Chapter 19 - 03 - Describe Incident Handling and Response Process - 01_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Incident Response

Module Flow

@ 1 > Understand Incident Response Concepts

@ 2 )> Understand the Role of Fixst
Fixrst Responder in Incident Response

’; 3 >) Describe Incident Handling and Response Process

Copyright © by EC-Councll, All Rights Reserved,
Reserved. Reproduction Is Strictly Prohibited.

Describe Incident Handling and Response Process
“Incident handling and response” (IH&R) is the practice of managing the processes involved in
responding to an incident—such as preparation, detection, containment, eradication, and
recovery—to overcome the impact of an incident quickly and efficiently. The objective of this
section is to introduce you to the complete incident handling and response (IH&R) process.

Module 19 Page 2124 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Incident Response

Importance of IH&R Process
QO
O Incidents can happen , at and can
leading to heavy losses, in terms of both finance
and reputation

O Wwith the rapid increase in threats and incidents, the need for
With
and incident handling and response has become mandatory
for every organization

Purpose of IH&R process is to:

v’ Protect networks and systems
|
v issues
Address legal issues
RN

¥’ Ensure
Ensure timely
timely incidents
incidents handling
handling vv Comply
Comply with
with local,
local, national,
national, and
and international
international
v Ensure the gathering of appropriate information guidelines
A TRA S IS

v Identify false positives v’ Train and protect personnel
v use resources
Efficiently use
Efficiently resources v Develop comprehensive documentation
| -— _—
— | e— —
—

Importance of IH&R Process
The exponentially rapid progress of technology for organizations has given rise to new
technologies capable of serving diverse sectors. However, this technological diversity has
notably intensified the frequency, diversity, severity, and approach of security threats,
indicating the need for every organization to mandate effective and structured IH&R processes.
Incidents that can compromise crucial business data and cause heavy financial and reputational
losses can happen on any day and at any time. To avoid such losses, organizations should
prepare to efficiently handle any incidents.
Organizations therefore employ the IH&R process to:
= Protect Networks and Systems
With technology continuously evolving, attackers are finding new ways to damage
businesses. In such a scenario, it is difficult to completely secure systems and data even
after instituting expensive high-level security features such as special access controls on
various computing resources. The best strategy for securing computer systems and
protecting networks is to quickly detect any indicators of compromise and recover from
the security incident. An efficient IR procedure ensures the proper maintenance of all
critical business operations during and after an incident.
= Ensure Timely Incident Handling

During any incident situation, time is the most important factor: as time increases,
damage increases. Therefore, IH&R processes should always encourage organizations to
adopt various time management techniques and tools for detecting, validating, and
containing incidents before it is too late.

Module 19 Page 2125 Certified Cybersecurity Technician Copyright © by EG-Council
EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Incident Response

= Ensure the Gathering of Appropriate Information

The IH&R process ensures the gathering of appropriate and accurate information
necessary for understanding a security incident, building an IH&R team from existing
employees, clarifying standard security procedures, developing knowledge of required
tools, and deploying the latest security measures to handle any future information
security incidents.

= |dentify False Positives
Detecting an incident is an arduous process; however, it becomes even more difficult
when it is necessary to identify false positives—even simple mistakes, such as
application program errors, human errors, hardware failure errors, and system
configuration errors, can generate alarms. IR processes crucially help organizations
differentiate actual incidents from false alarms and advise best practices for handling
both.

= Efficiently Use Resources

The technical and managerial resources required for incident handling are often limited.
The best way to use these resources is to respond to incidents as quickly as possible.
Information gained during the incident handling process can help to prevent incidents or
enhance an organization’s ability to handle future incidents and implement strong
security for systems and data.
= Address Legal Issues
Organizations must abide by the laws of their jurisdictions when dealing with security
incidents; otherwise, they may face legal issues. Sometimes, for example, incident
handling requires the investigation of private information, and such processes can
conflict with individual privacy rights—according to the U.S. Department of Justice, it is
illegal for organizations to use certain monitoring techniques to identify an information
security incident. To be sure, then, IH&R processes must comply with different laws and
acts, such as the Health Insurance Portability and Accountability Act (HIPAA) and the
Federal Information Security Management Act (FISMA). Moreover, IH&R processes
should also be sure to advise incident responders to attain proper permissions and
approvals from concerned authorities. In addition, IH&R processes may also define a
strategy for identifying and prosecuting the perpetrators of security incidents. The key
takeaway here is that aligning incident procedures with relevant laws fortifies an
organization against legal and public liabilities.

= Comply with Local, national, and International Guidelines
An IH&R process can help an organization comply with local and international protocols,
policies, control measures, and guidelines set by various Community Emergency
Response Teams (CERTSs), while at once enabling it to handle and recover from any type
of information security incident.

Module 19 Page 2126 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Incident Response

®* Train and Protect Personnel

A good IH&R process requires an organization to build a good team capable of
accelerating analysis, limiting damage to a minimal level, completely eradicating the
incident, and restoring operations. This team will also help the organization learn from
the incident and implement such knowledge to improve network safety. A swift IR helps
to protect an organization’s human resources from any physical consequences of a
workplace incident.
= Develop Comprehensive Documentation
IH&R processes must advise the documentation of the whole scenario starting from the
alert generation to the identification of the best solution to the incident. This
documentation will serve as a reference for analyzing the mistakes, threats, or
vulnerabilities that paved the way for the incident and will thus offer insights helpful for
future prevention, especially when they inform which advanced security measures may
best prevent future attacks.

Module 19 Page 2127 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.