Incident response Flashcards
What is an incident response
Set of procedures that an investigator follows when examining a computer security incident
What is an IMP
Incident management program - a program consisting of the monitoring and detection of security events on a computer network and the execution of proper responses to those events
What are the steps to an IMP
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned
Explain the preparation stage of IMP
Create and maintain a security posture, create a detailed IRP, and have solid repeatable procedures
Explain the identification stage of IMP
recognizing whether an event should be classified as an incident
Explain the containment stage of IMP
focused on isolating the incident. If a PC is infected with a virus, it is important to air-gap the machine to prevent spread
Explain the eradication stage of IMP
Remove the threat or attack
Explain the recovery stage of IMP
data restoration, system repair, re-enabling any items that were taken offline during the attack
Explain the lessons learned stage of IMP
document the incident response process
make changes to the process and procedures to make sure that next time you are better prepared
What are some questions commonly posed in the lessons learned stage of an IMP
Was the threat detected
How was event detected
Did we respond, and how
Were our eradication methods successful
What is an IRT
Incident response team consists of key people who must respond to any incident that meets the severity and priority thresholds outlined by the IMP
Describe the roles within an IRT
Incident response manager
Security analysts acting as either a triage or a forensic analyst
Threat researcher
Describe the role of the incident response manager
Oversee and prioritize actions during detection, analysis and containment of incidents
Describe the role of the triage security analyst
assigned to work on the network during the response, helps filter out false positives by using IPS/IDS to monitor, analyze, and detect intrusions
Describe the role of the forensic analyst
detective work to piece together what has occurred on the network.
Focuses on recovering artifacts and evidence from the network and uses this to build a timeline of the events that led up to the incident.