Section 3- Incident Response
Map elements to these steps of analysis based on the NIST.SP800‐61 r2
Preparation Detection and analysis Containment, eradication, and recovery Post‐incident analysis (lessons learned)
Map the organization stakeholders against the NIST IR steps
-Decision makers [executives] who control the allocation of resources and the management of organizations; typically senior leaders -Leaders with responsibility for managing organizational resources and operations associated with the domains of this model -Practitioners with responsibility for supporting organization in the use of this model (planning and managing changes in the organization based on the model) -Facilitators with responsibility for leading a self-evaluation of the organization based on this model and the associated toolkit and analyzing the self-evaluation results.
Preparation may include
1. Educating users to respond to computer and network security incidents quickly and correctly. 2. Developing and maintaining all the proper documentation, such as network diagrams, configuration standards, change control documentations, and so on. 3. Planning for the logged and captured data retention period, who does what during an incident, and setting up the proper roles and responsibilities (RACI).
Map data types to SOX
Combination of encryption, integrated key management & access controls meets the needs for creating & maintaining access controls to financial data.
Containment
Decision points for containment may include: 1. What is the scope of the incident? 2. What is the type of advice? 3. What is the network reachability of the device that has been affected by the incident? 4. How quickly the incident response team can get containment in place? 5. How quickly containment is needed?
Describe the goals of the given CSIRT
Internal CSIRT National CSIRT Coordination centers Analysis centers Vendor teams Incident response providers (MSSP)
Identify these elements used for server profiling
Listening ports Logged in users/service accounts Running processes Running tasks Applications
Map data types to HIPAA
Physical or mental health or condition of an individual. Provision of health care to individual by hospital or doctor Payment for the provision of health care to the individual.
C2M2 [Cybersecurity Capability Maturity Model program]
Public-private partnership effort established as a result of the Administration's efforts to improve electricity subsector cybersecurity capabilities, & to understand the cybersecurity posture of the grid
Elements that should be included in an incident response plan as stated in NIST.SP800‐61 r2
Statement of management commitment Purpose & objectives Scope Definition of computer security incidents and related terms Organizational structure Prioritization or severity ratings of incidents Performance measures Reporting and contact forms
Detection
The SOC analyst performs continuous monitoring, and active cyber threat hunting. When a true positive incident has been detected, the incident response team is activated. During the investigation process, the SOC analyst or the incident response team may also contact the CERT/CC, or other security intelligence sources, which tracks Internet security activity and has the most current threat information.
Post‐incident analysis (lessons learned)
The incident response team analyzes how and why the incident happened and performs an FMEA against it. FMEA is a qualitative and systematic tool, usually created within a spreadsheet, to help practitioners anticipate what might go wrong with a product or process. This phase includes documenting how the incident was handled, recommendations for better future response, and how to prevent a recurrence.
Eradication & recovery
The incident response team investigates to find the origin of the incident. The root cause of the problem and all traces of potentially malicious code are removed, which may also involve changing passwords for accounts, hardening systems, and so on. Data and software are restored from clean backup files, ensuring that no vulnerabilities remain. After recovery, the systems are monitored for any sign of weakness and incident recurrence. Recovery may also involve tactical fixes including user account changes, patching software, and device hardening, and prioritizing strategic fixes such as process changes.
Analysis
The initial analysis may include: 1. Which networks, systems, or applications are affected? 2. Who or what originated the incident? 3. What tools or attack methods are being used? 4. Which vulnerabilities are being exploited?
Identify these elements used for network profiling
Total throughput- maximum rate at which something can be processed Session duration Ports used Critical asset address space- IP address
Coordination centers
coordinate and facilitate the handling of incidents across various CSIRTs
Analysis centers
focus on synthesizing data from various sources to determine trends and patterns in incident activity
Vendor teams
handle reports of vulnerabilities in their software or hardware products
Incident response providers (MSSP)
offer incident handling services as a for-fee service to other organizations
Identify data elements that must be protected with regards to a specific standard (PCIDSS)
primary account number [PAN], cardholder name and expiration date
National CSIRT
provide incident handling services to a country
Internal CSIRT
provide incident handling services to their parent organization, which could be a CSIRT for a bank, a manufacturing company, a university, or a federal agency