Cyber Fundamentals Block 5 Unit 5
Incident Handling Process-(4) Incident Analysis
-Analyze data to understand technical details, root cause(s), & potential impact
Incident Handling Process-(2) Preliminary Analysis & ID
-Categorize the activity (if upon initial analysis you cannot determine the cause, use Category 8: Investigating and update as required) -Gather additional info as required -Classify as required
Incident Handling Process-(3) Preliminary Response
-Contain incident/threat -Preserve data to allow for further incident analysis -Begin chain of custody docs
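An added example (not part of the unit's own material) of the "preserve data" and "chain of custody" steps above: a hash of the evidence is taken at collection, every hand-off is logged, and a hand-off is refused if the bytes no longer match the hash. The sample log lines, item ID and handler names are constructed for illustration.

```python
# Added example (not from the unit): a minimal chain-of-custody record for
# evidence preserved during Preliminary Response. Names below are assumptions.
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence, standing in for a captured IDS log file.
SAMPLE_EVIDENCE = (
    b"2024-03-01T10:15:02Z ids alert src=10.0.0.5 dst=10.0.0.20 sig=1234\n"
    b"2024-03-01T10:15:07Z ids alert src=10.0.0.5 dst=10.0.0.21 sig=1234\n"
)


def sha256_hex(data: bytes) -> str:
    """Hash the evidence; this value is what later handlers check against."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def collect(evidence: bytes, item_id: str, source: str, collected_by: str) -> dict:
    """Create the custody record at collection time: hash, size, first custodian."""
    return {
        "item_id": item_id,
        "source": source,
        "size": len(evidence),
        "sha256": sha256_hex(evidence),
        "events": [{"action": "collected", "by": collected_by, "at": _now()}],
    }


def verify(record: dict, evidence: bytes) -> bool:
    """True only if the bytes in hand still match the hash taken at collection."""
    return len(evidence) == record["size"] and sha256_hex(evidence) == record["sha256"]


def transfer(record: dict, evidence: bytes, from_person: str, to_person: str) -> dict:
    """Log a hand-off, refusing it if the evidence no longer matches the record."""
    if not verify(record, evidence):
        raise ValueError(f"{record['item_id']}: hash mismatch, refusing hand-off")
    record["events"].append(
        {"action": "transferred", "from": from_person, "to": to_person, "at": _now()}
    )
    return record


def export(record: dict) -> str:
    """Serialize the record for the incident file (sorted keys give stable diffs)."""
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    rec = collect(SAMPLE_EVIDENCE, "EV-001", "ids-sensor-01:/var/log/alerts.log", "A1C Doe")
    transfer(rec, SAMPLE_EVIDENCE, "A1C Doe", "SSgt Smith")
    print(export(rec))
    print("intact:", verify(rec, SAMPLE_EVIDENCE))
    print("tampered:", verify(rec, SAMPLE_EVIDENCE + b"extra\n"))
```

In practice the record is written alongside a read-only copy of the evidence, and the hash is recomputed by each custodian before they accept it; any mismatch breaks the chain and the item can no longer be relied on for later analysis.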
Root Cause Analysis-(3) Determine the Operational Impact
-Detrimental impacts on an organization's ability to perform its mission. -Coordinate as necessary w/ HQ USAF Damage Risk Assessment Office (AF-DAMO) when preparing an impact assessment
Incident Response Team-Team Leader
-Ensures all team members know their role when a security incident occurs. -Builds relationships w/ outside resources that may be called upon.
Computer Incident Response Team (CIRT)
-The first thing to prepare for handling a security incident -Responsible for knowing how to handle security incidents that occur within the organization and for correcting & documenting the security issue.
Incident Handling Process-(1) Detection & Reporting of Events
-Intrusion Detection Systems (IDS) or personnel reports. -Gather/report preliminary info -Begin coordinating reporting/response
Incident Response Team-Documentation Specialist
-Knows how to document entire response process. -Responsible for logging each incident, cause of problem, & solution.
Incident Handling Process-(5) Response & Recovery
-Prevent further damage -Restore integrity of systems -Implement follow-up strategies
Incident Handling Process-(6) Post-Incident Analysis
-Review lessons learned -Root cause(s) -Problems executing COAs -Missing policies/procedures -Inadequate infrastructure
List the 6 Phases of the Incident Handling Process:
1. Detection & Reporting of Events 2. Preliminary Analysis & ID 3. Preliminary Response 4. Incident Analysis 5. Response & Recovery 6. Post-Incident Analysis
List the 5 steps of Root Cause Analysis (RCA):
1. Gather Information 2. Validate The Incident 3. Determine the Operational Impact 4. Coordinate 5. Determine Reporting Requirements
Root Cause Analysis-(1) Gather Information
All involved personnel should identify & collect all relevant info about the incident
Event
Any observable occurrence in a network or system. Sometimes provides indication that an incident is occurring.
Incident
Assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an info system.
Root Cause Analysis-(2) Validate The Incident
Continuously review, corroborate, & update the reported incident to ensure the accuracy.
Root Cause Analysis-(4) Coordinate
Coordinate w/ the victim system's owning/supporting agencies (CFP, NOSC, & MCCC) to determine the Mission Assurance Category level.
Incident Response Actions-Roles & Responsibilities
Define team member roles & responsibilities
Incident Response Actions-Incident Categories
Define the different types of security incidents that can occur.
Category 4-Incident
Denial of Service Ex: Denies Normal Functionality
Cyber Incident Report (CIR)
Detailed analysis to include affected system, probable attacker, attack vector used, and technical and operational impacts (if known).
Root Cause Analysis-(5) Determine Reporting Requirements
Determine within one hour if the event or incident meets Commander's Critical Information Requirements (CCIR) reporting requirements
Category 9-Event
Explained Anomaly Ex: Event that is a False Alarm
First Responder/User
First individual user to ID & react to an incident. Goal is to contain the incident. -Should be trained to know how to immediately respond to basic problems.
Network Intelligence Report (NIR)
Focuses on an incident, group of incidents, or network activity or on a foreign individual, group, or organization identified as a threat or potential threat to DOD networks.
Incident Response Actions-Reporting Requirements/Escalation
ID how & when users are supposed to report potential security incidents
Postmortem
Includes lessons learned, root causes, problems executing courses of action (COAs), missing policies/procedures, & inadequate infrastructure defenses. -Results are provided to the affected MAJCOM/unit so that corrective actions can be taken, which could include revising existing COAs, figuring out why they failed, or creating new COAs.
Category 8-Event
Investigating Ex: Event undergoing Further review
Incident Response Team-Legal Advisor
Knows laws & regulations that organization must follow when it comes to computer forensics & incident response
Category 7-Incident
Malicious Logic Ex: Installation of a virus
Category 5-Event
Non-Compliance Activity Ex: Authorized user breaches AF policy
Incident Response Actions-Exercise Planning
Plan exercises to practice security incident response
Category 6-Event
Reconnaissance Ex: Activity that gathers info about Network
Category 1-Incident
Root-Level Intrusion Ex: Unauthorized access to Administrator functions
Root Cause Analysis (RCA)
Series of analytical steps taken to find out what happened in an incident, to include the root cause.
What is the Primary Goal of the First Responder?
To activate the CIRT & contain the incident; the first responder must know how to respond to an incident. Ex: a user who discovers a virus on the network should disconnect the network cable.
Category 0-Event
Training & Exercises. Ex: Related to Base Training Event
Category 3-Event
Unsuccessful Activity Attempt Ex: Failed attempt at Unauthorized access
System Behavior Deviations
Upon detection of an event, the appropriate operations center (OC) & AF Cyberspace Defense (ACD) will initiate notification procedures in accordance w/ AFI 10-206. -Information requested during the investigation typically includes affected systems, anti-virus & system log data, IDS & IPS logs, etc.
Category 2-Incident
User-Level Intrusion Ex: Unauthorized user access
Incident Response Team-Technical Specialist
Uses technical expertise to assess & ID scale of security incident & know how to correct issues.
Event vs Incident Categories
When investigating a possible event/incident, it will be given a category number identifying it for descriptive purposes and the level of severity of potential impact to the mission. -The reaction to different categories will be different.