Week 6 Flashcards
Incident
A violation (or threat of violation) of your computer security policies or standard security practices. Some common examples include distributed denial of service (DDoS) attacks.
They are a subset of events defined as any observable occurrence in a system or network.
Incident Response (IR)
The process of managing and containing the aftermath of a security incident.
The goal is to minimize the damage caused by the incident, restore normal operations as quickly as possible, and prevent similar incidents from happening in the future.
Incident Response Stages
Preparation,
Identification,
Containment,
Eradication,
Recovery,
Lessons Learned;
Preparation (IR)
This phase involves developing an incident response plan, identifying key stakeholders, and training personnel on how to respond to incidents.
Every security team should be prepared for an incident.
Identification (IR)
This is the first step in incident response.
In this phase, the incident is identified, usually through monitoring and logging systems, and an initial assessment is made of the scope and nature of the incident.
Containment (IR)
This is the second step. Once the incident has been identified, the focus shifts to containing the damage and preventing the incident from spreading.
This might involve shutting down systems, disconnecting affected devices from the network, or blocking access to malicious domains or IP addresses.
Eradication (IR)
This phase involves identifying and removing the source of the incident.
This might involve cleaning up malware, patching vulnerabilities, or restoring backups.
Recovery (IR)
After the incident has been contained and eradicated, the focus shifts to restoring normal operations and services.
This might involve bringing systems and applications back online, testing to ensure they are working properly, and communicating with users and stakeholders about the incident.
Lessons Learned (IR)
In this phase, the incident is reviewed to determine what went well and what could be improved.
The incident response team will document lessons learned and make recommendations for future incident response.
Roles within an Incident Response Team
SOC analysts,
Malware reversal engineers,
Forensic experts,
Incident response managers,
Security analysts,
Threat researchers,
Other stakeholders,
Third parties.
Incident Response Plan (IRP)
A document that outlines the steps an organization will take when responding to a security incident.
It typically includes information on the roles and responsibilities of different team members, the procedures for responding to different types of incidents, and the communication protocols that will be used during an incident.
What types of incidents can occur?
Malicious code,
D/DOS,
Phishing,
Unauthorized access,
Insider threat,
Data breach,
Targeted attack (often encompassing several of the above categories);
Incident: Ransomware Signs
Files became encrypted in real-time,
Computer became locked denying the user access to its device,
Web browser became locked;
Incident: Tools to analyze suspicious emails
Phishing Email Analysis Tools,
URL/IP Reputation Check,
File/Attachment Analysis,
Whois Record;
Incident: Examine the logs
During incident response, it is important to examine logs to look out for possible Indicators of Compromise (IOCs).
There are several types of logs these days in most organization’s network environments:
Firewall,
Proxy,
DNS,
Windows,
Office 365 (admin access can see malicious email in recipients' mailboxes),
SIEM tools like Splunk, LogRhythm, and ArcSight;