Cyber Fundamentals Block 5 Unit 5

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Incident Handling Process-(4) Incident Analysis

-Analyze data to understand technical details, root cause(s), & potential impact

Incident Handling Process-(2) Preliminary Analysis & ID

-Categorize the activity (if upon initial analysis you cannot determine the cause, use Category 8: Investigating and update as required) -Gather additional info as required -Classify as required

Incident Handling Process-(3) Preliminary Response

-Contain incident/threat -Preserve data to allow for further incident anaylsis -Begin chain of custody docs

Root Cause Analysis-(3) Determine the Operational Impact

-Detrimental impacts on an organization's ability to perform its mission. -Coordinate as necessary w/ HQ USAF Damage Risk Assessment Office (AF-DAMO) when preparing an impact assessment

Incident Response Team-Team Leader

-Ensures all team members know their role when a security incident occurs. -Builds relationships w/ outside resources that may be called upon.

Computer Incident Response Team (CIRT)

-First thing to prepare for handling of security incident -Responsible for knowing how to handle security incidents that occur within the organization and for correcting & documenting the security issue.

Incident Handling Process-(1) Detection & Reporting of Events

-Intrusion & Detection Systems (IDS) or personnel reports. -Gather/report preliminary info -Begin coordinating reporting/response

Incident Response Team-Documentation Specialist

-Knows how to document entire response process. -Responsible for logging each incident, cause of problem, & solution.

Incident Handling Process-(5) Response & Recovery

-Prevent further damage -Restore integrity of systems -Implement follow-up strategies

Incident Handling Process-(6) Post-Incident Analysis

-Review lessons learned -Root Causes(s) -Problems executing COA's -Missing policies/procedures -Inadequate infrastructure

List the 6 Phases of the Incident Handling Process:

1. Detection & Report of Events 2. Preliminary Analysis & ID 3. Preliminary Response 4. Incident Analysis 5. Response & Recovery 6.. Post-Incident Analysis

List the 5 steps of Root Cause Analysis (RCA):

1. Gather Information 2. Validate The Incident 3. Determine the Operational Impact 4. Coordinate 5. Determine Reporting Requirements

Root Cause Analysis-(1) Gather Information

All involved personnel should identify & collect all relevant info abt the incident

Event

Any observable occurrence in a network or system. Sometimes provides indication that an incident is occurring.

Incident

Assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an info system.

Root Cause Analysis-(2) Validate The Incident

Continuously review, corroborate, & update the reported incident to ensure the accuracy.

Root Cause Analysis-(4) Coordinate

Coordinate w/ the victim systems owning support agencies (CFP, NOSC, & MCCC) to determine Mission Assurance category level.

Incident Response Actions-Roles & Responsibilities

Define team member roles & responsibilities

Incident Response Actions-Incident Categories

Define the different types of security incidents that can occur.

Category 4-Incident

Denial of Service Ex: Denies Normal Functionality

Cyber Incident Report (CIR)

Detailed analysis to include affected system, probable attacker, attack vector used, and technical and operational impacts (if known).

Root Cause Analysis-(5) Determine Reporting Requirements

Determine within one hour if the event or incident meets Commander's Critical Information Requirements (CCIR) reporting requirements

Category 9-Event

Explained Anomaly Ex: Event that is a False Alarm

First Responder/User

First individual user to ID & react to an incident. Goal is to contain the incident. -Should be trained to know how to immediately respond to basic problems.

Network Intelligence Report (NIR)

Focuses on an incident, group of incidents, or network activity or on a foreign individual, group, or organization identified as a threat or potential threat to DOD networks.

Incident Response Actions-Reporting Requirements/Escalation

ID how & when users are supposed to report potential security incidents

Postmortem

Includes lessons learned, root causes, problems executing courses of action (COA's), missing policies/procedures, & inadequate infrastructure defenses. -Results provided to affected MAJCOM/unit so that corrective actions can be taken, which could include revising existing COA's, figuring out why they failed, or creating new COA's.

Category 8-Event

Investigating Ex: Event undergoing Further review

Incident Response Team-Legal Advisor

Knows laws & regulations that organization must follow when it comes to computer forensics & incident response

Category 7-Incident

Malicious Logic Ex: Installation of a virus

Category 5-Event

Non-Compliance Activity Ex: Authorized user breaches AF policy

Incident Response Actions-Exercise Planning

Plan exercises to practice security incident response

Category 6-Event

Reconnaissance Ex: Activity that gathers info about Network

Category 1-Incident

Root-Level Intrusion Ex: Unauthorized access to Administrator functions

Root Cause Analysis (RCA)

Series of analytical steps taken to find out what happened in an incident, to include the root cause.

What is the Primary Goal of the First Responder?

To activate the CIRT & contain the incident, must know how to respond to an incident. ex: User discovers a virus on network, they should disconnect the network cable.

Category 0-Event

Training & Exercises. Ex: Related to Base Training Event

Category 3-Event

Unsuccessful Activity Attempt Ex: Failed attempt at Unauthorized access

System Behavior Deviations

Upon detection of event, appro operations center (OC) & AF Cyberspace Defense (ACD) will initiate notification procedures. In accordance w/ AFI 10-206. -Information requested during investigation typically includes affected systems, anti-virus & system log data, IDS & IPS logs, etc.

Category 2-Incident

User-Level Intrusion. ex: Unauthorized user access

Incident Response Team-Technical Specialist

Uses technical expertise to assess & ID scale of security incident & know how to correct issues.

Event vs Incident Categories

When investigating a possible event/incident, it will be given a category number identifying it for descriptive purposes and level of severity of potential impact to mission. -Reaction to diff categories will be diff.


Ensembles d'études connexes

U.S. History Chapter 22 Questions

View Set

BIO 168 Chapter 11: Functional Organization of Nervous Tissue

View Set

BUS 204 Ch. 10 The Formation of Traditional and E-Contracts

View Set

N487 Leadership in Nursing: Fiscal Planning and Responsibility

View Set

3.16 Unit Test: Circles - Part 1

View Set