(9) Contain, Eradicate, Recover Flashcards
What does the Computer Security Incident Response Team (CSIRT) do during the Incident Detection and Analysis phase?
During the incident detection and analysis phase, the CSIRT performs passive activities to uncover and analyze information about the incident. After assessing it, the team moves on to more active activities to contain the effects of the incident and recover normal operations.
What are the high-level goals of the CSIRT during the containment, eradication, and recovery phase of the incident response process?
- Select a containment strategy that fits the situation
- Implement the containment strategy to limit damage caused by the incident
- Gather extra evidence needed to respond properly and possibly take legal action
- Identify the attackers and the systems that they use
- Stop the effects and recover normal business operations
Once the incident is resolved, name the steps that security teams need to take during post-incident activity
During post-incident activity, the CSIRT performs forensic analysis, root cause analysis, a lessons learned review, and evidence retention
During post-incident activity, what is forensic analysis?
Forensic analysis is about going through a large amount of data to figure out what happened and how the event occurred
During post-incident activity, what is root cause analysis?
Root cause analysis is about developing an understanding of the incident's root cause. This also helps to discover the controls that can prevent the same attack from happening again in the future
During post-incident activity, describe the lessons learned review process
During the lessons learned review, responders do a full review of the incident and their response. If possible, it should be a review where everyone is present for the discussion. Being live and present, physically or virtually, is important because it leads to very good insights
According to NIST SP 800-61, who should lead the lessons learned review?
The post-incident lessons learned review should be led by an independent facilitator who was not involved in the incident response and is an outsider to those in attendance. This prevents people from operating with an agenda.
During the post-incident lessons learned review, what types of questions should be asked by the independent facilitator?
The facilitator should ask: What happened? When did it happen? Did the company respond well? Could better steps have been taken? What can be done to prevent it? What resources are needed to support the prevention effort?
When it comes to post-incident investigation, describe evidence retention
The leader of the investigation should discuss and work with staff to figure out internal and external evidence retention requirements. If legal action is involved, then the team should discuss what to retain with an attorney. If no evidence will be used in court, then the organization's data retention policies need to be followed.