
Chapter 19 - 03 - Describe Incident Handling and Response Process - 04_ocred_fax_ocred.pdf


Certified Cybersecurity Technician Exam 212-82 Incident Response

Training and Preparing IH&R Personnel

- Maintain sufficient overall staff so that the team members have uninterrupted work time
- Rotate team members through incident response team tasks to build confidence in various roles
- Provide hardware and software

Step 2: Incident Recording and Assignment

After preparation, the next step in the IH&R process is incident recording and assignment. In an organization, the incident is recorded by IT support personnel, who raise an appropriate ticket after a user or employee finds an abnormal change or indicators of an incident on their system. At times, incidents are recorded through Security Information and Event Management (SIEM), IDS, antivirus, and integrity-checking software, among others. However, certain incidents are recorded simply because they are clearly noticeable.

When is an incident recorded?

- An anomaly is detected in data packets sent across the network through an alarm generated by the IDS and firewall
- An antivirus alert is displayed while scanning a computer system
- System and network logs show repeated, unsuccessful login attempts
- Data are unexpectedly corrupted or deleted
- Unusual system crashes can indicate attacks; attackers or intruders can damage the system that contains important data for the network
- Audit logs show suspicious activity on the systems or network
- System and security log files log suspicious activity either on the network or on security devices
- A staff member identifies unusual or suspicious activity on a computer system
- A staff member identifies content on a colleague's computer that violates the organization's security policy
- Phishing emails are received, or the company's website is defaced
- The history of activities during non-working hours shows that unauthorized access to systems has occurred
- Social engineering attempts

When an employee of the organization finds abnormal issues pertaining to systems, the network, or applications, they immediately call IT support to inform them about the issue. IT support records the call and tries to identify the issue using a predefined questionnaire based on the type of incident. If IT support suspects that the issue is a security incident, they assign it to the IR team using a ticketing system.

The tech support or help desk personnel should analyze the event by enquiring for more details and interviewing the victim or the person who reported the incident. This helps in assessing the incident type and whether the victim accidentally accessed some trigger. The help desk sends all report and interview details through the ticketing system to the incident handler, who assigns a first responder from the IH&R team for analysis and validation. The first responder also analyzes the compromised systems, network, databases, and other devices to validate the incident. This helps identify the compromised systems, applications, services, and devices. The first responder lists the compromised elements and updates the incident handler about all incident details through the same ticketing system.

[Figure 19.3, process flow diagram; node labels recovered from the scan: Incident Occurrence; End Users Call Help Desk; IT Dept. Detects Security Alerts; Previously Closed Incident? (YES / NO); Incident Record; IH&R Team Analyzes and Validates Incident; Response Required? (YES / NO); Close Incident Report; IR Team Assigned]
Figure 19.3: Process flow of incident recording and assignment

The tech support or help desk personnel try to determine whether the incident is a reflection of any previous incident and conduct further examination. If it is found to be a previous incident, they reopen the previously closed incident and update it in the IR. Otherwise, they create a record by collecting information about the incident, such as security alerts and indicators, from the IT department. This incident record is sent to the IR department to analyze and validate the incident. If they find the incident to be valid, they immediately assign the IH&R team for further analysis.

The IH&R team is responsible for taking over and analyzing the incident with a fine sense of judgement and critical reasoning. The IH&R team should have a structured approach so that it can respond to an incident efficiently. The IR team manager should classify and prioritize the incidents based on their level (high, medium, or low). The team should classify and attend to the high-priority incidents first, followed by the medium- and low-priority incidents, respectively.

Module 19 Page 2139 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
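As an added illustration (not part of the EC-Council material), the recording and assignment flow above in code: the "repeated, unsuccessful login attempts" trigger from the list is detected over constructed log lines, a ticket is recorded, a previously closed ticket for the same indicator is reopened instead of duplicated, and the open queue is ordered high, medium, low. All names, the log format and the failure threshold are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
# Constructed sample auth log lines (not from the training material).
SAMPLE_LOG = """\
Jan 10 09:01:02 host1 sshd[100]: Failed password for admin from 198.51.100.7 port 5001 ssh2
Jan 10 09:01:05 host1 sshd[101]: Failed password for root from 198.51.100.7 port 5002 ssh2
Jan 10 09:01:09 host1 sshd[102]: Failed password for admin from 198.51.100.7 port 5003 ssh2
Jan 10 09:02:00 host1 sshd[103]: Accepted password for alice from 192.0.2.10 port 5100 ssh2
Jan 10 09:03:00 host1 sshd[104]: Failed password for bob from 192.0.2.11 port 5200 ssh2
"""
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}  # attend to high first
@dataclass
class Incident:
    ticket_id: int
    indicator: str        # what the alerts have in common, e.g. a source address
    priority: str         # high / medium / low, set by the IR team manager
    status: str = "open"  # open / closed
    notes: list = field(default_factory=list)

class IncidentRegister:
    """Ticket register: reopen a closed ticket for the same indicator, else create one."""
    def __init__(self):
        self.tickets = []
    def record(self, indicator: str, priority: str, note: str) -> Incident:
        for t in self.tickets:
            if t.indicator == indicator and t.status == "closed":
                t.status, t.notes = "open", t.notes + [f"reopened: {note}"]
                return t
        t = Incident(len(self.tickets) + 1, indicator, priority, notes=[note])
        self.tickets.append(t)
        return t
    def work_queue(self) -> list:
        """Open tickets ordered high, medium, low, then oldest first."""
        return sorted((t for t in self.tickets if t.status == "open"),
                      key=lambda t: (PRIORITY_RANK[t.priority], t.ticket_id))

def detect_failed_logins(log_text: str, threshold: int = 3) -> dict:
    """Count failed logins per source address; sources at/above threshold are indicators."""
    counts = Counter(m.group(2) for line in log_text.splitlines()
                     if (m := FAILED_RE.search(line)))
    return {src: n for src, n in counts.items() if n >= threshold}

def triage(log_text: str, register: IncidentRegister) -> list:
    """Raise one high-priority ticket per source showing repeated failed logins."""
    return [register.record(src, "high", f"{n} failed logins from {src}")
            for src, n in detect_failed_logins(log_text).items()]
```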
