
Chapter 19 - 03 - Describe Incident Handling and Response Process - 06_ocred_fax_ocred.pdf


Full Transcript


Certified Cybersecurity Technician Exam 212-82 Incident Response

Step 4: Notification

- Incidents are communicated to different internal and external stakeholders
- Communicating the incident helps in reducing the impact of the incident by facilitating better coordination between stakeholders affected by the incident

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Step 4: Notification

Communication plays a major role in swiftly responding to an incident. It helps in reducing the impact of the incident by facilitating better coordination between different stakeholders affected by the security incident. Communicate the IR process and results to the IH&R team members, so that they can understand the type of response and their responsibilities when responding to the incident. The detailed process flow of notification is displayed in the figure below:

[Figure 19.5: Process flow of notification. Elements shown: Notify the Management; Plan for IR; Approval for Notification (Yes/No); Notify the Required Stakeholders; External Support Required (Yes/No); Contact External Agencies]

Incident responders must communicate about the severity of the incident with the management or authorized persons to gather relevant approvals for performing IR procedures. The communication would include the first report, initial processes performed to assess the situation, detection methods applied, impacted resources, and management strategy.
The IH&R team should discuss the incident with a legal representative to file a lawsuit against the perpetrators. After obtaining the approval, the IH&R team will communicate the relevant matters about the incident with the necessary stakeholders. All employees and other stakeholders must communicate with the IH&R team whenever they suspect a security breach. The IH&R team lead should discuss the breach with core team members and other members of the organization to respond to the incident effectively. Incident responders can communicate a part of the situation to an external party after approvals from management if they need external support for responding to the incident. After controlling and mitigating the incident, the IH&R team can disseminate the details of the incident and lessons learned in the organization and media to create awareness.

Depending on the circumstances of the incident, the goal of the response strategy is to examine the most appropriate response procedure. The response plan should consider the political, technical, legal, and business factors of the incident. A response strategy generally depends on the circumstances of the incident. The factors that affect the resources required to investigate an incident include the following:

- Forensic duplication of the related computer systems
- Criminal referral
- Civil litigation
- Other aspects
  - What is the range of impact of the incident on systems?
  - How sensitive is the compromised or stolen information?
  - Who are the attackers?
  - Is the public aware of the incident?
  - What unauthorized access level have the attackers gained?
  - What skills do the attackers have?
  - What is the total downtime for the system and the user?
  - What is the total loss in dollars?

The information gathered during the initial response is important for selecting a response strategy. Before selecting the response strategy, reinvestigate the details of the incident.
An organization that is suffering from a security incident needs to notify the appropriate internal and external IH&R team to minimize any repercussions of the security event.

The IH&R team's role in the notification and planning includes the following.

- Notifying management: The IH&R team is responsible for notifying the management about the incident that occurred. The management should also be informed about the effects of the incident.
- Communicating the incident: Before communicating any information about the incident, the IH&R team should obtain documented approval from the management. The incident information should not be hidden from the stakeholders and other people. People that are likely to be affected by the incident need to be informed about the incident.
- Disclosing the details of the incident: Apart from broadcasting about the incident, the IH&R team should also seek approval for disclosing the details of the incident. Disclosing the details of an incident is important, as certain stakeholders of the organization need to be aware of these details.
- Approval denied: If the management does not provide their approval for disclosing the incident details, the IH&R team should proceed with the procedure of IR.
- External support: Before proceeding with an in-depth investigation of the incident, the IH&R team checks if external support is required to handle the case.
- External support required: If external support is required, the IH&R team contacts external agencies for input.
- IH&R team and external support: Once the external support joins the investigation of the incident, the IH&R team and the management team proceed with handling the incident and the response plan.
Step 5: Incident Containment

[Slide: process flow of incident containment. Elements shown: Decide a Containment Strategy; External Support Inputs; Escalate the Containment Task; Technical Response Required (Yes/No); Task is Assigned to Technical Team; Management Response Required (Yes/No); Task is Assigned to Management Team; Legal Response Required (Yes/No); Task is Assigned to Legal Team; Incident Contained (Yes/No); Provide Initial Response and Close the Case. Legible slide text fragment: "At this phase, evidence"]

Step 5: Incident Containment

Containment focuses on limiting the scope and extent of an incident. The IH&R team plays a significant role in reducing an incident's magnitude or complexity to prevent further damage to the organization. The aim of the containment stage is to reduce any losses and/or damages from the attacks by mitigating vulnerabilities. If the systems, networks, or workstations are compromised by a security incident, the IH&R team must determine whether to shut down the system, disconnect the network, or continue with operations in order to monitor the system's activities. The response to all these situations depends on the type and magnitude of the incident.

Common techniques used in the containment phase are as follows.

- Disabling of specific system services
  - Disable system services temporarily in order to reduce the impact of the incident and to continue system operations.
  - When an unknown vulnerability affects a computer, it is removed from the network until the problem is rectified.
  - Change the passwords, and disable the account.
  - Change passwords on all systems that interact with the affected system, so that there are no more infections.
- Complete backups of the infected system
  - Back up data on the affected systems to reduce the damage during IR. Use a system backup for further investigation of the incident.
- Temporary shutdown of the compromised system
  - If the compromised computer systems have no alternate options to handle the situation, then shut them down temporarily. This shutdown limits the damage caused by the incident and provides extra time to analyze the problem.
- System restoration
  - Replace the recovered computers with a trusted and clean backup copy.
  - Identify the incident sources such as vulnerabilities, threats, and access paths, and patch everything before restoring the system.
- Maintaining a low profile
  - When detecting network-based attacks, be careful to not tip off the intruder. This is because the intruder might do more harm to other systems in the network and/or erase everything they can to eliminate the chances of being traced. Maintain standard procedures, including continuing to use the IDS and the latest antivirus and anti-spam software.

[Figure 19.6: Process flow of incident containment. Elements shown: Return to Containment Strategy; Decide a Containment Strategy; External Support Inputs; Escalate the Containment Task; Technical Response Required (Yes/No); Task is Assigned to Technical Team; Management Response Required (Yes/No); Task is Assigned to Management Team; Legal Response Required (Yes/No); Task is Assigned to Legal Team; Incident Contained (Yes/No); Provide Initial Response and Close the Case]
