packet data</Txt>
							</Response>
							<Response>
								<Txt>Asset/vulnerability </Txt>
							</Response>
							<Response valid="true">
								<Txt>Statistical data</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Statistical data can reveal trends in activity and show outliers that indicate underlying security issues. It can be obtained from network monitoring tools, switch monitoring tools, and other tools that monitor network activity. </DfltCorrect>
								<DfltIncorrect>Incorrect. Statistical data can reveal trends in activity and show outliers that indicate underlying security issues. It can be obtained from network monitoring tools, switch monitoring tools, and other tools that monitor network activity. </DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Question 3 of 6.
Which type of data can she use to review records of system, user, and network activity?</Txt>
							<Response>
								<Txt>Alert data</Txt>
							</Response>
							<Response>
								<Txt>Session/flow data</Txt>
							</Response>
							<Response valid="true">
								<Txt>Log data</Txt>
							</Response>
							<Response>
								<Txt>Packet data</Txt>
							</Response>
							<Response>
								<Txt>Asset/vulnerability </Txt>
							</Response>
							<Response>
								<Txt>Statistical data</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Log data provides records of system, user, and network activity. It can tell you what systems were involved, how systems and users behaved, what information was accessed, who accessed the information, and when activities occurred.</DfltCorrect>
								<DfltIncorrect>Incorrect. Log data provides records of system, user, and network activity. It can tell you what systems were involved, how systems and users behaved, what information was accessed, who accessed the information, and when activities occurred.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Question 4 of 6.
Which type of data is typically the initial focus of CND analysis?</Txt>
							<Response valid="true">
								<Txt>Alert data</Txt>
							</Response>
							<Response>
								<Txt>Session/flow data</Txt>
							</Response>
							<Response>
								<Txt>Log data</Txt>
							</Response>
							<Response>
								<Txt>Packet data</Txt>
							</Response>
							<Response>
								<Txt>Asset/vulnerability </Txt>
							</Response>
							<Response>
								<Txt>Statistical data</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Because it is often your first clue to a possible intrusion, alert data is typically the initial focus of CND analysis. Keep in mind that alert data is only a clue and does not provide enough information on its own to conduct effective analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Because it is often your first clue to a possible intrusion, alert data is typically the initial focus of CND analysis. Keep in mind that alert data is only a clue and does not provide enough information on its own to conduct effective analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Question 5 of 6.
Which type of data is going to provide her with the most comprehensive information about an incident?</Txt>
							<Response>
								<Txt>Alert data</Txt>
							</Response>
							<Response>
								<Txt>Session/flow data</Txt>
							</Response>
							<Response>
								<Txt>Log data</Txt>
							</Response>
							<Response valid="true">
								<Txt>Packet data</Txt>
							</Response>
							<Response>
								<Txt>Asset/vulnerability </Txt>
							</Response>
							<Response>
								<Txt>Statistical data</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Packet data is the gold mine of information! Although it provides the most comprehensive information about an incident, it also presents significant challenges in storage, searching, and sorting.</DfltCorrect>
								<DfltIncorrect>Incorrect. Packet data is the gold mine of information! Although it provides the most comprehensive information about an incident, it also presents significant challenges in storage, searching, and sorting.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Question 6 of 6.
Which type of data should she access to obtain information about the overall security posture of a system or network and get help to predict whether a given system is susceptible to exploitation?</Txt>
							<Response>
								<Txt>Alert data</Txt>
							</Response>
							<Response>
								<Txt>Session/flow data</Txt>
							</Response>
							<Response>
								<Txt>Log data</Txt>
							</Response>
							<Response>
								<Txt>Packet data</Txt>
							</Response>
							<Response valid="true">
								<Txt>Asset/vulnerability </Txt>
							</Response>
							<Response>
								<Txt>Statistical data</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Asset and vulnerability data provide information about the overall security posture of a system or network and can help to predict whether a given system is vulnerable to exploitation.</DfltCorrect>
								<DfltIncorrect>Incorrect. Asset and vulnerability data provide information about the overall security posture of a system or network and can help to predict whether a given system is vulnerable to exploitation.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now try these questions about the types of data used in CND analysis. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 17 of 20. Screen title: Knowledge Check. Knowledge check is a series of six multiple-choice questions, each with the same six possible answers. For each question, select the best answer, and then select Done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 3</Title>
					<Subtitle/>
					<Filename>disacnd03_18</Filename>
					<PageNbr>18</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>565</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Tells the story of the incident</Txt>
							<Response>
								<Txt>Analyze and Correlate Data for Statement: Tells the story of the incident</Txt>
							</Response>
							<Response>
								<Txt>Develop Timelines for Statement: Tells the story of the incident</Txt>
							</Response>
							<Response valid="true">
								<Txt>Develop Narratives for Statement: Tells the story of the incident</Txt>
							</Response>
							<Response>
								<Txt>Develop Hypotheses for Statement: Tells the story of the incident</Txt>
							</Response>
							<Response>
								<Txt>None of These for Statement: Tells the story of the incident</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Developing narratives involves answering the narrative questions to tell the story of the incident.</DfltCorrect>
								<DfltIncorrect>Incorrect. Developing narratives involves answering the narrative questions to tell the story of the incident.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Fills gaps in the data</Txt>
							<Response valid="true">
								<Txt>Analyze and Correlate Data for Statement: Fills gaps in the data</Txt>
							</Response>
							<Response>
								<Txt>Develop Timelines for Statement: Fills gaps in the data</Txt>
							</Response>
							<Response>
								<Txt>Develop Narratives for Statement: Fills gaps in the data</Txt>
							</Response>
							<Response>
								<Txt>Develop Hypotheses for Statement: Fills gaps in the data</Txt>
							</Response>
							<Response>
								<Txt>None of These for Statement: Fills gaps in the data</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Data correlation brings all data sources together to provide context and fill gaps in the data.</DfltCorrect>
								<DfltIncorrect>Incorrect. Data correlation brings all data sources together to provide context and fill gaps in the data.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Helps to show cause and effect</Txt>
							<Response>
								<Txt>Analyze and Correlate Data for Statement: Helps to show cause and effect</Txt>
							</Response>
							<Response valid="true">
								<Txt>Develop Timelines for Statement: Helps to show cause and effect</Txt>
							</Response>
							<Response>
								<Txt>Develop Narratives for Statement: Helps to show cause and effect</Txt>
							</Response>
							<Response>
								<Txt>Develop Hypotheses for Statement: Helps to show cause and effect</Txt>
							</Response>
							<Response>
								<Txt>None of These for Statement: Helps to show cause and effect</Txt>
							</Response>
							<Feedback>
<DfltCorrect>Correct. Plotting data on a timeline can help analysts to draw associations between causes and effects.</DfltCorrect>
								<DfltIncorrect>Incorrect. Plotting data on a timeline can help analysts to draw associations between causes and effects.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Gathers data</Txt>
							<Response>
								<Txt>Analyze and Correlate Data for Statement: Gathers data</Txt>
							</Response>
							<Response>
								<Txt>Develop Timelines for Statement: Gathers data</Txt>
							</Response>
							<Response>
								<Txt>Develop Narratives for Statement: Gathers data</Txt>
							</Response>
							<Response>
								<Txt>Develop Hypotheses for Statement: Gathers data</Txt>
							</Response>
							<Response valid="true">
<Txt>None of These for Statement: Gathers data</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Data gathering occurs during Phase 1 and is not a Knowledge Development task.</DfltCorrect>
								<DfltIncorrect>Incorrect. Data gathering occurs during Phase 1 and is not a Knowledge Development task.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Uses the “dirty word” list</Txt>
							<Response valid="true">
								<Txt>Analyze and Correlate Data for Statement: Uses the “dirty word” list</Txt>
							</Response>
							<Response>
								<Txt>Develop Timelines for Statement: Uses the “dirty word” list</Txt>
							</Response>
							<Response>
								<Txt>Develop Narratives for Statement: Uses the “dirty word” list</Txt>
							</Response>
							<Response>
								<Txt>Develop Hypotheses for Statement: Uses the “dirty word” list</Txt>
							</Response>
							<Response>
								<Txt>None of These for Statement: Uses the “dirty word” list</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Data correlation relies on the “dirty word” list to provide search terms that can be used to query all data sources for key indicators of the incident.</DfltCorrect>
								<DfltIncorrect>Incorrect. Data correlation relies on the “dirty word” list to provide search terms that can be used to query all data sources for key indicators of the incident.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Asks: “How else can you explain this incident?”</Txt>
							<Response>
								<Txt>Analyze and Correlate Data for Statement: Asks: “How else can you explain this incident?”</Txt>
							</Response>
							<Response>
								<Txt>Develop Timelines for Statement: Asks: “How else can you explain this incident?”</Txt>
							</Response>
							<Response>
								<Txt>Develop Narratives for Statement: Asks: “How else can you explain this incident?”</Txt>
							</Response>
							<Response valid="true">
								<Txt>Develop Hypotheses for Statement: Asks: “How else can you explain this incident?”</Txt>
							</Response>
							<Response>
								<Txt>None of These for Statement: Asks: “How else can you explain this incident?”</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Developing hypotheses involves asking how else you can explain the incident and developing additional theories as necessary.</DfltCorrect>
								<DfltIncorrect>Incorrect. Developing hypotheses involves asking how else you can explain the incident and developing additional theories as necessary.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Reveals trends and unusual activity</Txt>
							<Response>
								<Txt>Analyze and Correlate Data for Statement: Reveals trends and unusual activity</Txt>
							</Response>
							<Response valid="true">
								<Txt>Develop Timelines for Statement: Reveals trends and unusual activity</Txt>
							</Response>
							<Response>
								<Txt>Develop Narratives for Statement: Reveals trends and unusual activity</Txt>
							</Response>
							<Response>
								<Txt>Develop Hypotheses for Statement: Reveals trends and unusual activity</Txt>
							</Response>
							<Response>
								<Txt>None of These for Statement: Reveals trends and unusual activity</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Plotting data on a timeline can reveal trends and unusual activity.</DfltCorrect>
								<DfltIncorrect>Incorrect. Plotting data on a timeline can reveal trends and unusual activity.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now, check your understanding of the tasks involved in analysis. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 18 of 20. Screen title: Knowledge Check. Knowledge check is a survey-style activity with seven questions and five answer columns labeled Analyze and Correlate Data, Develop Timelines, Develop Narratives, Develop Hypotheses, and None of These. Select the best answer for each question, and then select Done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 4</Title>
					<Subtitle/>
					<Filename>disacnd03_19</Filename>
					<PageNbr>19</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>282</DfltQuestionWidth>
					<DfltFBWidth>565</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Question 1 of 7.
As a CND analyst for a DoD contractor, you work onsite at a U.S. military installation. Your network’s IDS just threw a series of alerts, and your CND team is frantically trying to figure out what’s going on. What is the first thing you need to do to begin your analysis of the incident?</Txt>
							<Response valid="true">
								<Txt>Gather data</Txt>
							</Response>
							<Response>
								<Txt>Analyze and correlate data</Txt>
							</Response>
							<Response>
								<Txt>Develop timelines</Txt>
							</Response>
							<Response>
								<Txt>Develop narratives</Txt>
							</Response>
							<Response>
								<Txt>Develop hypotheses</Txt>
							</Response>
							<Response>
								<Txt>Report</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. After receiving notification of a new IDS alert, your first step should be to gather data to correlate and provide additional context to the alert data.</DfltCorrect>
								<DfltIncorrect>Incorrect. After receiving notification of a new IDS alert, your first step should be to gather data to correlate and provide additional context to the alert data.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Question 2 of 7.
You’ve gathered data from numerous sources, but you need to make sense of it all. How will you bring order to the chaos of all the data that you’ve gathered?</Txt>
							<Response>
								<Txt>Gather data</Txt>
							</Response>
							<Response valid="true">
								<Txt>Analyze and correlate data</Txt>
							</Response>
							<Response>
								<Txt>Develop timelines</Txt>
							</Response>
							<Response>
								<Txt>Develop narratives</Txt>
							</Response>
							<Response>
								<Txt>Develop hypotheses</Txt>
							</Response>
							<Response>
								<Txt>Report</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. After gathering various types of data, you must analyze and correlate that data to establish some context for the incident.</DfltCorrect>
								<DfltIncorrect>Incorrect. After gathering various types of data, you must analyze and correlate that data to establish some context for the incident.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Question 3 of 7.
You know when the IDS alert came in, but much of the data that you’ve uncovered seems to have timestamps that precede the actual time of the intrusion. How will you determine whether this event is part of a trend?</Txt>
							<Response>
								<Txt>Gather data</Txt>
							</Response>
							<Response>
								<Txt>Analyze and correlate data</Txt>
							</Response>
							<Response valid="true">
								<Txt>Develop timelines</Txt>
							</Response>
							<Response>
								<Txt>Develop narratives</Txt>
							</Response>
							<Response>
								<Txt>Develop hypotheses</Txt>
							</Response>
							<Response>
								<Txt>Report</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Developing timelines helps you to bring order to your various types of data and identify trends or unusual activity.</DfltCorrect>
								<DfltIncorrect>Incorrect. Developing timelines helps you to bring order to your various types of data and identify trends or unusual activity.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Question 4 of 7.
You’ve gathered and analyzed a multitude of data, and you’ve created timelines to help you establish a sequence of events. What will you do next?</Txt>
							<Response>
								<Txt>Gather data</Txt>
							</Response>
							<Response>
								<Txt>Analyze and correlate data</Txt>
							</Response>
							<Response>
								<Txt>Develop timelines</Txt>
							</Response>
							<Response valid="true">
								<Txt>Develop narratives</Txt>
							</Response>
							<Response>
								<Txt>Develop hypotheses</Txt>
							</Response>
							<Response>
								<Txt>Report</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Once you have gathered and analyzed the data that you need to establish a sequence of events, you should have enough data available to answer the narrative questions and begin to develop your narratives.</DfltCorrect>
								<DfltIncorrect>Incorrect. Once you have gathered and analyzed the data that you need to establish a sequence of events, you should have enough data available to answer the narrative questions and begin to develop your narratives.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Question 5 of 7.
You’ve gathered and analyzed a multitude of data, you’ve created timelines to help you make sense of the data, and you’ve got some ideas about what might have caused this incident. What is your next step?</Txt>
							<Response>
								<Txt>Gather data</Txt>
							</Response>
							<Response>
								<Txt>Analyze and correlate data</Txt>
							</Response>
							<Response>
								<Txt>Develop timelines</Txt>
							</Response>
							<Response>
								<Txt>Develop narratives</Txt>
							</Response>
							<Response valid="true">
								<Txt>Develop hypotheses</Txt>
							</Response>
							<Response>
								<Txt>Report</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Although you may begin to develop theories early on in your analysis, you should be cautious about developing hypotheses before you have gathered and analyzed sufficient data to support and develop your hypotheses.</DfltCorrect>
								<DfltIncorrect>Incorrect. Although you may begin to develop theories early on in your analysis, you should be cautious about developing hypotheses before you have gathered and analyzed sufficient data to support and develop your hypotheses.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Question 6 of 7.
You’ve gathered and analyzed a multitude of data, you’ve created timelines to help you make sense of the chronology, you’ve begun to answer the narrative questions, and you’ve developed several viable hypotheses, but you still have some big gaps in your story. What will you do next?</Txt>
							<Response valid="true">
								<Txt>Gather data</Txt>
							</Response>
							<Response>
								<Txt>Analyze and correlate data</Txt>
							</Response>
							<Response>
								<Txt>Develop timelines</Txt>
							</Response>
							<Response>
								<Txt>Develop narratives</Txt>
							</Response>
							<Response>
								<Txt>Develop hypotheses</Txt>
							</Response>
							<Response>
								<Txt>Report</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Even the most thorough analyses sometimes have gaps in their data, but before you decide to conclude your analysis, you should attempt to fill those gaps by gathering more data.</DfltCorrect>
								<DfltIncorrect>Incorrect. Even the most thorough analyses sometimes have gaps in their data, but before you decide to conclude your analysis, you should attempt to fill those gaps by gathering more data.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Question 7 of 7.
You’ve developed your narratives, and you’ve settled on two likely explanations for the network threat event. What is your next step?</Txt>
							<Response>
								<Txt>Gather data</Txt>
							</Response>
							<Response>
								<Txt>Analyze and correlate data</Txt>
							</Response>
							<Response>
								<Txt>Develop timelines</Txt>
							</Response>
							<Response>
								<Txt>Develop narratives</Txt>
							</Response>
							<Response>
								<Txt>Develop hypotheses</Txt>
							</Response>
							<Response valid="true">
								<Txt>Report</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Once you have developed your narratives and determined your most likely hypotheses, you are ready to report your findings.</DfltCorrect>
								<DfltIncorrect>Incorrect. Once you have developed your narratives and determined your most likely hypotheses, you are ready to report your findings.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now see how well you do applying the analysis methodology to a sample intrusion. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 19 of 20. Screen title: Knowledge Check. Knowledge check is a series of seven multiple-choice questions, each with the same six possible answers. For each question, select the best answer, and then select Done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>disacnd03_20</Filename>
					<PageNbr>20</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the lesson on an approach to CND analysis. You should now be able to identify the three phases of the recommended CND analysis methodology, the various types of data used to support CND analysis, and the various activities involved in conducting an analysis. You should also be able to identify the key pieces of information that are included in each narrative element and recognize best practices in reporting the outcome of CND analyses. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 20 of 20. Topic title: Conclusion. Screen title: Summary and Conclusion. Congratulations text displays. Text displays in support of audio. Objectives bullets change to checkmarks in sync with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
