ITSM Midterm Reviewer PDF

Summary

This document details an incident response plan (IRP), outlining processes for detecting and responding to various cyber threats and security breaches within an organization. It explores key aspects of incident response, including roles, responsibilities, and steps in the incident lifecycle, such as preparation, containment, eradication, and recovery. The document also covers before-incident and post-incident phases.

Full Transcript

I.) Incident Response Plan (IRP) 2.) Update policies and procedures based on the
A.) Incident Response (or Cybersecurity Incident retrospective meeting.
Response) 3.) Communicate the findings to your staff.
An organization’s processes and technologies for G.) An IRP includes:
detecting and responding to cyberthreats, 1.) An incident response methodology that details
security breaches or cyberattacks. the specific steps to be taken at each phase of
A formal incident response plan enables the incident response process, and by whom.
cybersecurity teams to limit or prevent damage 2.) A communications plan for informing company
B.) Security Incidents (or Security Events) leaders, employees, customers and law
Any digital or physical breach that threatens the enforcement about incidents.
confidentiality, integrity, or availability of an 3.) Instructions for collecting and documenting
organization’s information systems or sensitive information about incidents for postmortem
data review and (if necessary) legal proceedings.
Can be intentional (cyberattacks by H.) Steps in Incident Response (NIST)
unauthorized users) or unintentional (violations of 1.) Preparation
IT policies by legitimate authorized users) CSIRT selects the best possible procedures,
C.) Overview tools and techniques to respond, identify,
Plans are created and executed by a computer contain and recover from an incident
security incident response team (CSIRT) made up quickly and with minimal business disruption.
of stakeholders from across the organization. A continuous phase
A written document, formally approved by the 2.) Detection and Analysis
senior leadership team, that helps your Security team members monitor the network
organization before, during, and after a for suspicious activity and potential threats.
confirmed or suspected security incident. Today, most organizations use one or more
Will clarify roles and responsibilities and will security solutions—such as security
provide guidance on key activities, as well as information and event management (SIEM)
include a cybersecurity list of key people who and endpoint detection and response
may be needed during a crisis. (EDR)—to monitor security events in real time
D.) Before a Cybersecurity Incident and automate response efforts.
1.) Train the staff The communication plan also comes into
2.) Review your plan with an attorney play during this phase.
3.) Meet up with your local anti-cybercrime police 3.) Containment
unit/NBI cybercrime group. The incident response team takes steps to
4.) Print these documents and the associated stop the breach or other malicious activity
contact list and give a copy to everyone you from doing further damage to the network.
expect to play a role in an incident. The emergency incident response plans
5.) Develop an incident staffing and stakeholder then go into action
plan. There are two categories of containment
6.) Review this plan quarterly. activities: Short-term mitigation and Long-
7.) Prepare press responses in advance. term containment
8.) Select an outside technical resource/firm that will 4.) Eradication
investigate potential compromises. The team moves on to full remediation and
9.) Conduct an attack simulation exercise, complete removal of the threat from the
sometimes called a tabletop exercise, or TTX; A system
TTX is a roleplaying game where a facilitator The team also reviews both affected and
presents a scenario to the team. unaffected systems to help ensure that no
E.) During a Cybersecurity Incident traces of the breach are left behind.
1.) Assign an Incident Manager (IM). This person 5.) Recovery
leads the response, manage communication The incident response team restores
flows, update stakeholders, and delegate tasks. affected systems to normal operations.
The IM does not perform any technical duties. This might involve deploying patches,
2.) Assign Tech Manager (TM). The TM will serve as rebuilding systems from backups and
the subject matter expert. They will bring in other bringing systems and devices back online.
internal and possibly external technical experts A record of the attack and its resolution are
3.) Assign Communications Manager (CM) that will kept for analysis and system improvements
interact with reporters, post updates on social 6.) Post Incident Review (PIR)
media, and interact with external stakeholders Throughout each phase of the incident
F.) After a Cybersecurity Incident response process, the CSIRT collects
1.) Hold a formal retrospective meeting (sometimes evidence of the breach and documents the
called a “postmortem”).
 steps it takes to contain and eradicate the compromised insider credentials—that can
threat. elude other security tools
The CSIRT reviews this to better understand UEBA functions are often included in SIEM,
the incident and gather “lessons learned. EDR and XDR solutions.
The CSIRT seeks to determine the root cause, 6.) XDR (extended detection and response)
how it successfully breached the network, A cybersecurity technology that unifies
and resolve vulnerabilities so that future security tools, control points, data and
incidents of this type don't reoccur. telemetry sources and analytics across the
I.) Incident Response Technologies hybrid IT environment
1.) ASM (Attack Surface Management) Creates a single, central enterprise system
Refers to the processes, tools, and strategies for threat prevention, detection and
that organizations use to identify, monitor, response
and reduce the potential attack surfaces— Can help overextended security teams and
vulnerabilities and exposed entry points— SOCs by eliminating silos between security
across their digital environment tools and automating responses across the
ASM solutions - automate the continuous entire cyberthreat kill chain
discovery, analysis, remediation and II.) AI and Incident Response
monitoring of vulnerabilities and potential A.) Benefits
attack vectors across all the assets in an Quickly detect and control incidents before
organization’s attack service escalation.
Can uncover previously unmonitored Faster detection of anomalies
network assets and map relationships More proactive response processes
between assets Prediction of likely attack channels
2.) EDR (endpoint detection and response) B.) Automated Threat Detection
Provides comprehensive monitoring, Real-Time Monitoring: AI can analyze network
detection, investigation, and response traffic, logs, and other data sources in real time
capabilities to help organizations protect to identify anomalies and patterns that could
their endpoints from malicious activities. indicate a cybersecurity threat
Is software designed to automatically Behavioral Analysis: AI can monitor user
protect an organization's users, endpoint behavior and system interactions, looking for
devices and IT assets against cyberthreats deviations from normal patterns that might
Collects data continuously from all suggest a compromised account or system.
endpoints on the network and analyzes it in C.) Threat Intelligence and Analysis\
real time for evidence of known or Data Correlation: AI can process large amounts
suspected cyberthreats. of unstructured data from multiple sources and
3.) SIEM (security information and event correlate them to identify emerging threats or
management) attack vectors.
Aggregates and correlates security event Malware Analysis: AI can automatically analyze
data from disparate internal security tools suspicious files or URLs to determine if they are
and from devices on the network malicious.
Can help incident response teams fight D.) Incident Prioritization
“alert fatigue” by distinguishing indicators of Risk Scoring: AI can help prioritize incidents
actual threats from the huge volume of based on their severity, potential impact, and
notifications that security tools generate likelihood of exploitation.
4.) SOAR (security orchestration, automation and Automated Triage: AI can classify and
response) categorize incidents, streamlining the triage
Enables security teams to define playbooks, process and ensuring that resources are
formalized workflows that coordinate allocated to the most important incidents first.
different security operations and tools in E.) Incident Response Playbooks
response to security incidents. Automated Playbook Execution: AI can trigger
SOAR platforms can also automate portions predefined incident response actions, such as
of these workflows where possible. isolating compromised systems, blocking
5.) UEBA (user and entity behavior analytics) malicious IP addresses, or disabling accounts.
Uses behavioral analytics, machine learning Adaptive Playbooks: AI can learn from previous
algorithms and automation to identify incidents, evolving response playbooks to
abnormal and potentially dangerous user improve over time.
and device behavior. F.) Forensics and Root Cause Analysis
Effective at identifying insider threats— Data Mining: AI can assist in forensic
malicious insiders or hackers that use investigations by analyzing large amounts of
 historical data to identify the root cause of an 2.) Improving Detection and Response: Allows the
incident. Blue Team to practice detecting and responding
Pattern Recognition: AI can look for patterns to attacks in real-time.
and commonalities across incidents, potentially 3.) Identifying Weaknesses: Organizations can identify
identifying trends or tactics used by attackers vulnerabilities they may not have been aware of.
G.) Speed and Scalability 4.) Enhancing Communication: It helps foster better
Scalable Analysis: AI can process vast amounts coordination between security teams and other
of data much faster, helping organizations scale parts of the organization.
their incident response efforts. 5.) In some cases, there may also be a White Team,
Reducing Time to Resolution: By automating which oversees the exercise and ensures that the
repetitive and low- value tasks AI reduces the rules are followed, and possibly a Purple Team,
time it takes to identify, investigate, and which combines the efforts of both Red and Blue
mitigate threats Teams for cooperative learning and improvement.
H.) Communicating and Reporting 6.) Train the security team on real-world attack
Automated Reporting: AI can help generate tactics and defense strategies.
detailed reports on incidents, including 7.) Strengthen overall resilience to cyber threats.
timelines, impact assessments, and 8.) To identify vulnerabilities, improve detection and
recommendations for improvement. response capabilities, and strengthen overall
Collaboration: AI can enhance communication security strategies, whether physical or digital.
and collaboration within teams by providing C.) Red Team
real-time updates, suggestions, and insights 1.) Definition
I.) Predictive Capabilities Red Teams’ ideas will likely sort into two
Threat Forecasting: AI can use machine learning broad categories:
models to predict potential attack methods or a.) Direct attacks: Plans that rely on directly
targets based on historical data, threat pursuing the secret or attempting brute
intelligence, and current network activity force; and
Vulnerability Management: AI can predict b.) Indirect attacks: Plans that rely on
which vulnerabilities are most likely to be tricking the people involved into
exploited, allowing organizations to patch breaking protocol or exposing
critical systems before they are attacked. vulnerabilities.
J.) Post-Incident Learning and Continuous Improvement 2.) Responsibilities
Incident Review and Analysis: AI can analyze Determine objectives: Identifying target
past incidents to identify areas for improvement, systems, networks, resources, or data
including response time, effectiveness of Exploit vulnerabilities: Using weaknesses in
mitigation strategies, and gaps in security the organization’s technology stack to gain
controls. unauthorized access
Training and Simulation: AI-driven simulation Compromise security: Using unauthorized
tools can create realistic attack scenarios for access to achieve the identified objective
training purposes Evade detection: Compromising security
K.) Limitations and Challenges without triggering security alerts
False Positives: AI may sometimes generate Develop report: Documenting findings and
false positives that need to be validated by recommendations for improvement
human analysts. 3.) Skillsets
Complexity: Setting up AI-driven incident Competitiveness: Want to achieve their
response systems requires expertise and objectives without getting caught or “losing”
continuous tuning to ensure optimal Creativity: They think about new ways to get
performance. around the organization’s controls and
Human Oversight: AI should assist human detections.
experts, not replace them entirely. Complex Cunning: They understand the psychology of
decisions should still involve human judgment. social engineering and can talk people into
III.) Red Team/Blue Team Exercise taking actions against their best interests
A.) Definition Software development: Can develop own
A structured simulation used to test and improve tools or scripts to use as part of their attacks
an organization's security defenses which involves and can find vulnerabilities in code-based
two opposing groups: the Red Team (attackers) infrastructures and resources.
and the Blue Team (defenders). System knowledge: They have deep
B.) Purpose knowledge about computer systems,
1.) Testing Security Posture: Helps evaluate how well protocols, libraries, servers, and technology
an organization can defend itself against different trends so they can find vulnerabilities.
types of attacks.
 Reverse threat engineering: They can use Meticulous: Detail-oriented to identify
information about known attacks and deviations from normal data patterns
identify adversary attack paths Risk aware: Ability to identify risk and create
Penetration testing: They know how to threat profiles across various scenarios to
identify and exploit different types of system prepare against future attacks
and network vulnerabilities. Investigative: Using threat intelligence to
Research: They know how to gather and use mitigate identified risks and uncover new
information about potential attacks to ones
emulate them Technical hardening techniques:
A deep awareness of computer systems and understanding technical weaknesses and
protocols, security techniques, tools and remediating them to reduce the attack
safeguards surface
Strong software development skills in order Experience with detection systems:
to develop custom made tools Knowledge of various detection
Experience in penetration testing technologies
Social engineering skills that allow the team A full understanding of the organization’s
member to manipulate others into sharing security strategy across people, tools and
information or credentials technologies
D.) Blue Team Analysis skills to accurately identify the most
1.) Definitions and Terms dangerous threats and prioritize responses
Consists of incident response consultants who accordingly
provide guidance to the IT security team on Hardening techniques to reduce the attack
where to make improvements surface, particularly as it relates to the
The IT security team is then responsible for domain name system (DNS)
maintaining the internal network against Keen awareness of the company’s existing
various types of risk. security detection tools and systems and
Blue Teams may attempt to reduce their risk their alert mechanisms
of direct or indirect attacks. E.) High Level Ideas That May Emerge
Detection and remediation are equally as It’s tough to cover every possible attack.
important as prevention to overall defense It’s easier to think of attacks than it is to think of
capabilities protection measures.
One key metric is the organization’s Brainstorming attacks and protections feels
“breakout time” — the critical window disorganized.
between when an intruder compromises the Both sides may have lots of open questions about
first machine and when they can move what’s possible or answers that begin with “It
laterally to other systems on the network depends”
1-10-60 rule - organizations should be able to F.) Benefits
detect an intrusion in under a minute, assess Identify misconfigurations and coverage gaps in
its risk level within 10 minutes and eject the existing security products
adversary in less than one hour Strengthen network security to detect targeted
2.) Responsibilities attacks and improve breakout time
Education: Mitigating potential social Raise healthy competition among security
engineering and physical attacks by personnel and foster cooperation among the IT
providing cybersecurity hygiene training. and security teams
Risk Analysis: defining critical assets and Elevate awareness among staff
engaging in risk assessments Build the skills and maturity of the organization’s
Detection: identifying suspicious activity security capabilities within a safe, low-risk training
across networks, users, systems, and devices environment
Investigation: locating exploitable IV.) Psychology of Social Engineering
vulnerabilities and responding to detections 1.) Definitions
Containment: blocking red teamers from Involves manipulating human behaviors,
accessing the target systems and resources emotions, and cognitive biases to deceive
Vulnerability scans: scanning networks to individuals into divulging confidential information
identify known or unknown vulnerabilities or performing actions that compromise security.
Evidence collection and analysis: gathering Exploit human nature rather than technical
forensic data, like network traffic vulnerabilities
information, and analyzing it 2.) Authority
3.) Skillsets People tend to comply with requests from figures
Organized: Ability to manage data and of authority, whether real or perceived
follow procedures
 Attackers may pose as authority figures to gain b.) Least Privilege Access: Users and devices are
trust and prompt compliance. given the minimum level of access necessary to
3.) Urgency and Scarcity perform their tasks
Creating a sense of urgency/scarcity increases c.) Micro-Segmentation: The network is divided into
the risk of quick, unconsidered decision-making. smaller segments that have their own access
When people feel time-pressured, they are more controls to limit lateral movement of attackers
prone to make mistakes. d.) Identity and Access Management (IAM): Strong
4.) Reciprocity authentication methods like multi-factor
People tend to feel obliged to return a favor and authentication (MFA), are essential for verifying
social engineers can exploit this by offering user identities.
something small or appearing helpful to elicit a e.) Continuous Monitoring: Continuous surveillance of
reciprocal response. user behavior and network traffic helps detect
5.) Social Proof anomalies and potential threats in real time.
Individuals are more likely to comply with a f.) Data Protection: Sensitive data should be
request if they see others doing the same. encrypted and protected regardless of where it
Works especially well in social situations or when resides—on-premises or in the cloud.
there is a perceived norm. 3.) Key Steps in Zero Trust Implementation
6.) Liking a.) Identify Resources and Data: Catalog all
People are more likely to be influenced by assets(data, applications, and services) and
individuals they like. determine the sensitivity and criticality of each
7.) Commitment and Consistency resource.
Once people commit to something, they tend to b.) Define the Protection Surface: Focus on
follow through to appear consistent protecting the most critical data and assets
Attackers may start with small requests that seem rather than the entire network perimeter.
harmless and move to more significant requests c.) Map the Transaction Flows: Understand how data
8.) Fear and Threats flows between resources and users and identify
Using fear as a motivator, attackers can how users interact with resources to enforce
manipulate people into making irrational access policies.
decisions d.) Implement Strong Identity and Access
The fear of loss, legal consequences, or harm can Management (IAM): Use MFA to verify user
push individuals to act without thinking critically. identities and implement role-based access
9.) Why Social Engineering is Effective control (RBAC) and the principle of least privilege.
a.) Exploits Natural Tendencies: It takes advantage e.) Micro-Segmentation: Divide the network into
of common human behaviors, such as the smaller, manageable segments and apply
inclination to help others, trust authority figures, or security policies and controls at each segment to
act quickly under pressure. limit lateral movement.
b.) Circumvents Technical Controls: Even the most f.) Continuous Monitoring and Analytics: Monitor
secure systems can be compromised if attackers user and entity behaviors for anomalies and use
manipulate the people who use them. This is why security information and event management
social engineering is often used as an entry point (SIEM) tools to analyze logs and alerts.
for more sophisticated attacks. g.) Automate Security Responses: Employ
c.) Cognitive Biases: People are susceptible to automation tools to respond to security incidents
various cognitive biases like confirmation bias in real time and use orchestration tools to
(favoring information that confirms preexisting streamline workflows and improve response times.
beliefs) or availability bias (overestimating the h.) Establish a Strong Endpoint Security Posture:
likelihood of events based on recent examples). Ensure all devices are secured and implement
V.) Zero Trust Model endpoint detection and response (EDR) solutions.
1.) Definition i.) Regularly Test and Update Security Policies: Do
A cybersecurity model and framework that regular security assessments and penetration
fundamentally shifts the approach to network testing and update access policies based on
security new threats or changes in the environment.
Operates on the principle that no one—whether j.) Educate and Train Users: Provide ongoing training
inside or outside the network—should be trusted about security best practices and foster a
by default. Verification is required from everyone security-aware culture within the organization.
attempting to gain access to resources k.) Implement Data Encryption: Encrypt sensitive
2.) Key Principles data both at rest and in transit to protect it from
a.) Never Trust, Always Verify: Assume that threats unauthorized access.
could be both outside and inside the network. l.) Integrate Threat Intelligence: Use threat
Every access request must be verified. intelligence to inform security strategies and
anticipate potential threats.