Section 24.228 Incident Response & Incident Response Process Flashcards
Objective 4.8 Explain appropriate incident response activities
Incident Response
Systematic approach to managing and mitigating security incidents
Aim:
● Minimise impact
● Reduce detection and containment time
● Facilitate recovery
Incident Response Key Steps
● Detection
● Classification
● Containment
● Eradication
● Evidence preservation
● Communication
● Lessons learned
Incident Response Process
Incident
An act (or an imminent threat of one) that violates a security policy
Phases of Incident Response
NIST (National Institute of Standards and Technology) defines a four-phase incident response life cycle in SP 800-61, the Computer Security Incident Handling Guide
● Preparation
● Detection and Analysis
● Containment, Eradication and Recovery
● Post-Incident Activity
■ In the CompTIA model, “Detection and Analysis” is divided into two phases (Detection; Analysis) and “Containment, Eradication, and Recovery” is divided into three (Containment; Eradication; Recovery), creating a seven-phase model
USE 7 PHASES FOR EXAM
Seven Phases of Incident Response
Preparation
Gets an organisation ready for future incidents
● Focuses on making systems resilient to attacks by hardening systems and networks
● Involves creating policies, procedures, and a communication plan
Seven Phases of Incident Response
Detection
Determines if a security incident has occurred
● Identifies a security incident
● Cybersecurity and triage analysts play a vital role in assessing incident severity
Seven Phases of Incident Response
Analysis
Thoroughly examines and evaluates the incident
● Provides insights into the incident’s scope and impact
● Notifies stakeholders and initiates containment
Seven Phases of Incident Response
Containment
Limits the incident’s scope by securing data and minimising business impact
● Prevents the spread of malicious activity
Seven Phases of Incident Response
Eradication
● Starts after containment and focuses on removing malicious activity from systems or networks
● May involve reimaging affected systems
Seven Phases of Incident Response
Recovery
Restores affected systems and services to a known-good, secure state
● Includes restoring from backups, patching, and updating configurations
● Ensures resilience against future threats
Seven Phases of Incident Response
Post-Incident Activity
Lessons learned
Occurs after containment, eradication, and recovery
● Identifies the initial incident source and improvements to prevent future incidents
Involves:
○ Root cause analysis
○ Lessons learned
○ After-action report
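The seven phases above are sequential: eradication starts only after containment, and post-incident activity only after containment, eradication and recovery. The following is an added example, not part of the original flashcards, showing a small incident record that enforces that ordering and reports the two timings the card says incident response aims to reduce (time to detect, time to contain). The incident name, timestamps and the helper functions are constructed for illustration only.

```python
"""Added example (not from the flashcards): an incident record that enforces the
seven-phase order and computes time-to-detect / time-to-contain.
All incident names and timestamps below are constructed, not real events."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The seven phases in the order the CompTIA model uses. A phase may only be
# entered once the phase before it has been entered (eradication after
# containment, recovery after eradication, lessons learned last).
PHASES = (
    "preparation",
    "detection",
    "analysis",
    "containment",
    "eradication",
    "recovery",
    "lessons_learned",
)


@dataclass
class Incident:
    """Tracks when each phase of one incident was entered."""
    name: str
    started_at: datetime            # when the malicious activity began (assumed known)
    entered: dict[str, datetime] = field(default_factory=dict)

    def enter(self, phase: str, when: datetime) -> None:
        """Record entering a phase, refusing any out-of-order transition."""
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase}")
        idx = PHASES.index(phase)
        # Preparation precedes the incident; every later phase needs its
        # predecessor to have been entered, and not in the future.
        if idx > 0:
            previous = PHASES[idx - 1]
            if previous not in self.entered:
                raise ValueError(f"{phase} cannot start before {previous}")
            if when < self.entered[previous]:
                raise ValueError(f"{phase} timestamp precedes {previous}")
        self.entered[phase] = when

    def time_to_detect(self) -> timedelta:
        """Dwell time: from the start of malicious activity to detection."""
        return self.entered["detection"] - self.started_at

    def time_to_contain(self) -> timedelta:
        """From detection to containment (the spread of the incident is stopped)."""
        return self.entered["containment"] - self.entered["detection"]


def sample_incident() -> Incident:
    """Constructed timeline for a hypothetical incident INC-0001."""
    t0 = datetime(2024, 3, 4, 8, 0)
    inc = Incident(name="INC-0001 (hypothetical)", started_at=t0)
    inc.enter("preparation", t0 - timedelta(days=30))   # hardening, playbooks in place
    inc.enter("detection", t0 + timedelta(hours=6))
    inc.enter("analysis", t0 + timedelta(hours=7))
    inc.enter("containment", t0 + timedelta(hours=8))
    inc.enter("eradication", t0 + timedelta(hours=12))  # reimage affected hosts
    inc.enter("recovery", t0 + timedelta(days=1))       # restore, patch, reconfigure
    inc.enter("lessons_learned", t0 + timedelta(days=5))
    return inc


def rejects_out_of_order() -> bool:
    """Shows the ordering check: eradication before containment is refused."""
    inc = Incident(name="INC-0002 (hypothetical)", started_at=datetime(2024, 3, 4, 8, 0))
    inc.enter("preparation", datetime(2024, 2, 1))
    inc.enter("detection", datetime(2024, 3, 4, 9, 0))
    try:
        inc.enter("eradication", datetime(2024, 3, 4, 10, 0))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    inc = sample_incident()
    print(inc.name, "time to detect:", inc.time_to_detect(),
          "time to contain:", inc.time_to_contain())
    print("out-of-order phase rejected:", rejects_out_of_order())
```

In practice the timestamps come from the ticketing or SOAR platform rather than being typed in; the point of the ordering check is that a record claiming eradication or recovery without a containment entry is flagged immediately, and the two durations give the metrics the lessons-learned review compares against earlier incidents.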
Post-Incident Activity
Root cause analysis
Steps:
● Define/scope the incident
● Determine the causal relationships that led to the incident
● Identify an effective solution
● Implement and track the solutions
Post-Incident Activity
Lessons learned
Document experiences during incidents in a formalised way
Post-Incident Activity
After-action report
Collects formalised information about what occurred
Incident Response Team
The core team
The core team includes cybersecurity professionals with incident response experience
● Temporary members may be added as needed (e.g., database administrators)
■ Large organisations have full-time incident response teams
● Smaller organisations form temporary teams for specific incidents