5A Flashcards
The incident response policy is designed for the ____ team that will be handling security incidents.
security
The incident response policy specifies what each person on the incident response team is responsible for and how to handle…?
security incidents
Reporting accurate incident information as close to ____ as possible is crucial to an effective response.
near-real-time
The first thing to do to prepare for handling security incidents within your organization is to make sure that you have an incident response team in place also known as?
CIRT
What does CIRT stand for?
Computer Incident Response Team
An incident response team is responsible for knowing how to handle security incidents that occur within the organization, and for ___ and ____ the security issues in a timely manner.
correcting and documenting
The first step in making an Incident Response Team is to create the ___. The team will be made up of different types of employees within the organization with different skill sets.
team
List members that will typically appear on a response team.
- Team Leader
- Technical Specialist
- Documentation Specialist
- Legal Advisor
The following describes which member of the incident response team?
The ___ ___ is responsible for ensuring that all team members know their role when a security incident occurs. The ___ ___ is also responsible for building relationships with outside resources that may be called upon in special circumstances.
Team Leader
The following describes which member of the incident response team?
The ___ ___ has the technical expertise to assess the situation, identify the scale of the security incident, and the know-how to correct the situation. The CIRT may have several ___ ___ who specialize in different areas. For example, you may have a Windows Server specialist, a Linux specialist, and a Cisco specialist.
Technical Specialist
The following describes which member of the incident response team?
The ___ ___ knows how to document the entire response process, and the specialist is the person responsible for logging each incident in a documentation database, including the cause of the problem, and what the solution is.
Documentation Specialist
The following describes which member of the incident response team?
The ___ ___ knows the laws and regulations that your organization must follow when it comes to computer forensics and incident response. The legal advisor is someone the rest of the team can turn to if they have questions about legal issues.
Legal Advisor
The following are common elements to include in the incident response plan:
- Incident Categories
- Roles and Categories
- Reporting Requirements/Escalation
- Exercise Planning
- User Roles
The following describes which general incident response plan?
The plan should define the different types of security incidents that can occur within your organization. For example, you may have an incident type called, “social engineering attack,” and another one called, “denial of service attack.”
Incident Categories
The following describes which general incident response plan?
The plan should define each team member’s roles and responsibilities. This includes each member’s job role before a security incident occurs, during, and after a security incident.
Roles and Categories
The following describes which general incident response plan?
The plan should identify when and how users are supposed to report potential security incidents. The incident response plan should also identify who the first responder is to escalate the incident to. Finally, the plan should identify any reporting requirements for the security incident, and what elements should be contained in the report.
Reporting Requirements/Escalation
The following describes which general incident response plan?
It is important to ensure that everyone is prepared for the day a security incident occurs, so be sure to plan exercises where you can practice the events that may occur during a security incident, from the identification phase through to the lessons learned.
Exercise Planning
The following describes which general incident response plan?
The first responder is the first individual to be notified of the incident and takes charge of the incident. The first responder is a member of the incident response team.
User roles
Upon detection of a possible event by internal or external sources, the appropriate operations center (OC) and Air Force Cyberspace Defense (ACD) units will initiate notification procedures in accordance with _____, Chairman of the Joint Chiefs of Staff (CJCSM) 6510.01B and established SOPs of the affected units.
AFI 10-206
In cases when the cause/intent of a possible event is not readily apparent, it’s necessary to initially categorize detected activity as a category (CAT) __ investigation.
category 8 - Investigating.
Information typically requested during an investigation includes…?
1. Data detailing the source of the incident
2. The systems affected by the activity
3. Anti-virus and system log data
4. IDS and IPS logs
5. Initial forensics data obtained either remotely or locally by using appropriate forensics tools as directed.
6. The ACD unit may also request the victim’s hard drive for an in-depth forensic analysis.
Next, it must be determined whether a detected event is a reportable ___ or ___.
event or incident
An ____ is any observable occurrence in a system and/or network. ____ sometimes provide indication that an incident is occurring.
event
An ____ is an assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system, or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
incident
When investigating a possible event/incident, it will be given a ___ ___ identifying it for descriptive purposes and the level of severity of potential impact to mission. Reaction to different categories will be different.
category number
What is a category 0? (event)
Training and Exercises
What is a category 1? (incident)
Root-Level Intrusion. Includes unauthorized access to information or account credentials that could be used to perform administrative functions. If the Information System (IS) is compromised with malicious code that provides remote interactive control, it will be reported in this CAT.
What is a category 2? (incident)
User-Level Intrusion. Unauthorized non-privileged access to an IS. This includes unauthorized access to information or account credentials that could be used to perform user functions such as accessing Web applications, portals, or other similar information resources. If the IS is compromised with malicious code that provides remote interactive control, it will be reported in this CAT.
What is a category 3? (event)
Unsuccessful Activity Attempt. Deliberate attempts to gain unauthorized access to an IS that are defeated by normal defensive mechanisms. The attacker fails to gain access to the IS (i.e., the attacker attempts valid or potentially valid username and password combinations) and the activity cannot be characterized as exploratory scanning.
What is a category 4? (incident)
Denial of Service. Activity that denies, degrades, or disrupts normal functionality of an IS or DoD information network.
What is a category 5? (event)
Non-Compliance Activity. Activity that potentially exposes ISs or networks to increased risk because of the action or inaction of authorized users. This includes administrative and user actions such as failure to apply security patches, connections across security domains, installation of vulnerable applications, and other breaches of existing AF or DoD policy.
What is a category 6? (event)
Reconnaissance. Activity that seeks to gather information used to characterize ISs, applications, DoD information networks, and users that may be useful in formulating an attack. This includes activity such as mapping DoD information networks, IS devices and applications, interconnectivity, and their users or reporting structure. This activity does not directly result in a compromise.
What is a category 7? (incident)
Malicious Logic. Installation of software designed and/or deployed by adversaries with malicious intentions for the purpose of gaining access to resources or information without the consent or knowledge of the user. This only includes malicious code that does not provide remote interactive control of the compromised IS. Malicious code that has allowed interactive access should be categorized as CAT 1 or CAT 2 incidents, not CAT 7.
What is a category 8? (event)
Investigating. Events that are potentially malicious or anomalous activity deemed suspicious and warrant, or are undergoing, further review. No event will be closed out as a CAT 8 but will be re-categorized prior to closure.
What is a category 9? (event)
Explained Anomaly. Suspicious events that, after further investigation, are determined to be non-malicious activity and do not fit the criteria for any other categories. This includes events such as system malfunctions and false alarms. When reporting these events, clearly specify the reason for which it cannot be otherwise categorized.