4.2 Summarize the importance of policies, processes, and procedures for incident response. Flashcards
Security Incidents
The user clicks an email attachment and executes the malware
The malware then communicates with external servers
DDOS attack, botnet attack
Confidential information is stolen
- Thieves want money, or it goes public.
Maybe the user installs peer-to-peer software and allows external access to internal servers.
NIST SP 800-61
It describes the entire incident response life cycle:
1. Preparation
2. Detection
3. Containment, eradication and recovery
4. Post-incident activity
Preparing for an incident
- You need phone numbers and contact details for the key people who must be reached in case of an incident. You should also list who needs to be contacted under each circumstance.
- Hardware and software tools (laptops, removable media, etc.), so you know exactly how to respond to these problems, can capture and store important data, and retain information you may later want to use as evidence.
- Documentation of the organization's network, with hashes created to verify its integrity
- Incident mitigation software, clean OS and application images
- Policies needed for incident handling. Everyone needs to know them.
Exercise
Test yourself before an actual event.
- Do not touch production
- The scenario is very specific because of the limited time available to run the event.
Tabletop Exercise
- Performing a full-scale disaster drill can be costly
– And time consuming
- Many of the logistics can be determined through analysis
– You don’t physically have to go through a disaster or drill
- Get key players together for a tabletop exercise
– Talk through a simulated disaster
– Staff will “ghost” the same procedures.
Walkthrough
Include responders
– A step beyond a tabletop exercise
– Many moving parts
* Test processes and procedures before an event
– Walk through each step
– Involve all groups
– Reference actual response materials
* Identifies actual faults or missing steps
– The walkthrough applies the concepts from the tabletop exercise
Simulation
Test with a simulated event
– Phishing attack, password requests, data breaches
* Going phishing
– Create a phishing email attack
– Send to your actual user community
– See who bites
* Test internal security
– Did the phishing get past the filter?
* Test the users
– Who clicked?
– Additional training may be required
Stakeholder Management
Keeping a good ongoing relationship with customers of IT
– These can be internal or external customers
– An incident response will require teamwork
– Without the stakeholder, IT would not exist
* Most of this happens prior to an incident
– Ongoing communication and meetings
– Exercises should include the customers
* Continues after the incident
– Prepare for the next event
Disaster Recovery Plan
If a disaster happens, IT should be ready
– Part of business continuity planning
– Keep the organization up and running
* Disasters are many and varied
– Natural disasters
– Technology or system failures
– Human-created disasters
* A comprehensive plan
– Recovery location
– Data recovery method
– Application restoration
– IT team and employee availability
Continuity of operations planning (COOP)
Not everything goes according to plan
* Disasters can disrupt the norm
* We rely on our computer systems
* Technology is pervasive
* There needs to be an alternative
– Manual transactions
– Paper receipts
– Phone calls for transaction approvals
* These must be documented and tested before a problem occurs
Incident Response Team
Receives, reviews, and responds
– A predefined group of professionals
* Determine what type of events require a response
– A virus infection? Ransomware? DDoS?
* May or may not be part of the organizational structure
– Pulled together on an as-needed basis
* Focuses on incident handling
– Incident response, incident analysis, incident reporting
Retention Policies
Back up your data
– How much and where? Copies, versions of copies, lifecycle of data, purging old data
* Regulatory compliance
– A certain amount of data backup may be required
* Operational needs
– Accidental deletion, disaster recovery
* Differentiate by type and application
– Recover the data you need when you need it
Diamond Model of Intrusion Analysis
- Designed by the intelligence community
– https://apps.dtic.mil/docs/citations/ADA586960
– Guides analysts to help understand intrusions
– Integrates well with other frameworks
- Apply scientific principles to intrusion analysis
– Measurement, testability, and repeatability
– Appears simple, but is remarkably complex
- An adversary deploys a capability over some infrastructure against a victim
– Use the model to analyze and fill in the details
MITRE ATT&CK framework
The MITRE corporation
– US not-for-profit based in Massachusetts and Virginia
– Supports several U.S. government agencies
* The MITRE ATT&CK framework
– https://attack.mitre.org/
* Determine the actions of an attacker
– Identify point of intrusion
– Understand methods used to move around
– Identify potential security techniques to block future attacks
Cyber Kill Chain
Seven Phases of a Cyber Attack
- Reconnaissance - gather intel; harvest emails from Google and LinkedIn
- Weaponization - Build a deliverable payload that includes an exploit and backdoor
- Delivery - Send the weapon - deliver an executable over email
- Exploit - Execute code on the victim’s device
- Installation - Malware is installed on the operating system.
- Command and Control - A C2 channel is created for remote access
- Actions on Objectives - The attacker can remotely carry out objectives.