4.2: Summarize the importance of policies, processes, and procedures for incident response. Flashcards
Incident Response Plans
An incident response plan describes the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system or network. The causes of incidents are many—from the environment (storms), to user error, to unauthorized actions by unauthorized users, to name a few. Although the causes may be many, the results can be classified into classes. A low-impact incident may not result in any significant risk exposure, so no action other than repairing the broken system is needed. A moderate-risk incident will require greater scrutiny and response efforts, and a high-level risk exposure incident will require the greatest scrutiny and response efforts. To manage incidents when they occur, an IT team needs to create an incident response plan that includes a table of guidelines to assist in determining the level of response.
Incident Response Process
The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are broad and varied, as they have to deal with numerous causes and consequences. Incident response activities at times are closely related to other IT activities involving IT operations. Incident response activities can be similar to disaster recovery and business continuity operations.
Preparation
Preparation is the phase of incident response that occurs before a specific incident. Preparation includes all the tasks needed to be organized and ready to respond to an incident. Through the use of a structured framework coupled with properly prepared processes, incident response becomes a manageable task. Without proper preparation, this task can quickly become impossible or intractably expensive. Successful handling of an incident is a direct result of proper preparation. Items done in preparation include ensuring that the correct data events are being logged, the reporting of potential incidents is happening, and people are trained with respect to the IR process and their personal responsibilities.
Identification
Identification is the process where a team member suspects that a problem is bigger than an isolated incident and notifies the incident response team for further investigation. An incident is defined as a situation that departs from normal, routine operations. Whether an incident is important or not is the first point of decision as part of an incident response process. A single failed login is technically an incident, but if it is followed by a correct login, then it is not of any consequence. In fact, this could even be considered normal. But having 10,000 failed attempts on a system, or failures across a large number of accounts, is distinctly different and may be worthy of further investigation. The act of identification involves coming to a decision that the information related to the incident is worthy of further investigation by the IR team.
Containment
Once the IR team has determined that an incident has in fact occurred and requires a response, their first step is to contain the incident and prevent its spread. For example, if the incident involves a virus or worm that is attacking database servers, then protecting uninfected servers is paramount. Containment is the set of actions taken to constrain the incident to a minimal number of machines. This preserves as much of production as possible and ultimately makes handling the incident easier. This can be complex because, in many cases, containing the problem requires fully understanding it as well as its root cause and the vulnerabilities involved.
Eradication
Once the IR team has contained a problem to a set footprint, the next step is to eradicate the problem. Eradication involves removing the problem, and in today’s complex system environment, this may mean rebuilding a clean machine. A key part of operational eradication is the prevention of reinfection. Presumably, the system that existed before the problem occurred would be prone to a repeat infection, so this needs to be specifically guarded against. One of the strongest value propositions for virtual machines is the ability to rebuild quickly, making the eradication step relatively easy.
Recovery
After the issue has been eradicated, the recovery process begins. At this point, the investigation is complete and documented. Recovery is the process of returning the asset into the business function and restoring normal business operations. Eradication, the previous step, removed the problem, but in most cases the eradicated system will be isolated. The recovery process includes the steps necessary to return the system and applications to operational status. After recovery, the team moves to document the lessons learned from the incident.
Lessons Learned
A postmortem session should collect lessons learned and assign action items to correct weaknesses and to suggest ways to improve. To paraphrase a famous quote, those who fail to learn from history are destined to repeat it. The lessons learned phase serves two distinct purposes. The first is to document what went wrong and allowed the incident to occur in the first place. Failure to correct this means a sure repeat. The second is to examine the incident response process itself. Where did it go well, where did problems occur, and how can it be improved? Continuous improvement of the actual incident response process is an important task.
MITRE ATT&CK
The MITRE ATT&CK framework is a comprehensive matrix of attack elements, including the tactics and techniques used by attackers on a system. This framework can be used by threat hunters, red teamers, and defenders to better classify attacks and understand the sequential steps an adversary will be taking when attacking a system. This framework enables personnel to plan and defend, even during an attack, and further it acts as a useful tool in assessing an organization’s risk.
The Diamond Model of Intrusion Analysis
The four nodes that make up an event are adversary, infrastructure, capability, and victim. The adversary node is a description of the attacker and their data, including anything you know about them (e-mails, names, locations, handles, and so on). The infrastructure node is a description of what is being used in the attack, such as IP addresses, domain names, e-mail addresses, and so on. The victim node is the target, and the capability node is a description of what is being used (malware, stolen certificates/credentials, tools, exploits, and so on).
Cyber Kill Chain (1)
The Cyber Kill Chain is a model developed by Lockheed Martin as a military form of engagement framework. This model has a series of distinct steps that an attacker uses during a cyberattack—from the early reconnaissance stages to the exfiltration of data. The use of the Cyber Kill Chain helps us understand and combat different forms of attack—from ransomware, to security breaches, and even advanced persistent threats (APTs).
The Cyber Kill Chain has slightly different steps depending on whose version you use, but the most common implementations include the following ones:
Cyber Kill Chain (2)
- Reconnaissance: Research and identify targets.
- Weaponization: Exploit vulnerabilities to enter.
- Delivery: Deliver the payload (evil content).
- Exploitation: Begin the payload attack on the system and gain entry.
- Installation: Implement backdoors, persistent access, bots, and so on.
- Command and Control: Communicate to outside servers for control purposes.
- Action on Objective: Obtain the objective of the attack (for example, steal intellectual property).
Business Continuity Plan
As in most operational issues, planning is a foundational element to success. This is true in business continuity, and the business continuity plan (BCP) represents the planning and advanced policy decisions to ensure the business continuity objectives are achieved during a time of obvious turmoil.
The focus of a BCP is the continued operation of the essential elements of the business or organization. Business continuity is not about operations as normal but rather about trimmed-down, essential operations only.
EXAM TIP
Although the terms DRP and BCP may be used synonymously in small firms, in large firms, there is a difference in focus between the two plans. The focus of the BCP is on continued operation of a business, albeit at a reduced level or through different means during some period of time. The DRP is focused specifically on recovering from a disaster. In many cases, both of these functions happen at the same time, and hence they are frequently combined in small firms and in many discussions. The DRP is part of the larger BCP process.
Continuity of Operation Planning (COOP)
The overall goal of continuity of operation planning (COOP) is to determine which subset of normal operations needs to be continued during periods of disruption. Continuity of operations planning involves developing a comprehensive plan to enact during a situation where normal operations are interrupted.