Chapter 5 Building an Incident Response Program Flashcards
- Any observable occurrence on a network
- e.g. a user accessing files stored on a server, an administrator changing permissions on a shared folder, and an attacker conducting a port scan
Event
- Any event that has negative consequences
- e.g. malware, a server crash, a user accessing a file they are not authorized to view
Adverse event
- A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
- e.g. accidental loss of sensitive information, intrusion into a computer system by an attacker, the use of a keylogger to steal a password, and the launch of a denial-of-service attack
Security incident
A team responsible for responding to computer security incidents that occur within an organization by following standardized response procedures and incorporating their subject matter expertise.
Computer Security Incident Response Teams (CSIRT)
What are the phases of incident response according to NIST?
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-incident activity
- Part of the Preparation phase
- NIST recommends that every organization's incident response toolkit include, at a minimum, the following:
- Digital forensic workstations
- Backup devices
- Laptops for data collection, analysis, and reporting
- Spare server and networking equipment
- Blank removable media
- Portable printer
- Forensic and packet capture software
- Bootable USB media containing trusted copies of forensic tools
- Office supplies and evidence collection materials
- Part of the Detection and Analysis phase
- NIST 800-61 describes four major categories of sources of security event indicators: what are they?
- Alerts
- Logs
- Publicly available information
- People
- One of NIST 800-61's four major categories of security event indicators
- Originates from intrusion detection and prevention systems, SIEMs, management systems, antivirus software, file integrity checking software, and third-party monitoring services
Alerts
- One of NIST 800-61's four major categories of security event indicators
- Generated by operating systems, services, applications, network devices, and network flows
Logs
- One of NIST 800-61's four major categories of security event indicators
- Provides information about new vulnerabilities
- Keeping up with new exploits can prevent some incidents from occurring and assist in analyzing new attacks
Publicly available information
- One of NIST 800-61's four major categories of security event indicators
- Represents users inside the organization or external sources who report suspicious activity that may indicate a security incident is in progress
People
- Part of the Detection and Analysis phase
- NIST recommends the following actions to improve the effectiveness of incident analysis:
- Profile networks and systems to measure the characteristics of expected activity
- Understand normal behavior of users, systems, networks, and applications
- Create a logging policy that specifies the information that must be logged by systems, applications, and network devices
- Perform event correlation to combine information from multiple sources
- Synchronize clocks across servers, workstations, and network devices
- Maintain an organization-wide knowledge base that contains critical information about systems and applications
- Capture network traffic as soon as the incident is suspected
- Filter information to reduce clutter
- Seek assistance from external resources
The Containment, Eradication, and Recovery phase of the process is designed to achieve these objectives:
- Select the containment strategy appropriate to the incident circumstances
- Implement the selected containment strategy to limit the damage caused by the incident
- Gather additional evidence as needed to support the response effort and potential legal action
- Identify the attackers and attacking systems
- Eradicate the effects of an incident and recover normal business operations
Post-incident activity includes what?
- Lessons Learned review
- Evidence retention
NIST recommends that incident response policies contain what key elements?
- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy (to whom it applies and under what circumstances)
- Definition of cybersecurity incidents and related terms
- Organizational structure and definition of roles, responsibilities, and level of authority
- Prioritization or severity rating scheme for incidents
- Performance measures for the CSIRT
- Reporting and contact forms
Designed to be step-by-step, recipe-style responses to cybersecurity incidents
Playbooks
In addition to the core team members, the CSIRT may include representation from the following:
- Technical subject matter experts
- IT support staff
- Legal counsel
- Human resource staff
- Public relations and marketing staff
NIST provides the following attack vectors, which are useful for classifying threats:
- External removable media
- Attrition (brute-force, DDoS attacks)
- Web
- Impersonation
- Improper usage
- Loss or theft of equipment
- Unknown
- Other
Highly skilled and talented attackers focused on a specific objective
Advanced persistent threat (APT)
Vulnerabilities that are unknown to the security community and, as a result, are not included in the security tests performed by vulnerability scanners and other tools, and have no patches available to correct them
Zero-day vulnerabilities
- NIST functional impact categories
- No effect on the organization's ability to provide all services to all users
None
- NIST functional impact categories
- Minimal effect; the organization can still provide all critical services to all users but has lost efficiency
Low
- NIST functional impact categories
- The organization has lost the ability to provide a critical service to a subset of system servers
Medium
- NIST functional impact categories
- The organization is no longer able to provide some critical services to any users
High
- Economic impact categories
- The organization does not expect to experience any financial impact, or the financial impact is negligible
None
- Economic impact categories
- The organization expects to experience a financial impact of $10,000 or less
Low
- Economic impact categories
- The organization expects to experience a financial impact of more than $10,000 but less than $500,000
Medium
- Economic impact categories
- The organization expects to experience a financial impact of $500,000 or more
High
- NIST recoverability effort categories
- The time to recover is predictable with existing resources
Regular
- NIST recoverability effort categories
- The time to recovery is predictable with additional resources
Supplemented
- NIST recoverability effort categories
- Time to recovery is unpredictable; additional resources and outside help are needed
Extended
- NIST recoverability effort categories
- Recovery from the incident is not possible; launch an investigation
Not Recoverable
- NIST information impact categories
- No information was exfiltrated, changed, deleted, or otherwise compromised
None
- NIST information impact categories
- Sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, and so on was accessed or exfiltrated
Privacy breach
- NIST information impact categories
- Unclassified proprietary information, such as protected critical infrastructure information (PCII) was accessed or exfiltrated
Proprietary breach
- NIST information impact categories
- Sensitive or proprietary information was changed or deleted
Integrity loss
- Private organization information impact categories
- No information was exfiltrated, changed, deleted, or otherwise compromised
None
- Private organization information impact categories
- Information regulated by an external compliance obligation was accessed or exfiltrated, e.g. protected health information under HIPAA or payment card information protected under PCI DSS
Regulated information breach
- Private organization information impact categories
- Sensitive intellectual property was accessed or exfiltrated. This may include product development plans, formulas, or other sensitive trade secrets
Intellectual property breach
- Private organization information impact categories
- Corporate confidential information was accessed or exfiltrated. This includes information that is sensitive but does not fit under the categories of regulated information or intellectual property, e.g. corporate accounting information or information about mergers and acquisitions
Confidential information breach
- Private organization information impact categories
- Sensitive or proprietary information was changed or deleted
Integrity loss