4.2 Summarize the Importance of Policies, Processes, and Procedures for Incident Response Flashcards
Incident response plans
An incident response plan provides more detail than the incident response policy. It provides organizations with a formal, coordinated plan that personnel can use when responding to an incident.
Incident response process
Incident response includes multiple phases. It starts with creating an incident response policy and an incident response plan. With the plan in place, personnel are trained and given the tools necessary to handle incidents. Ideally, incident response preparation will help an organization prevent all incidents.
Preparation
This phase occurs before an incident and provides guidance to personnel on how to respond to an incident. It includes establishing and maintaining an incident response plan and incident response procedures. It also includes establishing procedures to prevent incidents. For example, preparation includes implementing security controls to prevent malware infections.
Identification
Not all events are security incidents, so when a potential incident is reported, personnel take the time to verify that it is an actual incident. For example, intrusion detection systems (IDSs) might falsely report an intrusion, but administrators would investigate it and verify whether it is a false positive or an incident. If the incident is verified, personnel might try to isolate the system based on established procedures.
Containment
After identifying an incident, security personnel attempt to isolate or contain it. This protects critical systems while maintaining business operations. Containment might include quarantining a device or removing it from the network. This can be as simple as unplugging the system’s network interface card to ensure it can’t communicate on the network.
Eradication
After containing the incident, it’s often necessary to remove components from the attack. For example, if attackers installed malware on systems, it’s important to remove all remnants of the malware on all hosts within the organization. Similarly, an attack might have been launched from one or more compromised accounts. Eradication would include deleting or disabling these accounts.
Recovery
During the recovery process, administrators return all affected systems to normal operation and verify they are operating normally. This might include rebuilding systems from images, restoring data from backups, and installing updates. Additionally, if administrators have identified the vulnerabilities that caused the incident, they typically take steps to remove the vulnerabilities.
Lessons learned
After personnel handle an incident, security personnel perform a lessons learned review. The incident may provide some valuable lessons, and the organization might modify procedures or add additional controls to prevent a recurrence of the incident. A review might indicate a need to provide additional training to users or a need to update the incident response policy. The goal is to learn from the incident and prevent a future recurrence of a similar incident.
Tabletop
A tabletop exercise (also called a desktop exercise) is discussion-based. A coordinator gathers participants in a classroom or conference room and leads them through one or more hypothetical scenarios such as a cyberattack or a natural disaster.
Walkthroughs
Walkthroughs are workshops or orientation seminars that train team members about their roles and responsibilities.
Simulations
Simulations allow personnel to go through the actual steps of an exercise, but in a simulated environment. Unlike walkthroughs and tabletop exercises, they allow personnel to perform response and recovery steps rather than just talk about them.
Attack frameworks
Cybersecurity professionals use several attack frameworks to identify tactics, techniques, and procedures (TTPs) used by attackers. The goal is to understand how attackers operate to decrease the impact of future attacks.
MITRE ATT&CK
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of tactics and techniques used in real-world attacks. The knowledge base is presented in a matrix or table format. Tactics represent the adversary’s tactical objective for performing an action or why the adversary is doing what he’s doing. The techniques document how an adversary achieves a tactical objective or what the adversary gains by performing an action.
MITRE is a not-for-profit organization that receives federal funding to perform research and development in cybersecurity.
The Diamond Model of Intrusion Analysis
The Diamond Model of Intrusion Analysis identifies four key components of every intrusion event.
Adversary. Adversaries can be identified by email addresses, handles used in online forums, memberships in advanced persistent threat groups, and other identifiers. Capabilities. Capabilities refer to the malware, exploits, and other hacker tools used in the intrusion. Infrastructure. The infrastructure refers to the Internet domain names, email addresses, and IP addresses used by the adversary.
Cyber kill chain
Historically, the kill chain has been a military concept related to an attack. It starts with identifying a target, continues with dispatching resources to the target and with someone deciding to attack and giving the order, and ends with the destruction of the target. Military personnel attempt to break an opponent’s kill chain, such as by disrupting communication methods.