Incident Response Process Flashcards
What is the incident response process based on the SANS Incident Handler’s handbook? Name them as they go from the first action until the last action.
PICERL acronym
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
What’s part of the Detection phase in IR?
- monitoring tools
- IPS
- firewalls
- user notification to management and/or helpdesk
What’s part of the Response phase in IR?
- triage - determination of whether it is really an incident; it is a decision to declare
- limiting damage
What does CSIRT stand for?
Computer Security Incident Response Team
or Cyber Security Incident Response Team
If an incident is determined to be major, what team is usually engaged?
CSIRT
Which plan includes instructions about who engages CSIRT and under what conditions?
formal Incident Response Plan
What is the goal of containment in the Mitigation phase?
lay the foundation for the effective and permanent resolution of the incident
What is the main goal of the Mitigation phase?
- conduct a more comprehensive investigation into the root cause of the incident and develop a long-term strategy for remediation
- contain an incident in a strategic way
In what phase is a cybersecurity incident response team formed?
Response
What’s part of the Reporting phase in IR?
- reporting to relevant stakeholders (customers, vendors, law)
- management decisions
What’s part of the Recovery phase in IR?
- returning to normal operations
- management decisions
What’s part of the Remediation phase in IR?
- root cause being addressed
- includes root cause analysis
What is the main goal of the Lessons Learned phase?
help prevent recurrence, improve IR process
What is a security event?
a security log that needs to be investigated further to determine whether it is a real security incident or a false positive
What should be included in an organization’s emergency response guidelines?
- immediate response procedures
- list of individuals who should be notified of the emergency
- secondary response procedures for incident responders
During which phase of the incident response process would administrators design new security controls intended to prevent a recurrence of the incident?
The Remediation phase of incident handling focuses on conducting a root-cause analysis to identify the factors contributing to an incident and implementing new security controls, as needed.
Which NIST standard is considered to be “the gold standard” for incident response?
NIST 800-61r2
What has to be done continuously during the incident response so proper decisions can be made?
documentation; when decision points are reached, management needs to be accurately informed about the situation
What are the first questions that need to be asked during the Response phase, which then influence the company’s operational and strategic response?
- Is it really an incident?
- Should devices stay connected?
- Are there any signs of live network activity?
- What is the intent of the malicious activity?
What usually triggers an investigation?
- EDR or AV alert - creates an alert for anomalous activity that has occurred on a specific host
- Network alerts - provide alerts for anomalous network activity
- SIEM alerts - could alert on a custom rule that was created by the analysts
- User alert - users themselves can raise an alert about suspicious activity on their computer
What step is required next, if the alert information is not sufficient and we have to gather more information than what is currently provided?
Digital Forensics
In order to address and close an incident, what has to be understood?
what is the scope of the incident
What can happen if the scope of the incident is misunderstood?
- if more drastic actions are authorized than necessary, it can damage the business
- if not enough actions are taken to eradicate the infection, the threat actor might remain in the network
What is covered by Incident Management? What question does it try to address?
the process aspect of dealing with an incident; answers “How do we respond to what happened?”
What is covered by Incident Response? What question does it try to address?
the technical aspect of dealing with an incident; answers “What happened?”
What are the things that Incident Management needs to take care of?
- triaging the incident to accurately update the severity of the incident as new information becomes available and getting more stakeholders involved to help deal with the incident
- guiding the incident actions through the use of playbooks
- deciding which containment, eradication, and recovery actions will be taken to deal with the incident
- deciding the communication that will be sent internally and externally while the team deals with the incident
- documenting the information about the incident, such as the actions taken and the effect that they had on dealing with the incident
- closing the incident and taking the information to learn from the incident and improve future processes and procedures