Domain 7: Security Operations: Incident Management
Incident Response Steps
1. Detect the incident.
2. Respond to the incident.
3. Report the incident to the appropriate personnel.
4. Recover from the incident.
5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed.
6. Review the incident, and document all findings.
An event is a?
A change of state that occurs. Whereas events include both negative and positive events, incident response focuses more on negative events—events that have been deemed as negatively impacting the organization.
An incident is a?
A series of events that negatively impact an organization's operations and security. Whereas events include both negative and positive events, incident response focuses more on negative events—events that have been deemed as negatively impacting the organization.
Report
All incidents should be reported within a timeframe that reflects the seriousness of the incident. In many cases, establishing a list of incident types and the person to contact when that type of incident occurs is helpful. Exercising attention to detail at this early stage, while time-sensitive information is still available, is critical.
Mitigate
Although mitigation is a standard part of incident response, it is not listed as a separate step. However, security professionals should understand the importance of mitigation as part of any incident response. Mitigation is actually part of responding to an incident and includes limiting the scope of what the attack might do to the organization's assets. If damage has occurred or the incident may broaden and affect other assets, proper mitigation techniques ensure that the incident is contained to within a certain scope of assets. Mitigation options vary, depending on the kind of attack that has occurred. Security professionals should develop procedures in advance that detail how to properly mitigate any attacks that occur against organizational assets. Preparing these mitigation procedures in advance ensures that they are thorough and gives personnel a chance to test the procedures.
Rules of Engagement, Authorization, and Scope
An organization ought to document the rules of engagement, authorization, and scope for the incident response team. The rules of engagement define which actions are acceptable and unacceptable if an incident has occurred. The authorization and scope provide the incident response team with the authority to perform an investigation and with the allowable scope of any investigation they must undertake. The rules of engagement act as a guideline for the incident response team to ensure that they do not cross the line from enticement into entrapment. Enticement occurs when the opportunity for illegal actions is provided (luring) but the attacker makes his own decision to perform the action, and entrapment means to encourage someone to commit a crime that the individual might have had no intention of committing. Enticement is legal but does raise ethical arguments and might not be admissible in court. Conversely, entrapment is illegal.
Lessons Learned and Review
Finally, review each incident to discover what could be learned from it. Changes to procedures might be called for. Share lessons learned with all personnel who might encounter this type of incident again. Complete documentation and analysis are the goal of this step.
Incident Response Procedures
When performing incident response, it is important that the incident response team follow incident response procedures. Depending on where you look, you might find different steps or phases included as part of the incident response process.
Event Versus Incident
In regard to incident response, a basic difference exists between events and incidents. An event is a change of state that occurs. Whereas events include both negative and positive events, incident response focuses more on negative events—events that have been deemed as negatively impacting the organization. An incident is a series of events that negatively impact an organization's operations and security. Events can only be detected if an organization has established the proper auditing and security mechanisms to monitor activity. A single negative event might occur. For example, the auditing log might show that an invalid login attempt occurred. By itself, this login attempt is not a security concern. However, if many invalid login attempts occur over a period of a few hours, the organization might be undergoing an attack. The initial invalid login is considered an event, but the series of invalid login attempts over a few hours would be an incident, especially if it is discovered that the invalid login attempts all originated from the same IP address.
Incident Management
Incident response is vital to every organization to ensure that any security incidents are detected, contained, and investigated. Incident response is the beginning of any investigation. After an incident has been discovered, incident response personnel perform specific tasks. During the entire incident response, the incident response team must ensure that they follow proper procedures to ensure that evidence is preserved. As part of incident response, security professionals must understand the difference between events and incidents (see the following section). The incident response team must have the appropriate incident response procedures in place to ensure that the incident is handled, but the procedures must not hinder any forensic investigations that might be needed to ensure that parties are held responsible for any illegal actions. Security professionals must understand the rules of engagement and the authorization and scope of any incident investigation.
Recover
Recovery involves a reaction designed to make the network or system that is affected functional again; it includes repair of the affected assets and prevention of similar incidents in the future. Exactly what recovery means depends on the circumstances and the recovery measures that are available. For example, if fault-tolerance measures are in place, the recovery might consist of simply allowing one server in a cluster to fail over to another. In other cases, recovery could mean restoring the server from a recent backup. The main goal of this step is to make all resources available again. Delay putting any asset back into operation until it is at least protected from the incident that occurred. Thoroughly test assets for vulnerabilities and weaknesses before reintroducing them into production.
Detect
The first step is to detect the incident. Prior to any incident response investigation, security professionals must first perform the appropriate triage for the affected assets. This includes initially detecting the incident and determining how serious the incident is. In some cases, during the triage phase, security professionals may determine that a false positive has occurred, meaning that an attack really did not occur, even though an alert indicated that it did. If an attack is confirmed, then the incident response will progress into investigative actions. All detective controls, such as auditing, are designed to provide this capability. The worst sort of incident is the one that goes unnoticed.
Incident Response Management
Security events will inevitably occur, and the response to these events says much about how damaging the events will be to the organization. Incident response policies should be formally designed, well communicated, and followed. They should specifically address cyber-attacks against an organization's IT systems.
The actual investigation of the incident occurs during which steps of incident response?
The respond (Step 2), report (Step 3), and recover (Step 4) steps. Following appropriate forensic and digital investigation processes during the investigation can ensure that evidence is preserved.
Respond
The response to the incident should be appropriate for the type of incident. Denial-of-service (DoS) attacks against the web server would require a quicker and different response than a missing mouse in the server room. Establish standard responses and response times ahead of time. Response involves containing the incident and quarantining the affected assets to reduce the potential impact by preventing other assets from being affected. Different methods can be used, depending on the category of the attack, the asset affected, and the data criticality or infection risk.
The incident response team should have access to the incident response plan.
This plan should include the list of authorities to contact, team roles and responsibilities, an internal contact list, securing and preserving evidence procedures, and a list of investigations experts who can be contacted for help. A step-by-step manual should be created that the incident response team must follow to ensure that no steps are skipped. After the incident response process has been engaged, all incident response actions should be documented. If the incident response team determines that a crime has been committed, senior management and the proper authorities should be contacted immediately.
Remediate
This step involves eliminating any residual danger or damage to the network that still might exist. For example, in the case of a virus outbreak, it could mean scanning all systems to root out any additional affected machines. These measures are designed to provide a more thorough mitigation when time allows.
Response involves containing the?
incident and quarantining the affected assets to reduce the potential impact by preventing other assets from being affected.
Mitigation is actually part of?
responding to an incident and includes limiting the scope of what the attack might do to the organization's assets.