4.2 Summarize the importance of policies, processes, and procedures for incident response. Flashcards

1
Q

Security Incidents

A

A user clicks an email attachment and executes the malware; the malware then communicates with external servers.

DDoS attack, botnet attack.

Confidential information is stolen.
- The thieves want money, or the information goes public.

Perhaps a user installs peer-to-peer software and allows external access to internal servers.

2
Q

NIST SP 800-61

A

It describes the entire incident response life cycle:
1. Preparation
2. Detection
3. Containment, eradication and recovery
4. Post-incident activity

3
Q

Preparing for an incident

A
  1. Phone numbers and contact details for the key people who must be reached during an incident, plus a list of who must be contacted under each circumstance.
  2. Hardware and software tools (laptops, removable media, etc.) so that you know exactly how to respond, can capture and store important data, and can preserve information that may be needed later as evidence.
  3. Documentation of the organization's network, with hashes created to verify its integrity.
  4. Incident mitigation software, and clean OS and application images.
  5. Policies for incident handling, which everyone needs to know.

4
Q

Exercise

A

Test yourself before an actual event.
- Do not touch production.
The scenario is very specific because of the limited time available to run the exercise.

5
Q

Tabletop Exercise

A
  • Performing a full-scale disaster drill can be costly
    – And time consuming
  • Many of the logistics can be determined through analysis
    – You don’t physically have to go through a disaster or drill
  • Get key players together for a tabletop exercise
    – Talk through a simulated disaster
  • Staff will “ghost” the same procedures

6
Q

Walkthrough

A

* Include responders
– A step beyond a tabletop exercise
– Many moving parts
* Test processes and procedures before an event
– Walk through each step
– Involve all groups
– Reference actual response materials
* Identifies actual faults or missing steps
– The walkthrough applies the concepts from the tabletop exercise

7
Q

Simulation

A

* Test with a simulated event
– Phishing attack, password requests, data breaches
* Going phishing
– Create a phishing email attack
– Send to your actual user community
– See who bites
* Test internal security
– Did the phishing get past the filter?
* Test the users
– Who clicked?
– Additional training may be required

8
Q

Stakeholder Management

A

* Keeping a good ongoing relationship with the customers of IT
– These can be internal or external customers
– An incident response will require teamwork
– Without the stakeholder, IT would not exist
* Most of this happens prior to an incident
– Ongoing communication and meetings
– Exercises should include the customers
* Continues after the incident
– Prepare for the next event

9
Q

Disaster Recovery Plan

A

* If a disaster happens, IT should be ready
– Part of business continuity planning
– Keep the organization up and running
* Disasters are many and varied
– Natural disasters
– Technology or system failures
– Human-created disasters
* A comprehensive plan
– Recovery location
– Data recovery method
– Application restoration
– IT team and employee availability

10
Q

Continuity of operations planning (COOP)

A

Not everything goes according to plan
* Disasters can disrupt the norm
* We rely on our computer systems
* Technology is pervasive
* There needs to be an alternative
– Manual transactions
– Paper receipts
– Phone calls for transaction approvals
* These must be documented and tested before a problem occurs

11
Q

Incident Response Team

A

* Receives, reviews, and responds
– A predefined group of professionals
* Determine what type of events require a response
– A virus infection? Ransomware? DDoS?
* May or may not be part of the organizational structure
– Pulled together on an as-needed basis
* Focuses on incident handling
– Incident response, incident analysis, incident reporting

12
Q

Retention Policies

A

* Back up your data
– How much and where? Copies, versions of copies, lifecycle of data, purging old data
* Regulatory compliance
– A certain amount of data backup may be required
* Operational needs
– Accidental deletion, disaster recovery
* Differentiate by type and application
– Recover the data you need when you need it

13
Q

Diamond Model of Intrusion Analysis

A
  • Designed by the intelligence community
    – https://apps.dtic.mil/docs/citations/ADA586960
    – Guides analysts to help understand intrusions
    – Integrates well with other frameworks
  • Applies scientific principles to intrusion analysis
    – Measurement, testability, and repeatability
    – Appears simple, but is remarkably complex
  • An adversary deploys a capability over some infrastructure against a victim
    – Use the model to analyze and fill in the details

14
Q

MITRE ATT&CK framework

A

* The MITRE Corporation
– US not-for-profit based in Massachusetts and Virginia
– Supports several U.S. government agencies
* The MITRE ATT&CK framework
– https://attack.mitre.org/
* Determine the actions of an attacker
– Identify the point of intrusion
– Understand the methods used to move around
– Identify potential security techniques to block future attacks

15
Q

Cyber Kill Chain

A

Seven phases of a cyber attack

  1. Reconnaissance - Gather intel; harvest email addresses from Google and LinkedIn.
  2. Weaponization - Build a deliverable payload that includes an exploit and a backdoor.
  3. Delivery - Send the weapon, e.g. deliver an executable over email.
  4. Exploit - Execute code on the victim’s device.
  5. Installation - Malware is installed on the operating system.
  6. Command and Control - A C2 channel is created for remote access.
  7. Actions on Objectives - The attacker remotely carries out their objectives.

16
Q

Eradication

A

Eradication is the incident response lifecycle phase concerned with finding the root cause of an incident. For example, a user clicking a malicious link in an email may be the root cause of a potentially larger problem.

17
Q

Containment

A

Containment is a stage in the incident response lifecycle. In this stage, the goal is to limit the scope and reach of the event. One approach in containment is to isolate infected systems.

18
Q

Recovery

A

Recovery is a stage in the incident response lifecycle. This stage ensures the threat no longer exists and all systems are brought back to a secure state.

19
Q

Preparation

A

Preparing for an incident response means establishing the policies and procedures for dealing with security breaches, along with personnel and resources to implement those policies. A triage plan is developed during this phase.

20
Q

Corrective Action Report

A

A corrective action report is a formal response setting out a plan to correct a defect in a system, such as a security vulnerability.

21
Q

Change management

A

Change management is a formal process that oversees change in an organization. Change can be proactive or reactive, and is usually executed for improvements.

22
Q

Risk assessment

A

A risk assessment evaluates the likelihood and impact (or consequence) of a threat actor exercising a vulnerability.