4.2 IR Policies, Processes, and Procedures Flashcards

1
Q

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
• User clicks an email attachment and executes malware
– Malware then communicates with external servers
• DDoS
– Botnet attack
• Confidential information is stolen
– Thief wants money or it goes public
• User installs peer-to-peer software and allows external access to internal servers

A

Security incidents

2
Q
Part of Incident Response Process - 
• Incident response team
– Specialized group, trained and tested
• IT security management
– Corporate support
• Compliance officers
– Intricate knowledge of compliance rules
• Technical staff
– Your team in the trenches
• User community
– They see everything
A

IR - Roles and responsibilities

3
Q
This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively.
• National Institute of Standards and Technology
– NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide
– Superseded in 2025 by Rev. 3, which reorganizes the same guidance around the CSF 2.0 functions; the four-phase lifecycle below is the Rev. 2 model
• The incident response lifecycle:
– Preparation
– Detection and Analysis
– Containment, Eradication, and Recovery
– Post-incident Activity
A

NIST SP800-61

4
Q

Part of Incident Response Process -

This phase is the workhorse of your incident response planning and, in the end, the most crucial phase for protecting your business. It includes:
- Ensure your employees are properly trained regarding their incident response roles and responsibilities in the event of data breach
- Develop incident response drill scenarios and regularly conduct mock data breaches to evaluate your incident response plan.
- Ensure that all aspects of your incident response plan (training, execution, hardware and software resources, etc.) are approved and funded in advance
Your response plan should be well documented, thoroughly explaining everyone’s roles and responsibilities. Then the plan must be tested in order to assure that your employees will perform as they were trained. The more prepared your employees are, the less likely they’ll make critical mistakes.

• Communication methods
– Phones and contact information
• Incident handling hardware and software
– Laptops, removable media, forensic software, digital cameras, etc.
• Incident analysis resources
– Documentation, network diagrams, baselines, critical file hash values
• Incident mitigation software
– Clean OS and application images
• Policies needed for incident handling
– Everyone knows what to do
A

Preparing for an incident

5
Q

Part of Incident Response Process -

This is the process where you determine whether you’ve been breached. A breach, or incident, could originate from many different areas.
>>> Questions to address <<<
When did the event happen?
How was it discovered?
Who discovered it?
Have any other areas been impacted?
What is the scope of the compromise?
Does it affect operations?
Has the source (point of entry) of the event been discovered?

• Many different detection sources
– Different levels of detail, different levels of perception
• A large amount of “volume”
– Attacks are incoming all the time
– How do you identify the legitimate threats?
• Incidents are almost always complex
– Extensive knowledge needed

A

The challenge of detection

6
Q

Part of Incident Response Process -

• An incident might occur in the future
– This is your heads-up
• Web server log
– Vulnerability scanner in use
• Exploit announcement
– Monthly Microsoft patch release
– Adobe Flash update
• Direct threats
– A hacking group doesn’t like you
A

Incident precursors
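The "Web server log – vulnerability scanner in use" precursor above is the kind of thing you can pull out of ordinary access logs before anything is exploited. The following script is an added example and is not part of the original deck: it parses Apache/nginx "combined" log lines and flags a client when any of three independent signals fire (a scanner User-Agent, a high 404 ratio, or requests for paths such as /.env or /wp-login.php that legitimate users never ask for). The log lines, IP addresses, path list and thresholds are all constructed for the demonstration.

```python
"""Flag likely vulnerability-scanner activity in web server access logs
(Apache/nginx 'combined' format). Added example for the 'Web server log -
vulnerability scanner in use' precursor; not from the original deck. The log
lines, IP addresses and thresholds below are constructed for the demo."""
import re
from collections import defaultdict
from typing import Iterator

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Tools that announce themselves: a cheap signal, and trivially spoofed.
SCANNER_UA = re.compile(r"nikto|sqlmap|nessus|nmap|masscan|zgrab|acunetix|dirbuster|gobuster", re.I)
# Paths nobody requests by accident: secrets, admin panels, source control.
PROBE_PATH = re.compile(r"/(?:\.git|\.env|phpmyadmin|wp-login\.php|cgi-bin/)", re.I)


def parse_combined(log_text: str) -> Iterator[dict]:
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            yield m.groupdict()


def find_scanners(log_text: str, min_requests: int = 5, not_found_ratio: float = 0.6) -> dict[str, list[str]]:
    """Return {client_ip: [reasons]} for clients that look like scanners.
    Three independent signals are combined so a spoofed User-Agent alone
    does not hide a scan: UA string, 404 ratio, and sensitive-path probes."""
    stats = defaultdict(lambda: {"total": 0, "nf": 0, "uas": set(), "probes": set()})
    for rec in parse_combined(log_text):
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == "404":
            s["nf"] += 1
        if SCANNER_UA.search(rec["ua"]):
            s["uas"].add(rec["ua"])
        if PROBE_PATH.search(rec["path"]):
            s["probes"].add(rec["path"])

    findings: dict[str, list[str]] = {}
    for ip, s in stats.items():
        reasons = []
        if s["uas"]:
            reasons.append("scanner user-agent: " + ", ".join(sorted(s["uas"])))
        if s["total"] >= min_requests and s["nf"] / s["total"] >= not_found_ratio:
            reasons.append(f"{s['nf']}/{s['total']} requests returned 404")
        if s["probes"]:
            reasons.append("probed sensitive paths: " + ", ".join(sorted(s["probes"])))
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample: one normal visitor, one Nikto run, and one scan hiding
# behind a browser User-Agent (caught by the 404 ratio and probe paths).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:10:01:05 +0000] "GET /about HTTP/1.1" 200 2048 "https://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:10:01:09 +0000] "GET /contact HTTP/1.1" 200 1024 "https://www.example.com/about" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Nikto/2.1.6)"
198.51.100.9 - - [10/Mar/2024:10:02:00 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Nikto/2.1.6)"
198.51.100.9 - - [10/Mar/2024:10:02:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Nikto/2.1.6)"
198.51.100.9 - - [10/Mar/2024:10:02:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Nikto/2.1.6)"
198.51.100.9 - - [10/Mar/2024:10:02:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Nikto/2.1.6)"
198.51.100.9 - - [10/Mar/2024:10:02:02 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Nikto/2.1.6)"
192.0.2.44 - - [10/Mar/2024:10:05:10 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.44 - - [10/Mar/2024:10:05:10 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.44 - - [10/Mar/2024:10:05:11 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.44 - - [10/Mar/2024:10:05:11 +0000] "GET /config.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.44 - - [10/Mar/2024:10:05:12 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.44 - - [10/Mar/2024:10:05:12 +0000] "GET /cgi-bin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

if __name__ == "__main__":
    for ip, reasons in find_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The point of the third signal is the second scanner: 192.0.2.44 never admits to being a tool, yet every one of its requests is a 404 against a path that exists only on the attacker's wordlist. A precursor like this is your cue to check that the probed components are patched before the indicator stage arrives.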

7
Q

Part of Incident Response Process -
• An attack is underway
– Or an exploit is successful
• Buffer overflow attempt
– Identified by an intrusion detection/prevention system
• Anti-virus software identifies malware
– Deletes from OS and notifies administrator
• Host-based monitor detects a configuration change
– Constantly monitors system files
• Network traffic flows deviate from the norm
– Requires constant monitoring

A

Incident indicators
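Two cards above lean on the same mechanism: the preparation card lists "baselines, critical file hash values" as an analysis resource, and the indicator card has a host-based monitor that "constantly monitors system files" for configuration changes. The script below is an added example (not from the original deck) of what that resource actually is and how the monitor uses it: a SHA-256 baseline of a file tree, saved while the system is known-good, later diffed against the live tree to report modified, added and missing files. The directory, file names and contents are constructed stand-ins for the demo; the "/etc" paths are not real system files.

```python
"""Build a SHA-256 baseline of critical files and diff the live filesystem
against it later. Added example for the 'critical file hash values' and
'host-based monitor detects a configuration change' cards; not from the
original deck. The tree and file contents are constructed for the demo."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so an attacker cannot point a 'good' path elsewhere."""
    baseline: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference: modified (hash changed), added (not in the
    baseline, e.g. a dropped implant), missing (deleted or renamed)."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Baseline a small constructed tree, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-stand-in")

        # Taken on a known-good build. Keep the baseline off the host
        # (read-only media or a separate store) so an intruder cannot rewrite it.
        saved = json.dumps(build_baseline(root), indent=1)

        # Constructed intrusion: config weakened, preload hook dropped, file removed.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "ld.so.preload").write_text("/tmp/.x/libhook.so\n")
        (root / "etc" / "hosts").unlink()

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The "added" bucket matters as much as "modified": a file integrity monitor that only checks known files will never see the ld.so.preload an intruder creates. In production the baseline is signed or stored where the monitored host cannot write to it, and the diff runs on a schedule or on file-change events rather than once.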

8
Q

Part of Incident Response Process -
In this phase, the incident response team begins interacting with affected systems and works to keep the incident from causing further damage.
• Generally a bad idea to let things run their course
– An incident can spread quickly
– It’s your fault at that point
• Sandboxes
– An isolated operating system
– Run malware and analyze the results
– Clean out the sandbox when done
• Isolation can sometimes be problematic
– Malware can monitor its own connectivity
– When connectivity is lost, everything could be deleted/encrypted/damaged
– Capture volatile evidence (memory, open connections) before cutting the host off, and prefer isolation that preserves the system's state

A

Isolation and containment

9
Q
Part of Incident Response Process - 
This is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again without the fear of another breach.
• Get things back to normal
– Remove the bad, keep the good
• Eradicate the bug
– Remove malware
– Disable breached user accounts
– Fix vulnerabilities
• Recover the system
– Restore from backups
– Rebuild from scratch
– Replace compromised files
– Tighten down the perimeter
A

Recovery after an incident

10
Q

Part of Incident Response Process -
• A phased approach
– It’s difficult to fix everything at once
• Recovery may take months
– Large-scale incidents require a large amount of work
• The plan should be efficient
– Start with quick, high-value security changes
• Patches, firewall policy changes
– Later phases involve much “heavier lifting”
• Infrastructure changes, large-scale security rollouts

A

Reconstitution

11
Q
Part of Incident Response Process - 
• Learn and improve
– No system is perfect
• Post-incident meeting
– Invite everyone affected by the incident
• Don’t wait too long
– Memories fade over time
– Some recommendations can be applied to the next event

Answer the tough questions
• What happened, exactly?
– Timestamp of the events
• How did your incident plans work?
– Did the process operate successfully?
• What would you do differently next time?
– Retrospective views provide context
• Which indicators would you watch next time?
– Different precursors may give you better alerts

A

Lessons learned
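"What happened, exactly? Timestamp of the events" (and the detection card's "When did the event happen?") is harder than it sounds, because every evidence source stamps time its own way. The script below is an added example, not from the original deck: it parses three constructed records (a syslog line with no year and no offset, a proxy log line with an explicit offset, and an EDR event with epoch seconds), normalizes all three to UTC, and sorts them into one timeline. The UTC-5 offset and the year applied to the syslog line are assumptions that a real investigation has to confirm against the source's clock settings; get that wrong and the mail leg of the story lands on the wrong side of the execution event.

```python
"""Merge events from sources with different timestamp formats and time zones
into one UTC-ordered incident timeline. Added example for the 'When did the
event happen?' and 'Timestamp of the events' cards; not from the original
deck. All log lines are constructed. SYSLOG_TZ and SYSLOG_YEAR are
assumptions that must be confirmed against the real source's configuration."""
import json
import re
from datetime import datetime, timedelta, timezone

# Assumption: the mail gateway writes classic syslog (no year, no offset)
# in local time, UTC-5. Classic syslog simply does not carry this information.
SYSLOG_TZ = timezone(timedelta(hours=-5))
SYSLOG_YEAR = 2024

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
WEBLOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def parse_syslog(line: str) -> tuple[datetime, str, str]:
    """'Mar 10 04:58:41 host msg' -> (aware UTC datetime, host, msg)."""
    mon, day, clock, host, msg = SYSLOG_RE.match(line).groups()
    local = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return local.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc), host, msg


def parse_weblog(line: str) -> tuple[datetime, str, str]:
    """Apache/nginx lines carry an explicit offset, so %z does the conversion."""
    ip, ts, request = WEBLOG_RE.match(line).groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return when, ip, request


def parse_edr(line: str) -> tuple[datetime, str, str]:
    """Epoch seconds are already UTC; never call fromtimestamp() without tz."""
    rec = json.loads(line)
    return datetime.fromtimestamp(rec["ts"], tz=timezone.utc), rec["host"], rec["event"]


def build_timeline(syslog, weblog, edr) -> list[tuple[str, str, str, str]]:
    """Return (utc_iso, source, actor, message) tuples in true chronological order."""
    events = []
    events += [(t, "mailgw", a, m) for t, a, m in map(parse_syslog, syslog)]
    events += [(t, "proxy", a, m) for t, a, m in map(parse_weblog, weblog)]
    events += [(t, "edr", a, m) for t, a, m in map(parse_edr, edr)]
    events.sort(key=lambda e: e[0])
    return [(t.isoformat().replace("+00:00", "Z"), s, a, m) for t, s, a, m in events]


# Constructed evidence from three sources, deliberately fed in the wrong order.
SYSLOG = ["Mar 10 04:58:41 mailgw postfix/smtpd: message from billing@invoices.example.net to alice@example.com"]
WEBLOG = ['10.0.0.15 - - [10/Mar/2024:10:02:00 +0000] "GET http://updates.example.net/update.php HTTP/1.1" 200 3321']
EDR = ['{"ts": 1710064860, "host": "ws-alice", "event": "winword.exe spawned powershell.exe -w hidden -nop"}']

if __name__ == "__main__":
    for row in build_timeline(SYSLOG, WEBLOG, EDR):
        print(" | ".join(row))
```

Sorted on the raw strings, the syslog line ("04:58") would look like it came five hours before anything else and the timeline would be wrong by exactly the offset nobody wrote down. The same discipline applies when you correct for clock drift: record the offset you applied to each source alongside the timeline, so the post-incident meeting can see it.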

12
Q
Incident Response Planning -
• Test yourselves before an actual event
– Scheduled update sessions (annual, semi-annual, etc.)
• Use well-defined rules of engagement
– Do not touch the production systems
• Very specific scenario
– Limited time to run the event
• Evaluate response
– Document and discuss
A

Exercise

13
Q

Incident Response Planning -
• Performing a full-scale disaster drill can be costly
– And time consuming
• Many of the logistics can be determined through analysis
– You don't physically have to go through a disaster or drill
• Get key players together for a tabletop exercise
– Talk through a simulated disaster

A

Tabletop exercises

14
Q

Incident Response Planning -
• Include responders
– A step beyond a tabletop exercise
– Many moving parts
• Test processes and procedures before an event
– Walk through each step
– Involve all groups
– Reference actual response materials
• Identifies actual faults or missing steps
– The walkthrough applies the concepts from the tabletop exercise

A

Walkthrough

15
Q
Incident Response Planning -
• Test with a simulated event
– Phishing attack, password requests, data breaches
• Going phishing
– Create a phishing email attack
– Send to your actual user community
– See who bites
• Test internal security
– Did the phishing get past the filter?
• Test the users
– Who clicked?
– Additional training may be required
A

Simulation
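"See who bites" only works if every click can be attributed to a specific recipient without anyone being able to forge a click for a colleague. The script below is an added example (not from the original deck) of the tracking side of a phishing simulation: each user gets a link carrying an HMAC of their identity, so the landing page stores nothing and recomputes the token to verify it, and the click report is built from the landing page's access log. The user list, the log lines, the phish-test.example domain and the campaign key are all constructed for the demo; sending the email itself is out of scope here.

```python
"""Per-recipient tracking tokens for a phishing simulation, plus the click
report built from the landing page's access log. Added example for the
'Simulation' card; not from the original deck. The users, log lines and
domain are constructed; CAMPAIGN_KEY is a placeholder generated per campaign."""
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import urlencode

CAMPAIGN_KEY = b"replace-with-a-random-per-campaign-secret"  # assumption: lives server-side only
LANDING = "https://phish-test.example/invoice"                 # constructed domain


def token_for(user: str, key: bytes = CAMPAIGN_KEY) -> str:
    """HMAC the user id: nothing to store, and a guessed token will not verify."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


def make_link(user: str) -> str:
    """The URL placed in that user's simulated phishing email."""
    return f"{LANDING}?{urlencode({'t': token_for(user)})}"


def resolve_token(token: str, users: list[str]) -> Optional[str]:
    """Recompute each user's token and compare in constant time."""
    for u in users:
        if hmac.compare_digest(token_for(u), token):
            return u
    return None


# Landing-page hits in 'combined' log format; only the token path counts.
CLICK_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /invoice\?t=([0-9a-f]+) ')


def click_report(log_lines: list[str], users: list[str]) -> dict:
    """Who clicked, who did not, the click rate, and hits with invalid tokens
    (scanners, forwarded links, or someone trying to frame a colleague)."""
    clicked, rejected = set(), 0
    for line in log_lines:
        m = CLICK_RE.match(line)
        if not m:
            continue
        user = resolve_token(m.group(2), users)
        if user is None:
            rejected += 1
        else:
            clicked.add(user)
    return {
        "clicked": sorted(clicked),
        "not_clicked": sorted(set(users) - clicked),
        "rate": len(clicked) / len(users),
        "rejected": rejected,
    }


def demo() -> dict:
    users = ["alice", "bob", "carol", "dave"]
    # Constructed log: alice clicked once, carol twice, one forged token, one unrelated hit.
    log = [
        f'10.0.0.15 - - [10/Mar/2024:10:02:00 +0000] "GET /invoice?t={token_for("alice")} HTTP/1.1" 200 5',
        f'10.0.0.27 - - [10/Mar/2024:10:04:11 +0000] "GET /invoice?t={token_for("carol")} HTTP/1.1" 200 5',
        f'10.0.0.27 - - [10/Mar/2024:10:04:40 +0000] "GET /invoice?t={token_for("carol")} HTTP/1.1" 200 5',
        '203.0.113.9 - - [10/Mar/2024:11:00:00 +0000] "GET /invoice?t=0123456789abcdef HTTP/1.1" 200 5',
        '10.0.0.15 - - [10/Mar/2024:10:02:01 +0000] "GET /favicon.ico HTTP/1.1" 404 1',
    ]
    return click_report(log, users)


if __name__ == "__main__":
    print(make_link("alice"))
    print(demo())
```

Two details carry the security of the exercise: the key never appears in the email (only the truncated HMAC does), and the "rejected" count tells you whether the link leaked beyond your user community, which is itself a finding for the "did the phishing get past the filter?" question.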

16
Q

Incident Response Planning -
• Keeping a good ongoing relationship with customers of IT
– These can be internal or external customers
– An incident response will require teamwork
– Without the stakeholder, IT would not exist
• Most of this happens prior to an incident
– Ongoing communication and meetings
– Exercises should include the customers
• Continues after the incident
– Prepare for the next event

A

Stakeholder management

17
Q

Incident Response Planning -

A policy-driven approach to providing stakeholders with information. The plan formally defines who should be given specific information, when that information should be delivered, and what communication channels will be used to deliver it.
• Get your contact list together
– There are a lot of people in the loop
• Corporate / Organization
– CIO / Head of Information Security / Internal Response Teams
• Internal non-IT
– Human resources, public affairs, legal department
• External contacts
– System owner, law enforcement
– US-CERT, now part of CISA (for U.S. Government agencies)

A

Communication plan

18
Q
Incident Response Planning -
• If a disaster happens, IT should be ready
– Part of business continuity planning
– Keep the organization up and running
• Disasters are many and varied
– Natural disasters
– Technology or system failures
– Human-created disasters
• A comprehensive plan
– Recovery location
– Data recovery method
– Application restoration
– IT team and employee availability
A

Disaster recovery plan

19
Q

Incident Response Planning -

Also called business continuity planning (BCP): a detailed outline of the steps that keep business operations running during an emergency or natural disaster. It should also cover cybersecurity events such as data breaches, loss of access, ransomware attacks, and malicious insider incidents.
• Not everything goes according to plan
• Disasters can cause a disruption to the norm
• We rely on our computer systems
• Technology is pervasive
• There needs to be an alternative
• Manual transactions
• Paper receipts
• Phone calls for transaction approvals
• These must be documented and tested before a problem occurs

A

Continuity of operations planning (COOP)

20
Q

Incident Response Planning -
A predefined group of IT and security professionals responsible for preparing for and reacting to any type of organizational emergency.
• Receives, reviews, and responds
– A predefined group of professionals
• Determine what type of events require a response
– A virus infection? Ransomware? DDoS?
• May or may not be part of the organizational structure
– Pulled together on an as-needed basis
• Focuses on incident handling
– Incident response, incident analysis, incident reporting

A

Incident response team

21
Q

Incident Response Planning -
Describes how long a business must keep a piece of information (a record), where it is stored, and how to dispose of it when that period ends.
• Backup your data
– How much and where? Copies, versions of copies, lifecycle of data, purging old data
• Regulatory compliance
– A certain amount of data backup may be required
• Operational needs
– Accidental deletion, disaster recovery
• Differentiate by type and application
– Recover the data you need when you need it

A

Retention policies

22
Q

Part of an Attack Framework -

• A constantly moving chessboard
– The rules are also constantly changing
• Response and intelligence teams need assistance
– Gather and maintain ongoing reconnaissance
• Understand attacks
– Many different vectors
• Assess the risk in an organization
– Determine if a risk exists
– Use appropriate mitigation
A

Attacks and responses

23
Q

an Attack Framework -
A documented knowledge base of the malicious behaviors that adversaries, including advanced persistent threat (APT) groups, have used at various stages of real-world cyberattacks. ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, describes the observed tactics (the technical objectives the adversary is trying to achieve), techniques and sub-techniques (the methods used to achieve them), and procedures (specific implementations of techniques), collectively called TTPs, and links each technique to the groups, software, detections, and mitigations associated with it.
• The MITRE corporation
– US not-for-profit based in Massachusetts and Virginia
– Supports several U.S. government agencies
• The MITRE ATT&CK framework
– https://attack.mitre.org/
• Determine the actions of an attacker
– Identify point of intrusion
– Understand methods used to move around
– Identify potential security techniques to block future attacks

A

MITRE ATT&CK framework

24
Q

Describes how an adversary deploys a capability over some infrastructure against a victim. Every intrusion event is modeled as these four connected vertices (the diamond), so an analyst can pivot from whatever is already known (for example, a piece of attacker infrastructure) to the adjacent vertices that are not yet known.
• Designed by the intelligence community
– https://apps.dtic.mil/docs/citations/ADA586960
– Guide analysts to help understand intrusions
– Integrates well with other frameworks
• Apply scientific principles to intrusion analysis
– Measurement, testability, and repeatability
– Appears simple, but is remarkably complex
• An adversary deploys a capability over some infrastructure against a victim
– Use the model to analyze and fill in the details

A

Diamond Model of Intrusion Analysis

25
Q

A cybersecurity model created by Lockheed Martin that traces the stages of a cyber attack and helps security teams identify the controls that can stop the attack at each stage of the chain.

The term kill chain is adopted from the military, where it describes the structure of an attack: identify a target, dispatch forces against it, decide and order the strike, and finally destroy the target.

• Seven phases of a cyber attack
– A military concept

  1. Reconnaissance
    The attacker collects data about the target and plans the attack: harvesting email addresses, enumerating employees and technologies, and running automated scanners against externally facing systems (firewalls, intrusion prevention systems, web servers) to find a point of entry.

  2. Weaponization
    The attacker couples an exploit for a chosen vulnerability with a payload (for example, a document or installer carrying a backdoor), tailored to the target and built to evade the security controls the organization has in place.

  3. Delivery
    The weaponized payload is transmitted to the target, most commonly by phishing email, a malicious or compromised website, or removable media. This is the first stage where the defender has a direct opportunity to block the attack.

  4. Exploitation
    The exploit triggers on the victim system, typically through an application or operating system vulnerability (or simply the user opening the attachment), and the attacker's code begins executing inside the perimeter. Examples include malicious scripts, dynamic data exchange (DDE) abuse in Office documents, and local job scheduling.

  5. Installation
    The exploit installs a backdoor or remote access trojan that gives the intruder persistent access. Host-based controls such as HIPS (Host-based Intrusion Prevention System) and application allow-listing can stop the attack here.

  6. Command and Control (C2)
    The implant establishes a channel to attacker-controlled infrastructure so the intruder can issue commands remotely. From here the attacker typically escalates privileges, harvests credentials, and moves laterally to other systems.

  7. Actions on Objectives
    The attacker carries out the goal of the intrusion: collecting, encrypting, and exfiltrating confidential data, or destroying systems and data (for example, by deploying ransomware).

Based on these stages, the following layers of control implementation are provided (the course-of-action matrix):

Detect – Identify attempts to penetrate the organization (IDS, log analysis).
Deny – Stop the attack outright (firewall rules, patches, access controls).
Disrupt – Interrupt the attacker's activity or communication while it is in progress (in-line antivirus, blocking C2 traffic).
Degrade – Limit the effectiveness of the attack to minimize its impact.
Deceive – Mislead the attacker with false information or decoys (honeypots, DNS redirects).
Contain – Restrict the scope of the attack so it affects only part of the organization (segmentation, quarantine). The original Lockheed Martin paper lists Destroy, rather than Contain, as the sixth action.

A

Cyber Kill Chain