Ch17 - 17.03 - Looking at Incident Response Flashcards

1
Q

Computer Incident Response Team, or CIRT

A

An incident response team is responsible for knowing how to handle security incidents that occur within the organization and for correcting and documenting the security issue in a timely manner.

The first step is to create a team. The team will be made up of different types of employees within the organization with different skill sets. The following is a brief listing of some of the members that typically appear on a response team:

  1. Team Leader
  2. Technical Specialist
  3. Documentation Specialist
  4. Legal Advisor
2
Q

Incident Response Plan

A

Once you have the incident response team in place, you can start working on creating the incident response plan. The incident response plan should include a number of elements, such as identifying different types of incidents and the job role of each team member during an incident. The following are common elements to include in the incident response plan:

  1. Documented incident types/category definitions
  2. Roles and responsibilities
  3. Reporting requirements/escalation
  4. Computer (or Cyber) Incident Response Team
  5. Exercise
3
Q

Incident Response Process

A
  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned
4
Q

Incident Response Process - 1. Preparation

A

The first step is to prepare for security incidents by assembling a CIRT and creating incident response procedures. Be sure to educate the entire organization on their responsibility to respond to security incidents and what their role is.

5
Q

Incident Response Process - 2. Identification

A

The next step is that someone in the company will identify that a potential security incident has occurred. This could be anything from a user noticing that their computer is not responding as expected to an employee noticing that files on the web server have been replaced.

Once a security incident has been identified by an employee, the employee needs to promptly notify the CIRT, who will send a first responder. Be sure that employees know to whom they should report the security incident so that the first responder can deal with the incident immediately. The first responder will determine if an incident has occurred and if the incident needs to be escalated.

6
Q

Incident Response Process - 3. Containment

A

One of the main goals of the first responder is to isolate the incident to prevent the security incident from becoming a bigger problem. For example, if responding to an incident that involves a virus, the first responder should disconnect the system from the network right away to prevent the virus from spreading to other systems on the network.

7
Q

Incident Response Process - 4. Eradication

A

Once the security incident has been identified and contained, the CIRT will identify and execute the steps to eradicate whatever issue caused the incident. This could be something as simple as putting a firewall in place or enhancing virus protection.

8
Q

Incident Response Process - 5. Recovery

A

The recovery phase is when the CIRT recovers a system back to the state it was in before the security incident occurred. This typically involves using recovery procedures, which are well-documented resources that include step-by-step instructions on how to restore the system.

A system involved in a security incident is considered a compromised system and in many cases should have the hard drives wiped, the operating system reinstalled or reimaged, and data from the last good backup restored.

9
Q

Incident Response Process - 6. Lessons Learned

A

After the incident has been dealt with, the CIRT needs to document the lessons learned. This step allows the team to look at the big picture and answer the question “What happened here, and how can we prevent this from occurring again?”

10
Q

First Responders - Responsibilities

A

The first responder is the first security professional to respond to a security incident after it has been identified. The first responder’s primary objective is to contain the security incident.

As previously mentioned, if you are a first responder to a security incident, your first goal is to contain the incident. For example, if you are responding to a user’s complaint that their system seems to be slow and you notice after arriving that it may be due to a virus, disconnect the system from the network (by disconnecting the network cable from the computer) so that the virus does not infect other systems on the network. The only thing worse than dealing with an infected computer is dealing with multiple infected systems!

If you find that the systems on your network are replicating a worm out to the Internet, you may have to power off the entire switch or maybe even disconnect from the Internet so that the worm does not continue to replicate from your network out to the Internet.

11
Q

Damage and Loss Control

A

With damage and loss control, the goal is to assess the damage during a security incident and then to try to control the losses due to the security incident.

The first thing you do when arriving at the security incident scene is to assess the severity of the security incident. Ask yourself questions such as “Is the incident affecting just one system or a number of network systems?”

The other goal is to control the loss. The best way to control losses from a security incident is to contain the incident by disconnecting the involved system or systems from the network. If one system is involved, you can simply disconnect that system from the network, whereas if a whole department of systems is involved, you may want to power off the network switch so no network connectivity can occur.

12
Q

Incident Response Terms - Recovery

A

A system involved in a security incident is considered a compromised system, and in many cases recovery involves wiping the hard drives, reinstalling or reimaging the operating system, and restoring data from the last good backup.

13
Q

Incident Response Terms - Reporting

A

Documentation describing the incident and the lessons learned should be created to help educate the rest of the security team and organization.

14
Q

Incident Response Terms - Quarantine

A

A compromised or affected system should be removed from the network until the security incident has been resolved.

15
Q

Incident Response Terms - Legal Hold

A

Legal hold is the term for putting data in a special hold so that users cannot delete that data during an investigation.

For example, Microsoft Exchange Server allows an administrator to put a mailbox in legal hold so that the user cannot delete mail while the mailbox is being searched for evidence.

16
Q

Incident Response Terms - Data Breach

A

A data breach occurs when data that is considered sensitive is made available to an untrusted source. Be sure to control access to information and the use of external flash drives to help prevent data breaches in your organization.

17
Q

Incident Response Terms - Damage & Loss Control

A

Each security incident requires identification of the extent of the damage and containment of the incident to control the loss associated with it.

18
Q

Incident Response Terms - Strategic intelligence/counterintelligence gathering

A

An important task of the security team is to continuously monitor and log activity on systems and the network so that the security team becomes aware of security events as they are occurring. Continuous monitoring is a never-ending process of monitoring access to resources, network traffic, and security logs for events.