4.2 Importance of policies, processes and procedures in Incident response Flashcards
Incident response process: what are the stakeholders involved in this process?
- Incident response team
- IT security management
- Compliance officer
- Technical staff
- User community
Incident response process: what framework can be used for the incident response lifecycle?
NIST
Incident response process: how can a company be “prepared” for an incident?
- Use communication methods (phone, email)
- Set up incident handling hardware and software
- Have incident analysis resources (documentation, network diagrams, baseline, critical file hash value)
- Policies & procedures
Incident response process: how to know that an incident has occurred?
Monitor the system and network (antivirus, IPS/IDS, network flow)
Incident response process: what to do when a security incident occurs?
Isolate it in a sandbox (VM) and analyze it. Clean out the sandbox when done
Incident response process: how to recover from the incident?
Eradicate the bug (remove the malware) and recover the system (restore from backup, rebuild from scratch, replace compromised files, etc.)
Incident response process: why is documentation important?
To understand when and why the incident happened, how the incident was resolved and what can be done the next time it happens
Incident response planning: why are exercises important in incident management?
To test yourselves before an actual incident
Incident response planning: what is COOP ?
Continuity of Operations Planning
Attack frameworks: what is the MITRE ATT&CK framework?
Framework that describes the actions of an attacker: identify the point of intrusion, understand the methods used to move around, identify potential security techniques to block future attacks, etc.
The framework is available online
Attack frameworks: what is the Diamond Model of Intrusion Analysis framework?
Applies scientific principles to intrusion analysis: measurement, testability and repeatability.
Attack frameworks: what are the 4 corners of the Diamond Model of Intrusion Analysis framework?
- Adversary: the attacker
- Capability: what the attacker uses (malware, exploit, etc.)
- Victim: could be a person, an asset, an email address, etc.
- Infrastructure: describes what was used to gain access (IP addresses, domain names, email, etc.)
The 4 points are all connected. Therefore the adversary uses the infrastructure and develops a capability; the victim is exploited by the capability and connects to the infrastructure
Attack frameworks: what is the Cyber Kill Chain framework?
Framework with 7 phases of a cyber attack:
- Reconnaissance: gather info
- Weaponization: build a payload including an exploit and a backdoor
- Delivery: send the weapon
- Exploit: execute code on the victim
- Installation: malware is installed
- Command & control: get remote access
- Actions on objectives: attacker can remotely carry out objectives