Module 2 - Stages of Incident Handling Flashcards

Upon completion of this module, students will be able to:
  • Characterize the different stages of an incident response
  • Differentiate a precursor from an indicator
  • Evaluate the changes made to a system during live response/acquisition
  • Characterize the roles of help desk technicians and first responders
  • Evaluate the different roles in an incident response plan and how incident responders fill those roles
  • Critique the key elements of staffing and teaming models for incident response
  • Analyze volati

1
Q

Four Stages of Incident Response

A

(Iterative Process)

Preparation
Incident Identification
Treatment of Incident
Post-mortem

2
Q

NIST Plan (4 Stage) for IR

A
  1. Preparation
  2. Detection and Analysis
  3. Containment, eradication, and recovery (Others break this up)
  4. Post-incident recovery
3
Q

6 Stage Plan for IR

A
  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned/Follow-up
4
Q

Goal of Preparation Phase

A

Limit the number of incidents, if possible

5
Q

Incident Identification Phase (components)

A

Detection and analysis of incident

Through precursors and indicators

6
Q

Categories of Incidents

A
Attacks (external or internal sources)
Defacement
Inappropriate/unauthorized access
Theft/loss (equipment or data)
Damage/non-functional equipment
7
Q

Preparation Phase (components)

A
Forming a plan
Establishing a team
Assembling tools
Contact lists
Documentation if a system goes offline
Travel bag / jump kit
8
Q

Symptoms of an incident

A
Firewall
IDS
Anti-virus alerts
Forward-facing server, i.e., mail or web server
Nodes on the LAN, e.g., computers/printers
Users
Help desk
Third-party notification
9
Q

Factors that escalate response

A

high value data
high value system
scope of incident
rate of scope’s expansion

10
Q

Non-obvious sources of incident identification

A

Log analysis, which requires:
  - Log retention
  - Time synchronization
Atypical network traffic over a long period of time
Public sources, e.g., US-CERT, InfraGard

11
Q

Incident Identification - Documentation

A

Items to consider

  • Indicators
  • Response/actions, which will generate their own set of changes
  • Dates and times of events
12
Q

Prioritization of Incident Identification / Recovery

A

Priority can be based on:

  • Functional impact (None, Low, Medium, High)
  • Informational impact (None, Privacy Breach, Proprietary Breach, Integrity Loss)
  • Theft
  • Deletion
  • Changing of information within the organization.
  • Speed of recovery of individual systems (Regular, Supplemented, Extended, Not Recoverable)
13
Q

Incident Notification (Who)

A

Based on Severity of Incident:

Contact incident response lead
Manager
Stakeholders
Senior Management
External entities
14
Q

Post Mortem to Incident

A
Identification of cause
Symptoms
Corrective methods
Preventative methods
- Create signature patterns for firewalls or IDSs
- Change configuration of computers via Group Policy
List of deficiencies
- Identification of incident
- Technical skills
- Gaps in the plan
Corrections to plan
Identify Meaningful Metrics
Preventative Measures
Identify Opportunities for Improvement
Recommendations
15
Q

Precursor vs Indicator

A

Precursor: a sign that an incident may occur in the future, e.g., vulnerability scans or security alerts about new exploits

Indicator: a sign that an incident may have occurred or may be occurring now, e.g., logs, intrusion detection alerts
