Chapter 19 - Incident Handling and Response Process PDF
Summary
This document describes the incident handling and response process, specifically focusing on the recovery process after eliminating the cause of an incident. It details how to restore data from backups, validate systems, and monitor for potential issues. The document concludes with a section on post-incident evaluation and activities.
Certified Cybersecurity Technician Exam 212-82 Incident Response

Step 8: Recovery

After eliminating the cause of the incident from all systems and resources, the IH&R team restores the affected systems, services, resources, and data through recovery.

[Slide figure: Eliminate the Cause of the Incident -> Is Data Lost? -> YES -> Recover Data from Backup -> Restart Services and Processes]

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Step 8: Recovery

After eliminating the cause of the incident from all systems and resources, an IH&R team has to identify whether data has been lost. If data is lost, the IH&R team has to recover it from backups and restart the affected services and processes in order to maintain business continuity.

Recovery is the process of restoring lost data from backup media. During this process, the IH&R team has to make sure the backup does not carry traces of malware or attack vectors before performing the restore. The time it takes to recover a system generally depends on the extent of the security breach. Recovery involves various techniques such as network perimeter security, strengthening user ID credentials, effective patch management, renewing files and software, and rebuilding systems. After recovering all lost data, the IH&R team must restart all withheld processes and services.

How a system is recovered after an incident generally depends on the extent of the security breach. The IH&R team should decide whether to restore the existing system or completely rebuild it; the system backup can be used for either approach.
Therefore, the two steps in systems recovery are:

= Determine the Course of Action

Devise various strategies for system recovery according to the impact of the incident, and select an appropriate plan after considering the availability of resources, the criticality of the affected systems, and the results of a cost-benefit analysis.

Module 19 Page 2157 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

= Monitor and Validate the Systems

By monitoring and validating the affected systems, the IH&R team can ensure that recovered systems carry no traces of the incident's causes and are operating under normal conditions. Validation also involves checking the integrity of information restored from a backup. Teams should also conduct regular vulnerability assessments and penetration testing to monitor system behavior and possible vulnerabilities in the system or network. It is important to monitor the system for potential back doors, which can result in the loss of data.

Notable actions the response team must perform during the recovery stage include:

= Rebuilding the system by installing a new OS
= Restoring user data from trusted backups
= Examining protection and detection methods
= Examining security patches before installation and enabling system logging

The IR team must also determine the integrity of the backup file by reading its data and verifying its integrity before restoring it on the systems. It is also important for the team to verify the success of the operation and the normal condition of the system after installing the backup. The team must monitor the system using network loggers and system log files, and watch for potential back doors, after installation and during usage.
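The two pre-restore checks the text calls for (the backup must carry no traces of the attack, and the integrity of the backup file must be verified by reading its data before it is restored) can be made mechanical. The following is an added example written for this section; it is not EC-Council's code. It assumes a backup delivered as a tar archive, a hash manifest recorded at backup time and authenticated with an HMAC whose key is kept apart from the backup media, and a list of known-bad file hashes supplied by the IR team. All archive contents, the key and the known-bad hash are constructed demo values.

```python
"""Pre-restore checks for a backup archive: manifest authenticity (HMAC),
per-file integrity (SHA-256) and a known-bad hash screen.

Added example for this module, not EC-Council's code. The manifest format,
the HMAC key handling and the known-bad hash list are assumptions."""
import hashlib
import hmac
import io
import json
import tarfile

# Assumption: the manifest-signing key lives outside the backup itself (for
# example in the IR team's key store), so whoever altered the backup media
# cannot also re-sign the manifest. Constructed value for the demo only.
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record the SHA-256 of every file at backup time (run on the trusted source)."""
    return {path: sha256_bytes(content) for path, content in sorted(files.items())}


def sign_manifest(manifest: dict) -> str:
    """HMAC over a canonical JSON encoding so the manifest itself can be trusted."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MANIFEST_KEY, canonical, hashlib.sha256).hexdigest()


def make_tar(files: dict) -> bytes:
    """Constructed in-memory tar archive standing in for the backup media."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def verify_backup(tar_bytes: bytes, manifest: dict, manifest_mac: str, known_bad: set) -> dict:
    """Read every file in the archive and return a report; restore only if restore_ok."""
    report = {"manifest_authentic": False, "mismatched": [], "missing": [],
              "unexpected": [], "known_bad": [], "restore_ok": False}
    # 1. The manifest is the reference for integrity, so confirm it was not altered.
    report["manifest_authentic"] = hmac.compare_digest(sign_manifest(manifest), manifest_mac)
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            digest = sha256_bytes(tar.extractfile(member).read())
            seen.add(member.name)
            # 2. Known-bad screen: a hit means the backup carries traces of the attack.
            if digest in known_bad:
                report["known_bad"].append(member.name)
            # 3. Integrity: each file must match the hash taken at backup time, and
            #    nothing may appear that was not present when the backup was made.
            if member.name not in manifest:
                report["unexpected"].append(member.name)
            elif manifest[member.name] != digest:
                report["mismatched"].append(member.name)
    report["missing"] = sorted(set(manifest) - seen)
    report["restore_ok"] = (report["manifest_authentic"] and not report["mismatched"]
                            and not report["missing"] and not report["unexpected"]
                            and not report["known_bad"])
    return report


# --- Constructed demo data ---
CLEAN_FILES = {"etc/app.conf": b"listen=127.0.0.1\n", "www/index.html": b"<h1>ok</h1>\n"}
MANIFEST = build_manifest(CLEAN_FILES)
MANIFEST_MAC = sign_manifest(MANIFEST)
# Constructed stand-in for a file the IR team has identified as malicious.
PLANTED = b"CONSTRUCTED-PLACEHOLDER-MALWARE-SAMPLE"
KNOWN_BAD = {sha256_bytes(PLANTED)}


def demo_clean() -> dict:
    """Backup exactly as recorded: every check passes."""
    return verify_backup(make_tar(CLEAN_FILES), MANIFEST, MANIFEST_MAC, KNOWN_BAD)


def demo_tampered() -> dict:
    """Backup altered after the manifest was taken: one modified file, one planted file."""
    tampered = dict(CLEAN_FILES)
    tampered["etc/app.conf"] = b"listen=0.0.0.0\n"   # changed since backup time
    tampered["www/.cache.bin"] = PLANTED              # not in manifest and known bad
    return verify_backup(make_tar(tampered), MANIFEST, MANIFEST_MAC, KNOWN_BAD)


if __name__ == "__main__":
    for name, rep in (("clean", demo_clean()), ("tampered", demo_tampered())):
        print(name, rep)
```

The report is deliberately all-or-nothing: a single mismatch, extra file or known-bad hit blocks the restore, because the text's requirement is that the restored state carry no trace of the incident, not merely that most of it be intact. A forged manifest is caught separately by the HMAC check, which is why the key must not travel with the backup.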
Figure 19.9: Process flow of recovery (Eliminate the Cause of the Incident -> Is Data Lost? -> YES -> Recover Data from Backup -> Restart Services and Processes)

Step 9: Post-Incident Activities

After eradicating the incident, the IH&R team must perform certain activities to improve the response against future attacks. These activities will help in evaluating and improving the effectiveness of the incident response processes. Post-incident activities will help the responders to assess lags in security posture, settings, and configurations across the organization. They will also help in suggesting measures and security products to harden the security and review the policies.

[Slide figure: Incident Documentation -> Incident Impact Assessment -> Review and Revise Policies -> Close the Investigation -> Incident Disclosure]

Step 9: Post-Incident Activities

After eradicating the incident, an IH&R team must perform certain activities to improve its response to future attacks. Accordingly, "post-incident activities" refer to the actions and precautions that an organization and its response team must perform to be better prepared to handle and respond to future incidents. In this stage, the team will discuss all the drawbacks it faced during the response functions and try to eliminate them. Post-incident activities help in evaluating and improving the effectiveness of IR processes by helping responders assess lags in security postures, settings, and configurations across their organization. They also help in suggesting measures and security products an organization can use to harden its security and optimize its policies. Organizations should conduct meetings with staff and other involved parties to understand all lessons learned from the incident and improve in any areas in which the organization currently falls behind.

These activities will help in evaluating and improving the effectiveness of IR processes by offering insight into how best to update policies, procedures, security postures, settings, and configurations across the organization to build a robust network. Moreover, to learn from the experience, the IH&R team must have a document about the incident that reveals any details about the incident, the vulnerabilities exploited, the response measures implemented, the results, pitfalls in the response process, and drawbacks in communication and management. Accordingly, as noted throughout this module, the IH&R team should document every step of the IR as well as the lessons implemented. The IH&R team must then communicate any updates and new implementations to clients, customers, management, and other stakeholders.
The following figure displays the overall process flow of post-incident activities:

= Incident Documentation
= Incident Impact Assessment
= Review and Revise Policies
= Close the Investigation
= Incident Disclosure

Figure 19.10: Process flow of post-incident activities

Incident Documentation

As stated above, the IH&R team should document the various processes carried out while handling and responding to an incident. The documentation should describe the security breach and detail the measures taken in response, such as who handled the incident, when the incident was handled, and the reasons behind the occurrence of the incident. The steps taken and conclusions reached should be documented immediately after the forensic process.

Incident Impact Assessment

"Incident impact assessment" refers to the process of determining all types of losses that occur due to an incident. Incident responders must find and list all affected devices, networks, applications, and software to evaluate the impact of the incident. An incident impact assessment must include details such as the type of impact, the method of detection, the response process, and the eradication measures.

Review and Revise Policies

Reviewing and revising security policies is a key step in the IH&R process that helps prevent future incidents. The review and revision of security policies is simply the implementation of the lessons learned from previous incidents.

Close the Investigation

After conducting a detailed investigation, documenting the incident, and revising the relevant policies, the investigation can be officially closed; management should be informed that the investigation has closed.

Incident Disclosure

After closing the investigation, the incident disclosure takes place. An organization hit by a security incident needs to disclose the incident's details to various entities. At this stage, an organization decides which details to disclose to the respective stakeholders. The disclosure procedure varies by company and by stakeholder. An IH&R team must consult its legal department before sharing any information with external entities. The following is a list of possible entities that may be interested in information related to such a cyber incident:

= Law Enforcement
= Regional Judiciary
= Regulatory Authorities
= Media
= Stakeholders
= Stockholders
= Breach Victims
= Vendors
= Customers
= General Public
= Third Parties
= Other CERTs/CSIRTs