Incident response Flashcards
What is incident response
Set of procedures that an investigator follows when examining a computer security incident
What is an IMP
Incident management program - a program consisting of the monitoring and detection of security events on a computer network and the execution of proper responses to those events
What are the steps to an IMP
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned
Explain the preparation stage of IMP
Create and maintain a security posture, create a detailed IRP, and have solid, repeatable procedures
Explain the identification stage of IMP
Recognizing whether an event should be classified as an incident
Explain the containment stage of IMP
Focused on isolating the incident. If a PC is infected with a virus, it is important to air-gap the machine to prevent spread
Explain the eradication stage of IMP
Remove the threat or attack
Explain the recovery stage of IMP
Data restoration, system repair, and re-enabling any items that were taken offline during the attack
Explain the lessons learned stage of IMP
Document the incident response process
Make changes to the process and procedures to make sure that next time you are better prepared
What are some questions commonly posed in the lessons learned stage of an IMP
Was the threat detected
How was the event detected
Did we respond, and how
Were our eradication methods successful
What is an IRT
An incident response team consists of key people who must respond to any incident that meets the severity and priority thresholds outlined by the IMP
Describe the roles within an IRT
Incident response manager
Security analysts acting as either a triage or a forensic analyst
Threat researcher
Describe the role of the incident response manager
Oversees and prioritizes actions during the detection, analysis, and containment of incidents
Describe the role of the triage security analyst
Assigned to work on the network during the response; helps filter out false positives by using IPS/IDS to monitor, analyze, and detect intrusions
Describe the role of the forensic analyst
Does detective work to piece together what has occurred on the network.
Focuses on recovering artifacts and evidence from the network and uses these to build a timeline of the events that led up to the incident.
What is a threat researcher
Provides threat intelligence and context during incident response. Tasked with keeping up to date
Describe cross functional support
People from executive management, HR, and attorneys who assist in incident response
What is a CSIRT
Computer security IRT - a single point of contact for security incidents; may be part of the SOC or independent
Best practices for a CSIRT include:
Out-of-band comms
Up-to-date contact lists
Planning for how far comms go
True or False: It is essential to prevent unauthorized release of information outside the CSIRT
True
Who should be identified and notified in the event of a breach or incident
The affected stakeholders
What are some examples of affected stakeholders
Operations affected - Senior Leadership
Compliance affected - Regulatory Bodies
Risk of lawsuit - Legal
Insider threat - Human Resources
Risk of damage to image - Public Relations
What role does LE play in incident response, and who calls them
Law Enforcement - may provide incident handling or gather evidence for prosecution. Senior leadership will decide when to involve LE, with guidance from Legal