Incident response Flashcards
(27 cards)
Responsible for knowing how to handle security incidents that occur within the organization, and for correcting and documenting the security issue
Computer Incident Response Team (CIRT)
Ensures all team members know their role when a security incident occurs.
CIRT Team Leader
Builds relationships with outside resources that may be called upon during an incident
CIRT Team Leader
Uses technical expertise to assess and identify the scale of a security incident, and knows how to correct the issues
CIRT Technical Specialist
Knows how to document the entire response process
CIRT Documentation Specialist
Responsible for logging each incident, the cause of the problem and the solution
CIRT Documentation Specialist
Knows the laws and regulations the organization must follow when it comes to computer forensics and incident response
CIRT Legal Advisor
Document created by every organization which:
defines incident categories
defines team member roles and responsibilities
identifies how and when users are supposed to report a potential security incident
plans exercises to practice for security incidents
Incident Response Plan
First individual to identify and react to an incident
Goal is to contain the incident
Should be trained to know how to immediately respond to basic problems
First responder
Any observable occurrence in a system or network; sometimes provides an indication that an incident is occurring
Event
Assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system.
Incident
What are the phases of the incident handling process?
Detection and reporting of events
Preliminary analysis and identification
Preliminary response
Incident analysis
Response and recovery
Post-incident analysis
Intrusion detection systems or personnel reports
Gather and report preliminary information
Begin coordinating reporting and response
Detection and reporting of events
Categorize the activity (if upon initial analysis you cannot determine the cause, use category 8: Investigating, and update as required)
Gather additional information as required
Classify as required
Send notification messages per SOPs
Preliminary analysis and identification
Contain the incident/threat
Preserve data to allow for further incident analysis
Begin chain of custody documentation
Preliminary response
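The two preservation items of the preliminary response card (preserve data for later analysis, begin chain of custody documentation) are easiest to see in code. The script below is an added example, not part of the original flashcards or of any AFI procedure: it hashes a collected artifact at acquisition, records every hand-off between CIRT members, and re-checks the hash before analysis so that tampering after collection is caught. The role names, file paths and the sample log lines are constructed for the example.

```python
"""Preserve an evidence file and keep a chain-of-custody log.

Added example (not from the original flashcards). All names (the
collector, the handlers, the file paths) and the log content are
hypothetical and constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_evidence(path, collector, description):
    """Create the initial custody record for one evidence item.

    The hash taken here is the reference every later handler
    re-checks, so it is computed before anyone else touches the file.
    """
    now = datetime.now(timezone.utc).isoformat()
    return {
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "description": description,
        "custody": [
            {"action": "acquired", "by": collector, "to": collector,
             "at": now, "note": description}
        ],
    }


def transfer_custody(record, holder, recipient, reason):
    """Append a hand-off entry; the stated holder must be the current one."""
    current = record["custody"][-1]["to"]
    if current != holder:
        raise ValueError(f"{holder} is not the current custodian ({current})")
    record["custody"].append({
        "action": "transferred", "by": holder, "to": recipient,
        "at": datetime.now(timezone.utc).isoformat(), "note": reason,
    })
    return record


def verify_evidence(record, path):
    """True if the file still matches the size and hash taken at acquisition."""
    return (os.path.getsize(path) == record["size"]
            and sha256_file(path) == record["sha256"])


def save_record(record, out_path):
    """Write the custody record as JSON next to the evidence."""
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)


def demo():
    """Run the workflow on a constructed artifact; return (record, ok_before, ok_after)."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "auth.log")
    # Constructed sample log lines standing in for a collected artifact.
    with open(evidence, "wb") as f:
        f.write(b"Jan 01 03:14:07 host sshd[412]: Failed password for root from 203.0.113.5\n"
                b"Jan 01 03:14:09 host sshd[412]: Accepted password for root from 203.0.113.5\n")
    rec = acquire_evidence(evidence, "first_responder", "auth log from affected host")
    intact_before = verify_evidence(rec, evidence)
    transfer_custody(rec, "first_responder", "technical_specialist", "for incident analysis")
    # Simulate post-acquisition tampering: the verification must now fail.
    with open(evidence, "ab") as f:
        f.write(b"tampered\n")
    intact_after = verify_evidence(rec, evidence)
    save_record(rec, os.path.join(workdir, "auth.log.custody.json"))
    return rec, intact_before, intact_after


if __name__ == "__main__":
    record, before, after = demo()
    print(json.dumps(record, indent=2))
    print("intact at acquisition:", before, "| intact after tampering:", after)
```

In practice the record would also carry the case or incident number and be signed or stored write-once, but the core controls shown here (hash at acquisition, explicit hand-offs that refuse an out-of-order transfer, re-verification before analysis) are what make the data usable in the later incident analysis phase.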
Analyze data to understand technical details, root causes and potential impact
Incident analysis
Prevent further damage
Restore integrity of systems
Implement follow-up strategies
Response and recovery
Review lessons learned:
root causes
problems executing COAs
missing policies/procedures
inadequate infrastructure
Post-incident analysis
Series of analytical steps taken to find out what happened in an incident, including the root cause
The cyber incident analysis process is outlined in AFI 17-203
Incident analysis / root cause analysis
What are the incident analysis steps?
Gather information
Validate the incident
Determine the operational impact
Coordinate
Determine reporting requirements
All involved personnel should identify and collect all relevant information about the incident. Which incident analysis step is this?
Gather information
Continuously review, corroborate and update the reported incident to ensure its accuracy. Which incident analysis step is this?
Validate the incident
Operational impact refers to detrimental effects on an organization's ability to perform its mission. Which incident analysis step is this?
Determine the operational impact
Coordinate with the victim system's owning and supporting agencies. Which incident analysis step is this?
Coordinate