CompTIA Security+ Study Notes
HomeBuy Me A CoffeeDiscordQuizlet
Search…
About
Donors
CompTIA Security+
Acronyms
Common Ports
Domain 1 - Threats, Attacks, & Vulnerabilities
Domain 2 - Technologies & Tools
Domain 3 - Architecture & Design
Domain 4 - Identity & Access Management
Domain 5 - Risk Management
Personnel Policies
Business Impact Analysis
Risk Assessment
Incident Response
Forensics
Disaster Recovery & Business Continuity Plans
Controls
Data Privacy
Domain 6 - Cryptography & PKI
Powered By GitBook
Incident Response

Incident Definition

  • NIST - 'An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.'
  • Cybrary - 'An incident is an unplanned disruption or degradation of a network or system service and needs to be resolved immediately.'

NIST Incident Response Process

Could not load image

Incident Response Plan

  • The documentation of a predetermined set of instructions or procedures to to detect, respond to, and limit consequences of a malicious cyber attacks against an organization's information system(s). [NIST]
  • NIST Computer Security Incident Handling Guide (SP 800-61) provides guidance on exact elements to include:
    • Mission, strategies, and goals of incident response.
    • Senior management approval.
    • Approach to incident response.
    • Metrics for measuring response capabilities and effectiveness.
    • Roadmap for maturing response capability.
    • How the incident response program fits into the organization.

Incident Response Plan (IRP)

  • Documented incident types/category definitions.
    • Natural
    • Mechanical
    • Accidental / Human Error
    • Malicious / Compromise C-I-A
    • Policy Violation
  • Roles and responsibilities.
    • Granting clear authority for actions to be taken during an incident.
    • Who can/does perform IRP activities:
      • Incident Alerting
      • Identification / Triage
      • Decisions Making - Must be an organizational executive.
      • Equipment Collection / Confiscation
      • Forensics - Independence / Segregation of Duties
      • Repair / Recovery
      • Reporting
      • Communicating - Talking outside the organization.
  • Cyber-incident response teams.
    • Computer Emergency Response Team (CERT)
    • Cyber Incident Response Team (CIRT)
    • Computer Security Incident Response Team (CSIRT)
    • Formalized, standing, or ad-hoc.
    • Internal or external.
    • Central, distributed, or coordinating.
    • Includes:
      • Systems, network, database admins.
      • Legal
      • HR
      • Management
  • Reporting requirements/escalation.
    • Document.
    • Included in many help desk systems.
    • Collecting evidence (physical, virtual, etc.)
    • Reporting / Disclosing To:
      • Internal Management (Legal, HR, CEO, CFO)
      • Legal Authorities / Law Enforcement (Local, FBI)
      • Affected Organizations / Clients / Customers
      • CERT (www.cert.org)
      • Internet Crime Compliance Center (IC3) - www.ic3.org​
      • Insurance (Cyber)
    • Also needs to report what outside agencies (if any) should be notified.
    • Escalation guidelines would indicate under what circumstances you need to ask for additional assistance.
  • Testing, Exercises, and Training.
    • Be prepared.
    • Prepare each role with training.
    • Practice using real world scenarios.
    • Test systems and processes to find issues.
    • Tabletop and functional exercises.

Incident Preparation

  • Create an "Incident Response Plan" or IRP.
  • Hardware/Software/Communications
    • 'Jump Kit'
  • Testing & Exercises
  • Creating Checklists
    • Technical
    • Procedures
    • Contacts

Incident Detection / Identification / Analysis

  • Alerting
    • Logs - IDS, SIEM, AV
    • Humans
  • Incident triage / validation.
  • Determine incident scope.
    • What and who is affected.
    • Number of systems affected.
    • Identification type:
      • system
      • data
      • personnel
      • etc
  • Analysis - Impact and Recoverability Effort
  • Escalation
  • Documentation & Notification

Incident Containment

  • Ensuring incident doesn't continue or spread.
  • Securing the scene / limiting access / isolating systems (quarantine)
    • Physical
    • Network
    • Logical
  • Gathering Evidence

Eradication

  • Find and eliminate the root cause.
  • Removing elements of the incident, such as malware.
  • Actions:
    • AV Clean-Up
    • Patching / Updating Software
    • Re-Imaging Systems
    • Restoring from Backup

Incident Recovery

  • The process of restoring and returning affected systems and devices back into your business environment.
  • Repair
    • Restoring from backup
    • Patching
    • Hardening systems (using known baseline)
    • Access control (network or systems)
    • Authentication (change passwords)
  • Procedural Changes
  • Documentation

Post Incident

  • Lessons Learned
  • After-action meeting with all Incident Response Team members.
  • Capture actions such as the cause, the cost, and recommendations for preventing future incidents.
  • Discuss what you've learned from the data breach.
  • Regulatory or legal requirements.
  • Update IRP
​
​
Previous
Risk Assessment
Next
Forensics
Last modified 1yr ago
Copy link
On this page
Incident Definition
NIST Incident Response Process
Incident Response Plan
Incident Response Plan (IRP)
Incident Preparation
Incident Detection / Identification / Analysis
Incident Containment
Eradication
Incident Recovery
Post Incident