M5 - Incident Response


Questions and Answers

What aspect is considered the most critical component of an Incident Response Plan?

  • Human capital (correct)
  • Technology infrastructure
  • Incident detection tools
  • Communication protocols

Which phase of the General Incident Response Plan focuses on ensuring no further damage occurs?

  • Detection
  • Containment (correct)
  • Eradication
  • Preparation

Which type of incident response team is best suited for an organization with geographically widespread operations?

  • Emergency Response Team
  • Centralized Incident Response Team
  • Distributed Incident Response Team (correct)
  • Coordinating Team

What is the term for an observable occurrence that does not always pose a threat?

Event (B)

In the context of incident response, what does the 'Learning' phase aim to achieve?

Improving response for future incidents (C)

What does 'Mean Time to Acknowledge' measure in incident response metrics?

The time taken to recognize a threat (B)

Which of the following is NOT a category of losses usually covered by cyber insurance policies?

System Upgrade Costs (D)

What is the primary purpose of performing simulations or tabletop exercises on an incident response plan?

To ensure procedures are current and effective (B)

Which of the following metrics does NOT measure the time related to incident response?

System Availability (A)

In the context of incident response, what does 'Mean Time to Contain' refer to?

The time taken to start remedying an issue (A)

Flashcards

Incident Response Plan (IRP)

A set of documented procedures, personnel, and information to detect, respond to, and limit the consequences of a cyberattack on an organization.

Incident Response Timeline

A chart within an IRP that outlines the timeline for incident response, including detection, containment, eradication, recovery, and normal business operations restoration.

Centralized Incident Response Team

A type of incident response team where a single team handles all incidents, suitable for smaller organizations.

Event

An observable occurrence that doesn't necessarily pose a threat to an organization.

Computer Security Incident

An event caused by malicious intent or human error that may harm an organization.


SANS

An organization that publishes cybersecurity standards and guidelines, focusing on security awareness and IT risk management.


NIST

A US government agency that develops cybersecurity standards and best practices, with a focus on risk management and incident response.


Simulations/Tabletop Exercises

Testing your Incident Response Plan using hypothetical scenarios to evaluate the effectiveness of your procedures and team.


Mean Time to Repair

A metric used to measure the time it takes to completely restore a system back to a functional state after an incident.


Insurable Losses

Financial losses incurred due to cyberattacks, encompassing a range of expenses related to recovery, legal costs, and reputation damage.

Study Notes

Incident Response Plan (IRP)

  • Detailed set of procedures, personnel, and information to detect, respond to, and limit consequences of cyberattacks.
  • Human capital is the most crucial aspect of an effective IRP.

Incident Response Timeline

  • Visual representation (often a Gantt chart) of the IRP, showing the stages from incident occurrence to resolution and return to normal operations.

NIST Response Team Models

  • Centralized: Single team, best for smaller organizations.
  • Distributed: Multiple teams, suitable for geographically dispersed organizations.
  • Coordinating: Secondary function, responsible for deploying teams to resolve incidents in specific departments.

Events vs. Incidents

  • Event: Observable occurrence, not necessarily a threat.
  • Adverse Event: Intentional or unintentional event with negative consequences (e.g., system crashes, floods, unauthorized access).
  • Computer Security Incident: Adverse event related to computer security and driven by malicious intent.

General Incident Response Plan (PDCERRL)

  • Preparation: Assembling personnel, tools, and processes.
  • Detection: Recognizing deviations from normal operations.
  • Containment: Preventing further damage.
  • Eradication: Removing threats and restoring systems.
  • Reporting: Communication.
  • Recovery: Returning to normal IT operations.
  • Learning: Improving future responses.

Frameworks Created by Other Organizations

  • SANS
  • NIST
  • ISO
  • ITIL
  • US-CERT
  • PCI-DSS

Testing IRP Plans

  • Simulations: Hypothetical scenarios to test procedures.
  • IRP Metrics: Key performance indicators (KPIs) to track effectiveness.
  • Post-incident review: Analyzing the response.
  • Periodic audits: Regular checks on the plan.
  • Continuous monitoring: Ongoing surveillance.

Simulating IRPs (Tabletop Exercises)

  • Annual testing: Evaluating plan effectiveness and accuracy in handling hypothetical situations.

IRP Metrics

  • Mean Time to Detect (MTTD): Time to identify an incident.
  • Mean Time to Acknowledge (MTTA): Time to recognize an incident as a threat.
  • Mean Time to Contain (MTTC): Time to limit further damage.
  • Mean Time to Repair (MTTR): Time to fully fix the issue.
  • Mean Time Between Failures (MTBF): Tracking consecutive incident occurrences.
  • System Availability or Downtime: Measures system stability.
  • Service Level Agreement (SLA) Compliance: Evaluating adherence to performance standards.

Insurable Losses in Cyberattacks

  • Business Interruption Losses: Lost revenue during disruption.
  • Cyber Extortion Losses: Ransom payments and associated expenses.
  • Incident Response Costs: Expenses incurred during the response phase.
  • Information/Identity Theft Costs: Legal and replacement expenses.
  • Reputation Damage: Cost of damage to a company's image.
  • Replacement Costs for Information Systems: Replacing systems damaged in a breach.
  • Litigation and Attorney Fees: Costs associated with legal proceedings.

Cyber Extortion Losses

  • Ransom payments: Direct payments to attackers.
  • Attorney fees: Legal expenses to navigate negotiations and legal issues.
  • Negotiation fees: Costs associated with dealing with attackers.
