Module 1, Unit 4 - Incident Response
The most important factor in prioritizing incidents will often be the value of data that is at risk.
Data integrity
Established policies and procedures for dealing with security breaches and the personnel and resources to implement those policies.
Incident Response Plan (IRP)
The actions and guidelines for dealing with security incidents.
Incident Response Procedures
Which eradication response is where further investigation is warranted due to the causes of the incident not being clear?
Investigation / escalation
What role does out-of-band messaging play in incident response?
It prevents alerting the attacker that their attack has been detected when CSIRT team member/Law enforcement/regulatory authorities are communicating.
Follow-up actions performed after an incident has been resolved, usually in the form of a meeting, to assess how processes and procedures can be improved.
Lessons Learned
Reviewing the security incidents to determining their cause and whether they were avoidable is known as?
Lessons learned
An employee or ex-employee who reports misconduct.
Whistleblower
What are the actions and guidelines for dealing with security incidents referred to as?
Incident Management / Incident response procedures
Within the incident response process, this is the process of making a system resilient to attack in the first place, including hardening, policies, procedures, etc.
Preparation Phase
Which recovery step ensures that the system is not vulnerable to another attack?
Re-audit security controls
Which recovery step removes the malicious files or tools from affected systems or restores the systems from secure backups?
Reconstitution of affected systems
Some incidents require lengthy remediation as the system changes required are complex to implement.
Recovery time
What will industries that have strict regulations regarding the safe processing of data set out for notifying affected customers as well as the regulator?
Reporting requirements
The tasks of various experts and business areas that are called upon during a respones
Role-based Responsibilities
The number of systems affected.
Scope
The process of organizing and labeling any significant data resource.
Classification
The critical first steps to take when a security incident is discovered, taken by the first appropriate individuals on the scene.
First Responder
Which eradication response is where a backup system is brought online and the live system frozen to preserve evidence of the attack?
Hot swap
What are the 4 phases of the incident response lifecycle defined by NIST?
Preparation, Identification/Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity
What is an incident response playbook?
A data-driven procedure to assist junior analysts in detecting and responding to quite specific cyber threat scenarios.
A test exercise of a mock incident to help staff develop competencies and identify deficiencies in procedures and tools.
Incident Response Exercise
What is a Computer Security Incident Response Team (CSIRT)?
A single point-of-contact for the notification of security incidents
The principle that something should not be so secure that it is completely inaccessible. This principle also involves protecting a resource against loss or damage or DoS attacks.
Availability
The team responsible for incident response. This team must have expertise across a number of business domains (IT, HR, Legal, and marketing for instance).
Cyber Incident Response Team (CIRT)/Computer Security Incident Response Team (CSIRT)
An attack that has been successful in obtaining information that should have been kept secret or confidential
Data Breach
What NIST special publication identifies the following stages in an accident response lifecycle?
Computer Security Incident Handling Guide
Which eradication response allows the attack to proceed but ensures that valuable systems or data are not at risk?
Containment
Within the incident response process, limiting the scope and impact of the incident.
Containment, Eradication, and Recovery Phase
Procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents.
Incident Response Plan
The amount of time before a data breach is identified.
Detection Time
A disruption to business processes, caused by an incident.
Downtime
Data integrity and downtime will have effects in the short term by costs involved in incident response and lost of business, and in the long term by reputation and market standing.
Economic / Publicity
True or False? The "first responder" is whoever reports an incident to the CSIRT.
False (The appropriate person on the CSIRT to be notified when a suspicious event is detected so that they can take charge of the situation and formulate the appropriate response).
True or False? It is important to publish all security alerts to all members of staff.
False (You must avoid the inadvertent release of information beyond the team authorized to handle the incident as to not alert the attacker to the detection and remediation measures about to be taken against them.)
Company policy should set out the procedure for alerting the appropriate individuals of potential incidents, how quickly to do so, and in what matter.
Incident Reporting
Within the incident response process, determining whether an incident has taken place and assessing how severe it might be.
Identification/Detection and Analysis
What type of actions are appropriate to the containment phase of incident response?
If further evidence needs to be gathered the best approach would be to quarantine or sandbox the affected system or network; another option is to remove the device (pull the plug) in order to prevent the attacker from widening the attack; if an incident is too critical where senior staff becomes involved then it should be escalated; if its a data breach then affected parties must be notified
The act of violating an explicit or implied security policy, otherwise known as a breach or attempted breach.
Incident
Within the incident response process, analyzing the incident and responses to identify whether procedures or systems could be improved.
Post-incident Activity Phase
Which eradication response is where countermeasures to end the incident are taken on the live system even though it may destroy evidence?
Prevention
In terms of incident response, the number of systems affected, which describes the scale of the incident and its response.
Scope