4.2 Flashcards
Incident Response Plans
An incident response plan describes the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system or network. The causes of incidents are many, ranging from the environment (storms) to user error to unauthorized actions by users, to name a few. Although the causes may be many, the resulting incidents can be grouped into classes.
Incident Response Process
The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are broad and varied, as they have to deal with numerous causes and consequences.
Incident Response Preparation
The preparation phase is where the different incident response plans are written and kept up to date. System configurations are documented as well.
Incident Response Identification
Once an incident has occurred, it is important that the appropriate incident response plan is invoked, and that stakeholders and the incident response team for that particular incident are notified.
Incident Response Containment
At this stage, we isolate or quarantine computers to prevent the attack from spreading any further, and we collect the volatile evidence. We disable any accounts used by the attackers.
Incident Response Eradication
In the eradication phase, we want to destroy the source of the incident. For example, if it is a virus, we want it removed. We remove the virus or delete infected files, patch the system, and turn off any services that we don't need so that the system is hardened.
Incident Response Recovery
In the recovery phase, we are getting the company back to an operational state, hopefully within the Recovery Point Objective (RPO). Examples include imaging machines, restoring data, or putting domain controllers or infected machines back online after cleansing.
Incident Response Lessons Learned
Lessons learned is a detective phase where we pull together all of the facts and plan how to prevent a recurrence in the future. Failure to carry this out will lead to a recurrence.
Tabletop Exercises
A tabletop exercise is a paper-based, hypothetical exercise where all parties meet around a table and discuss how they would deal with a disaster scenario.
Walkthrough Exercises
A structured walk-through is where a mock disaster is enacted physically with all parties involved. Examples include carrying out a fire drill where we mobilize the fire crew, or a military exercise or mission where many different scenarios are carried out.
Simulation Exercises
A simulation is a test based on a given scenario taken from part of a disaster recovery plan. The red and blue teams are briefed about the scenario and their roles, with the red team attacking and the blue team defending, while the white team organizes the event and measures the responses to it. A simulation is smaller and faster than a structured walk-through.
MITRE ATT&CK
MITRE is a US Government-sponsored company whose aim is to help prevent cyber-attacks. They developed an online framework that can be used by the general public, and it contains many matrices. These give information about adversaries and their attack methods. The acronym ATT&CK is used to help you better understand the attack vectors used by attackers:
Adversarial
Tactics
Techniques
&
Common Knowledge
The Diamond Model of Intrusion Analysis
This model is a framework for gathering intelligence on network intrusion attacks. This comprises four key elements: adversary, capabilities, infrastructure, and victims, and these are interconnected.
Adversary: This is the threat actor group, and we can use the MITRE ATT&CK model to identify who they are and what attacks they use.
Capabilities: This is where the adversary develops an exploit that they use to carry out the attack. These are also laid out in the MITRE ATT&CK model.
Infrastructure: This is how the attacker can get to the victim. This could be via USB, email, IP address, or remote access.
Victim: This is the person targeted by the adversary.
Cyber Kill Chain
Lockheed Martin originally developed the kill chain, a military model to identify the steps an enemy would take to attack you. It was then adapted to become the cyber kill chain, a framework that helps cybersecurity teams become more aware of potential cyber-attacks. It lets them trace each step of an attack, and the picture becomes clearer as each stage is identified.
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control
Actions on Objectives
Stakeholder Management
When we have an incident, there are five groups of stakeholders that we need to inform and manage. These are creditors, directors, employees, governmental bodies, and the shareholders, who are the owners of the business. We notify the stakeholders and remind them that it is their responsibility to ensure that the press does not learn of the incident, as this could severely affect the company's reputation. The incident may become common knowledge perhaps a month after it has been dealt with.
Communication Plan
This is the medium for informing all stakeholders of the incident. We would use encryption such as PGP or S/MIME to ensure that the event does not become public knowledge. A list of contacts should be maintained that includes the government, police, customers, suppliers, and internal staff.
Disaster Recovery Plan
Disasters range from natural disasters, such as hurricanes and floods, to hardware failure, malicious insider attacks, and the accidental deletion of data. The main aim of a disaster recovery plan is to get the company back up and running so that it can generate income. We need to identify the most critical assets and ensure that they are up and running first. We run disaster recovery exercises periodically to gain experience in executing the plan. As technology changes frequently, we need to update the disaster recovery plan to accommodate those changes.
Business Continuity Plan
We need to complete a business impact analysis to identify any single point of failure so that we can build in some redundancy. Focus on the Recovery Point Objective (RPO), so that we can identify how long we can operate without our data and the time that we have to complete disaster recovery and return to an operational state.
Four Steps:
Initial Response
Relocation
Recovery
Site Resiliency
Continuity of operations planning (COOP)
COOP was developed by the United States federal government as its version of a Business Continuity Plan (BCP). It looks at each type of disaster and puts processes in place so that the government can work with limited resources, providing critical services until the incident has been mitigated.
Incident Response Team
Incident Response Manager: A top-level manager who takes charge.
Security Analyst: Provides technical support during the incident.
IT Auditor: Checks that the company is compliant.
Risk Analyst: Evaluates all aspects of risk.
HR: Sometimes employees are involved in the incident.
Legal: Gives advice and makes decisions on legal issues.
Public Relations: Deals with the press to reduce the impact.
Cyber Incident Response Team: The cyber incident response team must move rapidly and have up-to-date training for the variety of incidents that they may encounter. They may have to use third-party specialists for some aspects of cybercrime.
Retention Policies
We first need to classify the data that we may require following a disaster. We need to create a data retention policy for all PII and sensitive information as well as for unclassified data. For legal and compliance reasons, you may need to keep certain data for different periods of time.