4.2 Importance of policies, processes, and procedures for incident response Flashcards
What do you call a set of intended actions, usually mutually related through which one expects to achieve a goal? High-level, light on the details.
Plan
What do you call a series of related tasks or methods that together turn inputs into outputs? Ordered task list or flow chart.
Process
What do you call a prescribed way of undertaking a process or part of a process? A particular method for performing a task.
Procedure
What phase of incident response is where incident response plans are written and configurations documented?
Phase 1: Preparation
What phase of incident response determines whether or not an organization has been breached? (Is it really an incident?)
Phase 2: Identification
What phase of incident response focuses on limiting damage (scope) of the incident?
Phase 3: Containment
What phase of incident response is where affected systems are identified, isolated or shut down, and rebuilt?
Phase 4: Eradication
What phase of incident response is where the root cause is addressed and time to return to normal operations estimated and executed?
Phase 5: Recovery
What phase of incident response helps prevent recurrence and improves the incident response process?
Phase 6: Lessons Learned
What type of incident response exercise has one distribute copies of incident response plans to the members of the incident response team for review? Team members then provide feedback about any updates needed to keep the plan current.
Tabletop Exercise
What type of incident response exercise has the team members of the incident response team gather and role-play an incident scenario? Can ensure needed tools and resources are available and team members are familiar with their roles.
Walkthrough
What type of incident response exercise is similar to a structured walkthrough, except some of the response measures are then tested (on non-critical functions)? Involves some form of doing.
Simulation
What is an online framework that can be used by commercial organizations developed by a US government-sponsored company whose aim is to help prevent cyber-attacks? Provides information about adversaries and their attack methods.
MITRE ATT&CK Framework
What attack framework traces the stages of a cyberattack from early reconnaissance to the exfiltration of data?
Lockheed Martin Cyber Kill Chain
What step of the Lockheed Martin Cyber Kill Chain deals with harvesting email addresses, company info, etc…?
Step 1. Reconnaissance
In what step of the Lockheed Martin Cyber Kill Chain does the actor create malware tailored to the vulnerabilities of the remote target?
Step 2. Weaponization
What step of the Lockheed Martin Cyber Kill Chain deals with delivering the weaponized bundle to the victim via email, web, USB, etc…?
Step 3. Delivery
What step of the Lockheed Martin Cyber Kill Chain deals with exploiting a vulnerability to execute code on the victim’s system?
Step 4. Exploitation
What step of the Lockheed Martin Cyber Kill Chain deals with installing malware on the asset?
Step 5. Installation
What step of the Lockheed Martin Cyber Kill Chain deals with the command channel for remote manipulation of the victim?
Step 6. Command and Control
What step of the Lockheed Martin Cyber Kill Chain deals with ‘hands on keyboard’ access, where intruders accomplish their original goals?
Step 7. Actions on Objectives
What is a framework for gathering intelligence on network intrusion attacks, comprised of four key elements?
Diamond Model of Intrusion Analysis
In the Diamond Model of Intrusion Analysis what do you call the threat actor group?
Adversary
In the Diamond Model of Intrusion Analysis what do you call what the adversary develops, such as an exploit, to carry out the attack?
Capabilities
In the Diamond Model of Intrusion Analysis what do you call the person targeted by the adversary?
Victim
In the Diamond Model of Intrusion Analysis what do you call how the attacker can get to the victim?
Infrastructure
What plan details how relevant stakeholders will be informed in the event of an incident like a security breach?
Communication Plan
What do you call the overall organizational plan for “how to” continue business?
Business Continuity Plan (BCP)
What do you call the plan for recovering from a disaster impacting IT and returning the IT infrastructure to operation?
Disaster Recovery Plan (DRP)
What do you call the plan for continuing to do business until the IT infrastructure can be restored?
Continuity of Operations Plan (COOP)
What is the difference between the BCP and DRP?
BCP focuses on the whole business while DRP focuses more on the technical aspects of recovery. BCP will cover communications and process more broadly.
Who on the Incident Response Team is a top-level manager who takes charge?
Incident Response Manager
Who on the Incident Response Team provides technical support to the incident?
Security Analyst
Who on the Incident Response Team checks that the company is compliant?
IT Auditor
Who on the Incident Response Team evaluates all aspects of risk?
Risk Analyst
Who on the Incident Response Team is responsible for handling cases in which employees are involved in the incident?
HR
Who on the Incident Response Team gives advice and makes decisions on legal issues?
Legal department
Who on the Incident Response Team deals with the press to reduce the impact?
Public Relations
What is the labeling/tagging of data based on type?
Data classification
What is it called when, for legal and compliance reasons, you may need to keep certain data for different periods of time?
Regulatory Compliance
What retention policy is used to ensure that legal and compliance issues are addressed?
Data Retention policy