CySA+ Study Notes 11 Flashcards

1
Q

??? make the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies creating incident response resources and procedures.

A

Preparation stage

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

??? Determine whether an incident has taken place and assess how severe it might be (triage), followed by notification of the incident to stakeholders.

??? Limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact on customers and business partners.

A

Detection and Analysis / Containment Stages

3
Q

Once the incident is contained, the cause can be removed, and the system brought back to a secure state. The response process may have to iterate through multiple phases of detection, containment, and eradication to effect a complete resolution.

A

Eradication and Recovery

4
Q

Analyze the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. This phase is very commonly referred to as lessons learned. The outputs from this phase feed back into a new preparation phase in the cycle.

A

Post-incident Activity

5
Q

During an incident, you cannot depend on normal communications channels being available, so it is imperative that your incident response kit (or “jump bag”) contains a printed call list of incident response contacts, ideally showing the hierarchy for notification and escalation.

A

info

6
Q

Observe—You need information about the network and the specific incident and a means of filtering and selecting the appropriate data.

Orient—What is the state of play? Is the attack just beginning, or has the network been compromised for some time? What are the resources and goals of the adversary?

Decide—What are the options for countermeasures? What are our goals? Can we prevent a data breach from happening or should we focus on gathering forensic evidence to try to prosecute later?

Act—Remediate the situation quickly and decisively. Then start the loop again until the incident is fully resolved: Observe, Orient, Decide, Act.

A

OODA Loop

7
Q

Both data integrity and downtime have important economic effects, in both the short term and the long term. Long-term economic costs may include damage to reputation and market standing. The impact of an incident can be both tangible and intangible. Tangible examples: a damaged HDD, stolen passwords, a deleted list of clients, etc. Intangible examples: reputation, etc.

A

Economic

8
Q

The media is encrypted by default. To apply the erase operation, the encryption key itself is destroyed. CE is a feature of self-encrypting drives (SEDs). CE should only be relied on for a device that was sanitized and encrypted before sensitive data was written to it: data written while the drive was not encrypting is not protected by destroying the key.

A

Cryptographic Erase (CE)
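Added example, not from the study notes: a file-backed toy "self-encrypting drive" that shows why CE only sanitizes data written after encryption was enabled, and why the notes say to sanitize before encrypting. The cipher (an HMAC-SHA256 keystream), the ToyDrive class and the sample secret are all constructed for this demo and are not how a real SED works internally.

```python
"""Toy self-encrypting drive for demonstrating cryptographic erase (CE)."""
import hashlib
import hmac
import os

SECTOR = 512


def keystream(key: bytes, sector_no: int) -> bytes:
    """Toy counter-mode keystream: one 512-byte block per sector, keyed by key and sector index."""
    out = b""
    counter = 0
    while len(out) < SECTOR:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:SECTOR]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyDrive:
    def __init__(self, sectors: int) -> None:
        self.media = bytearray(SECTOR * sectors)  # what a chip-off reader would see
        self.key = None                           # media encryption key; None = cleartext mode

    def enable_encryption(self) -> None:
        self.key = os.urandom(32)

    def write(self, sector_no: int, data: bytes) -> None:
        block = data.ljust(SECTOR, b"\0")[:SECTOR]
        if self.key is not None:
            block = xor(block, keystream(self.key, sector_no))
        self.media[sector_no * SECTOR:(sector_no + 1) * SECTOR] = block

    def read(self, sector_no: int) -> bytes:
        raw = bytes(self.media[sector_no * SECTOR:(sector_no + 1) * SECTOR])
        return xor(raw, keystream(self.key, sector_no)) if self.key is not None else raw

    def zero_fill(self) -> None:
        """Overwrite-based sanitization: every byte of the media is replaced."""
        self.media[:] = b"\0" * len(self.media)

    def crypto_erase(self) -> None:
        """CE: the media is left untouched; the old key is destroyed and replaced with a new one."""
        self.key = os.urandom(32)

    def raw_contains(self, sector_no: int, needle: bytes) -> bool:
        """Inspect the stored bytes directly, bypassing the drive's decryption."""
        return needle in bytes(self.media[sector_no * SECTOR:(sector_no + 1) * SECTOR])


def demo() -> dict:
    secret = b"CLIENT LIST: acme corp"  # constructed sensitive content

    # Case 1: secret written in cleartext, encryption enabled later, then CE.
    unsafe = ToyDrive(sectors=4)
    unsafe.write(0, secret)  # cleartext era
    unsafe.enable_encryption()
    unsafe.write(1, secret)  # encrypted era
    unsafe.crypto_erase()

    # Case 2: drive zero-filled BEFORE encryption is enabled, as the notes recommend.
    safe = ToyDrive(sectors=4)
    safe.write(0, secret)
    safe.zero_fill()
    safe.enable_encryption()
    safe.write(1, secret)
    safe.crypto_erase()

    return {
        "unsafe_sector0_leaks": unsafe.raw_contains(0, secret),
        "unsafe_sector1_leaks": unsafe.raw_contains(1, secret),
        "unsafe_readable_after_ce": unsafe.read(1).startswith(secret),
        "safe_sector0_leaks": safe.raw_contains(0, secret),
        "safe_sector1_leaks": safe.raw_contains(1, secret),
    }


if __name__ == "__main__":
    print(demo())
```

Sector 0 of the "unsafe" drive still holds the secret in clear after CE because the key never protected it; only the sanitize-then-encrypt sequence leaves nothing recoverable.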

9
Q

Sanitization tools typically overwrite every location on the storage device with zeros (zero-fill). Some routines write a random pattern of ones and zeros before applying the zero-fill. This prevents other tools from extracting and reconstructing meaningful data from the drive.

For flash-based drives (SSDs, etc.), overwriting is unreliable because wear-levelling and over-provisioning leave blocks the host cannot address, so use the drive's built-in Secure Erase command instead.

A

info
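Added example, not from the study notes: overwrite-based sanitization (random pass, then zero-fill) of a file-backed disk image, followed by a verification pass. Real tools target a block device such as /dev/sdX; the "device" here is a temporary file holding constructed sample content, so the script is safe to run anywhere.

```python
"""Overwrite-based sanitization of a file-backed disk image, with verification."""
import os
import tempfile

CHUNK = 64 * 1024


def overwrite(path: str, passes=("random", "zero")) -> None:
    """Write each pass over the whole device in order; default is random then zero-fill."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if pattern == "random" else b"\0" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make sure the pass actually reached the medium


def is_zero_filled(path: str) -> bool:
    """Verification pass: every byte read back must be zero."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def contains(path: str, needle: bytes) -> bool:
    """Scan the medium for a known residual string, including matches that straddle chunk boundaries."""
    tail = b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if needle in tail + chunk:
                return True
            tail = chunk[-(len(needle) - 1):] if len(needle) > 1 else b""
    return False


def demo() -> dict:
    # Constructed 'drive' image holding repeated sensitive content, larger than one chunk.
    with tempfile.NamedTemporaryFile(delete=False) as tf:
        tf.write(b"CLIENT LIST: acme corp\n" * 3000)
        path = tf.name
    try:
        found_before = contains(path, b"acme corp")
        overwrite(path)
        return {
            "found_before": found_before,
            "found_after": contains(path, b"acme corp"),
            "verified_zero_filled": is_zero_filled(path),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The verification step is the part worth keeping: a wipe that is not read back is an assumption, not a control. On an SSD this script would only touch the host-visible blocks, which is why the notes point to Secure Erase there (for example `hdparm --user-master u --security-erase NULL /dev/sdX` after setting a password, or `nvme format /dev/nvme0n1 --ses=1` for NVMe drives).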

10
Q

One method of restoring the host software and settings following sanitization is to reimage the host disk using a known clean backup or template image you created prior to the incident. Another option is to reconstruct a system using a configuration template or scripted install from trusted media.

If no patch is available, you need to apply different mitigating controls, such as extended monitoring or network segmentation.

Following an incident, all types of permissions should be reviewed and reinforced. This especially affects file and firewall ACLs and system privileges assigned to administrative user or group accounts.

A

info
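Added example, not from the study notes: a post-incident permissions review that diffs the current file-permission state against a baseline snapshot (taken from a pre-incident backup or a clean template) and flags world-writable and setuid/setgid files. The directory layout, file names and the "attacker" changes are constructed for the demo.

```python
"""Diff file permissions against a baseline and flag risky modes after an incident."""
import os
import stat
import tempfile


def snapshot(root: str) -> dict:
    """Map each path under root (relative, '/'-separated) to (permission bits, uid, gid)."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return snap


def diff(baseline: dict, current: dict) -> list:
    """Return (path, baseline_entry, current_entry) for every added, removed or changed entry."""
    return [
        (p, baseline.get(p), current.get(p))
        for p in sorted(set(baseline) | set(current))
        if baseline.get(p) != current.get(p)
    ]


def risky(snap: dict) -> list:
    """Flag entries a reviewer should inspect regardless of whether they changed."""
    flags = []
    for path, (mode, _uid, _gid) in sorted(snap.items()):
        if mode & stat.S_IWOTH:
            flags.append((path, "world-writable"))
        if mode & (stat.S_ISUID | stat.S_ISGID):
            flags.append((path, "setuid/setgid"))
    return flags


def _touch(path: str, mode: int) -> None:
    with open(path, "wb") as f:
        f.write(b"x")
    os.chmod(path, mode)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        _touch(os.path.join(root, "etc", "app.conf"), 0o644)
        _touch(os.path.join(root, "bin", "tool"), 0o755)
        baseline = snapshot(root)  # pre-incident / clean-template state

        # Constructed post-incident changes: config made world-writable, setuid binary dropped.
        os.chmod(os.path.join(root, "etc", "app.conf"), 0o666)
        _touch(os.path.join(root, "bin", "backdoor"), 0o4755)
        current = snapshot(root)

        return {"changes": diff(baseline, current), "risky": risky(current)}


if __name__ == "__main__":
    for change in demo()["changes"]:
        print("changed:", change)
```

In practice the baseline comes from the same image or template used for reimaging, so the diff doubles as a check that the rebuilt host actually matches the known-good state; the `risky` pass catches dangerous modes that happened to be in the baseline too.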
