Section 5: Incident Response Flashcards

1
Q

Cat 4 incident

A

Improper Usage

Authenticates identity of sender and receiver to ensure privacy of message contents (including attachments)

Reporting time frame:
Weekly

2
Q

Disaster recovery plan (DRP)

A

A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster.

3
Q

Examples of an incident

A
  • Multiple failed login attempts from an unfamiliar system
  • Denial of service
  • Changes to hardware or software without owner’s consent
4
Q

Investigation

A

Capability if identifying an adversary is required

5
Q

Mitigation & Recovery

A

Procedures to contain the incident, reduce losses and return operations to normal

6
Q

Incident Recovery

A

This phase ensures that affected systems or services are restored to a condition specified in the service delivery objectives (SDO) or business continuity plan (BCP). The time constraint up to this phase is documented in the recovery time objectives (RTO).

Activities in this phase include:
• Restore operations to normal
• Verify that actions taken on restored systems were successful
• Get system owners to test the system
• Help system owners declare normal operation

7
Q

SEM

A

Automatically aggregate and correlate security event log data across multiple security devices. This allows security analysts to focus on a manageable list of critical events.

Security incidents are often made up of a series of events that occur throughout a network. By correlating data, the SEM can take many isolated events and combine them to create one single relevant security incident. These systems use either rule-based or statistical correlation. Rule-based correlations create situation-specific rules that establish a pattern of events. Statistical correlation uses algorithms to calculate threat levels incurred by relevant events on various IT assets

8
Q

Computer emergency response team (CERT)

A

A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.

9
Q

Computer security incident response team (CSIRT)

A

A team established within an enterprise to respond to computer security incidents.

10
Q

Cybersecurity disaster

A

A cybersecurity-related disaster may occur when a disruption in service is caused by system malfunctions, accidental file deletions, untested application releases, loss of backup, network DoS attacks, intrusions or viruses. These events may require action to recover operational status in order to resume service. Such actions may necessitate restoration of hardware, software or data files.

11
Q

Business Continuity Plan Phases

A
  1. Prepare Business Impact Analysis (BIA)
  2. Identify and prioritize required resources
  3. Choose strategy to recover critical IS facilities
  4. Develop Disaster Recovery Plan
  5. Develop Business Continuity Plan
  6. Train staff and test plans
  7. Maintain plans
  8. Store plans for ease of access despite network failure
  9. Audit the plans
12
Q

Full backups

A

Provide a complete copy of every selected file on the system, regardless of whether it was backed up recently. This is the slowest backup method but the fastest method for restoring data.

13
Q

Incremental backups

A

Copy all files that have changed since the last backup was made, regardless of whether the last backup was a full or incremental backup. This is the fastest backup method but the slowest method for restoring data.

14
Q

Differential backups

A

Copy only the files that have changed since the last full backup. The file grows until the next full backup is performed.

15
Q

Emergency

A

Generally suggests a serious local incident, requiring management attention.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Disaster

A

Suggests a much larger level of impact or damage. Declaring a disaster often invokes fallback plans.

17
Q

Crisis

A

More serious and implies that a major incident is spiraling out of control and growing in severity. If a company crisis team decides to meet, it is a very serious situation.

18
Q

Incident

A

A violation or imminent threat to computer security policies, acceptable use policies, or standard security practices. (NIST definition).

  • Attempted or successful unauthorized access, use, disclosure, modification or loss of information or interference with system or network operations
  • The activity of a human threat agent
  • Anything disruptive, including a court order for discovery of electronic information or disruption from a natural disaster
19
Q

Cat 1 incident

A

Unauthorized access

Individual gains logical or physical access without permission to a network, system, application, data or other resource

Reporting time frame:
Within 1 hour of discovery / detection

20
Q

Cat 2 incident

A

Denial of service (DoS)

An attack that successfully prevents or impairs normal authorized functionality of networks, systems or applications by exhausting resources

Reporting time frame:
Within 2 hours of discovery / detection (if the successful attack is still ongoing)

21
Q

Cat 3 incident

A

Malicious code

Successful installation of malicious software (e.g., virus, worm, Trojan horse or other code-based malicious entity) that infects an operating system or application

Reporting time frame:
Daily; Within 1 hour of discovery / detection if widespread

22
Q

Cat 5 incident

A

Scans/probes/attempted access

Any activity that seeks to access or identify a computer, open ports, protocols, service or any combination of the above

Reporting time frame:
Monthly

23
Q

Cat 6 incident

A

Investigation

Unconfirmed incidents that are potentially malicious or anomalous activity

Reporting time frame:
n/a

24
Q

Incident Response

A

A formal program that prepares an entity for an incident. The response of an enterprise to a disaster or other significant event that may significantly affect the enterprise, its people, or its ability to function productively.
An incident response may include evacuation of a facility, initiating a disaster recovery plan (DRP), performing damage assessment, and any other measures necessary to bring an enterprise to a more stable status.

25
Q

Phases of Incident Response

A
  1. Preparation
  2. Detection & Analysis
  3. Investigation
  4. Mitigation & Recovery
  5. Post Incident Analysis
26
Q

Preparation

A

To establish roles, responsibilities and plans for how an incident will be handled

  • Establish approach to handling incidents
  • Establish policy and warning banners to deter intruders and allow information collection
  • Establish communication plan with stakeholders
  • Develop incident reporting criteria
  • Develop process to activate the incident management team
  • Establish secure location to execute the incident response plan
  • Ensure equipment needed is available
27
Q

Detection & Analysis

A

Capabilities to identify incidents as early as possible and effectively assess the nature of the incident

Identification
• Assign ownership to an incident handler
• Verify reports or events qualifying as incidents
• Establish chain of custody
• Determine incident severity and escalate as necessary

28
Q

Post Incident Analysis

A

To determine corrective actions to prevent similar incidents in the future

29
Q

Containment

A

After an incident has been identified and confirmed, the IMT is activated and information from the incident handler is shared. The team will conduct a detailed assessment and contact the system owner or business manager of the affected information systems/assets to coordinate further action. The action taken in this phase is to limit the exposure.

Activities in this phase include:
• Activate incident management/response team and notify appropriate stakeholders
• Obtain agreement on actions taken that may affect availability
• Get IT representative and relevant virtual team members to implement containment procedures
• Obtain and preserve evidence
• Document actions
• Control and manage communication to the public

30
Q

Eradication

A

When containment measures have been deployed, it is time to determine the root cause of the incident and eradicate it. Eradication can be done in a number of ways: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause.

Activities in this phase include:
• Determine signs and cause of incidents
• Locate most recent version of backups or alternative solutions
• Remove root cause
• Improve defenses by implementing protection techniques
• Perform vulnerability analysis

31
Q

Lessons Learned

A

At the end of the incident response process, a report should always be developed to share what occurred, what measures were taken and the results after the plan was executed. Part of the report should contain lessons learned that provide the incident management team (IMT) and other stakeholders valuable learning points of what could have been done better. These lessons should be developed into a plan to enhance the incident management capability and the documentation of the incident response plan.

Activities in this phase include:
• Write incident report
• Analyze issues encountered during incident response efforts
• Propose improvements
• Present report to relevant stakeholders

32
Q

SIEM

A

Security incident and event management (SIEM) systems take the SEM capabilities and combine them with the historical analysis and reporting features of security information management (SIM) systems.

33
Q

Service delivery objective (SDO)

A

Directly related to the business needs, it’s the level of services to be reached during the alternate process mode until the normal situation is restored.

34
Q

Business Continuity and Disaster Recovery

A

When it comes to disaster recovery, the number one priority is ensuring the safety and security of human life. This might include plans for drills, evacuation plans and on-site shelters. Once human safety plans are in place, the additional purpose of business continuity planning (BCP)/disaster recovery planning (DRP) is to enable a business to continue offering critical services in the event of a disruption and to survive a disastrous interruption to activities. Rigorous planning and commitment of resources are necessary to adequately plan for such an event.

35
Q

Business Impact Analysis (BIA)

A

Based on the key processes, the analysis should begin by determining the time frames, priorities, resources and interdependencies that support those key processes. Business risk is directly proportional to the impact on the organization and the probability of occurrence of the perceived threat.

Thus, the result of the BIA should be the identification of the following:
• The human resources, data, infrastructure elements and other resources (including those provided by third parties) that support the key processes
• A list of potential vulnerabilities—the dangers or threats to the organization
• The estimated probability of the occurrence of these threats
• The efficiency and effectiveness of existing risk mitigation controls (risk countermeasures)

36
Q

Critical Recovery Time Period

A

To evaluate the impact of downtime for a particular process/application, the impact bands are developed (i.e., high, medium, low) and, for each process, the impact is estimated in time (hours, days, weeks). The same approach is used when estimating the impact of data loss.

37
Q

Recovery point objectives (RPO)

A

Acceptable data loss in case of a disruption of operations. Indicates the earliest point in time to which it is acceptable to recover data. In other words, it is the last known point of good data. To ensure an effective incident management plan or disaster recovery plan, the RTO and RPO must be closely linked.

38
Q

Recovery time objectives (RTO)

A

Amount of time allowed for the recovery of a business function or resource after a disaster occurs. It is usually determined based on the point where the ongoing cost of the loss is equal to the cost of recovery.

39
Q

Types of Cybersecurity Incidents

A
Cat 1: Unauthorized access
Cat 2: Denial of service (DoS)
Cat 3: Malicious code
Cat 4: Improper Usage
Cat 5: Scans/probes/attempted access
Cat 6: Investigation