Ch. 12 Section 1 Incident Response
Live analysis
An incident investigation that examines an active (running) computer system to analyze the live network connection, memory contents, and running programs
Stakeholder Management Communication Target: Business Unit Managers
Communicate with business unit managers: keep open lines of communication with unit managers; be willing to accept their input; these are the people you will work with the most.
What are the four internal policies to handle incidents and respond to them appropriately?
Communication plan, disaster recovery plan, business continuity plan, incident response team charter
What is the purpose of audit trails?
Detect security-violating events
During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?
Disconnect the access point from the network; the first step in responding to an incident is to stop the attack and contain or limit the damage.
When you conduct a forensic investigation, which of the following initial actions is appropriate for preserving evidence?
Document what is on screen. Any attempt to collect evidence may actually destroy the very data necessary to identify an attack or attacker
Corroborative evidence
Evidence or information that supports another fact or detail.
Cyber Kill Chain developed by
Lockheed Martin
As a security analyst, you have discovered that the victims of a malicious attack have several things in common. Which tools would you use to help you identify who might be behind the attacks and prevent potential future victims?
MITRE ATT&CK and the Diamond Model of Intrusion Analysis
Business continuity plan
More detailed and longer than the disaster recovery plan, the business continuity plan has procedures and policies for each business unit. The policies and procedures are written by each business unit with guidelines from corporate management. This document includes organization charts, phone lists, order of restore, and vendor contact information.
Why are the four points of the Diamond Model of Intrusion Analysis significant?
Normally, analysts and first responders use these points (called meta or core features) to find and predict attacks. All four points are connected to each other.
What are the seven steps of an attack that help a security analyst identify the phases of an attack in progress?
Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives
First responder
The first person on the scene after a security incident has occurred.
What is the best definition of a security incident? (Interruption of productivity / Compromise of the CIA / Criminal activity / Violation of a security policy)
Violation of a security policy
MITRE ATT&CK framework
A universally accessible database. This database contains techniques, tactics, and other operational information about malicious actors. This data has been gathered and aggregated using empirical observations. All of this data is available to anyone for free.
Communication plan
A plan to effectively communicate important company information in the case of an emergency.
What are the five types of security incidents?
Employee errors, unauthorized acts by an employee, external intrusion attempts, virus and harmful code attacks, unethical gathering of competitive information
Hearsay Evidence
Evidence that is obtained from a source who doesn't have personal, firsthand knowledge.
Stakeholder Management Communication Target: C-level Executives
Keep incident response awareness a priority with C-level executives. Their support will help to garner support from other employees.
What are the three common attack frameworks that can be utilized for incident response?
MITRE ATT&CK, Diamond Model of Intrusion Analysis, Cyber Kill Chain
Stakeholder management communication target: Internal stakeholders
Maintain an open dialogue with all internal departments about development, implementation, testing, etc., of incident response.
Unethical gathering of competitive information is also known as
Corporate espionage; the goal is to obtain proprietary information in order to gain a competitive advantage or steal clients.
Example of the Diamond Model of Intrusion Analysis in use
By identifying the types of victims and why they were attacked, the analyst or first responder can make an educated guess as to who is behind the attack and who the potential victims are. This information can then be compared with the information in the MITRE ATT&CK database. Since there are always unknowns, the database helps to fill in some of the unknowns.
Cyber Kill Chain definition
Identifies and provides visibility of the hurdles a malicious actor must overcome to achieve the objective of an exploit or attack. This makes the malicious actor's moves highly visible to a first responder or security analyst and is valuable in the defense of assets.
Damage assessment
A preliminary onsite evaluation of damage or loss caused by a security incident.
Incident response
The action taken to deal with an incident, both during and after the incident.
Incident response team charter
A document that describes the creation and function of a specialized team trained to identify malicious actions against a network. The charter documents the funding, reporting hierarchy, authority, and responsibility of the team designated to stop an attack, investigate incidents, and collect evidence.
Disaster recovery plan
A documented plan of policies and procedures that are executed in the event of a disruption of business.
What are the four points of the Diamond Model of Intrusion Analysis?
Adversary, Victim, Capabilities, Infrastructure
Security incident
An event, or series of events, resulting from a security policy violation, that has adverse effects on a company's ability to proceed with normal business.
Big data analytics
An incident investigation that examines all types of data used in the organization, including text, audio, video, and log files. The investigation identifies anomalies that led up to the security incident.
Dead analysis
An incident investigation that examines data at rest, such as analyzing hard drive contents.
After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best step or action to take next?
Back up all logs and audits regarding the incident
What is the 8-step process of an incident response?
1. Define what is considered an incident.
2. Identify who should handle the response to the incident. This person is designated as the first responder.
3. Describe what action should be taken when an incident is detected.
4. Provide a detailed outline of steps to efficiently and effectively handle an incident while mitigating its effects.
5. Explain how and to whom an incident should be reported.
6. Explain when management should be notified of the incident and also outline ways to ensure that management is well-informed.
7. Be legally reviewed and approved.
8. Be fully supported by senior management and administration with appropriate funding and resources such as camera equipment, forensic equipment, redundant storage, standby systems, and backup services.
