Chapter 5 Building an Incident Response Program

Question 1

• Any observable occurrence on a network
• i.e. user accessing a files stored on a server, administrator changing permissions on a shared folder, and an attacker conducting a port scan

Answer 1

Event

Question 2

• Any event that has negative consequences

- i.e. malware, server crash, use your accessing file they are not authorized to view

Answer 2

Adverse event

Question 3

• A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
• i.e. accidental loss of sensitive information, intrusion into a computer system by an attacker, the use of a keylogger to steal a password, and a launch of a denial-of-service attack

Answer 3

Security incident

Question 4

A team responsible for responding to computer security incidents that occur within an organization by following standardized response procedures and incorporating their subject matter expertise.

Answer 4

Computer Security Incident Response Teams (CSIRT)

Question 5

What are the phases of incident response according to NIST?

Answer 5

1. Preparation
2. Detection and Analysis
3. Containment eradication and Recovery
4. Post-incident activity

Question 6

• Part of the Preparation phase

- NIST recommends that every organization’s incident response toolkit include at the minimum, the following.

Answer 6

• Digital forensic workstations
• Backup devices
• Laptops for data collection, analysis, and reporting
• Spare server and networking equipment
• Blank removable media
• Portable printer
• Forensic and packet capture software
• Bootable USB media containing trust two copies of forensic tools
• Office supplies and evidence collection materials

Question 7

• Part of the Detection and Analysis phase

- NIST 800-61 describes four major category sources of security event indicators: what are they?

Answer 7

1. Alerts
2. Logs
3. Publicly available information
4. People

Question 8

• One of NIST 800-61 four major categories of security event indicators
• Originates from intrusion detection and prevention systems, SIEMs, Management Systems, antivirus software, file integrity checking software, and third party monitoring services.

Answer 8

Alerts

Question 9

• One of NIST 800-61 four major categories of security event indicators
• Generating by operating systems, services, applications, network devices and network flows

Answer 9

Logs

Question 10

• One of NIST 800-61 four major categories of security event indicators
• Provides info about new vulnerabilities
• Keeping up with new exploits can prevent some incidents from occurring and assist in analyzing new attacks

Answer 10

Publicly available information

Question 11

• One of NIST 800-61 four major categories of security event indicators
• Represents users inside the organization or external sources who report suspicious activity that may indicate a security incident is in progress

Answer 11

People

Question 12

• Part of the Detection and Analysis phase

- NIST recommends the following actions to improve the effectiveness of an incident analysis

Answer 12

• Profile networks and systems to measure the characteristics of expected activity
• Understand normal behavior of users, systems, networks, and applications
• Create a logging policy that specifies the information that must be logged by systems, applications, and network devices
• Perform event correlation to combine information from multiple sources
• Synchronize clocks across servers, workstations, and network devices
• Maintain an organization-wide knowledge base that contains critical information about systems and applications
• Create network traffic as soon as the incident is suspected
• Filter information to reduce clutter
• Seek assistance from external resources

Question 13

The Containment, Eradication, and Recovery phase of the process is designed to achieve these objectives:

Answer 13

• Select the containment strategy appropriate to the incident circumstances
• Implement the selected containment strategy to limit the damage caused by the incident
• Gather additional evidence, as needed to support the response effort and potential legal action
• Identify the attackers and attacking systems
• Eradicate the effects of an incident and recover normal business operations

Question 14

Post-incident activity includes what?

Answer 14

• Lessons Learned review

- Evidence retention

Question 15

NIST recommends that incident response policies contain what key element?

Answer 15

• Statement of management commitment
• Purpose of objectives of the policy
• Scope of the policy (to whom it applies and under what circumstances)
• Definition of cybersecurity incidents and related terms
• Organizational structure and definition of roles, responsibilities, and level of authority
• Prioritization or severity rating scheme for incidents
• Performance measures for the CSIRT
• Reporting and contact forms

Question 16

Design to be a step-by-step recipe style responses to cyber security incidents

Answer 16

Playbooks

Question 17

In addition to the core team members the CSIRT may include a representation from the following:

Answer 17

• Technical subject matter experts
• IT support staff
• Legal counsel
• Human resource staff
• Public relations in marketing staff

Question 18

NIST provides the following attack vectors that are useful for classifying threats

Answer 18

• External removable media
• Attrition (brute-force, DDoS attacks)
• Web
• Email
• Impersonation
• Improper usage
• Loss or theft of equipment
• Unknown
• Other

Question 19

Highly skilled and talented attackers focused on a specific objective

Answer 19

Advanced persistent threat (APT)

Question 20

Vulnerabilities that are unknown to the security community and as a result are not included in security test performed by vulnerability scanners and other tools and have no patches available to correct them

Answer 20

Zero-day vulnerabilities

Question 21

• NIST functional impact categories

- No effect to the organization’s ability to provide all services to all users

Answer 21

None

Question 22

• NIST functional impact categories

- Minimum affect the organization can still provide all critical services to all users but has lost efficiency

Answer 22

Low

Question 23

• NIST functional impact categories

- Organization has lost ability to provide a critical service to a subset of system servers

Answer 23

Medium

Question 24

• NIST functional impact categories

- Organization is no longer able to provide some critical services to any users

Answer 24

High

Question 25

• Economic impact categories

- The organization does not expect to experience any Financial impact or the financial impact is negligible

Answer 25

None

Question 26

• Economic impact categories

- The organization expects to experience a financial impact of $10,000 or less

Answer 26

Low

Question 27

• Economic impact categories

- The organization expects to experience of financial impact of more than $10,000 but less than $500,000

Answer 27

Medium

Question 28

• Economic impact categories

- The organization expects to experience a financial impact of $500,000 or more

Answer 28

High

Question 29

• NIST recoverability effort categories

- The time to recover is predictable with existing resources

Answer 29

Regular

Question 30

• NIST recoverability effort categories

- The time to recovery is predictable with additional resources

Answer 30

Supplemented

Question 31

• NIST recoverability effort categories

- Time to recovery is unpredictable additional resources and outside help are needed

Answer 31

Extended

Question 32

• NIST recoverability effort categories

- Recovery from an incident is not possible launch investigation

Answer 32

Not Recoverable

Question 33

• NIST information impact categories

- No information was exfiltrated, changed, deleted, or otherwise compromise

Answer 33

None

Question 34

• NIST information impact categories
• Sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, and so on was accessed or exfiltrated

Answer 34

Privacy breach

Question 35

• NIST information impact categories
• Unclassified proprietary information, such as protected critical infrastructure information (PCII) was accessed or exfiltrated

Answer 35

Proprietary breach

Question 36

• NIST information impact categories

- Sensitive or proprietary information was changed or deleted

Answer 36

Integrity loss

Question 37

• Private organization information impact categories

- No information was exfiltrated, changed, deleted or otherwise compromise

Answer 37

None

Question 38

• Private organization information impact categories
• Information regulated by an external compliance obligation was accessed or exfiltrated. i.e. protected health information under HIPAA or payment card information protected under PCI DSS

Answer 38

Regulated information breach

Question 39

• Private organization information impact categories
• Sensitive intellectual property was accessed or exfiltrated. This may include product development plans, formulas, or other sensitive trade secrets

Answer 39

Intellectual property breach

Question 40

• Private organization information impact categories
• Corporate confidential information was accessed or exfiltrated. This includes information that is sensitive but does not fit under the categories of regulated information or intellectual property. i.e. corporate accounting information or about mergers or act or acquisitions

Answer 40

Confidential information breach

Question 41

• Private organization information impact categories

- Sensitive or proprietary information was changed or deleted

Answer 41

Integrity loss