Module 3: Incident Response and Handling Steps Flashcards
What can be used to detect information system security breaches
Intrusion Detection System (IDS)
What are common symptoms of a security incident
- Suspicious log entries
- The IDS generates an alarm
- Presence of unexplained user accounts on the network
- Presence of suspicious files
- Modified files or folders
- Unusual services running or ports opened
- Unusual system behavior
- Drive icons changed/drives not accessible
- Number of packets received is more than expected
What is Incident Handling (IH)
A set of procedures to overcome the various kinds of incidents caused by the various vulnerabilities in the systems
What are the three basic functions of Incident Handling
- Incident reporting
- Incident analysis
- Incident response
What is Incident Response (IR)
To identify the attacks or incidents that have compromised the personal and business information in the system
Why is Incident Response required
- Protect Systems
- Protect Personnel
- Efficiently use the resources
- Address legal issues
What are the goals of Incident Response
- Examining whether or not the incident occurred
- Limiting the impact of incident on business and network operations
- Preventing future attacks or incidents
- Supporting enhancement of accurate information
- Creating guidelines and control measures for proper recovery and handling of evidence
- Safeguarding privacy rights recognized by law and policy
- Identifying illegal activity and taking legal action
- Providing useful recommendations with precise reports
- Swift detection, reporting, containment and recovery after an incident
- Limiting the exposure and compromise of the business data
- Securing the organization’s reputation and assets
What is an Incident Response Plan
It is a set of instructions to detect and respond to an incident
What is the team created to carry out the incident response plan
The Incident Response Team
The Incident Response Plan covers
- How information is passed to the appropriate personnel
- Assessment of the incident
- Incident containment and response strategy
- Restoration of systems and resources
- Documentation of the incident
- Preservation of the evidence
- Reporting of the incident to the appropriate personnel
What essential prerequisites does an Incident Response Plan require
- Expert teams
- Legal review and approved strategy
- Company’s financial support
- Support from the top management
- Corrective action plan
- Physical resources
What is the most important aspect of incident handling and response
Preparation
How does preparation help the organization and incident response teams
It prepares them for a comprehensive risk response that includes planning, risk assessment, control implementation, and resource allocation
What is an Incident Response Team
A team of experts capable of handling any computer security incidents that may occur in your organization
What does the Incident Response Team need to prepare for an incident
- Hardware and software for investigating incidents
- Forms and reports to investigate
- Policies and SOPs
- Training programs for staff to prepare for incidents
What are the 17 steps of Incident Response and Handling
- Identification
- Incident Reporting
- Initial Response
- Communicating the Incident
- Containment
- Formulating a Response Strategy
- Incident Classification
- Incident Investigation
- Data Collection
- Forensic Analysis
- Evidence Protection
- Notifying External Agencies
- Eradication
- Systems Recovery
- Incident Documentation
- Incident Damage and Cost Assessment
- Review and Update the Response Policies
What is done in Step 1 Incident Identification
An incident is analyzed for its nature, intensity, and its effects on the network and systems
Incident identification involves
- Validating an incident
- Identifying the nature of an incident
- Identifying and protecting the evidence
- Logging and making a report of whatever anomalies are observed
What actions are taken in the identification phase
- Audit log collection, examination, and analysis
- Incident Reporting and assessment
- Collect/protect system information
- Incident severity level
- Other systems analysis
- Assign members to incident task force
What is Step 2 Incident Recording
The process of storing the details of occurrence of an incident accurately
What information should be recorded
- The date and time the incident occurred
- The date and time the incident was detected
- Who has reported the incident
- Description of the incident
- Systems involved
- Backup info such as error messages, log files, etc.
What is Step 3 Initial Response
The steps to be followed while responding to an incident are documented
What is Step 4 Communicating the Incident
A process that helps reduce the impact of the incident by facilitating better coordination between the different stakeholders affected by the incident.
What is Step 5 Containment
To reduce loss and damage due to attacks by eliminating threat sources
What are the common techniques used in Containment
- Disabling of specific system services
- Changing of passwords and disabling account
- Complete backups of the infected system
- Temporary shutdown of the compromised system
- System Restoration
- Maintaining a low profile
What is the goal of Step 6 Formulating a Response Strategy
The goal of response strategy is to examine the most appropriate response procedure
What is the goal of Step 7 Incident Classification
Classifying incidents based on the severity of the incident with a high, medium, or low level
How is an incident classified
- Categorization (type of incident)
- Priority level
- Resource allocation
What is the goal of Step 8 Incident Investigation
Identifying the perpetrators who are responsible for the occurrence of incident
What is the investigation phase capable of determining
- Who is responsible for the incident?
- What is the reason behind the incident?
- When did the incident occur?
- Where exactly did the incident happen?
- How to recover from the incident?
What are the two different phases in a computer security investigation
- Data collection
- Forensic analysis
What is the goal of Step 9 Data Collection
The process of gathering known facts and evidence that are required for forensic analysis
What are the different types of evidence gathered during the data collection phase
- Host-based evidence
- Network-based evidence
- Other evidence
What is host-based evidence
The evidence gathered and available on a computer system
What is network-based evidence
The information gathered from the network resources
What does other evidence consist of
- Gathering personal files
- Interviewing employees, witnesses, and character witnesses
- Documenting the information gathered
What is Step 10 Forensic Analysis
The process of analyzing and reviewing the data gathered from computer systems such as log files of the system, system files, web history files, email files, installed applications, graphic files, etc.
Why is documentation important in forensic analysis
It helps the forensic examiners to file a case against the attackers during the investigation process.
What should forensic analysis help determine
- The victims and attackers of the event or incident
- What kind of incident happened
- When and where the incident has occurred
- What the incident has affected
- How the events have occurred
Why is Step 11 Evidence Protection important
Organizations or incident response teams need to protect the evidence to take legal action against perpetrators for intentionally attacking a computer system
Why is Step 12 Notify External Agencies important
External agencies provide technical assistance in recovering from the computer security incident and prevent it from happening in the future.
What is the goal of Step 13 Eradication
To locate malicious objects and remove the residual of attacks.
Who performs Step 13 Eradication
The Incident Response Team
What types of techniques are used in the Step 13 Eradication phase
- Using anti-virus
- Installing latest patches
- Conducting independent security audits
- Disabling any unnecessary services
- Tracking progress on all corrections that are required
What happens in Step 14 Systems Recovery
An affected system is restored to its normal operations.
What are the two important steps in Step 14 Systems Recovery
- Determine the course of action. (Selecting the appropriate strategy to restore the system after an incident)
- Monitor and validate the systems. (Used to make sure that the recovered systems are sanitized of incident causes)
What should Step 15 Incident Documentation provide
- Description of the security breach
- Who handled the incident
- When the incident was handled
- Reasons behind the occurrence of the incident
Why is proper documentation important
It is necessary for the prosecution of the offender
How should the document prepared in Step 15 Incident Documentation be written
- Concise and clear
- Standard Format
- Error-free
Why should an organization perform Step 16 Incident Damage and Cost Assessment
Because incident damage and recovery cost play an important role in legal actions against the perpetrators
Step 16 Incident Damage and Cost Assessment should include what costs
- The loss of confidential info
- Legal costs for investigating the case
- Labor costs
- System downtime
- Cost of repair
Why is Step 17 Review and Update the Response Policies important
It will reduce the impact of incident and help you to handle future incidents
What steps can you use in Step 17 Review and Update the Response Policies
- Using additional security policies
- Update policies
- Use lessons learned
- Examine the organization’s computer systems regularly
True or False: A Training and Awareness program is important for educating people on how to handle incidents
TRUE
What are the four important elements of any security awareness and training programs
- Designing and planning of the awareness and training program
- Development of the training material
- Implementation of the program
- Measuring the effectiveness of the program
What is the objective of Incident Management
To quickly restore the services of a computer system to normal operations after an incident with little or no impact on the business
What is the purpose of Incident Management
- Prevent incidents and attacks by tightening the physical security of the system or infrastructure
- Create awareness program by training employees and users
- Monitor and test the organization’s infrastructure for weaknesses
- Share information with other teams
What are the five steps of Incident Management
- Preparation
- Protection
- Detection
- Triage
- Response
What is the purpose of the Incident Management Team
Provides support to all users in the organization that are affected by a threat or attack
Who is in the Incident Management Team
- Executive Management
- Staff that supports department representatives
- Head of departments
What is the goal of the Incident Response Team
To minimize the severity and impact of the incident by providing a quick, effective, and skillful response to any unexpected event involving computer systems
Incident Response Team Members
- Information Security Officer (ISO)
- Information Technology Officer (ITOC)
- Information Privacy Officer (IPO)
- Network Admin
- System Admin
- Business App and Online Sales Officer
- Internal Auditor
TRUE or FALSE: The members of the team involved in incident response procedure should have excellent technical skills for the team’s success
TRUE
The efficiency of an incident response team depends on what
Availability and response time
How is a Centralized Incident Response Team structured
There is a single team responsible for response to all types of incidents in the organization.
These are considered more effective in quickly responding to an incident
How is a Distributed Incident Response Team structured
Organizations have multiple IR teams that are responsible for responding to a specific type of incident or incidents in a particular department.
This model is a best fit for organizations with a distributed geographical presence and a large computing base
How is a Coordinated Team structured
This model plays an advisory role and is not directly responsible for incident response
What are the 3 models for staffing an Incident Response Team
- Employee (In-house)
- Partially Outsourced (Outsource Incident Handling but do not give up sensitive or confidential info and require additional technical knowledge)
- Fully Outsourced (Organizations completely outsource their incident response activities)
What major factors play a key role in deciding the structure and staffing for an Incident Response Team
- Cost/benefit analysis (required long-term financial investment)
- Availability of expertise (People who know what they are doing)
- Size of the organization (Determines the need of exact number of IR teams and team members)
- Operations up-time (Having 24 hour service)
What are the different teams to help support an Incident Response Team
- Management
- Information Security Teams
- Telecommunications Department
- IT Support Teams
- Legal Department
- Public Affairs and Media Relations Department
- HR Department
- Business Continuity Planning Team
- Physical Security
TRUE or FALSE: Incident Management is a function carried out by Incident Handling and Incident Handling is one of the services provided in Incident Response
FALSE
Incident Response is a function of Incident Handling which is a service provided in Incident Management
See page 162 for diagram
TRUE or FALSE: Staying calm, stopping the incident if it is still in progress, and documenting everything are just a few of the best practices for Incident Response
TRUE
According to CERT’s incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms
Protection
When recognizing and separating infected hosts from the information system, what helps to achieve this
Inspecting the processes running on the system
Which step in the incident handling and response steps focuses on limiting the scope and extent of an incident
Containment
Identify the stage of the incident response and handling process in which complete backup of the infected system is carried out
Containment
What approach in incident response focuses on developing the infrastructure and security processes before the occurrence or detection of an event or any incident
Proactive approach
TRUE or FALSE: A state of network interface is considered host-based evidence
TRUE
Which stage of the incident response and handling process involves auditing the system and network log files
Identification
What is the purpose of the Incident Coordinator of an IRT
They link the groups that are affected by the incidents, such as legal, human resources, different business areas, and management