Module 2 - Stages of Incident Handling Flashcards
Upon the completion of this module students will be able to:
- Characterize the different stages of an incident response
- Differentiate a precursor from an indicator
- Evaluate the changes made to a system during live response/acquisition
- Characterize the roles of help desk technicians and first responders
- Evaluate the different roles in an incident response plan and how incident responders fill those roles
- Critique the key elements of staffing and teaming models for incident response
- Analyze volati
Four Stages of Incident Response
(Iterative Process)
Preparation
Incident Identification
Treatment of Incident
Post-mortem
NIST Plan (4 Stage) for IR
- Preparation
- Detection and Analysis
- Containment, eradication, and recovery (Others break this up)
- Post-incident recovery
6 Stage Plan for IR
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned/Follow-up
Goal of Preparation Phase
Limit the number of incidents, if possible
Incident Identification Phase (components)
Detection and analysis of incident
Through precursors and indicators
Categories of Incidents
- Attacks (external or internal sources)
- Defacement
- Inappropriate/unauthorized access
- Theft/loss (equipment or data)
- Damage/non-functional equipment
Preparation Phase (components)
- Forming a plan
- Establishing a team
- Assembling tools
- Contact lists
- Documentation if a system goes offline
- Travel bag / jump kit
Symptoms of an incident
- Firewall
- IDS
- Anti-virus alerts
- Forward-facing server, i.e., mail or web server
- Nodes on the LAN, e.g., computers/printers
- Users
- Help desk
- Third-party notification
Factors that escalate response
high value data
high value system
scope of incident
rate of scope’s expansion
Non-obvious sources of incident identification
Log analysis, which requires:
Log retention
Time synchronization
Atypical network traffic over a large amount of time.
Public sources, e.g., US-CERT, InfraGard
Incident Identification - Documentation
Items to consider
- Indicators
- Response/actions, which will generate their own set of changes
- Dates and times of events
Prioritization of Incident Identification / Recovery
Priority can be based on:
- Functional impact (None, Low, Medium, High)
- Informational impact (None, Privacy Breach, Proprietary Breach, Integrity Loss)
- Theft
- Deletion
- Changing of information within the organization.
- Speed of recovery of individual systems (Regular, Supplemented, Extended, Not Recoverable)
Incident Notification (Who)
Based on Severity of Incident:
Contact:
- Incident response lead
- Manager
- Stakeholders
- Senior Management
- External entities
Post Mortem to Incident
- Identification of cause
- Symptoms
- Corrective methods
- Preventative methods
  - Create signature patterns for firewalls or IDSs
  - Change configuration of computers via Group Policy
- List of deficiencies
  - Identification of incident
  - Technical skills
  - Gaps in the plan
- Corrections to plan
- Identify meaningful metrics
- Preventative measures
- Identify opportunities for improvement
- Recommendations
Precursor vs Indicator
Precursor: a sign that an incident may occur in the future, e.g., vulnerability scans or security alerts about new exploits
Indicator: a sign that an incident may have occurred or may be occurring now, e.g., log entries or intrusion detection alerts