Section 31 - Incident Response Procedures Flashcards
What is an incident response?
A set of procedures that an investigator follows when they’re examining a computer security incident.
What are the six basic phases of an incident response procedure?
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
What happens during the preparation phase of an incident response?
Step 1
During this phase, your organization ensures that it has a well-planned incident response procedure, a strong security posture, and a knowledgeable chief information security officer who is able to limit the damage to data and to the company's reputation if an incident occurs.
What happens during the “identification” phase of an incident response?
Step 2
This is the process of recognizing whether an event is actually going to be categorized as an incident or not.
What happens during the “containment” phase of an incident response?
Step 3
This is focused on isolating the incident or problem.
What happens during the “eradication” phase of an incident response?
Step 4
This is the phase where we’re going to remove the threat or attack.
What happens during the “recovery” phase of an incident response?
Step 5
This is focused on making sure we do data restoration, system repair, and re-enabling any servers or networks that we took offline during our incident response.
What happens during the “lessons learned” phase of an incident response?
Step 6
This is the process we use to document the incident response and to make any changes to the procedures and processes we used, so that we do better next time.
What is an incident response team?
The key people available to respond to any incident that meets the severity and priority thresholds that are set out by your incident response plan, because not everything that you run into is going to require you to activate the whole team.
What are the positions on an incident response team?
Incident Response Manager/Team Lead
Security Analyst
Threat Researcher
Cross Functional Support
What is the role of an incident response manager/team lead?
This person is going to oversee and prioritize actions during the detection, analysis and containment of an incident.
What is the role of a security analyst?
These people play detective in order to determine what happened up to this point.
Security analysts may be assigned into two categories. What are these?
Triage analyst - assigned to work on the network during the incident response. They filter out false positives by properly configuring IDS/IPS as well as performing ongoing monitoring and analysis.
Forensic analyst - Focused on the detective work and trying to piece together what has already occurred on the network. They focus on recovering key artifacts and evidence to build a timeline of events.
What is the role of a threat researcher?
They complement your analysts by providing threat intelligence and overall context during the incident response. They work to stay up to date on current threats and on previous incidents that have occurred.
What is the role of cross-functional support?
This includes people from management or the executive team, someone from human resources, technical experts, an attorney or lawyer, or even public relations.
*** Anyone who comes from outside the incident response team itself and across the entire organization
Your incident response team is often known as a…?
CSIRT
Computer Security Incident Response Team
They should be your single point of contact for security incidents
What is an out-of-band communication system?
Where the signals between two parties or two devices are sent via a path or method that is different from the primary communication channel between them.
*** Often this is established as a backup method to communicate in case your primary means has been compromised.
What is an example of an out-of-band communication system?
WhatsApp
Signal
Off-the-Record
These apps have a messaging system with end-to-end encryption so no attacker can see the information being exchanged.
What is an escalation procedure?
This is the procedure you follow to determine at what point you should call in your incident response team.
What is a SIEM?
Security Information and Event Monitoring System
Through a multitude of different data sources, this provides us with real-time analysis of security alerts that are generated by applications and network hardware.
When talking about a SIEM, the first thing we have to think about is…?
Our sensor
This is the actual endpoint that’s being monitored. The sensor can feed data up into the SIEM.
Another thing we have to think about with our SIEMs is their…?
Sensitivity
This is focused on how much or how little you are going to be logging.
By using a SIEM and its graphical ability to look across logs, we can start seeing ___ in our network.
Trends
Inside the SIEM, we can set it up so there’s certain ___ that happen based on certain parameters.
alerts