13- Describing the Incident Response Plan


2 tasks typically done during Incident Response Life Cycle

1. Document network topologies
2. Monitor security intelligence sources for the latest threat info

Review

The organization should review the incident response plan at least annually to ensure that the organization is maturing the incident response capability, and fulfilling the goals for incident response.

CAT 6

Unconfirmed incidents that are potentially malicious or anomalous activity that is deemed by the reporting entity to warrant further review. Reporting is not necessary.

Eradication and recovery possible tasks

- All traces of potentially malicious code are removed
- Changing passwords for accounts
- User account changes
- Patching software
- Hardening systems
- Data and software are restored from clean backup files

Incident response plan is used to

- Prevent or minimize disruption of critical computing services
- Minimize loss of proprietary & confidential info
- Facilitate info exchange among groups responsible for security incidents

Preparation may include

1. Educating users to respond to security incidents quickly & correctly.
2. Developing & maintaining documentation, e.g., network diagrams, configuration standards.
3. Planning for the data retention period, who does what during an incident, and setting up proper roles & responsibilities (RACI).

Incident Response Life Cycle [PIA CERLR]

1. Preparation
2. Identification
3. Analysis
4. Containment
5. Eradication & Recovery
6. Lessons Learned
7. Reporting

Analysis may include

1. Which networks, systems, or applications are affected?
2. Who or what originated the incident?
3. What tools or attack methods are being used?
4. Which vulnerabilities are being exploited?

Decision points for containment may include:

1. What is the scope of the incident?
2. What type of device is involved?
3. What is the network reachability of the device affected by the incident?
4. How quickly can the IR team get containment in place?
5. How quickly is containment needed?

CAT 4

A person violates acceptable computing use policies. Timeframe to report is weekly.

FMEA- Failure Mode and Effects Analysis

A tool created in a spreadsheet to help anticipate what might go wrong with a product/process. This includes documenting how the incident was handled, recommendations for a better future response, & how to prevent a recurrence.

US-CERT 7 incident categories

CAT 0 Exercise/Network Defense Testing
CAT 1 Unauthorized Access
CAT 2 Denial of Service (DoS)
CAT 3 Malicious Code
CAT 4 Improper Usage
CAT 5 Scans/Probes/Attempted Access
CAT 6 Investigation

Lessons learned task

FMEA [Failure Mode and Effects Analysis]

Metrics

Metrics measure the incident response capability and its effectiveness. Time-to-detection, which is known as dwell time, is one of the most critical metrics in the organization. Dwell time is the concept that a host is compromised at a point in time and the compromise is not detected until some further point in time. Organizations should aim to continually decrease dwell time.

Communication

Representing the reporting phase of the incident response life cycle, the incident response team will continuously communicate with the rest of the organization and with other organizations.

During identification

The SOC analyst or IR team may contact CERT/CC or other security intelligence sources, which track Internet security activity & have the most current threat info.

CAT 3

Successful installation of malicious software (for example, virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are not required to report malicious logic that has been successfully quarantined by antivirus software. Timeframe to report is daily, or within 1 hour of discovery/detection if widespread across the agency.

CAT 5

This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. Timeframe to report is monthly, except if the system is classified, in which case report within one (1) hour of discovery.

Organization missions

This element describes how the incident response policy supports the overall missions of the organization.

Reporting

To CIO, the head of information security, the system owner, HR, public affairs, the legal department, and law enforcement

AAR- After Action Report

Another term for "Lessons Learned"

CAT 2

An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim of or participating in the DoS. Timeframe to report is within 2 hours of discovery/detection, if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity.

The hardest and most important decision that is made during an incident=

containment

Benefit of a good incident response plan

faster recovery from security incidents

Incident classifications are typically based on

incident severity.

CAT 1

An individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource. Timeframe is within 1 hour of discovery/detection.

What should be the long term result after incident response plan matures and becomes more effective?

lower dwell time

HIPAA

protects PHI- protected health info

SOX- Sarbanes-Oxley

protects company's financial data and ensures its integrity

PCI DSS

protects credit card holder account data

The incident response plan

provides info to enable efficient recovery from security incidents

RACI=

responsible, accountable, consulted, and informed

CAT 0

Used during state, federal, national, and international exercises and approved activity testing of internal/external network defenses or responses. No timeframe because it's confidential.

What is needed in regard to incident response policy

• Buy-in from senior management before implementation
• Communication
• Metrics
• Regular Review
• Organization missions

Attack vectors

• External/removable media
• Attrition: brute-force methods
• Web: e.g., XSS
• Email
• Impersonation: e.g., spoofing, MITM
• Improper usage: violation of acceptable usage policies by an authorized user.
• Loss or theft of equipment
• Other: attack that doesn't fit into another category.

Incident Response Policy Elements

• Mission, strategies, goals: determine the structure of the IR capability.
• Incident response approach: need a team committed to the IR role without a myriad of other IT or security responsibilities.

4 basic questions that each organization must answer when determining their incident response plan

• What are the assets that are being protected?
• What are the threats to the assets?
• How are threats detected?
• How will the organization respond to threats?

