Chapter 19 - 03 - Describe Incident Handling and Response Process - 07_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Incident Response

Guidelines for Incident Containment ‘‘

Compromised code can undermine Identify the various risks, if operations
security, so maintain caution are continued

Administrators and system owners
a
n g::‘tzf:re?;]i; :;'::z;igf
g:::f:re?;lii: :;kr::;igf the @ should be well informed about the latest
L
Lk information on the security incident

Choose a safe location for Change all the necessary passwords
storing the data and implement a strong password policy

a System logs and router logs should Create documents and maintain. beacquired and reviewed records for every action

Copyright © by EC-
EE- acil. All Rights
Rights Reserved. Reproduction
ReproductionIs Strictly Prohibited.

Guidelines for Incident Containment

The main purpose of the containment strategy is to control the effects of the attack and restore
the information system to its normal state. This is vital to ensure the organization’s business
continuity. A few key considerations for an IH&R team in this crucial stage are as follows.
= Compromised code: Compromised code can lead to a data breach, increasing the
chances of an intrusion. It is important for the IH&R team to be cautious while working
with the compromised code. A minor mistake can lead to code replication and can
further affect the organizations’ network and functioning.
=» Safe storage: Data should be stored in a safe location so that any intrusion or external
threat does not affect or alter it.
= Acquiring logs: The IH&R team must actively acquire and retrieve all system and router
logs before, during, and after the time of occurrence of the incident. This will help the
team analyze the changes the network or system underwent that caused the incident to
occur.
=* |dentifying
|Identifying risk factors: It is important to identify the various risks if operations are to
be continued.
* Informing administrators and system owners: The
keep the IH&R team should
administrators and system owners updated about the latest security threats that can
affect the system. This helps implement preventive measures, avoiding the occurrence
of a major incident.
= Strong password policy: After the IR is successfully completed, users must change their
passwords. Administrators must implement a strong password policy in the
organization.

Module 19 Page 2151 Certified Cybersecurity Technician Copyright © by EG-Gouncil
EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Incident Response

* Maintaining records: It is important to maintain records of every action performed by
the user or the system owners. Auditing and monitoring must be performed by
administrators on a timely basis.

Organizations face a lot of problems when incident containment guidelines are not in place. For
example, if an organization that is not well-prepared gets infected and then attacked by
malware, it cannot handle the situation as effectively as an organization that follows incident
containment guidelines. At times, this lack of preparedness allows malware to spread like
wildfire. In these cases, people act haphazardly to find solutions for such incidents, and none of
them have any ideas about how to deal with it. This delay in finding a solution can bring an
organization’s network, information systems, business, and reputation to the ground. Without
proper guidelines in place, network administrators implement stopgap actions, trying
everything they can to find the appropriate solution. This can cost the organization vast
amounts of money and time. This situation can be avoided if an organization follows certain
guidelines.

= Dedicated team: A team containing technical experts must be dedicated to handle any
type of security issue. This team acts as the first responder during the time of an
incident.

= Securing the affected area: In order to avoid any new changes being affected, the
affected area must be secured. Review the information at the beginning of the
identification phase.
= Installation of honeypots: Honeypots are invisible traps that play a vital role in
enhancing security. Implementing honeypots in the network will help network
defenders trap the attacker.

= Following standard procedures: Documented procedures are required, which the
management, the IH&R TEAM, and administrators must follow.

Module 19 Page 2152 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Incident Response

Step 6: Evidence Gathering and
Forensic Analysis

’
° p——
—— Perpetrator XK NO g§ External NO X

]
1ont |i Identified? -8
Q As part of the incident i i
pheilkrondi
response process, the
IH&R team
eam must
mus
CollectEudence.
: -
NOX
Y
¥
i YES ?/vzs
i
H|

collect evidence R S e Laww Enf -“. Hire Third Party Investigators
related to the incident e
cate a Chain it
et iH :H
from affected of Custody Document 77 YES
vES v
1i v
v

resources using i Liaise with Third Party YESYT perpetrator
different tools and Law Enforcement Agencies ' Identified?
Analyze the Evidence
techniques : FxNo
;
H i X NO

O Organizations can use i; T i
this evidence toto Ce Team Handlesv thethe Case
Case
o Organizational
[o] Disciplinary
Di
this evidence Create a Forensic
Investigation Report Team Hand!u
prosecute the Investigation Report
prosecute the : ;
attackers, claim | vH
Management Receives Close the
damages, and claim Rty
lmfumon hooort. || B
| investigation )
cyber insurance

Copyright© by EC-Councll, All Rights Reserved. Reproduction Is Strictly Prohibited.

Step 6: Evidence Gathering and Forensic Analysis
After containing an incident, an IH&R team must concentrate on digging deep into the incident
by gathering more information about it, identifying its root cause, uncovering threat actors
behind it, and specifying its threat vectors. These objectives can be achieved in the evidence
gathering and forensic analysis phase of the IH&R process.
An IH&R team will collect crucial evidence about the incident and simultaneously create a chain
of custody document. After collection and protection, investigators must analyze existing
evidence to identify the cause and nature of the incident and trace the perpetrators of the
crime. Moreover, they must also document the results of forensic analysis and submit them to
management for further processing. If the analysis can identify the perpetrator, then the
management will decide whether they will legally prosecute the perpetrator or let the
organization’s disciplinary team handle the case. If there is need for law enforcement, then
management or a designated authority will contact a third-party law enforcement agency.
If the investigation fails to identify the perpetrator, then management must decide whether to
close the investigation or to pass it to an external investigation agency for further investigation.
If third-party investigators can investigate the incident and identify the perpetrator, then they
will report such findings to management and management will make further decisions.
Meanwhile, if third-party investigators also fail to identify the perpetrator, then the IH&R team
or management can recommend an update to the IH&R processes that will enable them to
carry out more successful investigations in the future.

Module 19 Page 2153 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Incident Response

The process flow of evidence gathering and forensics is displayed in the below figure.

°5 N———— Perpetrator
e A B XNo
s >
External NO X
Investigation... A
ol Required?
v
YES
Collect Evidence 4 v 'V YES

NO X
R I Law Enforcement sy nin. Hire Third Party Investigators
X Required? :
Create a Chain : i
of Custody Document 7 YES v
1 v

' Liaise with Third Party YESV Perpetrator
Law Enforcement Agencies " E Identified?
Analyze the Evidence
X NO
;

Organizational Disciplinary
Create a Forensic
Investigation Report Team Handl‘es the Case

vs i
Management Receives Close the
Investigation Report Investigation

Figure 19.7: Process flow of evidence gathering and forensic analysis

More specifically, the IR team must gather evidence from victim resources using different tools
and techniques and use it to eradicate the incident, create reports about the attack, and close
the exploited vulnerabilities. The organization can then use this information to prosecute the
attacker(s) and claim damages and cyber insurance. To be sure, evidence helps the organization
find and patch any vulnerabilities exploited and other attack vectors.
= To gather evidence effectively, the organization must:
o Train employees in first responder services

o Create and implement forensic readiness policies and procedures
o Enable logins on all network devices and security systems
= The process of collecting evidence includes:
o ldentification of target resources, networks, and connected resources

o Securing and documenting the crime scene
o Extracting fragile and volatile evidence

o Secure handling, packaging, and transportation of the evidence devices

o Extracting static evidence stored as media and other resources

Module 19 Page 2154 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Incident Response

Step 71: Eradication

@
Q Inthe
In the eradication phase, the IH&R team must remove or
eliminate the root cause of the incident and close all attack Determine
the Cause of PR
e -
Incident
vectors to prevent similar incidents from occurring in the future '
'
|

€
v

@ The possible countermeasures include: Eliminate
Eliminate xX =
N N
Rthe Cause
ea—— Escalate the
the Problem

Update antivirus software W ves
v e
X NO
x no Verify if the
-------
------ Issues Exists in
Policy n Similar System
System

Independent secur !
y. VW
i,v ves
YES

Resolve and Patch the issue

Reinstall compromised systems
L. All Rights Reserved, Reproduction s Strictly Prohibited.

Step I: Eradication
After evidence gathering and forensic analysis, the IH&R team is responsible for completely
eradicating the incident and its related causes, identified vulnerabilities, and so on. In the
eradication phase, the IH&R team must remove or eliminate the root cause of the incident and
close all attack vectors to prevent similar incidents from occurring in the future. The IH&R team
must alert all service providers, developers, and manufacturers about the affected resource;
check if the issue persists in similar resources across the organization; eliminate the issue from
any such resources; and test whether the issue has been resolved before initiating the recovery
process.
The following countermeasures will help the IH&R team eradicate the incidents:
= Update the antivirus software with new malware signature and patterns.
= |nstall latest patches on systems and network devices.
= Conduct independent security audits.
= Check for policy compliance and update obsolete policies and procedures.
= Disable any unnecessary services.
= Change the passwords of all compromised systems, accounts, and network devices.
= Eliminate the access paths and exploits.
= |Install updated operating systems, software, and services in compromised systems only
after removing traces of attack.
= Rebuild the affected or compromised systems, servers, databases, and networks.
= Validate the effectiveness of all corrective steps or countermeasures.

Module 19 Page 2155 Certified Cybersecurity Technician Copyright © by EC-Gouncil
EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Incident Response

Determine the Cause of <
Incident

P>~ ===~ Escalate the Problem

v YES

x NO Verify if the
------ Issues Existsin
Similar System

\i,V YES

Resolve and Patch the issue
Cmmmm

-
o Start Recovery Processes u

Figure 19.8: Process flow of eradication v\4

Module 19 Page 2156 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.