Certified Cybersecurity Technician Incident Response PDF
Document Details
Uploaded by barrejamesteacher
null
EC-Council
Tags
Related
- Certified Cybersecurity Technician Incident Response PDF
- Certified Cybersecurity Technician Incident Response PDF
- Incident Response Guidelines for Incident Containment PDF
- 5.1 Summarize Effective Security Governance PDF
- Lecture 12 - Ch19 - Security (2) PDF
- Information Security Management Study Material PDF
Summary
This document describes the incident handling and response process for certified cybersecurity technicians. It covers communication with stakeholders, incident notification, and coordination.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Incident Response Step 4: Notification...
Certified Cybersecurity Technician Exam 212-82 Incident Response Step 4: Notification QO Incidents are communicated to different © v internal and external stakeholders Notify the Management oo > o Plan forIR O QO Communicating incident helps in reducing , the impact of thv'e th'e incident by facilitating e X No NO ‘ better coordination between stakeholders Notification s > affected by the incident e e Notify the Required Stakeholders v¥ @l ] O External Support Xwo.g Q Q Naished Required ' e I o Lo vEs YES ' eooa — I I (4= L Contact External Agencies oo d Copyright © by EC- E L. All Rights Reserved. Reproduction is Strictly Prohibited. Step 4: Notification Communication plays a major role in swiftly responding to an incident. It helps in reducing the impact of the incident by facilitating better coordination between different stakeholders affected by the security incident. Communicate the IR process and results to the IH&R team members, so that they can understand the type of response and their responsibilities when responding to the incident. The detailed process flow of notification is displayed in the below figure: @ v Notify the Management oo > Plan for IR v § Approval for X no é Noliflcatlon Nolmcatlon................... > v L Yes LY Notify the Required Stakeholders v External Support Required v L YESYES L7 Contact External Agencies oo Figure 19.5: Process flow of notification Module 19 Page 2146 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response Incident responders must communicate about the severity of the incident with the management or authorized persons to gather relevant approvals for performing IR procedures. The communication would include the first report, initial processes performed to assess the situation, detection methods applied, impacted resources, and management strategy. The IH&R team should discuss the incident with a legal representative to file a lawsuit against the perpetrators. After obtaining the approval, the IH&R team will communicate the relevant matters about the incident with the necessary stakeholders. All employees and other stakeholders must communicate with the IH&R team whenever they suspect a security breach. The IH&R team lead should discuss the breach with core team members and other members of the organization to respond to the incident effectively. Incident responders can communicate a part of the situation to an external party after approvals from management if they need external support for responding to the incident. After controlling and mitigating the incident, the IH&R team can disseminate the details of the incident and lessons learned in the organization and media to create awareness. Depending on the circumstances of the incident, the goal of the response strategy is to examine the most appropriate response procedure. The response plan should consider the political, technical, legal, and business factors of the incident. A response strategy generally depends on the circumstances of the incident. The factors that affect the resources required to investigate an incident include the following: = Forensic duplication of the related computer systems = Criminal referral = Civil litigation = QOther aspects o What is the range of impact of the incident on systems? o How sensitive is the compromised or stolen information? o Who are the attackers? o s the public aware of the incident? o What unauthorized access level have the attackers gained? o What skills do the attackers have? o What is the total downtime for the system and the user? o What is the total loss in dollars? The information gathered during the initial response is important for selecting a response strategy. Before selecting the response strategy, reinvestigate the details of the incident. An organization that is suffering from a security incident needs to notify the appropriate internal and external IH&R team to minimize any repercussions of the security event. Module 19 Page 2147 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response The IH&R team’s role in the notification and planning includes the following. Notifying management: The IH&R team is responsible for notifying the management about the incident that occurred. The management should also be informed about the effects of the incident. Communicating the incident: Before communicating any information about the incident, the IH&R team should obtain documented approval from the management. The incident information should not be hidden from the stakeholders and other people. People that are likely to be affected by the incident need to be informed about the incident. Disclosing the details of the incident: Apart from broadcasting about the incident, the IH&R team should also seek approval for disclosing the details of the incident. Disclosing the details of an incident is important, as certain stakeholders of the organization need to be aware of these details. Approval denied: If the management does not provide their approval for disclosing the incident details, the IH&R team should proceed with the procedure of IR. External support: Before proceeding with an in-depth investigation of the incident, the IH&R team checks if external support is required to handle the case. External support required: If external support is required, the IH&R team contacts external agencies for input. IH&R team and external support: Once the external support joins the investigation of the incident, the IH&R team and the management team proceed with handling the incident and the response plan. Module 19 Page 2148 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response Step 5: Incident Containment Q Incic ent in\ Q At this phase, evidence Decide a Containment Strategy. External Support Inputs * \ v v s 7 $ ‘ Escalate the Containment Task Technical Response ~» Taskis Assigned to Technical Team I— 4 Required? X no no XX o no Management W ves Response Required? - * Taskis Assigned to Management Team I— d Incident Contained? NOXQ YES u‘l:;::;“ v. Task is Assigned to Legal Team |’fi |’*. noX Provide Initial Response and Close the Case Step 5: Incident Containment Containment focuses on limiting the scope and extent of an incident. The IH&R team plays a significant role in reducing an incident’s magnitude or complexity in preventing further damage to the organization. Containment focuses on limiting the scope and extent of an incident. The aim of the containment stage is to reduce any losses and/or damages from the attacks by mitigating vulnerabilities. If the systems, networks, or workstations are compromised by a security incident, the IH&R team must determine whether to shut down the system, disconnect the network, or continue with operations in order to monitor the system’s activities. The response to all these situations depends on the type and magnitude of the incident. Common techniques used in the containment phase are as follows. = Disabling of specific system services o Disable system services temporarily in order to reduce the impact of the incident and to continue system operations. o When an unknown vulnerability affects a computer, it is removed from the network until the problem is rectified. o Change the passwords, and disable the account. o Change passwords on all systems that interact with the affected system, so that there are no more infections. = Complete backups of the infected system o Back up data on the affected systems to reduce the damage during IR. Use a system backup for further investigation of the incident. Module 19 Page 2149 Certified Cybersecurity Technician Copyright © by EG-Council EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response Temporary shutdown of the compromised system o If the compromised computer systems have no alternate options to handle the situation, then shut them down temporarily. This shutdown limits the damage caused by the incident and provides extra time to analyze the problem. System restoration o Replace the recovered computers with a trusted and clean backup copy. o ldentify the incident sources such as vulnerabilities, threats, and access paths, and patch everything before restoring the system. Maintaining a low profile o When detecting network-based attacks, be careful to not tip off the intruder. This is because the intruder might do more harm to other systems in the network and/or erase everything they can to eliminate the chances of being traced. Maintain standard procedures, including continuing to use the IDS and the latest antivirus and anti-spam software. ‘ Return to v Containment Strategy Decide a Containment Strategy « External Support Inputs 4 y 8 W YES Escalate the Containment Task Technical Response ~» Task is Assigned to Technical Team l - Required? b X no NOo X Management & YES Response Required? ~» Task is Assigned to Management Team l i Incident Contained? NO A v 7 YES YES A4 Legal Response v > Task is Assigned to Legal Team l Required? nNo X Provide Initial Response and Close the Case Figure 19.6: Process flow of incident containment Module 19 Page 2150 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited.