Module 6 - Incident Response Flashcards

1
Q

Incident response

A

Incident Response involves the methods, policies, and procedures that are used by an organisation to respond to a cyberattack. The aims of incident response are to limit the impact of the attack, assess the damage caused, and implement recovery procedures. Because of the potential large-scale loss of property and revenue that can be caused by cyberattacks, it is essential that organisations create and maintain detailed incident response plans and designate personnel who are responsible for executing all aspects of that plan.

2
Q

NIST 800-61r2

A

NIST Special Publication 800-61 Revision 2, the Computer Security Incident Handling Guide (2012), provides guidelines for incident handling, particularly for analysing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications. (Revision 3, published in 2025, reorganised the guidance around the NIST Cybersecurity Framework 2.0; the life-cycle phases in these cards are those of Revision 2.)

3
Q

CSIRC

A

Computer Security Incident Response Capability

To establish and maintain a CSIRC, NIST recommends creating:
- Policies
- Plans
- Procedures

4
Q

Policy Elements

A

An incident response policy details how incidents are to be handled, based on the organisation's mission, size, structure and functions, and should be reviewed regularly so that it stays aligned with the organisation's goals.

Policy elements include the following:

  • Statement of management commitment
  • Purpose and objectives of the policy
  • Scope of the policy
  • Definition of computer security incidents and related terms
  • Organisational structure and definition of roles, responsibilities, and levels of authority
  • Prioritisation of severity ratings of incidents
  • Performance measures
  • Reporting and contact forms
5
Q

Plan Elements

A

A good incident response plan helps to minimise damage caused by an incident. It also helps to make the overall incident response program better by adjusting it according to lessons learned. It will ensure that each party involved in the incident response has a clear understanding of not only what they will be doing, but what others will be doing as well.

Plan elements are as follows:

  • Mission
  • Strategies and goals
  • Senior management approval
  • Organisational approach to incident response
  • How the incident response team will communicate with the rest of the organisation and with other organisations
  • Metrics for measuring the incident response capability and its effectiveness
  • How the program fits into the overall organisation
6
Q

Procedure Elements

A

Procedures are the detailed steps taken during a response; they must be consistent with the incident response plan.

Procedure elements are as follows:

  • Technical processes
  • Techniques to be used
  • Forms to be filled out
  • Checklists to be followed

Together these make up the standard operating procedures (SOPs). SOPs should be detailed enough that staff who follow them keep the organisation's mission and goals in view, and they reduce the errors made by personnel working under the stress of incident handling.

It is important to share and practice these procedures, making sure that they are useful, accurate, and appropriate.

7
Q

Incident Response Stakeholders

A
  • Management
  • Information Assurance
  • IT Support
  • Legal Department
  • Public Affairs and Media Relations
  • Human Resources
  • Business Continuity Planners
  • Physical Security and Facilities Management
8
Q

CMMC

A

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed to evaluate and enhance the cybersecurity capabilities of organisations working with the U.S. Department of Defense (DoD). As originally published (CMMC 1.0, 2020) it consists of five certification levels, with increasing security requirements, and assesses organisations across 17 domains. The CMMC 2.0 model announced in November 2021 reduced this to three levels and 14 domains; the level cards below follow the original five-level model.

One of these domains is incident response, which involves:
- Planning
- Detecting
- Responding to
- Reviewing
- Testing responses to cybersecurity incidents.

The higher the CMMC level achieved, the more mature an organisation’s cybersecurity capabilities.

9
Q

Level 2

A

Establish an incident response plan that follows the NIST process. Detect, report, and prioritise events. Respond to events by following predefined procedures. Analyse the cause of incidents in order to mitigate future issues.

10
Q

Level 3

A

Document and report incidents to stakeholders that have been identified in the incident response plan. Test the incident response capability of the organisation.

11
Q

Level 4

A

Use knowledge of attacker tactics, techniques, and procedures (TTP) to refine incident response planning and execution. Establish a security operation center (SOC) that facilitates a 24/7 response capability.

12
Q

Level 5

A

Use accepted and systematic computer forensic data gathering techniques including the secure handling and storage of forensic data. Develop and use manual and automated real-time responses to potential incidents that follow known patterns.

13
Q

NIST Incident Response Life Cycle

A
  • Preparation
  • Detection and Analysis
  • Containment, Eradication and Recovery
  • Post-Incident Activities
14
Q

Preparation

A

The preparation phase in cybersecurity incident response involves creating and training the Computer Security Incident Response Team (CSIRT) and acquiring necessary tools and assets for incident investigation. This phase includes:

  • Establishing communication processes within the response team, including contact information for stakeholders, other CSIRTs, and law enforcement.
  • Setting up facilities for hosting the response team and the Security Operations Center (SOC).
  • Acquiring hardware and software for incident analysis and mitigation, such as forensic tools, servers, backup devices, etc.
  • Implementing controls based on risk assessments to reduce incident occurrences.
  • Validating the deployment of security hardware and software on user devices, servers, and network equipment.
  • Developing user security awareness training materials.
15
Q

Detection and Analysis

A

The Detection and Analysis Phase in incident response involves identifying and understanding security incidents. This phase includes:

  • Attack Vectors: Understanding the common ways incidents occur, such as through websites, email, loss or theft of equipment, impersonation, attrition (brute-force attacks such as password guessing or denial of service), improper usage by authorised users, or external/removable media.
  • Detection: Finding and recognising security incidents, which is often difficult. Signs come from automated sources (IDS/IPS alerts, antivirus, SIEM and log analysis) and from manual reports by users or third parties. Signs are categorised as “precursors” (a sign that an incident may occur in the future, such as web server log entries showing a vulnerability scanner) and “indicators” (a sign that an incident may be occurring now or has already occurred, such as a successful login following a burst of failures).
  • Analysis: Determining whether an indicator is genuine. Many indicators are inaccurate (an IDS false positive, a routine configuration change), and in large organisations the daily volume of alerts makes triage hard. Profiling networks and systems to establish a baseline of normal activity makes unusual changes easier to spot. The CSIRT must react quickly, following a predefined process and documenting each step.
  • Scoping: Determining the scope of an incident, including affected networks, systems, origins, and methods. This information guides subsequent actions like containment and deeper analysis.
  • Incident Notification: Notifying relevant stakeholders and external parties, such as the CIO, head of information security, incident response teams, legal, law enforcement, and others, depending on the incident’s nature and potential impact.
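The precursor/indicator distinction above is easiest to see on real events. The following is an added example (not part of the flashcards or of NIST 800-61) that runs simple detection logic over a constructed log sample: a scanner user agent in web logs is filed as a precursor, while a successful SSH login after repeated failures, a brute-force attempt that did not succeed, or a login from a source outside a profiled baseline of known admin addresses is filed as an indicator. The log lines, thresholds, scanner list and the `classify` function are all assumptions made for the example.

```python
"""Sort raw log events into NIST 800-61 'precursors' and 'indicators'.

Added example for the Detection and Analysis card. The log sample, the
regexes and the thresholds are constructed for illustration only.
"""
import re
from collections import Counter

# Constructed sample (syslog-style); addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T08:00:01 web01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5022
2024-03-01T08:00:02 web01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5023
2024-03-01T08:00:03 web01 sshd[101]: Failed password for root from 203.0.113.7 port 5024
2024-03-01T08:00:04 web01 sshd[101]: Failed password for root from 203.0.113.7 port 5025
2024-03-01T08:00:05 web01 sshd[101]: Failed password for root from 203.0.113.7 port 5026
2024-03-01T08:00:09 web01 sshd[101]: Accepted password for root from 203.0.113.7 port 5027
2024-03-01T08:01:00 web01 httpd: 198.51.100.9 "GET /wp-login.php" 404 "Nikto/2.1.6"
2024-03-01T08:01:01 web01 httpd: 198.51.100.9 "GET /phpmyadmin/" 404 "Nikto/2.1.6"
2024-03-01T08:05:00 web01 sshd[102]: Accepted publickey for deploy from 192.0.2.10 port 40000
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
HTTP_RE = re.compile(r'httpd: (\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"')
# Assumed list of user-agent substrings that identify scanning tools.
SCANNER_AGENTS = ("nikto", "sqlmap", "nmap", "masscan")


def classify(log_text, fail_threshold=5, baseline_sources=frozenset()):
    """Return {'precursors': [...], 'indicators': [...]} for the given log text.

    baseline_sources is the profiled set of addresses from which interactive
    logins are normal; anything else that logs in successfully is flagged.
    """
    failures = Counter()          # failed logins per source address
    succeeded = set()             # sources that later logged in successfully
    scanners_seen = set()         # sources already reported as scanners
    precursors, indicators = [], []

    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failures[m.group(2)] += 1
            continue
        if m := ACCEPTED_RE.search(line):
            user, src = m.groups()
            succeeded.add(src)
            if failures[src] >= fail_threshold:
                indicators.append(f"{src}: successful login as {user} after {failures[src]} failures")
            elif src not in baseline_sources:
                indicators.append(f"{src}: login as {user} from a source outside the profiled baseline")
            continue
        if m := HTTP_RE.search(line):
            src, _method, path, _status, agent = m.groups()
            if src not in scanners_seen and any(s in agent.lower() for s in SCANNER_AGENTS):
                scanners_seen.add(src)
                precursors.append(f"{src}: vulnerability scanner user agent {agent!r} (first path {path})")

    # A burst of failures with no success is still an attrition attempt.
    for src, n in failures.items():
        if n >= fail_threshold and src not in succeeded:
            indicators.append(f"{src}: {n} failed logins, no success (brute-force attempt)")
    return {"precursors": precursors, "indicators": indicators}


if __name__ == "__main__":
    result = classify(SAMPLE_LOG, baseline_sources=frozenset({"192.0.2.10"}))
    for kind in ("precursors", "indicators"):
        print(kind.upper())
        for item in result[kind]:
            print("  ", item)
```

Run as-is it reports one precursor (the Nikto scan from 198.51.100.9) and one indicator (root login from 203.0.113.7 after five failures); without the baseline argument the deploy login from 192.0.2.10 becomes a second indicator, which is the point of profiling normal activity first.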
16
Q

Containment, Eradication and Recovery

A

Containment Phase:
The Containment Phase in incident response involves taking immediate actions to limit the impact and spread of a security incident. Key aspects of this phase include:

1. Containment Strategy: Developing and enforcing a tailored strategy for each type of incident based on factors like implementation time, resource requirements, evidence preservation, potential impact on services, and strategy effectiveness. Experience and expertise play a crucial role in adapting containment beyond the initial strategy.

2. Evidence: Gathering and preserving evidence related to the incident is crucial for resolution and potential legal proceedings. Proper documentation of evidence handling, conforming to regulations, and maintaining a chain of custody are essential. Important documentation includes the location of evidence storage, identifying criteria, personnel involved in handling evidence, and timestamps.

3. Attacker Identification: While secondary to containment, identifying attackers can minimise the impact on critical assets and services. Steps to identify attackers include researching incident databases, validating the attacking host’s IP address (it may be spoofed, dynamically assigned, or belong to an innocent third party whose host was compromised), using internet search engines for additional information, and monitoring communication channels that attackers might use.
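The evidence requirements listed in point 2 (where the item is stored, how it is identified, who handled it, and when) are usually met with a chain-of-custody log. The following is an added example, not code from the flashcards or from NIST: it fingerprints an evidence item with SHA-256 and keeps a custody log in which each entry carries the hash of the previous one, so that editing an earlier entry is detectable. The `EvidenceRecord` class, its field names and the sample evidence bytes are assumptions made for the example.

```python
"""Hash-anchored evidence record with a tamper-evident chain-of-custody log.

Added example for the Containment card's evidence-handling point. The
class design and the sample data are constructed for illustration only.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceRecord:
    """One item of evidence plus its chain-of-custody entries.

    Every entry records who handled the item, what they did, where it was
    stored and when (UTC). Each entry also carries the hash of the previous
    entry (the evidence hash for the first one), so an altered entry breaks
    the chain when verify_chain() recomputes it.
    """

    def __init__(self, evidence_id, description, data, collected_by, location):
        self.evidence_id = evidence_id
        self.description = description
        self.sha256 = sha256_hex(data)      # identifying criterion for the item
        self.entries = []
        self.add_entry(collected_by, "collected", location)

    @staticmethod
    def _entry_hash(entry):
        # Canonical JSON so the same entry always hashes the same way.
        return sha256_hex(json.dumps(entry, sort_keys=True).encode())

    def add_entry(self, handler, action, location, note="", when=None):
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else self.sha256
        entry = {
            "seq": len(self.entries),
            "timestamp": when.isoformat(),
            "handler": handler,
            "action": action,
            "location": location,
            "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """True if every entry is intact and links to its predecessor."""
        prev = self.sha256
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or self._entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_evidence(self, data):
        """True if the bytes presented still match the hash taken at collection."""
        return sha256_hex(data) == self.sha256


if __name__ == "__main__":
    image = b"constructed stand-in for a disk image"   # constructed sample
    rec = EvidenceRecord("EV-2024-001", "workstation disk image", image,
                         collected_by="analyst.a", location="evidence locker 3")
    rec.add_entry("analyst.b", "checked out for analysis", "forensic workstation 2")
    rec.add_entry("analyst.b", "returned", "evidence locker 3", note="analysis complete")
    print("chain intact:", rec.verify_chain(), "evidence intact:", rec.verify_evidence(image))
    rec.entries[1]["handler"] = "someone.else"           # simulate a tampered entry
    print("chain intact after edit:", rec.verify_chain())
```

The hash chain detects edits to or deletion of an entry in the middle of the log, but not removal of the most recent entries, because nothing after them refers to their hash. In practice the latest entry hash should also be recorded somewhere the handlers cannot change, such as a signed or append-only log, and the original evidence should be kept read-only with the hash written on the storage label.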

Eradication, Recovery, Remediation Phase:
The Eradication, Recovery, and Remediation Phase in incident response follows containment and focuses on eliminating all effects of the security incident. Key elements of this phase are:

1. Eradication: Identifying all affected hosts and remediating the security incident. This involves eliminating malware infections, securing compromised user accounts, and addressing exploited vulnerabilities to prevent future incidents.

2. Recovery: Restoring affected hosts using clean backups or rebuilding them with installation media if backups are unavailable or compromised. Updating and patching operating systems and software, changing host and system passwords, and validating and upgrading network security, backup strategies, and security policies to prevent future attacks.

3. Remediation: Prioritising critical systems and operations for quick fixes while addressing vulnerabilities systematically. Focusing on preventing attackers from returning or launching similar attacks on additional resources. Continuous improvement in security practices and policies is essential to enhance overall resilience.
17
Q

Post-Incident Activities

A

The Post-Incident Activities phase in incident response occurs after the threat has been eradicated, and the organisation is in the process of recovering. This phase focuses on reflection, learning, and improving security practices.

Lessons-Based Hardening: Holding a “lessons learned” meeting to assess the effectiveness of the incident handling process and identify necessary improvements in security controls and practices. Key questions to address in this meeting include:

  • What exactly happened and when did it occur?
  • How did staff and management perform during the incident response?
  • Were documented procedures followed, and were they adequate?
  • What information was needed earlier in the response?
  • Were there any actions that may have hindered recovery?
  • What would be done differently in a similar incident in the future?
  • How can information sharing with other organisations be enhanced?
  • What corrective actions can be taken to prevent similar incidents?
  • What precursors or indicators should be monitored for in the future to detect similar incidents?
  • What additional tools or resources are required for detecting, analysing, and mitigating future incidents?

This phase provides an opportunity to reflect on the incident handling process, identify strengths and weaknesses, and implement improvements to enhance the organisation’s overall security posture. It ensures that valuable lessons are learned from the incident, leading to a more resilient security environment.