Chapter 19 - 03 - Describe Incident Handling and Response Process - 05_ocred_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
null
OCR
Tags
Related
- Chapter 19 - 01 - Understand Incident Response Concepts_ocred_fax_ocred.pdf
- Chapter 19 - 03 - Describe Incident Handling and Response Process - 01_ocred_fax_ocred.pdf
- Chapter 19 - 03 - Describe Incident Handling and Response Process - 02_ocred_fax_ocred.pdf
- Chapter 19 - 03 - Describe Incident Handling and Response Process - 03_ocred_fax_ocred.pdf
- Chapter 19 - 03 - Describe Incident Handling and Response Process - 04_ocred_fax_ocred.pdf
- Chapter 14 - Monitoring and Incident Response.pdf
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Incident Response Step 3: Incident Triage...
Certified Cybersecurity Technician Exam 212-82 Incident Response Step 3: Incident Triage ’ Incident Analysis and and Validation ’ ° Analysis and validation will help in determining the !' affected resources and data, systems, networks, servers, Ly services; impact on the business; and different types of Incident Analysis losses and Validation ‘h Incident Classification Incident Classification IH&R team classifies the incidents based on factors such as severity, affected resources, attack methodology, nature of iH the incident, crltical.lty of the systems impacted, and legal i. [ ves Nt Incident Fem Falls and regulatory requirements Departments Outside Purview Incident Prioritization ,X 'X NO Prioritization determines the sequential process of e A DT RITI s attending or responding to security incidents. Incidents are prioritized based on the potential technical impact, ;' criticality of the affected resources, and impact on the yhd business 3 ° Copyright ©© byby EC-Council. Copyright EL- All Rights acil. All Rights Reserved. Reserved. Reproduction Reproduction is Strictly Strictly Prohibited. Prohibited. Step 3: Incident Triage After incident recording and IH&R team assignment, an IH&R team is responsible for taking over and analyzing the incident with critical reasoning and good judgment. The incident triage consists of three steps: incident analysis and validation, incident classification, and incident prioritization. IH&R team will first assess the incident details and correlate the indicators with logs and other system files to validate the incident and determine the impacted systems, networks, devices, and applications. They then classify the incident depending on the type of incident. Some of the classification methods include comparing the standard criteria such as networks performance, system behavior, logs, event correlation, data packets, network traffic, files, and applications before and after the incident. Depending on the impacted resources or source of compromise or tools used to attack, the IH&R team also classifies the incident into types such as endpoint, network, malware, application, and browser incidents. Then the IH&R team manager prioritizes the incidents based on the level (high, medium, or low). The team attends to the high-priority incidents first, followed by medium- and low-priority incidents, respectively. The prioritization depends on the severity of impact and its effect on the business. Other factors that impact classification include the nature of the incident, criticality of the systems impacted, the number of systems impacted, as well as legal and regulatory requirements. If the incident falls outside the IH&R team’s purview, the IH&R team contacts other organizational departments. The complete process flow of the incident triage is displayed in the following figure. Module 19 Page 2142 Certified Cybersecurity Technician Copyright © by EG-Gouncil EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response Incident Analysis and Validation dm—— Incident Classification 1 v Other Organizational YES Incident Falls Departments Outside Purview 1 ix NO Incident Prioritization m——— Figure 19.4: Process flow for incident triage Incident Analysis and Validation Incident responders need to analyze the indicators of a reported issue to verify if it is an information security incident or an error in the hardware or software components. The IH&R team should ideally evaluate each indication to determine if it is legitimate. They must find the different sources of indicators, examine the security solutions, verify the system and device logs, and identify the incident and its vectors. Even if an indication is accurate, it does not necessarily mean that an incident has occurred. All incidents cannot be security incidents; some incidents such as web server crash and modification of sensitive files could result from human errors. The incident analysis will help determine if the IH&R team needs to handle the incident, register the issue and take no further action, or pass it to other teams for processing. The IH&R team must perform various validation activities to determine the attack details such as type, vectors, duration, source, and evidence. Analysis and validation will help determine the affected resources and data, systems, networks, servers, services; impact on the business; and different types of losses. The IH&R team can use this data to classify and prioritize the incidents. Incident Classification The classification of an incident depends on the potential targets and the severity of its impact. The purpose of incident classification is to gather all required information to determine its category, time required for resolving, and other criteria. Module 19 Page 2143 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response The role played by the IH&R team and their activities in this stage are as follows: * The IH&R team evaluates the incident details and correlates them with indicators. = The IH&R team classifies the incidents based on their severity, affected resources, and attack methodology. Classifying the information security incident depends on several factors, including the following: o Nature of the incident o Criticality of the systems impacted o Number of systems impacted o Legal and regulatory requirements = |f the incident falls outside the IH&R team’s purview, the IH&R team contacts other organizational departments. The advantages of an effective incident classification are as follows: = Every incident is correctly forwarded to the respective department. = Enhances response times as the incidents are routed to the respective department = Aids in the development of an effective knowledge base = Increased customer satisfaction Incident Prioritization Prioritization of the incident is the most critical decision in the IR process as incidents must not be responded to on a first-come, first-served basis. Incident prioritization determines the sequential process of attending or responding to security incidents. The IH&R team needs to prioritize the incidents with the highest business impact so that the organization can continue to offer business services with minimal financial losses. The prioritization must depend on the severity of impact, importance of the compromised resources, disrupted operations, and losses incurred due to the incident. The incident responder is responsible for prioritizing the compromised elements and sorting them according to the most important devices or applications required for business continuity. The incident responder then assigns a team to respond to the incident by evaluating the impact and suggesting methods of detection and containment. Prioritization will also help the incident responder manage the available IR staff and resources. The incident responder assigns the level of priority, predefined criteria and requirement, and urgency in restoring the compromised resource. Working on the most severe incidents will also help the organization minimize business disruption and help reduce financial and reputational loss. It can also reduce the amount and time spent on IR functions such as containment, eradication, and recovery. It will help in scheduling the tasks and increasing the ease of the process of reporting the status to stakeholders and customers. Module 19 Page 2144 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response With the emerging number of diverse cyber security incidents, assigning a category to an incident has become an essential step of the incident management process in order to prioritize the incident. Once the incident is identified in an organization, the incident responder will categorize it. Organizations adopt a common set of terminology and categorize the incidents to clearly communicate security incidents and events across different departments in an organization or to members of an IH&R team. Incident categorization enables the team to prioritize the incidents and focus on the incidents that require more attention. The IH&R team should consider two basic elements in prioritizing incidents. 1. Impact: Offer an account of how severe an incident can be for the organization. It is measured in terms of the number of systems impacted by the incident, which increases the number of idle employees and, in turn, directly affects the organizational productivity. 2. Urgency: Usually defined in terms of the service level agreement (SLA). If an incident is raised within an organization, it should be resolved at the earliest opportunity. The importance of impact and urgency vary across organizations. However, generally, both impact and urgency have three levels, namely, high, medium, and low. Module 19 Page 2145 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.
