1.4 Incident Response

What are the 4 phases of the incident response lifecycle defined by NIST?

Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-incident Activity.

What is a CSIRT?

A Computer Security Incident Response Team - the first point of contact for incident notification and the people primarily responsible for managing incident response.

What is an incident response playbook?

A Standard Operating Procedure (SOP) designed to guide incident responders through each phase of incident response in defined intrusion scenarios.

What role does out-of-band messaging play in incident response?

Establishes a secure channel for incident responders to communicate over without alerting the adversary.

True or false? It is important to publish all security alerts to all members of staff.

False - security alerts should be sent to those able to deal with them at a given level of security awareness.

True or false? The "first responder" is whoever first reports an incident to the CSIRT.

False - the first responder would be the member of the CSIRT to handle the report.

What type of actions are appropriate to the containment phase of incident response?

Firstly, prevent the malware or intrusion from affecting other systems by halting execution, stopping the system as a whole, quarantining the affected systems from the rest of the network, and so on. Secondly, identify whether a data breach has taken place and assess any requirements for escalation and notification.
