Certified Cybersecurity Technician Incident Response PDF
Document Details
Uploaded by barrejamesteacher
null
Tags
Related
- Certified Cybersecurity Technician Incident Response PDF
- Certified Cybersecurity Technician Incident Response PDF
- Certified Cybersecurity Technician Incident Response PDF
- Chapter 19 - 03 - Describe Incident Handling and Response Process - 04_ocred_fax_ocred.pdf
- Certified Cybersecurity Technician Incident Response PDF
- Certified Cybersecurity Technician Incident Response PDF
Summary
This document provides an overview of the incident handling and response process (IH&R). It outlines the steps involved in preparing for, recording, and handling incidents, as well as the roles of different parties in the process. The summary highlights the use of evidence gathering, forensic analysis, eradication, and recovery as crucial steps in the process.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Incident Response Overv...
Certified Cybersecurity Technician Exam 212-82 Incident Response Overview of IH&R Process Flow Preparation for IH&R Notification e * Management and Other Depts, Depts. I’ H 1$ vo ' """"""""" g el Containment vi : H IT Support.- ¥v Not Classified as e u— it a Security Evidence Evidence Gathering and Gatheringand ForansiceDect! ‘ Forensic Forensic Analysis Analysis > ) Forensics oren: f-’ Dept. ep Security Incident Security Incident XX No NO. Incident? Incident? i Incident Recording Incident Recording. [ é se ’ ' Eraication Eradication Incid ncident Discl Incident Disclosure Disclosure and Asslgnment and Assignment IH&R Team Assign Assigned & 1 Disclosure Disclosure Procedure Procedure ii v v 4W ves Recovery ii ves YE! Incident Analysis and Validation OV H ' Disclosure 3A Post-Incident Activities Required? Required? Incident Incident Triage Triage Incident Incident Classification Classification I’ Incident Documentation i i t¢ v v H Incident Prioritization ' Incident Impact Assessment * Review Review and Revise Policies +oovs » Close Incident Close | Copyright © by IEC cll. All Rights ReReserved. cil. pserved. Reproduction is Strictly Prohibited Overview of IH&R Process Flow IH&R combines various cybersecurity processes under a single procedure for combating incidents, quickening responses, improving controls and management processes, easing communication, improving resource use, evenly distributing tasks, efficiently reporting incidents and responses, and so on. Incident handling is like fighting a war, but on the cyber front. Preparation for IH&R Notification s e * Management and Other Depts. 0' v ------------------ > Incident Recording Containment 'v IT Support s v Not Classified as Sy PP—— it a Security Evidence Gathering and Forensics Dept. Security Incident XA NO Incident? Forensic Analysis Incident Recording = é W YES. Eradication Incident Disclosure and Asslgnrnent Asslgnment IH&R IH&R Team Team Assigned Disclosure Procedure i v «. L4) Recovery iVOYES Incident Analysis and Validation | v d Post-Incident Activities Disclosure Required? Incident Triage Incident Classification Incident Documentation §{ Ht v v Incident Prioritization Incident Impact Asse t Review Revi and Revise Policies + Close Incident Close Figure 19.1: IH&R process flow Module 19 Page 2128 Certified Cybersecurity Technician Copyright © by EG-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response = Step 1: Preparation for IH&R The first phase of IH&R is to prepare to face the security issue(s). Preparation includes auditing the resources and assets to determine the purpose of the security response; defining the rules, policies, and procedures that drive the IH&R process; building and training an IR team; defining incident readiness procedures; gathering required tools; and training employees to secure their systems and accounts. = Step 2: Incident Recording and Assignment The preparation phase is followed by an incident recording and assignment phase that involves the initial reporting and recording of the incident. This phase includes identifying the incident and defining a proper incident communication plan for employees—notably, this latter element can include normalizing communication methods that involve informing IT support personnel or raising an appropriate ticket. When a user or an employee reports any suspicious behavior on his or her system to IT support staff, a ticket or token is created about the irregular behavior and a member from the IR team is assigned to analyze the issue. Based on the ticket or the IT professional’s intimation, the IH&R team will look into the issue and, if the issue qualifies as an incident, an IH&R team will be assigned to handle the incident, with the compromised device sent to the IH&R team for further investigation. Otherwise, the issue will be considered resolved and the ticket will be closed. = Step 3: Incident Triage In this phase, the incident will be analyzed, validated, categorized, and prioritized. The IH&R team will further analyze the compromised device to find incident details, such as the attack’s type, severity, target, impact, and method of propagation as well as the vulnerabilities the attacker exploited. These details help the IH&R team to scale its impact and determine what other targets were involved in the incident, what techniques it must apply to contain the incident, and what it must prioritize to solve the incident. = Step 4: Notification The notification phase involves the release of incident information to various stakeholders, including management, third-party vendors, and clients. The notification phase occurs as soon as the incident is confirmed and validated, with the incident handlers first communicating the issue to management to gain necessary approvals and permissions. = Step 5: Containment The containment phase—which occurs at the same time as the notification phase— involves the IH&R team’s containment of the incident. Crucially, the containment phase must be performed to stop the infection from spreading to other organizational assets. Along these lines, the important take away here is that the containment phase helps an organization stop a live attack from spreading and reduce damage and losses. Module 19 Page 2129 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response Step 6: Evidence Gathering and Forensic Analysis The evidence gathering phase occurs after the containment phase and involves the IH&R team collecting evidence. In this phase, the team will accumulate all possible evidence related to an incident and submit it to the forensic department for investigation. Such evidence may include details related to the method of attack as well as the vulnerabilities exploited, security mechanisms averted, network devices infected, and applications compromised that may have acted as pathways in the attack. Collecting and analyzing this information helps the IH&R team to block propagation methods to eradicate the incident and prevent it from reoccurring in the future. Step 7: Eradication The eradication phase involves the IH&R team removing or eliminating the root cause of an incident and closing all attack vectors to prevent similar incidents in future. Eradication methods may include patching vulnerabilities, replacing malfunctioning devices, and installing better security mechanisms, including those that scan for malware signatures. Step 8: Recovery After eliminating the causes of an incident, the IH&R team is responsible for restoring the affected systems, services, resources, and data through a recovery process. It is the responsibility of the IR team to ensure—to the extent possible—that the incident does not disrupt the organization’s operations. Therefore, the IH&R team may need to recover compromised devices, applications, systems, or terminals as soon as possible by either replacing them or quickly fixing the issue. Step 9: Post-Incident Activities This stage occurs only after the incident has been contained and the systems recovered. All tasks performed by IH&R personnel after this stage—such as incident documentation, incident impact analysis, policy review and revision, and incident disclosure—qualify as “post-incident activities.” o Incident Documentation Incident responders must document the complete IH&R process from detection to recovery. Such documentation will serve as a future reference to facilitate understanding of the practices employed to handle the incident. Notably, handlers should present the report to legal counsel; submit it to management; and use it to assess loss, review policies, change security norms, and reframe user protocols to improve network security. o Incident Impact Assessment After completing the formal IH&R process from incident recording through documentation, the IH&R team will analyze all information available to perform an incident impact analysis that assesses the impact of the damages or losses the organization suffered as a result of the incident. Module 19 Page 2130 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response o Policy Review and Revision After assessing the incident’s impact, the IH&R team will review and revise the organization’s policies, preparation and protection procedures, and security controls to prevent future incidents. They will also share the identified threat information with threat intelligence teams. o Closing the Investigation By this phase, the incident will have been thoroughly investigated and documented and appropriate policies will have been reviewed and revised. This phase involves the official termination of the investigation and the planning of the implementation of the incident evidence retention policy. o Incident Disclosure After formally closing the incident, the organization’s IH&R team and management will discuss whether to disclose the incident’s details to the public (e.g., customers, media, industry intelligence). Additionally, the incident handlers are also responsible for communicating the issue to other departments in the organization (e.g., legal, human resources, forensics). Module 19 Page 2131 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited.