Incident Response Process 5.4 Flashcards
National Institute of Standards and Technology Special Publication 800-61
This is a computer security incident handling guide created by the US Dept. of Commerce.
The Incident Response Lifecycle: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity
Preparation
Determine the communication methods and who to contact during an incident. Have your contact list already prepared.
Have your incident handling hardware/software, and know what to do with all of the parts.
Make sure your incident analysis resources are prepared (network diagrams, baselines, critical file hash values).
Incident Mitigation Software - Make sure you have clean OS and application images ready to load.
Make sure your policies for incident handling are already squared away so everyone knows what to do.
The Challenge of Detection
You have many different detection sources. Each of them covers a different level of detail and has a different level of perception. Attacks come all the time; how do you identify the legitimate threats? Incidents are almost always complex and require extensive knowledge.
Incident Precursors
There are a number of ways to give yourself a heads up that something is occurring.
Web server logs: entries can reveal that a vulnerability scanner has been run against your systems.
Exploit Announcements: monthly patch releases, Adobe Flash updates.
Direct Threats: You might hear that your org is going to get attacked.
Incident Indicators
You can see that an attack is underway in a few different ways: buffer overflows can be detected through an IDS/IPS, antivirus will identify malware, a host-based monitor detects a configuration change, and network traffic flow deviates from the norm.
Isolation and Containment
It’s generally a bad idea to let things run their course. An incident can spread quickly, and at that point it’s your fault. Sometimes isolating malware is risky: some malware can detect that it has been cut off and will delete itself along with all the data on the system.
Recovery After an Incident
This is when it’s time to get back to normal. If there is any leftover malware, this is when you clean it up, disable breached user accounts, and fix vulnerabilities. Recover the system from known good backups, or you might have to rebuild from scratch.
Reconstitution
It’s difficult to fix everything at once. Sometimes you will have to fix things in phases, and recovery could take months. The plan should be efficient: start with quick, high-value security changes, then later work on infrastructure changes and large-scale security rollouts.
Post Incident Learning
Learn and improve. Invite everyone affected by the incident. Don’t wait too long to do this, so everything is still fresh in everyone’s minds.
Answer Tough Questions
Find out exactly what happened, with timestamps. How did your incident plans work out? Did the process operate successfully? What would you do differently next time? What indicators would you watch for next time?