Security - Incident Response Flashcards
What are the three types of incident detection methods?
- Passive - discovered when not actively looking for it, like when performing maintenance on a computer or reviewing network log files. Passive detection helps determine what and how a security incident happened.
- Active - actively looking for threats, like IDS is looking for threats. Active detection helps discover security incidents as they are occurring.
- Proactive - pentesting or threat hunting. It’s an important part of a security plan and should be an ongoing practice.
Who is the first responder?
The person or team that should be immediately notified when a security incident is discovered. The first responder is responsible for securing the affected systems and collecting all evidence. And stopping the threat.
What are the steps to take in an incident response?
- Gather evidence
- Establish the chain of custody
- Report the incident
- Follow-up
What are the first steps of the Gathering of Evidence phase in an incident response?
- Interview any witnesses.
- Take pictures of screens, error messages, and physical damage.
- Take detailed notes of the time, location, and details of the incident.
What is the Order of Volatility and during what phase of an incident response is it done?
It’s done during the Gathering of Evidence phase.
- Copy RAM to an external drive
- Copy Swap file to an external drive
- Back up active network connections, browser history, and any evidence that a system was exploited to an external drive.
- File evidence - back up prohibited content, suspicious files, application files, and everything saved on the file system to an external drive.
What is the last step in the Gathering of Evidence phase of an incident response?
Create an evidence grade sector-by-sector of the hard drive. The first responder should then use a write-blocker on the original hard drive to prevent changes to it.
What happens during establishing the chain of custody phase in incident response?
The chain of custody should document:
- System information including serial number, make, and model.
- Each instance of someone accessing the evidence. The documentation should include who accessed it, why it was accessed, what was done with it, and how it was secured again.
If the chain of custody is broken, the evidence will not be allowed in a court of law since it can no longer be proven that the evidence is unaltered.
What happens during the Reporting the Incident phase of an incident response?
The first responder reports the incident to the proper authorities as outlined in the security plan. This can be law enforcement or an internal security team.
The first responder’s goal is to gather the evidence to establish the:
1. Who
2. What
3. When
4. Where
5. How
6. Why (if possible)
The authorities then take over the investigation to fill in the details.
What happens during the Follow-Up phase of an incident response?
- Get operations back to normal and minimize the impact on production. This might involve replacing a workstation or re-configuring an affected server. Every incident requires unique solutions.
- Remediate all affected systems.
- Clear all traces of the incident.
- Verify that all affected systems are working properly.
-Implement changes necessary to prevent a repeat of the security incident.
- Document all changes. - Schedule a hot-wash meeting to review the incident and steps for remediation. Make recommendations to prevent the incident from occurring again or to improve the organization’s response.
