
Chapter 19 - 03 - Describe Incident Handling and Response Process - 02_ocred_fax_ocred.pdf




Certified Cybersecurity Technician Exam 212-82 Incident Response

Overview of IH&R Process Flow

IH&R combines various cybersecurity processes under a single procedure for combating incidents, quickening responses, improving controls and management processes, easing communication, improving resource use, evenly distributing tasks, efficiently reporting incidents and responses, and so on. Incident handling is like fighting a war, but on the cyber front.

[Figure 19.1: IH&R process flow. The diagram shows the phases in order: Preparation for IH&R; Incident Recording; the decision "Security Incident?" (No: not classified as a security incident, ticket closed; Yes: Incident Disclosure and Assignment, IH&R Team Assigned); Incident Analysis and Validation, Incident Triage, Incident Classification and Incident Prioritization; Notification (Management and Other Depts., IT Support, Forensics Dept.) alongside Containment; Evidence Gathering and Forensic Analysis; Eradication; Recovery; Post-Incident Activities (Incident Documentation, Incident Impact Assessment, Review and Revise Policies); the decision "Disclosure Required?" leading to the Disclosure Procedure; and Close Incident.]

Module 19 Page 2128 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Step 1: Preparation for IH&R

The first phase of IH&R is to prepare to face the security issue(s). Preparation includes auditing the resources and assets to determine the purpose of the security response; defining the rules, policies, and procedures that drive the IH&R process; building and training an IR team; defining incident readiness procedures; gathering required tools; and training employees to secure their systems and accounts.

Step 2: Incident Recording and Assignment

The preparation phase is followed by an incident recording and assignment phase that involves the initial reporting and recording of the incident. This phase includes identifying the incident and defining a proper incident communication plan for employees; notably, this latter element can include normalizing communication methods that involve informing IT support personnel or raising an appropriate ticket. When a user or an employee reports any suspicious behavior on his or her system to IT support staff, a ticket or token is created about the irregular behavior and a member of the IR team is assigned to analyze the issue. Based on the ticket or the IT professional's intimation, the IH&R team will look into the issue and, if the issue qualifies as an incident, an IH&R team will be assigned to handle the incident, with the compromised device sent to the IH&R team for further investigation. Otherwise, the issue will be considered resolved and the ticket will be closed.

Step 3: Incident Triage

In this phase, the incident will be analyzed, validated, categorized, and prioritized. The IH&R team will further analyze the compromised device to find incident details, such as the attack's type, severity, target, impact, and method of propagation, as well as the vulnerabilities the attacker exploited. These details help the IH&R team to scale its impact and determine what other targets were involved in the incident, what techniques it must apply to contain the incident, and what it must prioritize to solve the incident.

Step 4: Notification

The notification phase involves the release of incident information to various stakeholders, including management, third-party vendors, and clients. The notification phase occurs as soon as the incident is confirmed and validated, with the incident handlers first communicating the issue to management to gain the necessary approvals and permissions.

Step 5: Containment

The containment phase, which occurs at the same time as the notification phase, involves the IH&R team's containment of the incident. Crucially, the containment phase must be performed to stop the infection from spreading to other organizational assets. Along these lines, the important takeaway here is that the containment phase helps an organization stop a live attack from spreading and reduce damage and losses.

Step 6: Evidence Gathering and Forensic Analysis

The evidence gathering phase occurs after the containment phase and involves the IH&R team collecting evidence. In this phase, the team will accumulate all possible evidence related to an incident and submit it to the forensic department for investigation. Such evidence may include details related to the method of attack as well as the vulnerabilities exploited, security mechanisms averted, network devices infected, and applications compromised that may have acted as pathways in the attack. Collecting and analyzing this information helps the IH&R team to block propagation methods, eradicate the incident, and prevent it from recurring in the future.

Step 7: Eradication

The eradication phase involves the IH&R team removing or eliminating the root cause of an incident and closing all attack vectors to prevent similar incidents in the future. Eradication methods may include patching vulnerabilities, replacing malfunctioning devices, and installing better security mechanisms, including those that scan for malware signatures.

Step 8: Recovery

After eliminating the causes of an incident, the IH&R team is responsible for restoring the affected systems, services, resources, and data through a recovery process. It is the responsibility of the IR team to ensure, to the extent possible, that the incident does not disrupt the organization's operations. Therefore, the IH&R team may need to recover compromised devices, applications, systems, or terminals as soon as possible by either replacing them or quickly fixing the issue.

Step 9: Post-Incident Activities

This stage occurs only after the incident has been contained and the systems recovered. All tasks performed by IH&R personnel after this stage, such as incident documentation, incident impact analysis, policy review and revision, and incident disclosure, qualify as "post-incident activities."

o Incident Documentation

Incident responders must document the complete IH&R process from detection to recovery. Such documentation will serve as a future reference to facilitate understanding of the practices employed to handle the incident. Notably, handlers should present the report to legal counsel; submit it to management; and use it to assess loss, review policies, change security norms, and reframe user protocols to improve network security.

o Incident Impact Assessment

After completing the formal IH&R process from incident recording through documentation, the IH&R team will analyze all available information to perform an incident impact analysis that assesses the damages or losses the organization suffered as a result of the incident.

o Policy Review and Revision

After assessing the incident's impact, the IH&R team will review and revise the organization's policies, preparation and protection procedures, and security controls to prevent future incidents. They will also share the identified threat information with threat intelligence teams.

o Closing the Investigation

By this phase, the incident will have been thoroughly investigated and documented, and the appropriate policies will have been reviewed and revised. This phase involves the official termination of the investigation and the planning of the implementation of the incident evidence retention policy.

o Incident Disclosure

After formally closing the incident, the organization's IH&R team and management will discuss whether to disclose the incident's details to the public (e.g., customers, media, industry intelligence). Additionally, the incident handlers are also responsible for communicating the issue to other departments in the organization (e.g., legal, human resources, forensics).
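The nine steps above form one flow with two decision points (is the ticket a security incident at all, and is disclosure required at the end), and the documentation step depends on every phase transition being recorded. The following Python script is an added example, not part of the EC-Council module, that models that flow as a ticket state machine: it only allows the transitions drawn in Figure 19.1, so a handler cannot jump from triage to eradication without passing containment and evidence gathering, and it builds the incident timeline that the Incident Documentation step asks for. The Phase names follow the figure; the transition table, the Incident class and the constructed ticket ids are my own assumptions, and notification and containment are modelled as a single phase because the text says they occur at the same time.

```python
"""Ticket state machine for the IH&R flow of Figure 19.1 (added example).

The phase names follow the figure; the transition rules, the Incident class and
the constructed ticket ids below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Phase(Enum):
    RECORDED = "incident recording"
    NOT_SECURITY_INCIDENT = "not classified as a security incident"
    ASSIGNED = "IH&R team assigned"
    TRIAGE = "incident triage"
    NOTIFICATION_AND_CONTAINMENT = "notification and containment"
    EVIDENCE_AND_FORENSICS = "evidence gathering and forensic analysis"
    ERADICATION = "eradication"
    RECOVERY = "recovery"
    POST_INCIDENT = "post-incident activities"
    DISCLOSURE = "disclosure procedure"
    CLOSED = "close incident"


# One entry per arrow in the flow. Notification and containment happen at the
# same time in the module text, so they are collapsed into one phase here.
TRANSITIONS = {
    Phase.RECORDED: {Phase.NOT_SECURITY_INCIDENT, Phase.ASSIGNED},
    Phase.NOT_SECURITY_INCIDENT: {Phase.CLOSED},
    Phase.ASSIGNED: {Phase.TRIAGE},
    Phase.TRIAGE: {Phase.NOTIFICATION_AND_CONTAINMENT},
    Phase.NOTIFICATION_AND_CONTAINMENT: {Phase.EVIDENCE_AND_FORENSICS},
    Phase.EVIDENCE_AND_FORENSICS: {Phase.ERADICATION},
    Phase.ERADICATION: {Phase.RECOVERY},
    Phase.RECOVERY: {Phase.POST_INCIDENT},
    Phase.POST_INCIDENT: {Phase.DISCLOSURE, Phase.CLOSED},  # "Disclosure required?"
    Phase.DISCLOSURE: {Phase.CLOSED},
    Phase.CLOSED: set(),
}


class InvalidTransition(Exception):
    """Raised when a handler tries to skip a phase of the flow."""


@dataclass
class Incident:
    ticket_id: str
    phase: Phase = Phase.RECORDED
    # (phase, who, note, utc timestamp): the raw material of the incident documentation
    timeline: list = field(default_factory=list)

    def __post_init__(self):
        self._log("reporter", "ticket raised")

    def _log(self, who, note):
        self.timeline.append((self.phase, who, note, datetime.now(timezone.utc)))

    def advance(self, to, who, note=""):
        """Move to the next phase, refusing any arrow that is not in Figure 19.1."""
        if to not in TRANSITIONS[self.phase]:
            raise InvalidTransition(f"{self.phase.value!r} -> {to.value!r} is not in the IH&R flow")
        self.phase = to
        self._log(who, note)
        return self

    def classify(self, is_security_incident, who):
        """The 'Security Incident?' decision of Step 2."""
        target = Phase.ASSIGNED if is_security_incident else Phase.NOT_SECURITY_INCIDENT
        return self.advance(target, who, "classification decision")

    def report(self):
        """Render the documentation: one line per phase entered, in order."""
        return [f"{ts.isoformat()} {ph.value}: {note} ({who})" for ph, who, note, ts in self.timeline]


def run_sample_flow():
    """Walk a constructed ticket through every phase, including disclosure."""
    inc = Incident("CONSTRUCTED-0001")  # constructed ticket id
    inc.classify(True, "it-support")
    inc.advance(Phase.TRIAGE, "ihr-team", "validated; severity and targets assessed")
    inc.advance(Phase.NOTIFICATION_AND_CONTAINMENT, "ihr-team", "management notified; hosts isolated")
    inc.advance(Phase.EVIDENCE_AND_FORENSICS, "forensics-dept", "evidence submitted for analysis")
    inc.advance(Phase.ERADICATION, "ihr-team", "root cause removed; vulnerability patched")
    inc.advance(Phase.RECOVERY, "ihr-team", "services restored")
    inc.advance(Phase.POST_INCIDENT, "ihr-team", "documentation, impact assessment, policy review")
    inc.advance(Phase.DISCLOSURE, "management", "disclosure required: customers informed")
    inc.advance(Phase.CLOSED, "ihr-team", "investigation closed; evidence retained")
    return inc


def containment_cannot_be_skipped():
    """True when the state machine rejects triage -> eradication directly."""
    inc = Incident("CONSTRUCTED-0002").classify(True, "it-support").advance(Phase.TRIAGE, "ihr-team")
    try:
        inc.advance(Phase.ERADICATION, "ihr-team")
    except InvalidTransition:
        return True
    return False


if __name__ == "__main__":
    print("\n".join(run_sample_flow().report()))
```

The false-positive branch of Step 2 is `Incident(...).classify(False, "it-support").advance(Phase.CLOSED, "it-support")`: the ticket closes after three timeline entries and never reaches triage. Because every transition appends to the timeline, the `report()` output is the detection-to-recovery record that the Incident Documentation step requires, without depending on handlers remembering to write it afterwards.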
