Section 13 - Describing the Incident Response Plan


Lessons learned

The incident response team analyzes how and why the incident happened and performs an FMEA against it.

Eradication and recovery

The incident response team investigates to find the origin of the incident. The root cause of the problem and all traces of potentially malicious code are removed, which may also involve changing passwords for accounts, hardening systems, and so on.

Reporting

- The incident response plan should include provisions concerning incident reporting. The reporting should also be immediate and occur at predefined intervals that are based on the incident severity.
- Contracts or other agreements may need to be put into place before external discussions occur. An example is an NDA to protect the confidentiality of the most sensitive information of the organization.

Primary incident response policy elements (7)

- Mission, strategies, and goals
- Incident response approach
- Buy-in from senior management
- Communication
- Metrics
- Review
- Organization missions

CAT 2

- Name: Denial of Service (DoS)
- Description: An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim or participating in the DoS.
- Reporting Timeframe: Within 2 hours of discovery and detection, if the successful attack is still ongoing and the agency is unable to successfully mitigate activity.

CAT 0

- Name: Exercise/Network Defense Testing
- Description: This category is used during state, federal, national, and international exercises and approved activity testing of internal and external network defenses or responses.
- Reporting Timeframe: Not applicable; this category is for internal use of each agency during exercises.

CAT 4

- Name: Improper Usage
- Description: A person violates acceptable computing use policies.
- Reporting Timeframe: Weekly

CAT 6

- Name: Investigation
- Description: Unconfirmed incidents that are potentially malicious or anomalous activity that is deemed by the reporting entity to warrant further review.
- Reporting Timeframe: Not applicable; this category is for the use of each agency to categorize a potential incident that is currently being investigated.

CAT 3

- Name: Malicious Code
- Description: Successful installation of malicious software (for example, virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are not required to report malicious logic that has been successfully quarantined by antivirus software.
- Reporting Timeframe: Daily. Note: Within 1 hour of discovery and detection if widespread across agency.

CAT 5

- Name: Scans/Probes/Attempted Access
- Description: This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.
- Reporting Timeframe: Monthly. Note: If system is classified, report within 1 hour of discovery.

CAT 1

- Name: Unauthorized Access
- Description: In this category, an individual will gain logical or physical access without permission to a federal agency network, system, application, data, or other resource.
- Reporting Timeframe: Within 1 hour of discovery and detection.

Impersonation (common method of attack)

An attack involving replacement of something benign with something malicious—for example, spoofing, MITM attacks, rogue wireless APs, and SQL injection attacks that involve impersonation

Other (common method of attack)

An attack that does not fit into another category

Attrition (common method of attack)

An attack that employs brute-force methods to compromise, degrade, or destroy systems, networks, or services—for example, a DDoS that is intended to impair or deny access to a service or application, or a brute-force attack against an authentication mechanism

Web (common method of attack)

An attack that is executed from or against a website or web-based application—for example, an XSS attack that is used to steal credentials or a redirect to a site that exploits a browser vulnerability and installs malware

External or removable media (common method of attack)

An attack that is executed from removable media or a peripheral device—for example, malicious code spreading onto a system from an infected USB flash drive

Email (common method of attack)

An attack that is executed via an email message or attachment—for example, exploit code that is disguised as an attached document or a link to a malicious website in the body of an email message

Improper usage (common method of attack)

Any incident resulting from violation of the acceptable usage policies of an organization by an authorized user—for example, a user who installs file-sharing software that leads to the loss of sensitive data, or a user who performs illegal activities on a system

The US-CERT places security events into one of seven incident categories from CAT 0 to CAT 6.

Containment

Incident containment is perhaps the hardest and most important decision that is made during an incident. Without taking the time initially to understand each facet of containment, documenting them, testing them, and knowing the available fallback options, it is likely that the incident response team will falter in making such a critical decision.

Metrics

Metrics measure the incident response capability and its effectiveness. Time to detection, which is known as dwell time, is one of the most critical metrics in the organization.

Buy-in from senior management

Once an organization develops the incident response plan, the plan must have management approval before it can be implemented.

Incident response approach

Organizations need to have a functional CSIRT that is composed of trained and dedicated incident responders who are committed to the role without a myriad of other IT or security responsibilities.

incident response life cycle (7)

1. Preparation
2. Identification
3. Analysis
4. Containment
5. Eradication and recovery
6. Lessons learned
7. Reporting

FMEA (Failure Mode and Effects Analysis)

Qualitative and systematic tool, usually created within a spreadsheet, to help practitioners anticipate what might go wrong with a product or process.

Communication

Representing the reporting phase of the incident response life cycle, the incident response team will continuously communicate with the rest of the organization and with other organizations.

Preparation

The goal of the preparation phase is to get the company team and resources ready to handle a security incident.
1. Educating the users and IT staff to respond to computer and network security incidents quickly and correctly.
2. Developing and maintaining all the proper documentation, such as network diagrams, configuration standards, change control documentation, and so on.
3. Planning for the logged and captured data retention period, who does what during an incident, and setting up the proper roles and responsibilities (RACI).

Analysis

The incident response team should work quickly to analyze and validate each incident, following a predefined process and documenting each step that is taken.

Loss or theft of equipment (common method of attack)

The loss or theft of a computing device or media that is used by the organization, such as a laptop, smart phone, or authentication token

Review

The organization should review the incident response plan at least annually to ensure that the organization is maturing the incident response capability and fulfilling the goals for incident response.

Mission, strategies, and goals

The organizational mission, strategies, and goals for incident response determine the structure of the incident response capability.

Organization missions

This element describes how the incident response policy supports the overall missions of the organization.

HIPAA

U.S. legislation that provides data privacy and security provisions for safeguarding medical information and ensures patient confidentiality for all health care-related data.

Here are four basic questions that each organization must answer when determining their incident response plan (4):

- What are the assets that are being protected?
- What are the threats to the assets?
- How are threats detected?
- How will the organization respond to threats?

Identification

When a true positive incident has been detected, the incident response team is activated. During the investigation process, the SOC analyst or the incident response team may also contact the CERT/CC (or other security intelligence sources), which tracks Internet security activity and has the most current threat information.

What is a benefit of having an effective incident response plan?

faster recovery from security incidents

Sarbanes-Oxley Act of 2002 (SOX)

legislation that was passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures.

What should be the long-term result after the incident response plan matures and becomes more effective?

lower dwell time

PHI

The privacy rule protects all individually identifiable health information that is held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. This includes:
- The past, present, or future physical or mental health or condition of the individual
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual
Individually identifiable health information includes many common identifiers (full name, maiden name of mother, birth date, X-ray, fingerprint, driver's license number, social security number, and so on).
