01. Incident Management Operations (471) Flashcards
Incident Management operations
Key phases of incident response:
- Planning
- Detection
- Initiation
- Analysis
- Containment
- Eradication
- Recovery
- Remediation
- Closure
- Post-Incident Review
- Retention of Evidence
Planning
The development of written response plans, guidelines, and procedures to be followed when an incident occurs
Detection
The moment in which an organisation is initially aware that a security incident is taking place or has taken place
Initiation
Incident response begins: the incident is declared and notifications are sent
Analysis
Response teams collect and analyse available data to understand the incident's cause, scope, and impact
Containment
Direct actions taken by incident responders to contain the advancement of an incident
Eradication
Incident responders take steps to remove the source of the incident
Recovery
After evaluation and eradication, recovery of systems to pre-incident state
Remediation
Involves the necessary changes that will reduce or eliminate the possibility of a similar incident in the future
Closure
Once eradication, recovery, and remediation have been completed, the incident can be closed
Post-incident Review
Review of the cause, impact, and response to the incident, and the lessons to be learned from it
Retention of Evidence
Identifying items that need to be retained as part of an incident, i.e., items that might be used in legal proceedings.
Security Incident Handling
Computer Security Incident Handling Guide by NIST
NIST-800-61
MSSP
Managed Security Service Provider (MSSP)
Reasons that organisations choose to outsource security monitoring:
- Domain expertise
- Dedicated personnel
- Staffing shortage
- Cost Control
Threat Hunting
- Using tools to proactively look for indicators of compromise (IOCs)
- Organisations should consider threat hunting only after reaching a mature level with monitoring capabilities