CCSP Domain 5: Incident Management Flashcards
What is a popular security incident management methodology?
NIST SP 800-61 rev2 Computer Security Incident Handling Guide
Describe the Preparation phase of the NIST SP 800-61 rev2 incident response lifecycle
organization's preparation necessary to ensure it can respond to a security incident, including tools, processes, competencies and readiness; should be documented in a security incident response plan that is regularly reviewed and updated
How often should the Preparation phase be reviewed, and how?
multiple times a year in a walkthrough (tabletop exercise)
Describe the Detection and Analysis phase of the NIST SP 800-61 rev2 incident response lifecycle
activity to detect a security incident in a production environment and to analyze all events to confirm the authenticity of the security incident
Describe the Containment, eradication, recovery phase of the NIST SP 800-61 rev2 incident response lifecycle
required and appropriate actions taken to contain the security incident based on the analysis done in the previous phase (Detection & Analysis); limits the scope of the incident
When should we proceed to recovery in the NIST SP 800-61 rev2 incident response lifecycle?
after the adversary has been evicted from the environment and known vulnerabilities have been remediated
What happens after recovery in NIST SP 800-61 rev2 incident response lifecycle?
post-mortem analysis is performed; actions taken during the process are reviewed to determine if any changes are needed in the Preparation or Detection and Analysis phase
What are the phases in the NIST SP 800-61 rev2 incident response lifecycle?
Preparation > Detection and Analysis > Containment, Eradication and Recovery > Post-incident Activity