4.2 Summarize the Importance of Policies, Processes, and Procedures for Incident Response Flashcards

1
Q

Incident response plans

A

An incident response plan provides more detail than the incident response policy. It provides organizations with a formal, coordinated plan that personnel can use when responding to an incident.

2
Q

Incident response process

A

Incident response includes multiple phases. It starts with creating an incident response policy and an incident response plan. With the plan in place, personnel are trained and given the tools necessary to handle incidents. Ideally, incident response preparation will help an organization prevent all incidents.

3
Q

Preparation

A

This phase occurs before an incident and provides guidance to personnel on how to respond to an incident. It includes establishing and maintaining an incident response plan and incident response procedures. It also includes establishing procedures to prevent incidents. For example, preparation includes implementing security controls to prevent malware infections.

4
Q

Identification

A

Not all events are security incidents, so when a potential incident is reported, personnel take the time to verify that it is an actual incident. For example, intrusion detection systems (IDSs) might falsely report an intrusion, but administrators would investigate it and verify whether it is a false positive or an incident. If the incident is verified, personnel might try to isolate the system based on established procedures.

5
Q

Containment

A

After identifying an incident, security personnel attempt to isolate or contain it. This protects critical systems while maintaining business operations. Containment might include quarantining a device or removing it from the network. This can be as simple as unplugging the system’s network interface card to ensure it can’t communicate on the network.

6
Q

Eradication

A

After containing the incident, it’s often necessary to remove the components left behind by the attack. For example, if attackers installed malware on systems, it’s important to remove all remnants of the malware from all hosts within the organization. Similarly, an attack might have been launched from one or more compromised accounts. Eradication would include deleting or disabling these accounts.

7
Q

Recovery

A

During the recovery process, administrators return all affected systems to normal operation and verify they are operating normally. This might include rebuilding systems from images, restoring data from backups, and installing updates. Additionally, if administrators have identified the vulnerabilities that caused the incident, they typically take steps to remove the vulnerabilities.

8
Q

Lessons learned

A

After personnel handle an incident, security personnel perform a lessons learned review. The incident may provide some valuable lessons, and the organization might modify procedures or add controls to prevent a recurrence of the incident. A review might indicate a need to provide additional training to users or a need to update the incident response policy. The goal is to learn from the incident and prevent a similar incident from happening again.

9
Q

Tabletop

A

A tabletop exercise (also called a desktop exercise) is discussion-based. A coordinator gathers participants in a classroom or conference room and leads them through one or more hypothetical scenarios such as a cyberattack or a natural disaster.

10
Q

Walkthroughs

A

Walk-throughs are workshops or orientation seminars that train team members about their roles and responsibilities.

11
Q

Simulations

A

Simulations allow personnel to go through the actual steps of an exercise but in a simulated environment. Unlike walk-throughs and tabletop exercises, they allow personnel to perform response and recovery steps rather than just talk about them.

12
Q

Attack frameworks

A

Cybersecurity professionals use several attack frameworks to identify tactics, techniques, and procedures (TTPs) used by attackers. The goal is to understand how attackers operate to decrease the impact of future attacks.

13
Q

MITRE ATT&CK

A

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of tactics and techniques used in real-world attacks. The knowledge base is presented in a matrix or table format. Tactics represent the adversary’s tactical objective for performing an action, or why the adversary is doing what they are doing. Techniques document how an adversary achieves a tactical objective, or what the adversary gains by performing an action.

MITRE is a not-for-profit organization that receives federal funding to perform research and development in cybersecurity.

14
Q

The Diamond Model of Intrusion Analysis

A

The Diamond Model of Intrusion Analysis identifies four key components of every intrusion event.

Adversary. Adversaries can be identified by email addresses, handles used in online forums, memberships in advanced persistent threat groups, and other identifiers.

Capabilities. Capabilities refer to the malware, exploits, and other hacker tools used in the intrusion.

Infrastructure. The infrastructure refers to the Internet domain names, email addresses, and IP addresses used by the adversary.

15
Q

Cyber kill chain

A

Historically, the kill chain has been a military concept related to an attack. It starts with identifying a target, continues with dispatching resources to the target and someone deciding to attack and giving the order, and ends with the destruction of the target. Military personnel attempt to break an opponent’s kill chain, such as by disrupting communication methods.

16
Q

Stakeholder management

A

A stakeholder is any entity with an interest or concern in an organization. Stakeholders can include owners, stockholders, employees, creditors, suppliers, and more.

Stakeholder management refers to creating and maintaining positive relationships with stakeholders.

17
Q

Communication plan

A

A communication plan is part of an incident response plan, and it provides direction on how to communicate issues related to an incident. As with all elements of an incident response plan, it’s important to create the communication plan before an incident.

18
Q

Disaster recovery plan

A

A disaster recovery plan (DRP) identifies how to recover critical systems and data after a disaster. Disaster recovery is a part of an overall business continuity plan.

19
Q

Business continuity plan

A

Business continuity planning helps an organization predict and plan for potential outages of critical services or functions. The goal is to ensure that critical business operations continue and the organization can survive the outage.

20
Q

Continuity of operations planning (COOP)

A

Continuity of operations planning (COOP) focuses on restoring mission-essential functions at a recovery site after a critical outage. For example, suppose a hurricane or other disaster prevents the company from operating in the primary location.

21
Q

Incident response team

A

An incident response team is composed of employees with expertise in different areas. Organizations often refer to the team as an incident response team, a computer incident response team (CIRT), or a security incident response team. Combined, they have the knowledge and skills to respond to an incident. Due to the complex nature of incidents, the team often has extensive training. Training includes concepts, such as how to identify and validate an incident, how to collect evidence, and how to protect the collected evidence.

22
Q

Retention policies

A

A data retention policy identifies how long data is retained, and sometimes specifies where it is stored. This reduces the resources, such as hard drive space or backup tapes, required to retain the data. Retention policies also help reduce legal liabilities. For example, imagine that a retention policy states that the company will keep emails for only one year. A court order requiring all of the company’s emails can then only expect to receive emails from the last year.