
Chapter 19 - 02 - Understand the Role of First Responder in Incident Response_ocred_fax_ocred.pdf


Certified Cybersecurity Technician Exam 212-82 Incident Response

Module Flow
1. Understand Incident Response Concepts
2. Understand the Role of First Responder in Incident Response
3. Describe Incident Handling and Response Process

Understand the Role of First Responder in Incident Response

The objective of this section is to understand the role of the first responder in incident response (IR). The first responder plays a crucial role by providing a quick initial response to the incidents of threats or attacks in the organization. This section deals with the roles and responsibilities of the first responder.

Module 19 Page 2118 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

First Responder

- A first responder is an individual who arrives first at the crime scene and brings the incident to the attention of others.
- The first responder could be an end user, network administrator, or any other individual who is involved in the day-to-day network operations, spends a lot of time in network environments, and is familiar with the organization's assets, network traffic, performance and utilization, network topology, location of each system, security policy, etc.
- The first responder plays a key role in the incident response and forensic investigation process. He/she can provide great help in early detection of the incident, identifying the source of the incident, assessing the impact of the incident, evidence collection and preservation, etc.

The IH&R team works on the basis of the first responder's report of the incident. The term "first responder" refers to the individuals who arrive first at the crime scene and gain access to the victim's computer system after the incident report. A first responder may be a user, network administrator, law enforcement officer, or investigation officer. They are responsible for protecting, integrating, and preserving any evidence obtained from the crime scene.

The time gap between the occurrence of an incident and the transference of evidence is an important aspect of incident response. It is the responsibility of the first responder to ensure the reliability and liability of the evidence. The method used by any first responder is very important in preserving the evidence and finding the attackers. First responders should be trained to gather evidence without modifying any of the services running at that moment. This is a critical task for the first responders, as they have to gather evidence before it is lost.

The first responder needs to have a dedicated and well-organized plan when responding to any type of incident, as they collect the initial information and determine the extent and impact of the attack or incident. This allows other people involved in handling the incident to effectively determine other courses of action that may be required for investigating the incident. The first responder should be aware of the incident response and forensic investigation procedure; otherwise, the response to incidents can be delayed. A delay in incident response can increase the potential impact of the incident, and evidence can even be corrupted and/or lost.

An experienced first responder can easily apply good forensic techniques when they respond to an incident in the initial stages. They can predict the extent to which any change in the evidence may affect the further investigation. This proficiency helps in maintaining the availability, integrity, and reliability of the evidence. The first responder needs to always understand the importance of their role, as it highly affects the security and efficiency of the organization.

First Responder Roles and Responsibilities

- Reporting the incident
- Alerting the management and incident response teams
- Containing the incident
- Identifying the crime scene
- Collecting the complete information about the incident
- Protecting the crime scene
- Documenting all the findings
- Preserving temporary and fragile evidence
- Packaging and transporting the electronic evidence

First Response Rule

- Under no circumstances should anyone except forensic analysts make any effort to collect or recover the data from any computer system or electronic device that holds electronic information.
- Remember that any information present inside the collected electronic devices is probable evidence and should be treated accordingly.
- Any attempts to retrieve data by unqualified individuals should be avoided. These attempts could either compromise the integrity of the files or result in the files becoming inadmissible in legal or administrative proceedings.
- The workplace or office must be secured and protected to maintain the veracity and quality of the crime scene and the electronic storage media.

Things to Know before First Response

As a first responder, you should review the organization's incident response plan (IRP). The first responder should review the incident plan of their organization and suggest or implement changes to the IRP as required. A typical IRP includes the following:

- Contacts of IH&R Team: This helps a first responder immediately contact the IH&R team when an incident occurs. Having the IH&R team immediately on the location of the incident will help minimize any delay in responding to an incident.
- Escalation procedures: First responders should know whom to contact and report the incident to. There will be certain escalation procedures for the first responder that will help them report the incident without any delay. First responders collect and document the following information before escalating the incident:
  - IP address and physical location of the affected systems
  - Type of data on the systems
  - Timeline of activities the system/user went through before the incident
  - How the incident was detected
  - Number of users affected
- Procedure for reporting and handling an incident: First responders should be aware of reporting and IR procedures.
- Containment actions: The IRP includes containment actions for all types of security incidents. Different containment actions are required for different types of incidents. The first responder should be aware of the containment actions for various types of security incidents, as it helps prevent further damage to an organization.
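As an added example (not part of the EC-Council module), the following Python helper builds the first responder's escalation record from the fields listed above, refuses to escalate while any of them is missing, and seals the record with a SHA-256 digest so the IH&R team can later verify that the documentation was not altered after it left the first responder. The field names and the sample incident are constructed assumptions.

```python
import hashlib
import json

# Information the module says a first responder collects before escalating.
REQUIRED_FIELDS = (
    "ip_address",            # IP address of the affected system(s)
    "physical_location",     # where the affected system physically sits
    "data_type",             # type of data held on the system
    "timeline",              # activities of the system/user before the incident
    "detection_method",      # how the incident was detected
    "users_affected",        # number of users affected
)

def missing_fields(record: dict) -> list:
    """Return the required fields that are absent or empty (0 is a valid count)."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "", [])]

def seal_record(record: dict) -> dict:
    """Attach a SHA-256 digest over the canonical JSON form of the record.

    Sorted keys and compact separators make the digest reproducible on the
    IH&R side regardless of the order in which fields were entered."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {**body, "sha256": hashlib.sha256(canonical).hexdigest()}

def verify_record(sealed: dict) -> bool:
    """True if the sealed record's digest still matches its contents."""
    return seal_record(sealed)["sha256"] == sealed.get("sha256")

def escalate(record: dict) -> dict:
    """Validate completeness, then seal; never escalate an incomplete report."""
    gaps = missing_fields(record)
    if gaps:
        raise ValueError("cannot escalate, missing: " + ", ".join(gaps))
    return seal_record(record)

# Constructed sample incident (hypothetical values, not from the module)
SAMPLE = {
    "ip_address": "10.0.5.23",
    "physical_location": "Building B, floor 2, desk 214",
    "data_type": "customer PII (CRM exports)",
    "timeline": ["08:55 user opened invoice.pdf.exe", "09:02 endpoint AV alert"],
    "detection_method": "endpoint AV alert forwarded to SOC",
    "users_affected": 1,
}

if __name__ == "__main__":
    print(json.dumps(escalate(SAMPLE), indent=2))
```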
