5.4 Given a scenario, follow incident response procedures. Flashcards
Incident Response Plan
Once you have the incident response team in place, you can start working on creating the incident response plan.
Incident Response Plan - Documented Incident Types/Category Definitions
The plan should define the different types of security incidents that can occur within your organization. For example, you may have an incident type called Social Engineering Attack and one called Denial of Service. It is important to note that each incident type does not need to be an attack type; you could have an incident type called Accidental Unauthorized Access.
Once you list each of the different incident types, you can then assign them definitions that identify the incident type.
Incident Response Plan - Roles and Responsibilities
The plan should define each team member’s roles and responsibilities. This includes each member’s job role before a security incident occurs, during a security incident, and after a security incident.
Incident Response Plan - Reporting Requirements/Escalation
The plan should identify how and when users are supposed to report potential security incidents. The incident response plan should also identify who the first responder is to escalate the incident. Finally, the plan should identify any reporting requirements for the security incident, and what elements should be contained in the report.
Incident Response Plan - Cyber-Incident Response Team
The plan should identify the different CIRT members and their responsibilities.
**The first step is to create the team.** The team will be made up of different types of employees within the organization with different skill sets. The following is a brief listing of some of the members that typically appear on a response team:
1. Team Leader
2. Technical Specialist
3. Documentation Specialist
4. Legal Advisor
(The second step is creating an Incident Response Plan, and then following the Incident Response Process.)
Incident Response Plan - Exercise
It is important to ensure that everyone is prepared for the day a security incident occurs, so be sure to plan exercises where you can practice the events that occur during a security incident, from the identification phase through to the lessons learned phase.
Incident Response Process
The Security+ exam expects you to know specifically the process of how to respond to security incidents when they occur within a business environment. Ensuring that the CIRT understands the different phases of the incident response process is critical.
Incident Response Process - Preparation
The first step is to prepare for security incidents by assembling a CIRT and creating incident response procedures. Be sure to educate the entire organization on their responsibility to respond to security incidents and what their role is.
Incident Response Process - Identification
The next step is that someone in the company will identify that a potential security incident has occurred. This could be anything from a user noticing that their computer is not responding as expected to an employee noticing that files on the web server have been replaced.
Once a security incident has been identified by an employee, the employee needs to promptly notify the CIRT, who will send a first responder. Be sure that employees know to whom they should report the security incident so that the first responder can deal with the incident immediately. The first responder will determine if an incident has occurred and if the incident needs to be escalated.
Incident Response Process - Containment
One of the main goals of the first responder is to isolate the incident to prevent the security incident from becoming a bigger problem. For example, if responding to an incident that involves a virus, the first responder should disconnect the system from the network right away to prevent the virus from spreading to other systems on the network.
Incident Response Process - Eradication
Once the security incident has been identified and contained, the CIRT will identify and execute the steps to eradicate whatever issue caused the incident. This could be something as simple as putting a firewall in place or enhancing virus protection.
Incident Response Process - Recovery
The recovery phase is when the CIRT recovers a system back to the state it was in before the security incident occurred. This typically involves using recovery procedures, which are well-documented resources that include step-by-step instructions on how to restore the system.
Incident Response Process - Lessons Learned
After the incident has been dealt with, the CIRT needs to document the lessons learned. This step allows the team to look at the big picture and answer the question “What happened here, and how can we prevent this from occurring again?”