L04 Flashcards
Who responds to an incident?
An incident response team will consist of at least:
Incident Response Manager
Security Analysts
Threat Researchers
Incident response manager
Oversees all operations and assigns priorities to the rest of the team.
Forensic analysts
Will recover any key assets and look after any evidence
Triage analysts
Will analyse data, clarify any false positives and look for further intrusions
Steps to respond to an incident
Prepare, Detect, Contain, Eradicate, Recover, Lessons Learnt
Prepare
Make sure employees are aware of what to do
Perform regular drills and mock scenarios
Create an incident response plan
Detect
When did the incident happen? How did the incident happen? Who discovered the incident? What other areas have been affected? What was the source of the incident?
Contain
Restricting any further damage being caused
Quarantining infected systems
Keeping system users informed of actions being taken
Eradicate
Identification and implementation of measures to eliminate any further infection
Identify the origin of the infection and rebuild devices in a sandboxed environment
Removing/Repairing any infected system files
Checking for any remaining traces of infection
Identification of the vulnerability that was exploited
Recover
Retesting the functionality of networked devices in the same (sandboxed) environment in which the infection occurred
Networked devices are tested for malware in the above scenario
Upon successful testing of the above, devices are restored to their original state
Lessons Learnt
The incident manager will write a report for the organisation with advice on recommended changes to security measures, along with confirmation that full system functionality has been restored.
The organisation will consider the above advice and apply it where feasible
If necessary, a statement is released to the media
Cyber Security Incident Report
Incident title and date of incident
Target of the incident (e.g. organisation)
Incident category
Description of the incident
Type of attacker(s) (e.g. lone hacker)
Purpose of incident (e.g. financial theft)
Techniques used by the attacker(s)
Capability of attacker(s) (e.g. experienced)
Impact of the incident
Cost of the incident (e.g. significant, minimal)
Responses needed (e.g. technical, legal)
Future management (review, trends, updates to documentation, recommendations for changes)