Summarize the importance of policies, processes, and procedures for incident response Flashcards

1
Q

Incident response plans

A

Specific procedures that must be performed if a certain type of event is detected or reported.

2
Q

Incident response process

A
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned
3
Q

Preparation

A

Preparation—make the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies creating incident response resources and procedures.

4
Q

Identification

A

Identification—from the information in an alert or report, determine whether an incident has taken place, assess how severe it might be (triage), and notify stakeholders.

5
Q

Containment

A

Containment—limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact on customers and business partners.

6
Q

Eradication

A

Eradication—once the incident is contained, remove the cause and restore the affected system to a secure state by applying secure configuration settings and installing patches.

7
Q

Recovery

A

Recovery—with the cause of the incident eradicated, the system can be reintegrated into the business process that it supports. This recovery phase may involve restoration of data from backup and security testing. Systems must be monitored more closely for a period to detect and prevent any recurrence of the attack. If the root cause was misidentified, the response process may have to iterate through further rounds of identification, containment, eradication, and recovery to effect a complete resolution.

8
Q

Lessons learned

A

Lessons learned—analyze the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. The outputs from this phase feed back into a new preparation phase in the cycle.

9
Q

Exercises

A

Tabletop
Walkthroughs
Simulations

10
Q

Tabletop

A

Tabletop—this is the least costly type of training. The facilitator presents a scenario and the responders explain what action they would take to identify, contain, and eradicate the threat. The training does not use computer systems. The scenario data is presented as flashcards.

11
Q

Walkthroughs

A

Walkthroughs—in this model, a facilitator presents the scenario as for a tabletop exercise, but the incident responders demonstrate what actions they would take in response. Unlike a tabletop exercise, the responders perform actions such as running scans and analyzing sample files, typically on sandboxed versions of the company’s actual response and recovery tools.

12
Q

Simulations

A

Simulations—a simulation is a team-based exercise, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. This type of training requires considerable investment and planning.

13
Q

Attack frameworks

A

MITRE ATT&CK
The Diamond Model of Intrusion Analysis
Cyber Kill Chain

14
Q

MITRE ATT&CK

A

As an alternative to the life cycle analysis implied by a kill chain, the MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrices provide access to a database of known TTPs. This freely available resource (attack.mitre.org) tags each technique with a unique ID (T1078 for Valid Accounts, for example) and places it in one or more tactic categories, such as initial access, persistence, lateral movement, or command and control. Unlike a kill chain, ATT&CK does not specify the sequence in which an adversary deploys any given tactic category; the matrix is a catalog of behaviors rather than an ordered chain.
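The "unique ID plus one or more tactic categories" structure above is exactly what the published ATT&CK data encodes. MITRE distributes the Enterprise matrix as a STIX 2 JSON bundle (https://github.com/mitre/cti, file enterprise-attack/enterprise-attack.json), in which every technique is an `attack-pattern` object whose `external_references` entry with `source_name` "mitre-attack" carries the T-number and whose `kill_chain_phases` list the tactics. The following is an added example, not MITRE's code and not from the original card: it builds a technique-to-tactics index from a constructed bundle in that shape (real technique IDs and names, made-up object ids) so it runs offline, and it skips revoked entries, which the real bundle keeps for reference.

```python
"""Build a technique -> tactics index from an ATT&CK STIX 2 bundle (added example)."""
from __future__ import annotations

import json


def _attack_pattern(num: int, tid: str, name: str, tactics: list[str], **extra) -> dict:
    """Constructed attack-pattern object in the shape of the published bundle."""
    obj = {
        "type": "attack-pattern",
        "id": f"attack-pattern--00000000-0000-4000-8000-{num:012d}",  # made-up id
        "name": name,
        "external_references": [
            {"source_name": "mitre-attack", "external_id": tid,
             "url": f"https://attack.mitre.org/techniques/{tid.replace('.', '/')}"}
        ],
        "kill_chain_phases": [
            {"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics
        ],
    }
    obj.update(extra)
    return obj


# Constructed sample bundle; the full dataset has hundreds of techniques.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _attack_pattern(1, "T1078", "Valid Accounts",
                        ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
        _attack_pattern(2, "T1078.004", "Cloud Accounts",
                        ["defense-evasion", "persistence", "privilege-escalation", "initial-access"],
                        x_mitre_is_subtechnique=True),
        _attack_pattern(3, "T1059", "Command and Scripting Interpreter", ["execution"]),
        _attack_pattern(4, "T1021", "Remote Services", ["lateral-movement"]),
        # Revoked techniques remain in the bundle for reference and must be skipped.
        _attack_pattern(5, "T1175", "Component Object Model and Distributed COM",
                        ["lateral-movement", "execution"], revoked=True),
        # Tactic and relationship objects share the bundle; they are not techniques.
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--00000000-0000-4000-8000-000000000006",
         "name": "Initial Access", "x_mitre_shortname": "initial-access"},
    ],
})


def load_techniques(bundle_json: str) -> dict[str, dict]:
    """Return {technique_id: {"name", "tactics", "subtechnique"}}, skipping revoked/deprecated."""
    techniques: dict[str, dict] = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = next((r["external_id"] for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        if tid is None:
            continue
        tactics = sorted({p["phase_name"] for p in obj.get("kill_chain_phases", [])
                          if p.get("kill_chain_name") == "mitre-attack"})
        techniques[tid] = {
            "name": obj["name"],
            "tactics": tactics,
            "subtechnique": bool(obj.get("x_mitre_is_subtechnique", False)),
        }
    return techniques


def techniques_for_tactic(techniques: dict[str, dict], tactic: str) -> list[str]:
    """Technique IDs filed under one tactic column of the matrix."""
    return sorted(tid for tid, t in techniques.items() if tactic in t["tactics"])


def multi_tactic_techniques(techniques: dict[str, dict]) -> list[str]:
    """Techniques that appear in more than one tactic column."""
    return sorted(tid for tid, t in techniques.items() if len(t["tactics"]) > 1)


def parent_technique(tid: str) -> str:
    """T1078.004 -> T1078; a plain technique ID maps to itself."""
    return tid.split(".")[0]


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_BUNDLE)
    for tid, t in sorted(techs.items()):
        print(tid, t["name"], t["tactics"])
    print("initial-access:", techniques_for_tactic(techs, "initial-access"))
    print("multi-tactic:", multi_tactic_techniques(techs))
```

The same loader works on the real bundle; the `revoked` and `x_mitre_deprecated` checks matter there because a detection mapped to a revoked ID such as T1175 silently stops matching current reports unless it is re-mapped to the replacement techniques.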

15
Q

The Diamond Model of Intrusion Analysis

A

The Diamond Model of Intrusion Analysis suggests a framework to analyze an intrusion event (E) by exploring the relationships between four core features: adversary, capability, infrastructure, and victim. These four features are represented by the four vertices of a diamond shape. Each event may also be described by meta-features, such as date/time, kill chain phase, result, and so on. Each feature is also assigned a confidence level (C), indicating data accuracy or the reliability of a conclusion or assumption assigned to the value by analysis.
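The practical use of the four vertices and their confidence levels is pivoting: starting from one known feature of an event and finding other events that share it, then reading those events in time order as an activity thread against a victim. The following is an added example, not from the original card or from the Diamond Model paper: it represents events with the four core features, a confidence level per feature, and the meta-features named above, and it pivots on shared infrastructure or capability while ignoring low-confidence matches. The events are constructed; the IP address is from the TEST-NET-3 documentation range.

```python
"""Diamond Model events with confidence levels and feature pivoting (added example)."""
from __future__ import annotations

from dataclasses import dataclass

VERTICES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class Feature:
    value: str
    confidence: float  # the model's confidence level (C) in this value, 0.0 to 1.0


@dataclass(frozen=True)
class Event:
    event_id: str
    adversary: Feature
    capability: Feature
    infrastructure: Feature
    victim: Feature
    # meta-features
    timestamp: str   # ISO 8601, UTC
    phase: str       # kill chain phase
    result: str      # success | failure | unknown

    def vertex(self, name: str) -> Feature:
        if name not in VERTICES:
            raise ValueError(f"not a core feature: {name}")
        return getattr(self, name)


def pivot(events: list[Event], vertex: str, value: str,
          min_confidence: float = 0.5) -> list[Event]:
    """Events whose `vertex` equals `value` with confidence >= min_confidence.

    Weak matches are excluded so that a low-confidence attribution (for example an
    address on a shared host) does not silently link unrelated activity.
    """
    return [e for e in events
            if e.vertex(vertex).value == value
            and e.vertex(vertex).confidence >= min_confidence]


def activity_thread(events: list[Event], victim: str) -> list[Event]:
    """All events against one victim in time order: the model's activity thread."""
    return sorted((e for e in events if e.victim.value == victim),
                  key=lambda e: e.timestamp)


def linked_victims(events: list[Event], seed: Event,
                   min_confidence: float = 0.5) -> list[str]:
    """Pivot from the seed event's infrastructure and capability to other victims."""
    found: set[str] = set()
    for vertex in ("infrastructure", "capability"):
        for e in pivot(events, vertex, seed.vertex(vertex).value, min_confidence):
            if e.victim.value != seed.victim.value:
                found.add(e.victim.value)
    return sorted(found)


# Constructed sample data (hypothetical hostnames and a documentation-range IP).
UNKNOWN = Feature("unknown", 0.0)
C2_IP = Feature("203.0.113.10", 0.9)
MACRO = Feature("invoice.docm macro dropper", 0.9)

SAMPLE_EVENTS = [
    Event("E1", UNKNOWN, MACRO, C2_IP, Feature("finance-ws-07", 1.0),
          "2024-05-01T09:12:00Z", "delivery", "success"),
    Event("E2", UNKNOWN, MACRO, C2_IP, Feature("finance-ws-07", 1.0),
          "2024-05-01T09:15:00Z", "command-and-control", "success"),
    Event("E3", UNKNOWN, UNKNOWN, C2_IP, Feature("hr-ws-02", 1.0),
          "2024-05-02T14:03:00Z", "command-and-control", "success"),
    # Same IP seen once in a NAT log for a shared host: weak evidence, low confidence.
    Event("E4", UNKNOWN, UNKNOWN, Feature("203.0.113.10", 0.3), Feature("eng-ws-11", 1.0),
          "2024-05-03T11:40:00Z", "unknown", "unknown"),
]

if __name__ == "__main__":
    for e in pivot(SAMPLE_EVENTS, "infrastructure", "203.0.113.10"):
        print(e.event_id, e.victim.value, e.phase)
    print("linked victims from E1:", linked_victims(SAMPLE_EVENTS, SAMPLE_EVENTS[0]))
```

Lowering `min_confidence` pulls E4 into the pivot; whether eng-ws-11 then belongs in scope is an analyst decision, which is why the confidence value travels with each feature rather than being discarded once the vertex is filled in.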

16
Q

Cyber Kill Chain

A

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Because each stage depends on the one before it, a defender who detects and disrupts any single stage breaks the chain, so controls and detections are mapped to stages.

17
Q

Stakeholder management

A

Trusted parties might include both internal and external stakeholders. It is not helpful for an incident to be publicized in the press or through social media outside of planned communications. Ensure that parties with privileged information do not release this information to untrusted parties, whether intentionally or inadvertently.

You need to consider obligations to report the attack. It may be necessary to inform affected parties during or immediately after the incident so that they can perform their own remediation. It may be necessary to report to regulators or law enforcement. You also need to consider the marketing and PR impact of an incident. This can be highly damaging and you will need to demonstrate to customers that security systems have been improved.

18
Q

Communication plan

A

Secure communication between the trusted parties of the CSIRT is essential for managing incidents successfully. It is imperative that adversaries not be alerted to detection and remediation measures about to be taken against them. It may not be appropriate for all members of the CSIRT to be informed about all incident details.

The team requires an “out-of-band” or “off-band” communication method that the adversary cannot intercept. Using corporate email or VoIP runs the risk that an adversary who already controls the network will read the response team's traffic. Cell phones are one obvious channel that does not depend on the corporate network, but cellular voice and SMS carry only voice and short text and are not end-to-end encrypted. For file and data exchange, there should be a messaging system with end-to-end encryption, such as Off-the-Record (OTR), Signal, or WhatsApp, or an external email system with message encryption (S/MIME or PGP). These need to use digital signatures and encryption keys from a system that is completely separate from the identity management processes of the network being defended, so that a compromised directory or certificate authority cannot be used to impersonate a team member.

19
Q

Disaster recovery plan

A

Disaster recovery plan—a disaster can be seen as a special class of incident where the organization’s primary business function is disrupted. Disaster recovery requires considerable resources, such as shifting processing to a secondary site. Disaster recovery will involve a wider range of stakeholders than less serious incidents.

20
Q

Business continuity plan

A

Business continuity plan (BCP)—this identifies how business processes should deal with both minor and disaster-level disruption. During an incident, a system may need to be isolated. Continuity planning ensures that there is processing redundancy supporting the workflow, so that when a server is taken offline for security remediation, processing can failover to a separate system. If systems do not have this sort of planned resilience, incident response will be much more disruptive.

21
Q

Continuity of operations planning (COOP)

A

Continuity of Operation Planning (COOP)—this terminology is used for government facilities, but is functionally similar to business continuity planning. In some definitions, COOP refers specifically to backup methods of performing mission functions without IT support.

22
Q

Incident response team

A
Legal—it is important to have access to legal expertise, so that the team can evaluate incident response from the perspective of compliance with laws and industry regulations. It may also be necessary to liaise closely with law enforcement professionals, and this can be daunting without expert legal advice.
Human Resources (HR)—incident prevention and remediation actions may affect employee contracts, employment law, and so on. Incident response requires the right to intercept and monitor employee communications.
Marketing—the team is likely to require marketing or public relations input, so that any negative publicity from a serious incident can be managed.
23
Q

Retention policies

A

Retention policy is also important for retrospective incident handling, or threat hunting. A retention policy for historic logs and data captures sets the period over which these are retained. You might discover indicators of a breach months or years after the event. Without a retention policy to keep logs and other digital evidence, it will not be possible to investigate further. The retention period is a floor, not a schedule: when an incident or legal matter is opened, routine deletion for the affected sources must be suspended (a hold) until the investigation releases them.
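The two checks a practitioner wants from a retention policy are that routine pruning never touches data under hold, and that before starting a hunt you can tell whether evidence from the indicator's date still exists. The following is an added example, not from the original card: it plans pruning per log source against assumed retention periods, exempts held sources, and reports how far back a source's evidence reaches. The retention values and the log files are constructed for illustration, not taken from any standard or real system.

```python
"""Log retention enforcement with holds and hunting-coverage check (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values in days, per log source; anything unlisted gets the default.
RETENTION_DAYS = {"auth": 365, "edr": 365, "firewall": 180, "dns": 90}
DEFAULT_RETENTION_DAYS = 30


@dataclass(frozen=True)
class LogFile:
    path: str
    source: str
    oldest_entry: datetime  # timestamp of the first record in the file
    newest_entry: datetime  # timestamp of the last record in the file


@dataclass(frozen=True)
class PruningPlan:
    delete: list[str]    # past retention and not held
    held: list[str]      # past retention but preserved by an incident/legal hold
    retained: list[str]  # still inside the retention window


def retention_cutoff(source: str, now: datetime) -> datetime:
    """Records newer than this must be kept for `source`."""
    return now - timedelta(days=RETENTION_DAYS.get(source, DEFAULT_RETENTION_DAYS))


def plan_pruning(files: list[LogFile], now: datetime,
                 holds: frozenset[str] | set[str] = frozenset()) -> PruningPlan:
    """Decide the fate of each file.

    A file is prunable only when even its newest record is older than the cutoff,
    so a file that straddles the cutoff is kept whole. `holds` may name sources
    or exact paths; a hold always wins over age.
    """
    delete, held, retained = [], [], []
    for f in files:
        if f.newest_entry >= retention_cutoff(f.source, now):
            retained.append(f.path)
        elif f.source in holds or f.path in holds:
            held.append(f.path)
        else:
            delete.append(f.path)
    return PruningPlan(sorted(delete), sorted(held), sorted(retained))


def apply_plan(files: list[LogFile], plan: PruningPlan) -> list[LogFile]:
    """The inventory that remains once the plan's deletions are carried out."""
    doomed = set(plan.delete)
    return [f for f in files if f.path not in doomed]


def coverage_start(files: list[LogFile], source: str) -> datetime | None:
    """Oldest record still held for `source`, or None if nothing is held at all."""
    starts = [f.oldest_entry for f in files if f.source == source]
    return min(starts) if starts else None


def can_investigate(files: list[LogFile], source: str, indicator_time: datetime) -> bool:
    """True if evidence for `source` reaches back to when the indicator occurred."""
    start = coverage_start(files, source)
    return start is not None and start <= indicator_time


# Constructed inventory; paths and dates are illustrative.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
SAMPLE_FILES = [
    LogFile("auth/2023-01.log", "auth",
            datetime(2023, 1, 1, tzinfo=UTC), datetime(2023, 1, 31, tzinfo=UTC)),
    LogFile("auth/2024-05.log", "auth",
            datetime(2024, 5, 1, tzinfo=UTC), datetime(2024, 5, 31, tzinfo=UTC)),
    LogFile("dns/2024-01.log", "dns",
            datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 1, 31, tzinfo=UTC)),
    LogFile("firewall/2024-04.log", "firewall",
            datetime(2024, 4, 1, tzinfo=UTC), datetime(2024, 4, 30, tzinfo=UTC)),
    # "proxy" has no explicit policy entry, so it falls to the 30-day default.
    LogFile("proxy/2024-04.log", "proxy",
            datetime(2024, 4, 1, tzinfo=UTC), datetime(2024, 4, 30, tzinfo=UTC)),
]

if __name__ == "__main__":
    plan = plan_pruning(SAMPLE_FILES, NOW, holds={"dns"})
    print("delete:", plan.delete)
    print("held:", plan.held)
    print("retained:", plan.retained)
    when = datetime(2023, 1, 15, tzinfo=UTC)
    print("auth evidence for 2023-01-15:", can_investigate(SAMPLE_FILES, "auth", when))
```

The proxy source shows the failure mode the policy is meant to prevent: a source nobody classified inherits the short default and its evidence disappears first, so an unlisted source should be treated as a policy gap to fix, not as a deliberate 30-day decision.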