WGU C842 (ECIH 212-89)


Items included in Incident Response

1. A step-by-step response plan to address the incident(s) in question
2. Ensuring minimum loss and disruption resulting from interruption in services
3. Preparing for handling future incidents through the lessons learned from current/past incidents
4. Legal preparedness for issues that arise while handling incidents

Policy can be defined by...

1. Attributes - Management approval | Usability
2. Content - Role identification | Glossary of terms
3. Validation - Use cases
4. Implementation, maintenance and enforcement - Feedback loops

Incident Identification Actions Taken

1. Audit log collection
2. Incident reporting and assessment
3. Collection and protection of system information
4. Incident severity level identified

Strategies for Addressing Risk

1. Avoidance
2. Acceptance
3. Mitigation
4. Transference

Two phases of Incident Investigation

1. Data Collection
2. Forensic Analysis

Incident Documentation

1. Description of the security breach
2. Details of the actions taken, such as:
   a. Who was involved with the incident
   b. Incident timeline
3. Root cause analysis of the incident

Four important elements of any security awareness and training programs

1. Designing and planning of the awareness and training program
2. Development of the awareness and training materials
3. Implementation of the awareness and training program
4. Measuring the effectiveness of the program and updating it as needed

Incident management activities

1. Development of policies and procedures to manage incidents
2. Vulnerability analysis
3. Intrusion detection
4. Incident detection and recording
5. Identification and training of qualified staff for handling security incidents
6. Assignment of roles and responsibilities to the incident response team
7. Incident classification
8. Initial incident support
9. Prioritization of incidents based on impact and urgency
10. Incident analysis
11. Security awareness training
12. System recovery after an incident
13. Monitoring, tracking, and communications about incidents
14. Information about incident management quality and support

Steps to Managing Risk

1. Establishing a Context - Provides the criteria on which the risk evaluation must be based; the risk analysis structure is defined here.
2. Risk Identification
3. Risk Analysis - Focuses on the determination of risk and the examination of the existing controls/countermeasures already in place. The level of risk is estimated by combining the effects and their probability of occurrence.
4. Risk Evaluation - The estimated risk levels are examined against the established criteria, which allows for prioritization of the risks.
5. Treating the Risks - Risk management plans are developed for the risk(s) with the highest priority, and low priority risks are monitored.
6. Monitor and Review
7. Communication and Consultation
Reference: csrc.nist.gov/publications/PubsSPs.html

Three areas of evidence

1. Host-based
2. Network-based
3. Other

Steps for Risk Assessment in the Workplace

1. Identify hazards
2. Determine who will be harmed and how
3. Analyze risks and check for precautions
4. Implement results of risk assessment
5. Review risk assessment

Incident Response Plan Purpose

1. Identify the scope and intensity of the incident
2. Safeguard sensitive information stored on the computer system
3. Secure the operational environment
4. Recover the systems affected by the incidents
5. Gather information to identify the occurrence of an incident
6. Take legal action against the offenders

Incident Response Team Roles

1. Incident Coordinator
2. Incident Manager
3. Incident Analyst
4. Constituency
5. Administration
6. Human Resources
7. Public Relations

Incident Response Team Members

1. Information Security Officer (ISO)
2. Information Technology Officer
3. Information Privacy Officer (IPO)
4. Network Administrator/System Administrator
5. Internal Auditor

Initial Response

1. Initial investigation
2. Storing the details of the incident
3. Building the incident response team
4. Determining the type of incident that occurred
5. Assessing the impact of the incident
6. Reporting the occurrence of the incident to the relevant individuals
Initial response forms the basis of a comprehensive incident response. Communicating the incident helps to reduce its impact by facilitating better coordination between the different stakeholders.

Items included in Incident Report

1. Intensity of the security breach
2. Circumstances which revealed the vulnerability
3. Shortcomings in the design and impact or level of weakness
4. Logs related to the intruder's activity
5. Correct time information for the affected system via NTP (Network Time Protocol)

Types of CSIRTs

1. Internal CSIRT
2. National CSIRT
3. CSIRT as an analysis center
4. CSIRT as a vendor team/incident response team which provides services to clients for a fee

CSIRT Case Management Steps

1. Keep a log
2. Inform appropriate people
3. Maintain list of contacts
4. Release information
5. Follow-up analysis
6. Report

Risk Assessment

A set of guidelines and procedures to identify and assess the risks that pose a threat to the business or project environment. It involves identifying and prioritizing security risks to the critical information assets and key business processes. It determines the probability and magnitude of the possible threats, vulnerabilities, and risk associated with an IT system. It also determines the level of risk and the resulting security requirements for each system.

Incident Handling

A set of procedures and policies used to prepare for, detect, and remediate security incidents. Incident handling helps to analyze an intruder's activity and attack vector, while also providing a framework for recovery, containment, and protection. Incident handling also includes procedures for reporting and analysis of an incident so that trends and patterns can be recognized and recommended strategies can be employed.

OCTAVE-Allegro

A streamlined variant of the OCTAVE method that mainly focuses on information assets. It can be performed in a workshop-style, collaborative setting. The assets of the organization are identified and assessed based on the information assets to which they are connected.

Incident Response

A structured approach to address and manage various security incidents.

Signs of an Incident Occurring

Accurately detecting and assessing incidents is the most challenging and essential part of the incident response process.

Information System

Allows users to share and process information (data).

ARO

Annualized Rate of Occurrence

Threat

Any circumstance or event with the potential to adversely impact organizational operations, assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Computer Security Incident

Any real or suspected adverse event in relation to the security of computer systems or networks.

Asset

Anything of value to the business

Steps to be implemented in classification process

1. Categorization: This step identifies the services that are affected by the incident.
2. Priority Level: The incidents are grouped based on the level of priority.
3. Resource Allocation: Assigning appropriate resources to incident resolution.

Incident Response Team structure

Centralized vs. Decentralized Coordination Team

Common Alternate Names for a CSIRT

Computer Incident Response Team (CIRT)
Incident Handling Team (IHT)
Incident Response Team (IRT)
Security Emergency Response Team (SERT)
Security Incident Response Team (SIRT)

Information Warfare

Conflict that makes use of information and information systems as weapons for both offensive and defensive purposes. Examples of items used as weapons in information warfare include: viruses, worms, Trojan horses, logic bombs, trap doors, rootkits.

Attack

Deliberate action that causes harm to a computer system by exploiting known vulnerabilities and threats. (Violating the security of the system).

Community Emergency Response Team (CERT)

Designed to provide aid and assistance to communities.

Containment

Focuses on limiting the scope and extent of an incident.

The relationship that the CSIRT has to its constituency may be...

Full - Complete authority to act on behalf of the constituency as needed for response
Shared - Act in partnership with the constituency to achieve desired outcomes
None - Act strictly in an advisory capacity if asked to

Goal of Risk Assessment

Identify and measure the risks involved in any activity in the whole IT system infrastructure and to take appropriate action to reduce or eliminate the threat sources. Risk assessment also involves training staff to understand the risks in business operations and make them aware of best practices that would help to secure sensitive information. The output of the risk assessment process enables the identification of security measures to minimize risk and aid in the risk mitigation process.

Incident Reporting

Incident reporting is the process of reporting the information regarding the encountered security breach in a proper format.

Relationship between Incident Response, Incident Handling and Incident Management

Incident response is a function carried out by incident handling and incident handling is one of the services provided by incident management.

Risk Analysis

It involves identifying the risks and potential losses resulting from those risks. Risk Analysis = Risk Assessment + Risk Management + Risk Communication

OCTAVE-S

Makes use of a streamlined process and different worksheets but produces the same result as the OCTAVE method. It requires a team of 3-5 people with an understanding of all aspects of the company. Exploration of the computer infrastructure is limited.

Types of Computer Security Incidents

Malicious Code or Insider Threat
Unauthorized Access
Unauthorized Use of Services or Assets
Espionage
Fraud / Theft
Employee Sabotage and Abuse
Denial of Service (DoS)
Misuse

CERT OCTAVE

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). It is a set of tools, techniques, and methods for risk-based information security strategic assessment and planning. It is a method used for information security risk evaluations that is comprehensive, systematic, context-driven, and self-directed.

Categories and Signs of Incidents

Precursor: Indicates the possibility of occurrence of a security incident.
Indication: Implies that an incident has probably occurred or is in progress.
In general, incidents are categorized into three different levels as follows:
Low level - Least harmful, and should be handled within one business day
Middle level - More serious, and should be handled within a few hours of occurrence
High level - Most serious, and should be handled immediately, as they can threaten a company's operations

Safeguards

Preventive measures against Vulnerabilities

Data Classification

Provides a framework for the understanding of data criticality and level of protection required for different types of business data.

Incident Management

Provides end-to-end management support to handle security incidents or events. The main objectives of incident management are:
1. Prevent incidents and attacks by tightening the physical security of the system or infrastructure
2. Create awareness by conducting training for employees and users on security issues and response plans
3. Monitor and test the organization's infrastructure to identify weaknesses and vulnerabilities
4. Communicate information about incidents with other teams as needed

Incident Management Team

Provides support to all users in the organization that are affected by an incident.

Annualized Loss Expectancy (ALE)

Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)

Threat Source

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability.

Incident Prioritization

The most critical function in the incident handling process. The priority of the incident should be determined based on the impact and the importance of the incident. Incident prioritization helps to reduce impact and minimize loss. Incidents are prioritized based on two factors:
1. Technical effect(s) of the incident
2. Criticality of the affected resources
The criticality of resources is determined with the help of Business Continuity Planning (BCP) and Service Level Agreements (SLAs), which identify the maximum time that should be taken to restore them to normal functioning. The business impact of an incident is determined by gathering both the technical effects and the criticality of the resources.

Information Custodian

The person who controls and implements security required to protect the information assets classified by the information owner.

Information Owner

The person who first creates, or initiates the creation or storage of the data. They are responsible for the classification of data. The owner controls access to the data and is responsible for the security and integrity of the files.

CSIRT Constituency

The region or group/audience that the CSIRT is set up to serve

What is the CSIRT's place in the organization?

This depends on several variables including the mission statement of the CSIRT and the capabilities of the IT and security functions of the organization. Whatever the role, it should be supported by management and well understood by the parties involved.

Disruptive events

Threats to an Organization

Goal of Incident Response

To handle the security incident in such a way that it reduces the damage and minimizes the cost and time to recover from the incident. Incident response is generally carried out by the incident response team of an organization. An incident response generally depends on:
1. How the security team reacts
2. What actions they carry out to minimize the damage
3. How quickly they are able to achieve restoration

Data Classification Levels

Top secret
Highly confidential information
Proprietary information
Information for internal use
Public documents

Unauthorized Access

Unauthorized access can be gained by various means such as:
1. Exploiting vulnerabilities in the operating system
2. Exploiting vulnerabilities or misconfiguration of software applications
3. Stealing user authentication credentials such as login names and passwords
4. Using social engineering tricks
5. Insider threats

Incident Identification

Validating an incident
Identifying the nature of an incident
Identifying and protecting the evidence
Logging and making a report of whatever anomalies are observed

Vulnerability

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

Vulnerabilities

Weaknesses in an Organization

Incident handling

a set of procedures used to address the consequences of a threat source taking advantage of a vulnerability.

Incident Classification

allows for the information security manager to classify incidents based on their appropriate levels such as high, medium, or low level.

Incident Response Plan

consists of a set of instructions to detect and respond to an incident. It defines the areas of responsibility and creates procedures for handling various computer security incidents. The roles and responsibilities of the incident response team should be identified and described in the incident response plan. The response team should ensure that the plan is properly prepared, supported, implemented, and updated. The incident response plan determines the resources required to address incidents in an organized manner.

Incident Response Team

dedicated to understanding the incident response process and taking necessary actions when needed to minimize the effects of an incident on the organization.

Formulating a Response Strategy

focused on developing the most appropriate response to the incident. The response plan should consider political, technical, legal, and business factors of the incident. A response strategy generally depends on the circumstances of the incident.

Eradication

involves removal of the cause(s) of the incident.

Systems Recovery

involves restoring an affected system to normal operations.

main purpose of incident response

minimize loss and ensure recovery from a security incident in the shortest time possible.

Evidence Protection

needs to be considered at every stage of the Incident response process.

Incident Investigation

plays a major role in identifying the perpetrators of the incident. The investigation phase is capable of determining:
Who is responsible for the incident?
What is the reason behind the incident?
When did the incident occur?
Where exactly did the incident happen?
How to recover from the incident?

Data Collection

process of gathering the known facts and evidence required for forensic analysis. The success of an investigation depends on the effectiveness and validity of the data collection.

Notification of External Agencies

should be undertaken based on internal policies of the organization, and should include any/all agencies that may be able to offer assistance as appropriate.

Computer Security Incident Response Team (CSIRT)

team of trained professionals who are responsible for responding to an incident encountered by an organization. The primary job function of CSIRT is to review, receive, and respond to incidents.

Forensic analysis

the process of analyzing and reviewing the data gathered from computer systems in a manner that preserves the integrity of the evidence.

OCTAVE

uses a three-phased approach to examine organizational and technology issues. It consists of a series of workshops conducted by an interdisciplinary analysis team of three to five persons from the organization.
Phase 1: Build Asset-Based Threat Profiles
Process 1: Identify senior management knowledge
Process 2: Identify operational area management knowledge
Process 3: Identify staff knowledge
Process 4: Create threat profiles
Phase 2: Identify Infrastructure Vulnerabilities
Process 5: Identify key components
Process 6: Evaluate selected components
Phase 3: Develop Security Strategy and Plans
Process 7: Conduct risk analysis
Process 8: Develop protection strategy

Risk Formula

(Attack Success + Criticality) - (Countermeasures)

Residual Risk

(Inherent Risk) x (Control Risk), where Inherent Risk = (Threats x Vulnerability)
The risk left over after all controls are in place.

Goals of incident response

01. Determining whether the incident has occurred
02. Limiting the impact of the incident on business and network operations
03. Preventing future attacks or incidents
04. Supporting communication of accurate information
05. Creating guidelines and control measures for proper recovery and handling of evidence
06. Safeguarding privacy rights recognized by law and policy
07. Identifying illegal activity and taking legal action against perpetrators
08. Providing useful recommendations
09. Swift detection, reporting, containment and recovery after an incident
10. Limiting the exposure and compromise of the business data
11. Securing the organization's reputation and assets

Incident Response/Handling Steps

01. Identification
02. Incident Recording
03. Initial Response
04. Communicating the Incident
05. Containment
06. Formulating a Response Strategy
07. Incident Classification
08. Incident Investigation
09. Data Collection
10. Forensic Analysis
11. Evidence Protection
12. Notifying External Agencies
13. Eradication
14. Systems Recovery
15. Incident Documentation
16. Incident Damage and Cost Assessment
17. Review and Update Response Policies

Incident Management Team Activities

1. Manage both internal and external communications
2. Direct the response and recovery activities to top management
3. Monitor the status of the recovery process
4. Provide or modify the recovery resources

1. Develop or examine the processes and procedures to be followed while responding to a computer security incident
2. Manage the response to an incident and ensure that all procedures and processes are followed accurately
3. Examine changes in legal and regulatory requirements to ensure that all processes and procedures are valid
4. Review and recommend technologies to manage and counteract incidents
5. Establish relationships with local law enforcement agencies, government agencies, key partners, and suppliers
6. Review and suggest the technologies that are required to mitigate the incident

CSIRT Goals

1. Manage the problems associated with an incident
2. Reduce and control the damage caused to an organization
3. Provide effective response and recovery

Best Practice Steps to follow for creation of a CSIRT

1. Obtain management support
2. Determine strategic plan
3. Gather relevant information
4. Design the vision
5. Communicate the vision
6. Implement CSIRT
7. Announce CSIRT operation

Incident Management Process Steps

1. Preparation
2. Protection
3. Detection
4. Triage
5. Response

NIST approach to Controls Implementation

1. Prioritize Actions
2. Evaluate Recommended Control Options
3. Conduct Cost-Benefit Analysis
4. Select Control
5. Assign Responsibility
6. Develop a Safeguard Implementation Plan
7. Implement Selected Controls

CSIRT Strategy

1. Provide a single point of contact for all incident reporting
2. Identify and analyze the impact caused by a particular threat
3. Find or develop solutions and mitigation strategies for a particular problem
4. Share response options, information, and lessons learned with stakeholders in the organization

CSIRT Services

1. Reactive - Incident handling | Alerts
2. Proactive - Audits | IDS
3. Quality Management - Risk Analysis | BCDR

Three functions of incident handling

1. Response
2. Analysis
3. Reporting

Nine Steps of NIST Risk Assessment

1. System characterization - Identifying and profiling the system.
2. Threat identification - Threats only present an immediate risk if there is a vulnerability that the threat source can exploit. Threat types: Human | Technical. Threat identification is a two-step process: Threat source identification | Determination of motivation and threat actions.
3. Identify vulnerabilities - Identifying as many potential vulnerabilities as possible given the current state of the system. Vulnerability assessments, penetration testing, and system testing are all methods used to aid in vulnerability identification.
4. Control analysis - Identification and examination of controls/countermeasures already in place or planned for deployment. Control methods are technical controls and non-technical controls. Control categories are preventative and detective.
5. Likelihood determination - Factors to consider include: Capability of threat source | Vulnerabilities identified in the system | Current controls.
6. Impact analysis - How badly the threat will hurt the organization if successfully executed. Qualitative and quantitative risk assessments should be taken into account.
7. Risk determination - Overall perception of the risk within the organization, shaped by the following: Probability of occurrence | Hard (tangible) and soft (intangible) costs | Controls/countermeasures deployed.
8. Control recommendations - Controls should be recommended based on the likelihood, impact, and criticality of the risk for business operations.
9. Results documentation - Thorough communication with all stakeholders.

Incident Recording

1. The date and time the incident occurred
2. The date and time the incident was detected
3. Who reported the incident
4. Details of the incident, including:
   a. Description of the incident
   b. Systems involved
5. Backup information such as error messages, log files, etc.

Incident Handling Preparation for Unauthorized Access Attacks

1. The network-based and host-based intrusion detection and prevention systems (IDS/IPS) should be configured to identify and alert when illicit attempts to gain unauthorized access are detected.
2. A Security Information and Event Management (SIEM) system should be used so that important information from hosts across the organization is securely preserved at a particular location.
3. A procedure should be created such that all users change their passwords in case of a compromise. This should be based on the organization's password policy.
4. Whenever an unauthorized access incident happens, discuss it with the network security administrators so that they can recognize their responsibility in the incident handling process.
5. Protect and secure remote access via VPNs and encryption
6. Place the publicly accessible services on secured DMZ network segments
7. Disable all unused services
8. Use host-based firewalls to reduce the attack surface

Risk

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: the adverse impacts that would arise if the circumstance or event occurs; and the likelihood of occurrence.

Assets

Resources of an Organization

OCTAVE-Allegro Steps

Phase 1:
Step 1: Establish risk assessment criteria
Phase 2:
Step 2: Develop information asset profile
Step 3: Identify information asset containers
Phase 3:
Step 4: Identify areas of concern
Step 5: Identify threat scenarios
Phase 4:
Step 6: Identify risks
Step 7: Analyze risks
Step 8: Select mitigation approaches

Types of Incident Costs

Tangible vs. Intangible

Importance of the CSIRT Mission Statement

The CSIRT's mission statement should have the support of senior management in the parent organization. A mission statement is necessary for a CSIRT to establish:
1. A service and quality framework
2. The definition of its policies and procedures
3. The quality of service

Availability

The ability to ensure that data will be accessible/useable by those authorized to do so at any time required. Typically implemented through protection mechanisms (controls) such as redundancy in system design.

Confidentiality

The ability to provide protection for data that is only to be seen/used by authorized users, preventing disclosure, unauthorized access and use. (keeping good data away from bad people). Typically implemented through protection mechanisms (controls) such as encryption.

Integrity

The ability to validate that data has not been changed/modified in any way without the owner's approval and knowledge; it includes ensuring information non-repudiation and authenticity. Typically implemented through protection mechanisms (controls) such as digital signatures.
