LabSim Chapter 9

School: Nova Southeastern University
Course: 615
Subject: Information Systems
Date: Apr 3, 2024
Type: docx
Pages: 66
Uploaded by gioroa20 on coursehero.com

9.1.1 Incident Response Process

Incident Response (00:00-00:22)

Incident response is a systematic approach to handling and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

Incident Response Lifecycle (00:22-00:45)

The incident response lifecycle provides a structured approach to addressing and managing the aftermath of a security breach or cyberattack to limit damage and reduce recovery time and costs. The lifecycle includes seven steps: preparation, detection, analysis, containment, eradication, recovery, and lessons learned.

Preparation (00:45-01:17)

Part of the preparation step is to ensure that systems are resilient to attack. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. The preparation step also includes creating incident response resources and procedures. An incident response plan is like a fire drill for cyber threats. Just as a fire drill outlines the steps to evacuate a building safely, an incident response plan contains instructions on how to react when a cyberattack occurs.

Detection (01:17-01:37)

The detection step discovers indicators of threat actor activity. Indicators that an incident may have occurred could be generated by an automated intrusion detection system or other monitoring and alerting systems. Incidents can also be detected through threat hunting or by reports from employees or customers.

Containment (01:37-02:08)

The containment phase is where immediate action is taken to prevent further damage or compromise of the system. This could involve disconnecting affected systems or devices from the network to prevent the spread of the breach. It is the equivalent of stopping the bleeding in a medical emergency: a quick, temporary fix to halt the immediate threat. Containment strategies vary with the severity and nature of the incident. After containment, an in-depth investigation leads to the next phase, eradication.

Recovery (02:08-02:49)

Next is the recovery phase. During this phase, systems and networks are returned to normal function. All systems affected by the cyberattack are cleaned, restored, and put back into operation. Recovery may involve reinstalling system components, changing passwords, and patching software. System administrators should monitor systems carefully during recovery for any signs of abnormal activity, as this could indicate that not all threat elements have been eradicated. Regular operations can resume once the systems are deemed secure and functioning normally. The recovery phase is not considered complete until all systems are back in operation and all data has been recovered.

Lessons Learned (02:49-03:23)

The last phase in the incident response lifecycle is the lessons learned stage. During this phase, the incident response team conducts a post-incident review. This review aims to identify what went well during the response, what could have been done better, and what improvements can be made to the incident response process. It provides an opportunity to learn from the incident and improve future response efforts. The lessons learned may include changes to policies, procedures, or infrastructure, and may lead to further security awareness training for employees.

Summary (03:23-03:39)

That's it for this lesson. In this lesson, we discussed incident response and looked at the seven steps of the incident response lifecycle: preparation, detection, analysis, containment, eradication, recovery, and lessons learned.

9.1.2 Incident Response Process Facts

This lesson covers the following topics:
- Security incident
- Incident response process

Security Incident

A security incident is an event or series of events resulting from a security policy violation. The incident may or may not adversely affect an organization's ability to conduct business. It is crucial that organizations recognize security incidents and deal with them appropriately. The following table describes types of security incidents.

Type: Description
- Employee errors: Unintentional actions by an employee that cause damage or leave network systems vulnerable to attack.
- Unauthorized act by an employee: Intentional actions by an employee to cause harm to a company's network or data. This is also known as an insider threat.
- External intrusion attempts: Intentional actions by a threat actor not employed by or associated with an organization to exploit attack vectors. The threat actor's intent is to harm an organization or profit from access to its resources.
- Virus and harmful code attacks: Tools used by threat actors to disrupt company business, compromise data, or hurt the company's reputation.
- Unethical gathering of competitive information: Also known as corporate espionage. The goal is to obtain proprietary information to gain a competitive advantage or steal clients.

Incident Response Process

A cybersecurity incident is a successful or attempted violation of the security properties of an asset, compromising its confidentiality, integrity, or availability. Incident response (IR) policy sets the resources, processes, and guidelines for dealing with cybersecurity incidents. Management of each incident should follow a process lifecycle. CompTIA's incident response lifecycle is a seven-step process:

- Preparation — makes the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies creating incident response resources and procedures.
- Detection — discovers indicators of threat actor activity. Indicators that an incident may have occurred might be generated from an automated intrusion system. Alternatively, incidents might be manually detected through threat hunting operations or be reported by employees, customers, or law enforcement.
- Analysis — determines whether an incident has occurred and performs triage to assess how severe it might be from the data reported as indicators.
- Containment — limits the scope and magnitude of the incident. Incident response aims to secure data while limiting the immediate impact on customers and business partners. It is also necessary to notify stakeholders and identify other reporting requirements.
- Eradication — removes the cause and restores the affected system to a secure state by applying secure configuration settings and installing patches once the incident is contained.
- Recovery — reintegrates the system into the business process it supports once the cause of the incident has been eradicated. This phase may involve restoring data from backup and security testing. Systems must be monitored closely to detect and prevent any recurrence of the attack. The response process may have to iterate through multiple phases of identification, containment, eradication, and recovery to effect a complete resolution.
- Lessons learned — analyzes the incident and the response to identify whether procedures or systems could be improved. It is imperative to document the incident. Outputs from this phase feed back into a new preparation phase in the cycle.

Incident response likely requires coordinated action and authorization from several departments or managers, which adds further complexity. The IR process is focused on cybersecurity incidents. There are also significant incidents that pose an existential threat to company-wide operations; these major incidents are handled by disaster recovery processes. However, a cybersecurity incident might lead to a major incident being declared.

9.1.3 Isolate and Contain

Isolation, Containment, and Segmentation (00:00-00:10)

Today, we'll be discussing isolation, containment, and segmentation within network security. Let's get started.

Isolation (00:10-00:49)

Isolation limits the ability of a compromised asset or application to do more harm to the network or its assets. This can be accomplished in a few different ways. One way is process isolation. This ensures that if a process is compromised, only the resources used by that process are at risk. This practice applies to operating systems as well as RAM: it prevents any process limited by access bounds from accessing the resources of another process, and it is a trait of a stable operating system. Isolation is considered a preventive security measure since it is implemented before an event is detected.

Containment (00:49-01:53)

Containment is the first step after an event has been detected and identified. This action can take a few forms. An IT admin may disconnect a machine from the network by simply unplugging the Ethernet cable or disabling the NIC. If this network is connected to other networks, that connection may be terminated. The decision to disconnect must be weighed against the amount of data being compromised and the potential loss of forensic evidence. No matter what, the goal of containment is to limit the damage potential of malicious activity.

Containment requires action. Once an IT security analyst detects and identifies a malicious event, they must act. In this scenario, the analyst is monitoring a physical server that must be manually disconnected from the network. This means the on-site IT admin must jump into action as quickly as possible. Time is of the essence, since this event threatens not only the physical server but also the servers in the branch office, because the two networks are connected via a VPN. Containment requires that the damage be limited, even if it means taking a server down.

Segmentation (01:53-02:41)

Segmentation is a strategic network design. The concept is simple: keep sections of a network separated so that malicious actors can't pivot within the network. Segmentation can be accomplished through VLANs, software-defined networks, switches, subnetting, or even physical segmentation. But simply being on a different subnet is not enough. Rules must be implemented to control what kind of communications can occur between assets on the network. Many times, a network admin will create a DMZ. This is a virtual area where assets are kept separate from internal network assets. A network with a DMZ may have a single firewall or two firewalls, depending on how secure this segment needs to be. No matter the topology, access between the DMZ and the internal network is secured and controlled.

Summary (02:41-02:58)

That's it for this lesson. We discussed isolation and how it's used to protect a network. Next, we talked about containment, which is the first action taken once an event has been detected. We ended by discussing network segmentation and how it can prevent unauthorized access.
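To show why a separate subnet alone is not a control, here is an added example (not part of the lesson) of the rule layer the segmentation section calls for: a small zone-based policy for the internet/DMZ/internal design with default deny between zones. The subnets, host addresses, ports and rules are constructed for illustration.

```python
"""Zone-based segmentation policy check. Constructed example, not lesson material:
subnets, hosts and rules below are invented to illustrate the DMZ design."""
import ipaddress

# Constructed subnets: each zone is its own subnet (the VLAN/subnetting step).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
}

# Allowlist: (src zone, dst zone, dst port, optional single source host).
# Anything unmatched is denied, which is the rule layer that stops a
# compromised DMZ host from pivoting into the internal network.
RULES = [
    {"src": "internet", "dst": "dmz", "port": 443, "src_host": None},
    {"src": "dmz", "dst": "internal", "port": 5432, "src_host": "192.0.2.10"},
    {"src": "internal", "dst": "dmz", "port": 22, "src_host": "10.10.1.5"},
]

def zone_of(ip):
    """Most specific zone containing ip; 'internet' is the catch-all."""
    addr = ipaddress.ip_address(ip)
    best = "internet"
    for name, net in ZONES.items():
        if addr in net and net.prefixlen > ZONES[best].prefixlen:
            best = name
    return best

def evaluate(src_ip, dst_ip, dst_port):
    """Return ('allow', rule) on a rule match, ('deny', None) otherwise."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return ("allow", None)  # same segment: the inter-zone firewall never sees it
    for rule in RULES:
        if (rule["src"], rule["dst"], rule["port"]) != (src_zone, dst_zone, dst_port):
            continue
        if rule["src_host"] in (None, src_ip):
            return ("allow", rule)
    return ("deny", None)

def audit(flows):
    """Verdict for each (src, dst, port) flow, in order."""
    return [evaluate(s, d, p)[0] for s, d, p in flows]

if __name__ == "__main__":
    # Constructed flows: public web access, then an SSH pivot attempt from the DMZ.
    print(audit([("203.0.113.7", "192.0.2.10", 443), ("192.0.2.10", "10.10.2.20", 22)]))
```

The host-scoped rule on port 5432 is what distinguishes the DMZ web server from any other DMZ host: a second compromised DMZ machine gets no path to the database even though it sits on the same subnet as the web server.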
9.1.4 Isolate and Contain Facts

This lesson covers the following topics:
- Isolation, containment, and segmentation
- Security Orchestration, Automation, and Response (SOAR)
- Incident plans

Isolation, Containment, and Segmentation

Data, whether benign or malicious, must be handled correctly. You can use isolation and containment for malicious or suspect data, and segmentation as a strategic network architecture tool to prevent outside data from reaching internal network appliances.

Strategy: Description
- Isolation: Isolation limits the ability of a compromised process or application to do more harm to the network or its assets. One way to protect the network is process isolation. This ensures that if a process is compromised, only the resources used by that process are at risk.
- Containment: Containment is the first step after an event has been detected and identified. This action can take a few forms. You can disconnect a machine from the network by unplugging the Ethernet cable or disabling the NIC. If a network is connected to other networks, you can terminate those connections.
- Segmentation: Segmentation is a strategic network design. The concept is simple: separate the network sections so malicious actors cannot pivot within a network. You can segment using VLANs, software-defined networks, switches, subnetting, or physical segmentation. Being on a different subnet is not enough. You must implement rules to control the kind of communications that occur between assets on the network. You can also create a demilitarized zone (DMZ). It is a virtual area where you separate assets from internal network assets. Depending on how secure the segment needs to be, a network with a DMZ may have a single firewall or two firewalls. No matter the topology, access between the DMZ and the internal network is access-controlled.

Security Orchestration, Automation, and Response (SOAR)

SOAR is a platform that compiles security data generated by different security endpoints. This collected information is then sent to a security analyst for further action. SOAR frees an analyst from constantly receiving security alerts as they are generated; analysts can define parameters to automate the response to security incidents that meet specific criteria. SOAR:
- Gathers alert data and places it in a specified location.
- Facilitates application data integration.
- Facilitates focused analysis.
- Creates a single security case.
- Allows for multiple playbooks and playbook step automation.

Incident Plans

As part of the incident response process, you can use playbooks and runbooks together to achieve a more effective response that can be automated and can include tasks automatically assigned to analysts. These two plan types can also help meet regulatory frameworks such as GDPR or NIST where required.

Plan Type: Description
- Runbooks: Runbooks are a condition-based series of protocols you can use to establish automated processes for security incident response. Assessment, investigation, and mitigation are accelerated using a runbook. Even though processes are automated, human analysis is still used in some cases.
- Playbooks: A playbook is a checklist-style document specifying how to respond to a threat or incident. The steps are listed in the order they are to be performed. A playbook ensures a consistent approach to security issues.
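As an added example that is not part of the lesson, the following script sketches the SOAR runbook flow described above (gather alerts, fold them into a single case, automate only incidents that meet set criteria, assign the rest to an analyst) and orders the containment steps so that evidence is captured before the host is isolated, the forensic trade-off the 9.1.3 containment section raises. The alert data, criteria, step names and the run_step stand-in are constructed, not a real SOAR product's API.

```python
"""Condition-based runbook driver. Constructed example, not lesson material:
alerts, criteria and actions below are invented; run_step stands in for a
real orchestration action."""
from collections import defaultdict

# Constructed alerts from two endpoints (EDR and IDS) about the same host.
ALERTS = [
    {"source": "edr", "host": "srv-web-01", "type": "ransomware", "confidence": 95},
    {"source": "ids", "host": "srv-web-01", "type": "ransomware", "confidence": 80},
    {"source": "edr", "host": "wks-042", "type": "suspicious_script", "confidence": 40},
]

# Runbook condition: automate only high-confidence, well-understood threats;
# anything else still goes through human analysis.
AUTO_TYPES = {"ransomware", "known_malware"}
MIN_CONFIDENCE = 90

# Ordered automated steps. Volatile evidence is captured before the host is
# isolated, since disconnecting first can destroy forensic data.
AUTO_STEPS = ["snapshot_memory", "collect_logs", "isolate_host", "notify_stakeholders"]

def build_cases(alerts):
    """Fold alerts about the same host and threat into one case (single security case)."""
    cases = defaultdict(lambda: {"sources": [], "confidence": 0})
    for a in alerts:
        case = cases[(a["host"], a["type"])]
        case["sources"].append(a["source"])
        case["confidence"] = max(case["confidence"], a["confidence"])
    return dict(cases)

def meets_criteria(threat_type, confidence):
    """The runbook's automation condition."""
    return threat_type in AUTO_TYPES and confidence >= MIN_CONFIDENCE

def run_step(step, host):
    """Stand-in for a real orchestration action; returns an audit record."""
    return f"{step}:{host}:ok"

def execute_runbook(alerts):
    """Per-case outcome: an automated step log, or a task assigned to an analyst."""
    outcomes = {}
    for (host, threat_type), case in build_cases(alerts).items():
        if meets_criteria(threat_type, case["confidence"]):
            outcomes[(host, threat_type)] = {"mode": "automated",
                                             "log": [run_step(s, host) for s in AUTO_STEPS]}
        else:
            outcomes[(host, threat_type)] = {"mode": "analyst", "task": f"triage {host}"}
    return outcomes
```

Calling execute_runbook(ALERTS) automates the high-confidence ransomware case end to end and leaves the low-confidence script alert as an analyst task, which is the split between runbook automation and human analysis the table describes.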