Incident response

Question 1

What is an incident response

Answer 1

Set of procedures that an investigator follows when examining a computer security incident

Question 2

what is an IMP

Answer 2

Incident management program - program consisting of the monitoring and detection of security events on a computer network and the execution of proper responses to those events

Question 3

What are the steps to an IMP

Answer 3

Preparation
Identification
Containment
Eradication
Recovery
Lessons learned

Question 4

Explain the preparation stage of IMP

Answer 4

Create and maintain a security posture, create a detailed IRP, and have solid repeatable procedures

Question 5

Explain the identification stage of IMP

Answer 5

recognizing whether an event should be be classified as an incident

Question 6

Explain the containment stage of IMP

Answer 6

focused on isolating the incident. If a PC is infected with virus, important to airgap the machine to prevent spread

Question 7

Explain the eradication stage of IMP

Answer 7

Remove the threat or attack

Question 8

Explain the recovery stage of IMP

Answer 8

data restoration, system repair, re-enabling any items that were taken offline during the attack

Question 9

Explain the lessons learned stage of IMP

Answer 9

document the incident response process
make changes to the process and procedures to make sure that next time you are better prepared

Question 10

What are some questions commonly posed in the lessons learned stage of an IMP

Answer 10

Was the threat detected
How was event detected
Did we respond, and how
Were our eradication methods successful

Question 11

What is an IRT

Answer 11

Incident response teams consists of key people who must respond to any incident that meets severity and priority thresholds outlined by the IMP

Question 12

Describe the roles within an IRT

Answer 12

Incident response manager
Security analysts acting as either a Triage or forensic analyst
Threat researcher

Question 13

Describe the role of the incident response manager

Answer 13

Oversee and prioritize actions during detection, analysis and containment of incidents

Question 14

Describe the role of the triage security analyst

Answer 14

assigned to work on the network during the response, help filter out false positives by using IPD/IDS to monitor, analyze, and detect instrustions

Question 15

Describe the role of the forensic analyst

Answer 15

detective work to piece together what has occurred on the network.
Focus on recovering artifacts and evidens from the network and use this to build a timeline of events that led up to the incident.

Question 16

What is a threat researcher

Answer 16

provide threat intelligence and context during incident response. Tasked with keeping up to date

Question 17

Describe cross functional support

Answer 17

People from executive management, HR, Attourneys that assist in incident response

Question 18

What is a CSIRT

Answer 18

Computer security IRT - Single point of contact for security incidents and may be part of the SOC or independant

Question 19

Best practices for a CSIRT include:

Answer 19

Out of band comms.
Up to date contact lists
Planning for how far comms go \

Question 20

True or False; It is essential to prevent unauthorized release of infomration outside the CSIRT

Answer 20

True

Question 21

Who should be identified and notified in the event of a breach or incident

Answer 21

The affected stakeholders

Question 22

What are some examples of affected stakeholders

Answer 22

Operations affected - Senior Leadership
Compliance affected - Regulatory Bodies
Risk of lawsuit - Legal
Insider threat - Human Resources
When there may be damage to image - Public Relations

Question 23

What role does LE play in incident response and who calls them

Answer 23

Law Enforcement - May provide incident handling, or gathering evidence for prosecution. Senior leadership will decide when to involve LE with guidance from Legal