Section 3- Incident Response

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Map elements to these steps of analysis based on the NIST.SP800‐61 r2

Preparation Detection and analysis Containment, eradication, and recovery Post‐incident analysis (lessons learned)

Map the organization stakeholders against the NIST IR steps

-Decision makers [executives] who control the allocation of resources and the management of organizations; typically senior leaders -Leaders with responsibility for managing organizational resources and operations associated with the domains of this model -Practitioners with responsibility for supporting organization in the use of this model (planning and managing changes in the organization based on the model) -Facilitators with responsibility for leading a self-evaluation of the organization based on this model and the associated toolkit and analyzing the self-evaluation results.

Preparation may include

1. Educating users to respond to computer and network security incidents quickly and correctly. 2. Developing and maintaining all the proper documentation, such as network diagrams, configuration standards, change control documentations, and so on. 3. Planning for the logged and captured data retention period, who does what during an incident, and setting up the proper roles and responsibilities (RACI).

Map data types to SOX

Combination of encryption, integrated key management & access controls meets the needs for creating & maintaining access controls to financial data.

Containment

Decision points for containment may include: 1. What is the scope of the incident? 2. What is the type of advice? 3. What is the network reachability of the device that has been affected by the incident? 4. How quickly the incident response team can get containment in place? 5. How quickly containment is needed?

Describe the goals of the given CSIRT

Internal CSIRT National CSIRT Coordination centers Analysis centers Vendor teams Incident response providers (MSSP)

Identify these elements used for server profiling

Listening ports Logged in users/service accounts Running processes Running tasks Applications

Map data types to HIPAA

Physical or mental health or condition of an individual. Provision of health care to individual by hospital or doctor Payment for the provision of health care to the individual.

C2M2 [Cybersecurity Capability Maturity Model program]

Public-private partnership effort established as a result of the Administration's efforts to improve electricity subsector cybersecurity capabilities, & to understand the cybersecurity posture of the grid

Elements that should be included in an incident response plan as stated in NIST.SP800‐61 r2

Statement of management commitment Purpose & objectives Scope Definition of computer security incidents and related terms Organizational structure Prioritization or severity ratings of incidents Performance measures Reporting and contact forms

Detection

The SOC analyst performs continuous monitoring, and active cyber threat hunting. When a true positive incident has been detected, the incident response team is activated. During the investigation process, the SOC analyst or the incident response team may also contact the CERT/CC, or other security intelligence sources, which tracks Internet security activity and has the most current threat information.

Post‐incident analysis (lessons learned)

The incident response team analyzes how and why the incident happened and performs an FMEA against it. FMEA is a qualitative and systematic tool, usually created within a spreadsheet, to help practitioners anticipate what might go wrong with a product or process. This phase includes documenting how the incident was handled, recommendations for better future response, and how to prevent a recurrence.

Eradication & recovery

The incident response team investigates to find the origin of the incident. The root cause of the problem and all traces of potentially malicious code are removed, which may also involve changing passwords for accounts, hardening systems, and so on. Data and software are restored from clean backup files, ensuring that no vulnerabilities remain. After recovery, the systems are monitored for any sign of weakness and incident recurrence. Recovery may also involve tactical fixes including user account changes, patching software, and device hardening, and prioritizing strategic fixes such as process changes.

Analysis

The initial analysis may include: 1. Which networks, systems, or applications are affected? 2. Who or what originated the incident? 3. What tools or attack methods are being used? 4. Which vulnerabilities are being exploited?

Identify these elements used for network profiling

Total throughput- maximum rate at which something can be processed Session duration Ports used Critical asset address space- IP address

Coordination centers

coordinate and facilitate the handling of incidents across various CSIRTs

Analysis centers

focus on synthesizing data from various sources to determine trends and patterns in incident activity

Vendor teams

handle reports of vulnerabilities in their software or hardware products

Incident response providers (MSSP)

offer incident handling services as a for-fee service to other organizations

Identify data elements that must be protected with regards to a specific standard (PCIDSS)

primary account number [PAN], cardholder name and expiration date

National CSIRT

provide incident handling services to a country

Internal CSIRT

provide incident handling services to their parent organization, which could be a CSIRT for a bank, a manufacturing company, a university, or a federal agency


Set pelajaran terkait

LC3: LearningCurve - Ch. 3: Supply and Demand

View Set

Cerebrospinal Fluid & Blood-brain Barrier

View Set

EVOLVE: Chapter 44- Genitourinary Dysfunction

View Set

Mots d'amour en petites phrases romantiques pour dire je t'aime

View Set

Exam 3: Shock, SIRS, Sepsis, MODS, Burns, & MSK

View Set

GI Questions, Key terms and Points

View Set

Chapter 12: Connect Master Intro to Business

View Set

unit 2 progress check pt 1 - ap gov

View Set