Incident Response Guidelines for Incident Containment PDF
EC-Council
Summary
These guidelines describe the incident containment strategy in cybersecurity, focusing on controlling the attack's impact and restoring the information system. Key aspects include handling compromised code, secure data storage, and log acquisition. The guidelines also emphasize informing administrators about potential threats and implementing strong password policies.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Incident Response

Guidelines for Incident Containment

The main purpose of the containment strategy is to control the effects of the attack and restore the information system to its normal state. This is vital to ensure the organization's business continuity. A few key considerations for an IH&R team in this crucial stage are as follows.

- Compromised code: Compromised code can lead to a data breach, increasing the chances of an intrusion. The IH&R team must be cautious while working with the compromised code: a minor mistake can lead to code replication and can further affect the organization's network and functioning.
- Safe storage: Data should be stored in a safe location so that no intrusion or external threat can affect or alter it.
- Acquiring logs: The IH&R team must actively acquire and retrieve all system and router logs from before, during, and after the time of occurrence of the incident. This helps the team analyze the changes the network or system underwent that caused the incident to occur.
- Identifying risk factors: It is important to identify the various risks if operations are to be continued.
- Informing administrators and system owners: The IH&R team should keep administrators and system owners updated about the latest security threats that can affect the system. This helps implement preventive measures and avoid the occurrence of a major incident.
- Strong password policy: After the IR is successfully completed, users must change their passwords. Administrators must implement a strong password policy in the organization.
- Maintaining records: It is important to maintain records of every action performed by users or system owners. Administrators must perform auditing and monitoring on a timely basis.

Module 19 Page 2151 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Organizations face many problems when incident containment guidelines are not in place. For example, if an organization that is not well prepared gets infected and then attacked by malware, it cannot handle the situation as effectively as an organization that follows incident containment guidelines. At times, this lack of preparedness allows malware to spread like wildfire. In these cases, people act haphazardly to find solutions for such incidents, and none of them has any idea how to deal with it. This delay in finding a solution can bring an organization's network, information systems, business, and reputation to the ground. Without proper guidelines in place, network administrators implement stopgap actions, trying everything they can to find the appropriate solution. This can cost the organization vast amounts of money and time. This situation can be avoided if an organization follows certain guidelines.

- Dedicated team: A team of technical experts must be dedicated to handling any type of security issue. This team acts as the first responder during an incident.
- Securing the affected area: To prevent any new changes from affecting it, the affected area must be secured. Review the information gathered at the beginning of the identification phase.
- Installation of honeypots: Honeypots are invisible traps that play a vital role in enhancing security. Implementing honeypots in the network helps network defenders trap the attacker.
- Following standard procedures: Documented procedures are required, which management, the IH&R team, and administrators must follow.

Step 6: Evidence Gathering and Forensic Analysis

As part of the incident response process, the IH&R team must collect evidence related to the incident from affected resources using different tools and techniques. Organizations can use this evidence to prosecute the attackers, claim damages, and claim cyber insurance.
After containing an incident, an IH&R team must concentrate on digging deep into the incident by gathering more information about it, identifying its root cause, uncovering the threat actors behind it, and specifying its threat vectors. These objectives are achieved in the evidence gathering and forensic analysis phase of the IH&R process. The IH&R team collects crucial evidence about the incident and simultaneously creates a chain of custody document. After collection and protection, investigators must analyze the evidence to identify the cause and nature of the incident and trace the perpetrators of the crime. They must also document the results of the forensic analysis and submit them to management for further processing. If the analysis identifies the perpetrator, management decides whether to legally prosecute the perpetrator or let the organization's disciplinary team handle the case. If law enforcement is needed, management or a designated authority contacts a third-party law enforcement agency. If the investigation fails to identify the perpetrator, management must decide whether to close the investigation or pass it to an external investigation agency for further investigation. If third-party investigators can investigate the incident and identify the perpetrator, they report their findings to management, which makes further decisions. If the third-party investigators also fail to identify the perpetrator, the IH&R team or management can recommend an update to the IH&R processes that will enable more successful investigations in the future.
The process flow of evidence gathering and forensics is displayed in the figure below.

[Figure 19.7: Process flow of evidence gathering and forensic analysis. Nodes: Collect Evidence; Create a Chain of Custody Document; Analyze the Evidence; Create a Forensic Investigation Report; Management Receives the Investigation Report; Perpetrator Identified?; Law Enforcement Required?; Liaise with Third Party Law Enforcement Agencies; Organizational Disciplinary Team Handles the Case; External Investigation Required?; Hire Third Party Investigators; Close the Investigation.]

More specifically, the IR team must gather evidence from victim resources using different tools and techniques and use it to eradicate the incident, create reports about the attack, and close the exploited vulnerabilities. The organization can then use this information to prosecute the attacker(s) and claim damages and cyber insurance. Evidence also helps the organization find and patch the exploited vulnerabilities and other attack vectors.

- To gather evidence effectively, the organization must:
  - Train employees in first responder services
  - Create and implement forensic readiness policies and procedures
  - Enable logging on all network devices and security systems
- The process of collecting evidence includes:
  - Identification of target resources, networks, and connected resources
  - Securing and documenting the crime scene
  - Extracting fragile and volatile evidence
  - Secure handling, packaging, and transportation of the evidence devices
  - Extracting static evidence stored on media and other resources
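As an added example (not part of the EC-Council module), the following Python script ties together the "Safe storage" and "Acquiring logs" points from the containment guidelines and the "Create a Chain of Custody Document" step above: it hashes each acquired evidence item, appends a custody entry for every handling step, and re-verifies the hash so that any alteration after acquisition is detected. The file name, handler names and the router log line are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large logs or images are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_custody(path, handler, action, custody_log):
    """Append one chain-of-custody entry: the item, who handled it, what they did, when, and its hash."""
    entry = {
        "item": os.path.basename(path),
        "sha256": sha256_file(path),
        "handler": handler,
        "action": action,
        "time_utc": datetime.now(timezone.utc).isoformat(),
    }
    custody_log.append(entry)
    return entry

def verify_integrity(path, custody_log):
    """True only if the item's current hash still matches the hash recorded at acquisition."""
    name = os.path.basename(path)
    acquired = next(e for e in custody_log if e["item"] == name and e["action"] == "acquired")
    return sha256_file(path) == acquired["sha256"]

def demo():
    """Acquire a constructed router log, hand it over, then show that a later edit is detected."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "router-syslog.txt")
    with open(evidence, "w") as fh:  # constructed sample log line, not real data
        fh.write("Mar 3 10:41:07 rtr1 acl-101 denied tcp 192.0.2.10 -> 198.51.100.5\n")
    custody = []
    record_custody(evidence, "analyst-1", "acquired", custody)
    record_custody(evidence, "analyst-2", "transferred to evidence store", custody)
    intact_before = verify_integrity(evidence, custody)  # True: nothing has changed yet
    with open(evidence, "a") as fh:  # simulate tampering after acquisition
        fh.write("Mar 3 10:42:00 rtr1 line appended after acquisition\n")
    intact_after = verify_integrity(evidence, custody)  # False: hash no longer matches
    return intact_before, intact_after, json.dumps(custody, indent=1)
```

In practice the custody log itself should be written to the safe storage location described in the containment guidelines, separate from the evidence it describes.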
Step 7: Eradication

In the eradication phase, the IH&R team must remove or eliminate the root cause of the incident and close all attack vectors to prevent similar incidents from occurring in the future. The possible countermeasures include updating antivirus software, conducting independent security audits, and reinstalling compromised systems.

After evidence gathering and forensic analysis, the IH&R team is responsible for completely eradicating the incident and its related causes, identified vulnerabilities, and so on. The IH&R team must alert all service providers, developers, and manufacturers about the affected resource; check whether the issue persists in similar resources across the organization; eliminate the issue from any such resources; and test whether the issue has been resolved before initiating the recovery process. The following countermeasures will help the IH&R team eradicate incidents:

- Update the antivirus software with new malware signatures and patterns.
- Install the latest patches on systems and network devices.
- Conduct independent security audits.
- Check for policy compliance and update obsolete policies and procedures.
- Disable any unnecessary services.
- Change the passwords of all compromised systems, accounts, and network devices.
- Eliminate the access paths and exploits.
- Install updated operating systems, software, and services on compromised systems only after removing traces of the attack.
- Rebuild the affected or compromised systems, servers, databases, and networks.
- Validate the effectiveness of all corrective steps or countermeasures.

[Figure 19.8: Process flow of eradication. Nodes: Determine the Cause of Incident; Eliminate the Cause; Escalate the Problem; Verify if the Issue Exists in Similar Systems; Resolve and Patch the Issue; Start Recovery Processes.]