Incident Response
What are the phases of the incident response process?
-Preparation. This phase occurs before an incident and provides guidance to personnel on how to respond to an incident. It includes establishing and maintaining an incident response plan and incident response procedures. It also includes establishing procedures to prevent incidents. -Identification. All events aren't security incidents so when a potential incident is reported, personnel take the time to verify it is an actual incident. -Containment. After identifying an incident, security personnel attempt to isolate or contain it. The goal of isolation is to prevent the problem from spreading to other areas or other computers in your network, or to simply stop the attack. -Eradication. After containing the incident, it's often necessary to remove components from the attack. Similarly, an attack might have been launched from one or more compromised accounts. Eradication would include deleting or disabling these accounts. -Recovery. During the recovery process, administrators return all affected systems to normal operation and verify they are operating normally. Additionally, if administrators have identified the vulnerabilities that caused the incident, they typically take steps to remove the vulnerabilities. -Lessons learned. After personnel handle an incident, security personnel perform a lessons learned review. It's very possible the incident provides some valuable lessons and the organization might modify procedures or add additional controls to prevent a reoccurrence of the incident.
chain of custody
A chain of custody is a process that provides assurances that evidence has been controlled and handled properly after collection. Forensic experts establish a chain of custody when they first collect evidence.
cyber-incident response team
A cyber-incident response team is composed of employees with expertise in different areas. Organizations often refer to the team as a cyber-incident response team, a computer incident response team (CIRT), or a security incident response team. Combined, they have the knowledge and skills to respond to an incident.
forensic image of a disk
A forensic image of a disk captures the entire contents of the drive. Some tools use bit-by- bit copy methods that can read the data without modifying it. Other methods include hardware devices connected to the drive to write-protect it during the copy process. These methods capture the entire contents of the disk, including system files, user files, and files marked for deletion but not overwritten. Similarly, many tools include the ability to capture data within volatile memory and save it as an image.
legal hold
A legal hold refers to a court order to maintain different types of data as evidence.
security incident
A security incident is an adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of data or systems within the organization, or that has the potential to do so.
active logging strategy
An active logging strategy increases the amount of logged data collected on a routine basis. Ideally, network administrators will have filters available so that they can view only the data they need for daily operations. However, if an attack begins, security professionals can view all the logged data.
incident response plan
An incident response plan (IRP) provides more detail than the incident response policy. It provides organizations with a formal, coordinated plan personnel can use when responding to an incident. The plan includes definitions of incident types, cyber incident response teams, roles and responsibilities, escalation, reporting requirements, and exercises.
Record Time Offset
An offset used by recorders to identify times on recordings. If you know when the recording started, you can use the offset to identify the actual time at any point in the recording.
How is data captured from a disk?
By capturing an image of the disk.
computer forensics
Computer forensics analyzes evidence from
What is the purpose of the reporting requirements section of an IRP?
Depending on the severity of the incident, security personnel might need to notify executives within the company of the incident. They would notify executives about serious incidents that have the potential to affect critical operations. If the incident involves a data breach, personnel need to identify the extent of the loss, and determine if outside entities are affected. The incident response plan outlines who needs to be notified and when.
data recovery
In the context of forensics, data recovery recovery goes further. Even without backups, it's often possible to recover data that has been intentionally or accidentally deleted. Even if the user empties the trash after deleting a file, forensic experts can use tools to undelete the files. Formatting a drive appears as though it has overwritten all the data on the drive. However, just as forensic experts have tools to undelete files, they also have tools they can use to unformat drives.
Why is hashing an important element of forensic analysis?
It provides proof that the collected data has retained integrity. A captured forensic image (from RAM or a disk) is just a file, and you can use hashing with forensic images to ensure image integrity.
What is the purpose of the roles and responsibilities section of the incident response plan?
Many incident response plans identify specific roles for an incident response team along with their responsibilities.
forensic evaluation
Once an incident has been contained or isolated, the next step is forensic evaluation. A forensic evaluation helps the organization collect and analyze data as evidence it can use in the prosecution of a crime. In general, forensic evaluations proceed with the assumption that the data collected will be used as evidence in court. Because of this, forensic practices protect evidence to prevent modification and control evidence after collecting it.
What is the purpose of the exercises section of an incident response plan?
One method of preparing for incident response is to perform exercises. These can test the response of all members of the team.
order of volatility
Order of volatility refers to the order in which you should collect evidence. Volatile doesn't mean it's explosive, but rather that it is not permanent. In general, you should collect evidence starting with the most volatile and moving to the least volatile. For example, random access memory (RAM) is lost after powering down a computer. Because of this, it is important to realize you shouldn't power a computer down if you suspect it has been involved in a security incident and might hold valuable evidence. A processor can only work on data in RAM, so all the data in RAM indicates what the system was doing.
How do security professionals implement chain of custody?
Security professionals use a chain of custody form to document this control. The chain of custody form provides a record of every person who was in possession of a physical asset collected as evidence. It shows who had custody of the evidence and where it was stored the entire time since collection. Additionally, personnel often tag the evidence as part of a chain of custody custody process. A proper chain of custody process ensures that evidence presented in a court of law is the same evidence that security professionals collected.
What is the purpose of the escalation section of an incident response plan?
The escalation section identifies when an incident needs to be escalated to higher level personnel.
What is the difference between a standard system image and a forensic image?
The forensic image is an exact copy and does not modify the original.
Why is a copy of an image made for analysis?
They do not analyze the original disk and often don't even analyze the original image. They understand that by analyzing the contents of a disk directly, they can modify the contents. By creating and analyzing forensic copies, they never modify the original evidence.
incident response policy
This outlines how an organization will prepare for security incidents, and respond to them when they occur.
In the IRP what is the purpose of the section that defines the incident types?
This section helps employees identify the difference between an event (that might or might not be a security incident) and an actual incident.
What is the order from most volatile to least volatile?
• Data in cache memory, including the processor cache and hard drive cache • Data in RAM, including system and network processes • A paging file (sometimes called a swap file) on the system disk drive • Data stored on local disk drives • Logs stored on remote systems • Archive media