Chapter 19 - 03 - Describe Incident Handling and Response Process - 08_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Incident Response

Step 8: Recovery
After eliminating the cause of the incident from all systems and
resources, the IH&R team restores the affected systems, services,
resources, and data through recovery

vv

Eliminate the Cause of the Incident

v' e
W7 ves

~~~~~~~~~~~~~.............. Is Data Lost?
RECOVERY
* V YES
EVVB

D E] ’ Recover Data from Backup

i) — i
v

----- > Restart Services and Processes "

Copyright © by EC. All Rights Reserved. Reproduction Isis Strictly Prohibited.

Step 8: Recovery
After eliminating the cause of the incident from all systems and resources, an IH&R team has to
identify whether the data is lost. If the data is lost, then the IH&R team has to recover the data
from backups and restart the affected services and processes in order to maintain business
continuity.

Recovery is the process of restoring lost data from backup media. During this process, an IH&R
team has to make sure the backup does not have traces of malware or attack vectors before
performing the restore. The time it takes to recover a system generally depends on the extent
of the security breach. Recovery involves various techniques such as network perimeter
security, strengthening user ID credentials, effective patch management, renewing files and
software, and rebuilding systems. After recovering all lost data, the IH&R team must restart all
the withheld processes and services.

Recovering a system after an incident generally depends on the extent of the security breach.
An IH&R team should decide whether to restore the existing system or completely rebuild the
system—notably, the team can use the system backup for either process.

Therefore, the two steps in systems recovery are:

= Determine the Course of Action

Devise various strategies for system recovery according to the impact of the incident
and select an appropriate plan after considering the availability of resources, the
criticality of affected systems, and the results of a cost-benefit analysis.

Module 19 Page 2157 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Incident Response

Monitor and Validate the Systems

By monitoring and validating affected systems, the IH&R team can ensure that
recovered systems do not have any traces of incident causes and are operating within
normal conditions. Helpful to note here for our purposes is that validation also involves
checking the integrity of restored information from a backup. Teams should also be sure
to conduct regular vulnerability assessments and penetration testing to monitor system
behavior and possible vulnerabilities in the system or network. To be sure, it is
important to monitor the system for potential back doors, which can result in the loss of
data.

Notable actions the response team must perform during the recovery stage include:

Rebuilding the system by installing a new OS

Restoring user data from trusted backups
Examining protection and detection methods

Examining security patches before installation and enabling system logging
The IR team must also determine the integrity of the backup file by reading its data and
verifying its integrity before restoring it on the systems. It is also important for the team to
verify success of the operation and the normal condition of the system after installing the
backup. The team must monitor the system using network loggers, system log files, and
potential back doors after installation and during usage.

v

Eliminate the Cause of the Incident

-.............. Is Data Lost?

' &7 YES

Recover Data from Backup

v
§..... > Restart Services and Processes @ ireeeeeesssnennnnen ’o

Figure 19.9: Process flow of recovery

Module 19 Page 2158 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
 CertifiedCybersecurit
Cybersecurit
Certified y yTechnician
Technician
Response
Incident Response Exam
Exam 212-82
Incident 212-82

Step 9:9: Post-
Step Incid
Post-I entt Activi
nciden Activities
ties
Q Q After
After eradicating
eradicating the
the incident,
incident, the
the IH&R
IH&R team
team 0
must perform
must perform certain
certain activities
activities toto improve
improve the
the Hv
response against
response against future
future attacks
attacks ki Dot
Incident Documentation
OO These
These activities
activities will
will help
help inin evaluating
evaluating and
and
improving the
improving the effectivene
effectivenessss ofof the
the incident
incident ''
response processes
response processes
Incident
Incident Impact
Impact Assessment
Assessment

QQ Post-inci
Post-incid ent activities
dent activities will
will help
help the
the responder
responderss
to assess ''
lags
to assess lags inin security
security posture,
posture, settings,
settings, and
and
configurations
-
configurations across the
across
s
the organization
organizati on Review
Review and
and Revise
Revise Policies
Policies.

QQ It1t will
will also
also help
help inin suggesting
suggesting measures
measures andand.v
secur ity produ
security products cts toto harden
harden the
the security
security and
and Close
review the the policies
policies Close the
the Investigation
Investigation
review
v-

Incident
Incident Disclosure
Disclosure

Copyright
Copyright ©© by EC EC cll.L All
by All Rights
Rights Reserved.
Reserved Reproduction
Reproduction Isis Strictly Prohibited.
Strictly Prohibited

Step 9:
Step 9: Post-I
Post-Inc ident Activit
nciden Activiti es
ies
After eradicati
After eradicating incident, an IH&R team must perform
ng the incident, perform certain
certain activities
activities toto improve
improve its
resp onse to futur its
response to futuree attacks.
attacks. Accordin
Accordingly, “post-in
“post-incident
cident activities
activities” refer to the actions
prec the actions and and
autions
precauti ons that an organiza
that an organization and resp response
onse team must perform
perform to be better prepared
hand le and
to be better prep ared to to
handle and resp ond to futu
respond re incidents
future incidents.. In this stage
stage,, the team will disc
discuss all the
the draw
drawbac ks
face uss backs itit
facedd duri ng the
during the resp onse func
response tions and try to elim
functions inate them
eliminat them..
Post -inciden
Post-inc identt activ itiess help in eval
activitie evaluati
uating and impr
improvi
ovinng effectiv
g the effe enesss of
of IRIR proc
processe
helping responders asses ctivenes essess by
by
helping responders assesss lags in secur ity post
security postures
ures, setti
settings, configur
ngs, and conf ations across
iguratio ns acro their
ss their
organization
organiza tion.. They
They also help in suggesti
suggesting meas
measure
uress and
and secur
security products
ity products an organiza tion can
organization can
use
use to
to harden its
harden its secur ity and
security and opti mize its
optimize its polic
policies.
ies.
To
To bebe sure,
sure, orga nization
organiza tionss shou
should
ld cond
conduct
uct meetmeetings with staff
ings with staff and
and othe
other involved parties
understand all lessons r invo lved parties toto
understand all lessons lear ned from
learned from the
the inci
incident
dent and
and impr
improve
ove inin any
any area
areas
falls s inin whic
which
h itit curr
currently
ently
falls behind. Thes
behind. e activ ities
These activities will
will help
help inin eval
evaluati
uating
ng and
and impr
improvin g the
oving the effe effectiv eness
processes by offering ctiv enes s ofof IRIR
processes by offering insig ht into
insight into how
how toto best
best update
upda policies,
te polic procedur
ies, proc es, secu
security
edures, postures,
rity post ures,
setti ngs, and
settings, and conf iguratio
configur ns acro
ations ss
across the
the organization
organiza tion toto build
build aa robu
robust network.
st network.
More over,, toto learn
Moreover learn from
from the
the expe rience,
experien ce, the
the IH&R
IH&R team
team must
must have
have a a docu
documen
incident that mentt abou
about the
t the
reve
incident that reveals any
als any detai
details
ls abou
aboutt thethe incid
incident, vulnerabi
ent, vuln lities
erabilit exploited
ies expl oited,, resp
response
onse
meas uress impl
measure emennted,
impleme ted, resul ts, pitfa
results, lls inin the
pitfalls the resp
response
onse procprocess,
ess, and drawbacks
and drawbacks inin
communication and
communication and mana gemeent.
managem nt. Acco rdingly,
Accordin gly, asas notenoted througho
d thro ut this
ughout this modu
module, the
le, the IH&R
team IH&R
team should document ever
should document everyy step
step ofof the
the IRIR asas well
well asas the
the less
lessons impleme
must
ons impl emennted.
ted. TheThe IH&R
IH&R team
team
must then
then comm uniccate
communi ate any any upda tes and
updates and new
new impl
impleme
emenntation
tationss toto clien
clients, customer
ts, cust s,
omers,
mana gemeent,
managem nt, and othe r stakeholders
and other stakehol.
ders.

Module 1919 Page
Module Page 2159
2159 Certified
Certif Cybersecurit
ied Cybers ecurity yTechni
Technician Copyright
cian Copyri ght © © byby EG-Cou
EC-Council
ncil
AllAllRights
RightsReserv
Reserved. Reproductio
ed. Repro duction n is isStrictl
Strictly Prohibited.
y Prohib ited.
Certified Cybersecurity Technician Exam 212-82
Incident Response

The following figure displays the overall process flow of post-incident activities:

v

Incident Documentation

v
Incident Impact Assessment

v

Review and Revise Policies

v

Close the Investigation

¥

Incident Disclosure

Figure 19.10: Process flow of post-incident activities

Incident Documentation

As stated above, the IH&R team should document various processes while handling and
responding to an incident. The documentation should describe the security breach and detail
the measures taken in response, such as who handled the incident, when the incident was
handled, and the reasons behind the occurrence of the incident. The steps taken and
conclusions reached should be documented immediately after the forensic process.
Incident Impact Assessment

“Incident impact assessment” refers to the process of determining all types of losses that occur
due to an incident. Incident responders must find and list all affected devices, networks,
applications, and software to evaluate the impact of the incident. An incident impact
assessment must include details such as type of impact, method of detection, response process,
and eradication measures.
Review and Revise Policies

Reviewing and revising security policies is a key step in the IH&R process that helps prevent
future incidents. Helpful to note is that the review and revision of security policies is simply the
implementation of the lessons learned from previous incidents.

Module 19 Page 2160 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Incident Response

Close the Investigation
After conducting a detailed investigation, documenting the incident, and revising relevant
policies, the investigation can be officially closed; management should be informed that the
investigation has closed.
Incident Disclosure

After closing the investigation, the incident disclosure takes place. An organization hit by a
security incident needs to disclose the incident’s details to various entities. Ultimately, at this
stage an organization will decide what details to disclose to respective stakeholders. The
disclosure procedure varies by company and stakeholders. An IH&R team must consult its legal
department before sharing any information with external entities.
The following is a list of possible entities that may be interested in information related to such a
cyber incident:

= Law Enforcement
= Regional Judiciary
= Regulatory Authorities
= Media
= Stakeholders
= Stockholders
= Breach Victims
= Vendors
= Customers
= General Public
= Third Parties
= QOther CERTs/CSIRTs

Module 19 Page 2161 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.