(12) Incident Reporting Flashcards

1
Q

Describe the importance of stakeholder notification when it comes to Incident response

A

The org needs to identify key stakeholders in order to get information to the right people at the right time.

These people include admins, developers, management, legal counsel, etc.

External stakeholders could include customers, law enforcement, service providers, external counsel, etc.

2
Q

When an incident is detected and analysis has begun, what communication needs to happen?

A
1. The IoCs that caused the investigation need to be communicated to the incident responders.
2. The incident responders need to determine whether the IoCs point to an incident or to a false positive.
3. If an incident is declared, the incident response processes kick in and the containment, eradication, and recovery stages happen.

Communication must happen at all stages of the incident response process.

3
Q

What should orgs do as far as legal counsel is concerned for the incident response process?

A

Orgs should engage legal counsel before an incident occurs so that they have pathways set up for easy decision making when they need them.

4
Q

What is important to remember about customer communication during incident handling?

A

Customer communication is paramount because customer trust and protection are very important considerations.

Useful information can be hard to provide up front because early assumptions can be proven wrong later.

5
Q

What media considerations need to be observed?

A

Media considerations include:

- Procedures for briefing the media
- Having an ongoing, regularly updated response document
- Prepping staff for contact with the media and requests for information
- Holding practice sessions for incident responders

Regulations may require that the company respond in a certain way as well.

6
Q

What is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) about?

A

It says that really, REALLY bad events (ones that cause VERY big harm to national security, foreign relations, the economy, civil liberties, or public health) must be reported to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and that a ransomware payment must be reported within 24 hours of the payment being made.

7
Q

What happens if cyber criminals are involved in an incident, especially when nation state actors are involved?

A

In the case of nation state actors, orgs may need to get law enforcement on the case.

8
Q

What happens when law enforcement gets involved with an incident response process?

A

When law enforcement gets involved, systems may need to be handed over to law enforcement, they may need to be taken offline, or other things may also need to happen.

The org can choose to cooperate or decline, but should get legal counsel before doing so.

9
Q

What is Root Cause Analysis? (RCA)

A

RCA is about figuring out why the incident occurred. The steps include:

1. Identify the problems and events that occurred with the incident, and describe them as well as possible.
2. Build a timeline of events; it helps figure out what happened, and in what order.
3. Figure out the difference between each event and the causal factors.
4. Document the analysis.
10
Q

What four measures should we consider when it comes to incident response?

A

The four measures we should consider are:

- Mean time to detect
- Mean time to respond
- Mean time to remediate
- Alert volume

11
Q

What do Orgs need to remember about KPIs?

A

Orgs need to understand what is being measured and why they are measuring it. The KPIs have to tie into the company objectives somehow.

12
Q

What should an Incident Response (IR) report include according to the Department of Homeland Security and CISA?

A

The IR report should include:

- Executive summary
- Recommendations
- Timeline
- Impact assessment
- Scope
- Evidence
