Incident Response Flashcards

1
Q

Preparation

A
  • Prepare the business, responders and handlers to tackle incidents before one happens.
  • Focus on people, policy, communications and, above all, documentation: thorough note taking, as emphasised in previous modules, is what makes every later stage defensible.
  • This stage is also where the incident response plan is tested, for example through tabletop exercises, rather than for the first time during a live incident.
2
Q

Identification

A
  • Identify the scope of the incident: how many machines are affected, which accounts are involved, and is there a ‘patient zero’ (the first system compromised)?
  • Analyse logs and security events, correlating them on a timeline so the order of compromise is clear.
  • This stage requires the most intensive forensic work, including taking live captures (memory and other volatile state, before it is lost) and analysing systems without tipping off the attacker.
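The scoping described on this card, worked through as an added example (not part of the original flashcards): a few constructed EDR-style log lines and two assumed indicators of compromise (a file hash and a command-and-control address) are enough to list the affected hosts, pick out patient zero as the earliest sighting, and recover the remote logons that carried the attacker from host to host. The log format, hostnames and indicator values are all assumptions made for the example.

```python
"""Scoping an incident from endpoint logs.

Added example (not part of the original flashcards): given constructed
EDR-style events and two assumed indicators of compromise, work out which
hosts are affected, which one was hit first (patient zero), and which remote
logons carried the attacker from host to host.
"""
from datetime import datetime

# Constructed sample events, not real data.  Format per line:
#   <ISO timestamp> <host> <event kind> key=value ...
SAMPLE_LOGS = """\
2024-03-04T09:12:03Z ws-07 process_start image=C:\\Users\\amy\\AppData\\Local\\Temp\\invoice.exe sha256=a1b2
2024-03-04T09:12:05Z ws-07 net_connect dst=203.0.113.7:443
2024-03-04T09:40:11Z ws-07 logon_remote target=ws-12 user=amy
2024-03-04T09:41:30Z ws-12 process_start image=C:\\Windows\\Temp\\invoice.exe sha256=a1b2
2024-03-04T09:41:33Z ws-12 net_connect dst=203.0.113.7:443
2024-03-04T10:02:00Z ws-03 process_start image=C:\\Vendor\\update.exe sha256=ffff
2024-03-04T10:15:47Z ws-12 logon_remote target=srv-files user=svc_backup
2024-03-04T10:16:02Z srv-files process_start image=C:\\Windows\\Temp\\invoice.exe sha256=a1b2
2024-03-04T10:16:09Z srv-files net_connect dst=203.0.113.7:443
"""

# Assumed indicators for this example: the malware's hash and its C2 address.
IOC = {"sha256": {"a1b2"}, "dst_ip": {"203.0.113.7"}}


def parse_events(text):
    """Turn the constructed line format into a list of dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host,
            "kind": kind,
            **fields,
        })
    return events


def matches_ioc(ev):
    """True if the event carries either indicator (hash match or contact with the C2 IP)."""
    if ev.get("sha256") in IOC["sha256"]:
        return True
    dst_ip = ev.get("dst", "").rsplit(":", 1)[0]   # strip the port
    return dst_ip in IOC["dst_ip"]


def scope_incident(events):
    """Return patient zero, every host showing the IOC (in order of first sighting),
    and the remote logons that link an already-infected host to one infected afterwards."""
    events = sorted(events, key=lambda e: e["ts"])
    first_seen = {}
    for ev in events:
        if matches_ioc(ev) and ev["host"] not in first_seen:
            first_seen[ev["host"]] = ev["ts"]
    infected = sorted(first_seen, key=first_seen.get)

    lateral, accounts = [], set()
    for ev in events:
        if ev["kind"] != "logon_remote":
            continue
        src, dst = ev["host"], ev["target"]
        # A remote logon from a host already showing the IOC to a host that
        # shows it afterwards is the likely lateral-movement hop.
        if (src in first_seen and first_seen[src] <= ev["ts"]
                and dst in first_seen and first_seen[dst] >= ev["ts"]):
            lateral.append((src, dst, ev["user"]))
            accounts.add(ev["user"])

    return {
        "patient_zero": infected[0] if infected else None,
        "infected_hosts": infected,
        "lateral_movement": lateral,
        "compromised_accounts": sorted(accounts),
    }


if __name__ == "__main__":
    result = scope_incident(parse_events(SAMPLE_LOGS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Note that ws-03 runs an unrelated binary and never touches the C2 address, so it stays out of scope; the two accounts in the lateral-movement hops (including the service account) are exactly the ones the containment and recovery stages need to disable or reset.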
3
Q

Containment

A
  • The attack has now been identified, so it is time to stop the attacker progressing any deeper into the target systems.
  • This may mean changing permissions on critical systems, or logically separating the infected machines from the rest of the network (for example, moving them to an isolated VLAN or blocking them at the firewall) while keeping them powered on so that volatile evidence is preserved for analysis.
  • Monitoring tailored specifically to this attack (its indicators, the accounts involved and its command-and-control addresses) is also put in place at this stage.
4
Q

Eradication

A
  • This stage is about applying patches, closing back doors, disabling accounts and ultimately kicking the attacker out of your systems.
  • Once all of the tasks in this phase are complete, it is important to pause and allow time for the monitoring team to see whether the attacker re-enters the environment.
  • More advanced teams will leave a user account, or a system, in place as a honeypot. The idea is that the attacker will use this honeypot thinking it has been missed, whereas in reality the account, or system, has been stripped of every privilege and can no longer cause any damage; any use of it is a high-confidence signal that the attacker is back.
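The post-eradication watch from the last two bullets, as an added example that is not part of the original flashcards: after an assumed eradication cut-over time, any authentication against the decoy account, and any host contacting the retired command-and-control address, raises an alert, while events from before the cut-over belong to the original incident and are ignored. A second function checks the caveat the card relies on, that the decoy account really has been stripped of privileged group memberships. Account names, group names, addresses and the log format are all assumptions made for the example.

```python
"""Post-eradication watch for attacker re-entry.

Added example (not part of the original flashcards).  Two assumed detection
rules run over constructed authentication and network events:
  * any logon attempt against the decoy (honeypot) account after eradication
  * any host contacting the retired C2 address after eradication
plus a check that the decoy account holds no privileged group membership.
"""
from datetime import datetime, timezone

# Assumed cut-over: the moment eradication tasks were declared complete.
ERADICATION_COMPLETE = datetime(2024, 3, 5, 18, 0, tzinfo=timezone.utc)

# Assumed: the compromised service account is kept as a decoy, stripped of rights.
DECOY_ACCOUNTS = {"svc_backup"}
# Assumed: the attacker's C2 address, now blocked at the edge but still worth watching.
RETIRED_C2 = {"203.0.113.7"}
# Assumed list of groups a decoy must never remain in.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}

# Constructed sample events, not real data.  The first line predates the cut-over.
SAMPLE_EVENTS = """\
2024-03-05T17:30:00Z ws-12 logon_failed user=svc_backup src=10.0.5.21
2024-03-05T20:14:08Z srv-files logon_failed user=svc_backup src=10.0.5.21
2024-03-05T20:14:12Z srv-files logon_success user=svc_backup src=10.0.5.21
2024-03-05T20:15:01Z ws-09 net_connect dst=203.0.113.7:443
2024-03-05T21:00:00Z ws-03 logon_success user=amy src=10.0.1.40
"""


def parse_events(text):
    """Parse '<timestamp> <host> <kind> key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host,
            "kind": kind,
            **fields,
        })
    return events


def watch_for_reentry(events):
    """Return alerts for decoy-account use or retired-C2 contact after the cut-over."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ts"] <= ERADICATION_COMPLETE:
            continue   # part of the original incident, already handled
        if ev["kind"].startswith("logon") and ev.get("user") in DECOY_ACCOUNTS:
            # Even a failed attempt matters: nobody legitimate should touch the decoy.
            alerts.append({"ts": ev["ts"], "host": ev["host"], "rule": "decoy_account_used",
                           "detail": f"{ev['kind']} from {ev.get('src')}"})
        elif ev["kind"] == "net_connect" and ev.get("dst", "").rsplit(":", 1)[0] in RETIRED_C2:
            # A host still beaconing was either missed in scoping or reinfected.
            alerts.append({"ts": ev["ts"], "host": ev["host"], "rule": "retired_c2_contact",
                           "detail": ev["dst"]})
    return alerts


def check_decoy_privileges(group_membership):
    """Given {account: [groups]}, return (account, group) pairs where a decoy
    still holds a privileged membership and could therefore cause damage."""
    return [(acct, grp)
            for acct in sorted(DECOY_ACCOUNTS)
            for grp in group_membership.get(acct, [])
            if grp in PRIVILEGED_GROUPS]


if __name__ == "__main__":
    for alert in watch_for_reentry(parse_events(SAMPLE_EVENTS)):
        print(alert)
    print(check_decoy_privileges({"svc_backup": ["Domain Users", "Backup Operators"]}))
```

The retired-C2 rule is the one that catches ws-09, a host the identification stage never listed: that is the kind of finding the pause after eradication exists to surface, and it sends the team back to containment rather than on to recovery.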
5
Q

Recovery

A
  • This stage is focused on returning the systems to full production specifications.
  • It will also include more widespread actions: a mass password reset for every account on the network, including all automated or system accounts (rotation of service-account credentials must be coordinated with the owners of the services that use them, or the reset itself causes outages); pushing out all patches that were not directly related to the incident; and reviewing access systems, such as firewalls, for weaknesses.
6
Q

Lessons Learned

A
  • Finally, it is time to look at what happened. The business as a whole needs to review the entire attack from start to finish, to establish what went wrong in the first place and how to stop it from happening again.
  • This will also include a detailed report, whether paper based or a presentation, showing how the teams dealt with the incident and what lessons they have taken on board for the future.
  • This is the time to look closely at the policies that are in place, from passwords to patching; all will need to be scrutinised.