SECOPS 13: Incident Response Plan

Question 1

IR Plan questions (4)

Answer 1

Assets to protect?
Threats to assets?
How are threats detected?
Response to threats?

Question 2

IR Lifecycle (7)

Answer 2

Preparation
Identification
Analysis
Containment
Eradication/Recovery
Lessons Learned
Reporting

Question 3

Preparation phase

Answer 3

Get ready to handle an incident

Question 4

Identification phase

Answer 4

Monitoring and hunting

Question 5

Analysis phase

Answer 5

Preform analysis and determine scope

Question 6

Containment phase

Answer 6

Determine best containment steps.

Hardest decision

Question 7

Eradication and Recovery

Answer 7

Find root cause and clean it up (hardening, etc.).

Question 8

Lessons learned

Answer 8

How and why? Conduct FMEA

Question 9

FMEA

Answer 9

Failure Mode and Effects Analysis. Qualitative tool in a spreadsheet documenting what might go wrong.

Question 10

Reporting phase

Answer 10

IR Team notifies appropriate individuals

Question 11

Attrition attack vector

Answer 11

Brute force. DDOS

Question 12

Improper usage

Answer 12

Incident from violation of AUP.

Question 13

Impersonation attack vector

Answer 13

Replacing something benign with something malicious. Spoofing, MITM, rogue wireless, some SQL injection

Question 14

US-CIRT reporting Testing (CAT and time)

Answer 14

CAT 0. n/a

Question 15

US-CIRT reporting Unauthorized Access (Cat and time)

Answer 15

CAT 1. 1 Hour

Question 16

US-CIRT reporting DOS (Cat and time)

Answer 16

CAT 2. 2 hours if ongoing

Question 17

US-CIRT reporting Malicious code (Cat and time)

Answer 17

CAT 3. 1 hour if widespread

Question 18

US-CIRT reporting Improper Usage (Cat and time)

Answer 18

CAT 4. Weekly

Question 19

US-CIRT reporting Scans\Probes\Attempted Access. (CAT and time)

Answer 19

CAT 5. Monthly or 1 hour for classified

Question 20

US-CIRT reporting Investigation (Cat and time)

Answer 20

CAT 6. n/a