Incident Response Process 5.4 Flashcards

1
Q

National Institute of Standards and Technology Special Publication 800-61

A

This is a computer security incident handling guide created by the US Dept. of Commerce.

The Incident Response Lifecycle:
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
2
Q

Preparation

A

Determine the communication methods and who to contact during an incident. Have your contact list already prepared.

Have your incident handling hardware/software ready, and know what to do with all of the parts.

Make sure your incident analysis resources are prepared (network diagrams, baselines, critical file hash values).

Incident Mitigation Software - Make sure you have a clean OS and app images ready to load up.

Make sure your policies for incident handling are already squared away so everyone knows what to do.

3
Q

The Challenge of Detection

A

You have many different detection sources. Each of them covers a different level of detail and has a different level of perception. Attacks come all the time; how do you identify the legitimate threats? Incidents are almost always complex and require extensive knowledge.

4
Q

Incident Precursors

A

There are a number of ways to give yourself a heads-up that something is occurring.

Web server logs: entries showing a vulnerability scanner probing the server.
Exploit announcements: monthly patch releases, Adobe Flash updates.
Direct threats: you might hear that your org is going to get attacked.

5
Q

Incident Indicators

A

You can see that an attack is underway in a few different ways. Buffer overflows can be detected through IDS/IPS. Antivirus will identify malware. A host-based monitor detects a configuration change. Network traffic flow deviates from the norm.

6
Q

Isolation and Containment

A

It’s generally a bad idea to let things run their course. An incident can spread quickly, and at that point it’s your fault. Sometimes it’s bad to isolate malware: some of it can detect that it has been cut off and will delete itself along with all the data on the system.

7
Q

Recovery After an Incident

A

This is when it’s time to get back to normal. If there is any leftover malware, this is when you clean it up, disable breached user accounts, and fix vulnerabilities. Recover the system from known good backups, or you might have to rebuild from scratch.

8
Q

Reconstitution

A

It’s difficult to fix everything at once. Sometimes you will have to fix things in phases, and recovery could take months. The plan should be efficient: start with quick, high-value security changes, then later work on infrastructure changes and large-scale security rollouts.

9
Q

Post Incident Learning

A

Learn and improve. Invite everyone affected by the incident. Don’t wait too long to do this, so everything is fresh in everyone’s minds.

10
Q

Answer Tough Questions

A

Find out exactly what happened, with timestamps. How did your incident plans work out? Did the process operate successfully? What would you do differently next time? What indicators would you watch for next time?
