ITSM Midterm Reviewer PDF
Document Details
Uploaded by Deleted User
Tags
Summary
This document details an incident response plan (IRP), outlining processes for detecting and responding to various cyber threats and security breaches within an organization. It explores key aspects of incident response, including roles, responsibilities, and steps in the incident lifecycle, such as preparation, containment, eradication, and recovery. The document also covers before-incident and post-incident phases.
Full Transcript
I.) Incident Response Plan (IRP) 2.) Update policies and procedures based on the A.) Incident Response (or Cybersecurity Incident retrospective meeting. Response) 3.) Co...
I.) Incident Response Plan (IRP) 2.) Update policies and procedures based on the A.) Incident Response (or Cybersecurity Incident retrospective meeting. Response) 3.) Communicate the findings to your staff. An organization’s processes and technologies for G.) An IRP includes: detecting and responding to cyberthreats, 1.) An incident response methodology that details security breaches or cyberattacks. the specific steps to be taken at each phase of A formal incident response plan enables the incident response process, and by whom. cybersecurity teams to limit or prevent damage 2.) A communications plan for informing company B.) Security Incidents (or Security Events) leaders, employees, customers and law Any digital or physical breach that threatens the enforcement about incidents. confidentiality, integrity, or availability of an 3.) Instructions for collecting and documenting organization’s information systems or sensitive information about incidents for postmortem data review and (if necessary) legal proceedings. Can be intentional (cyberattacks by H.) Steps in Incident Response (NIST) unauthorized users) or unintentional (violations of 1.) Preparation IT policies by legitimate authorized users) CSIRT selects the best possible procedures, C.) Overview tools and techniques to respond, identify, Plans are created and executed by a computer contain and recover from an incident security incident response team (CSIRT) made up quickly and with minimal business disruption. of stakeholders from across the organization. A continuous phase A written document, formally approved by the 2.) Detection and Analysis senior leadership team, that helps your Security team members monitor the network organization before, during, and after a for suspicious activity and potential threats. confirmed or suspected security incident. Today, most organizations use one or more Will clarify roles and responsibilities and will security solutions—such as security provide guidance on key activities, as well as information and event management (SIEM) include a cybersecurity list of key people who and endpoint detection and response may be needed during a crisis. (EDR)—to monitor security events in real time D.) Before a Cybersecurity Incident and automate response efforts. 1.) Train the staff The communication plan also comes into 2.) Review your plan with an attorney play during this phase. 3.) Meet up with your local anti-cybercrime police 3.) Containment unit/NBI cybercrime group. The incident response team takes steps to 4.) Print these documents and the associated stop the breach or other malicious activity contact list and give a copy to everyone you from doing further damage to the network. expect to play a role in an incident. The emergency incident response plans 5.) Develop an incident staffing and stakeholder then go into action plan. There are two categories of containment 6.) Review this plan quarterly. activities: Short-term mitigation and Long- 7.) Prepare press responses in advance. term containment 8.) Select an outside technical resource/firm that will 4.) Eradication investigate potential compromises. The team moves on to full remediation and 9.) Conduct an attack simulation exercise, complete removal of the threat from the sometimes called a tabletop exercise, or TTX; A system TTX is a roleplaying game where a facilitator The team also reviews both affected and presents a scenario to the team. unaffected systems to help ensure that no E.) During a Cybersecurity Incident traces of the breach are left behind. 1.) Assign an Incident Manager (IM). This person 5.) Recovery leads the response, manage communication The incident response team restores flows, update stakeholders, and delegate tasks. affected systems to normal operations. The IM does not perform any technical duties. This might involve deploying patches, 2.) Assign Tech Manager (TM). The TM will serve as rebuilding systems from backups and the subject matter expert. They will bring in other bringing systems and devices back online. internal and possibly external technical experts A record of the attack and its resolution are 3.) Assign Communications Manager (CM) that will kept for analysis and system improvements interact with reporters, post updates on social 6.) Post Incident Review (PIR) media, and interact with external stakeholders Throughout each phase of the incident F.) After a Cybersecurity Incident response process, the CSIRT collects 1.) Hold a formal retrospective meeting (sometimes evidence of the breach and documents the called a “postmortem”). steps it takes to contain and eradicate the compromised insider credentials—that can threat. elude other security tools The CSIRT reviews this to better understand UEBA functions are often included in SIEM, the incident and gather “lessons learned. EDR and XDR solutions. The CSIRT seeks to determine the root cause, 6.) XDR (extended detection and response) how it successfully breached the network, A cybersecurity technology that unifies and resolve vulnerabilities so that future security tools, control points, data and incidents of this type don't reoccur. telemetry sources and analytics across the I.) Incident Response Technologies hybrid IT environment 1.) ASM (Attack Surface Management) Creates a single, central enterprise system Refers to the processes, tools, and strategies for threat prevention, detection and that organizations use to identify, monitor, response and reduce the potential attack surfaces— Can help overextended security teams and vulnerabilities and exposed entry points— SOCs by eliminating silos between security across their digital environment tools and automating responses across the ASM solutions - automate the continuous entire cyberthreat kill chain discovery, analysis, remediation and II.) AI and Incident Response monitoring of vulnerabilities and potential A.) Benefits attack vectors across all the assets in an Quickly detect and control incidents before organization’s attack service escalation. Can uncover previously unmonitored Faster detection of anomalies network assets and map relationships More proactive response processes between assets Prediction of likely attack channels 2.) EDR (endpoint detection and response) B.) Automated Threat Detection Provides comprehensive monitoring, Real-Time Monitoring: AI can analyze network detection, investigation, and response traffic, logs, and other data sources in real time capabilities to help organizations protect to identify anomalies and patterns that could their endpoints from malicious activities. indicate a cybersecurity threat Is software designed to automatically Behavioral Analysis: AI can monitor user protect an organization's users, endpoint behavior and system interactions, looking for devices and IT assets against cyberthreats deviations from normal patterns that might Collects data continuously from all suggest a compromised account or system. endpoints on the network and analyzes it in C.) Threat Intelligence and Analysis\ real time for evidence of known or Data Correlation: AI can process large amounts suspected cyberthreats. of unstructured data from multiple sources and 3.) SIEM (security information and event correlate them to identify emerging threats or management) attack vectors. Aggregates and correlates security event Malware Analysis: AI can automatically analyze data from disparate internal security tools suspicious files or URLs to determine if they are and from devices on the network malicious. Can help incident response teams fight D.) Incident Prioritization “alert fatigue” by distinguishing indicators of Risk Scoring: AI can help prioritize incidents actual threats from the huge volume of based on their severity, potential impact, and notifications that security tools generate likelihood of exploitation. 4.) SOAR (security orchestration, automation and Automated Triage: AI can classify and response) categorize incidents, streamlining the triage Enables security teams to define playbooks, process and ensuring that resources are formalized workflows that coordinate allocated to the most important incidents first. different security operations and tools in E.) Incident Response Playbooks response to security incidents. Automated Playbook Execution: AI can trigger SOAR platforms can also automate portions predefined incident response actions, such as of these workflows where possible. isolating compromised systems, blocking 5.) UEBA (user and entity behavior analytics) malicious IP addresses, or disabling accounts. Uses behavioral analytics, machine learning Adaptive Playbooks: AI can learn from previous algorithms and automation to identify incidents, evolving response playbooks to abnormal and potentially dangerous user improve over time. and device behavior. F.) Forensics and Root Cause Analysis Effective at identifying insider threats— Data Mining: AI can assist in forensic malicious insiders or hackers that use investigations by analyzing large amounts of historical data to identify the root cause of an 2.) Improving Detection and Response: Allows the incident. Blue Team to practice detecting and responding Pattern Recognition: AI can look for patterns to attacks in real-time. and commonalities across incidents, potentially 3.) Identifying Weaknesses: Organizations can identify identifying trends or tactics used by attackers vulnerabilities they may not have been aware of. G.) Speed and Scalability 4.) Enhancing Communication: It helps foster better Scalable Analysis: AI can process vast amounts coordination between security teams and other of data much faster, helping organizations scale parts of the organization. their incident response efforts. 5.) In some cases, there may also be a White Team, Reducing Time to Resolution: By automating which oversees the exercise and ensures that the repetitive and low- value tasks AI reduces the rules are followed, and possibly a Purple Team, time it takes to identify, investigate, and which combines the efforts of both Red and Blue mitigate threats Teams for cooperative learning and improvement. H.) Communicating and Reporting 6.) Train the security team on real-world attack Automated Reporting: AI can help generate tactics and defense strategies. detailed reports on incidents, including 7.) Strengthen overall resilience to cyber threats. timelines, impact assessments, and 8.) To identify vulnerabilities, improve detection and recommendations for improvement. response capabilities, and strengthen overall Collaboration: AI can enhance communication security strategies, whether physical or digital. and collaboration within teams by providing C.) Red Team real-time updates, suggestions, and insights 1.) Definition I.) Predictive Capabilities Red Teams’ ideas will likely sort into two Threat Forecasting: AI can use machine learning broad categories: models to predict potential attack methods or a.) Direct attacks: Plans that rely on directly targets based on historical data, threat pursuing the secret or attempting brute intelligence, and current network activity force; and Vulnerability Management: AI can predict b.) Indirect attacks: Plans that rely on which vulnerabilities are most likely to be tricking the people involved into exploited, allowing organizations to patch breaking protocol or exposing critical systems before they are attacked. vulnerabilities. J.) Post-Incident Learning and Continuous Improvement 2.) Responsibilities Incident Review and Analysis: AI can analyze Determine objectives: Identifying target past incidents to identify areas for improvement, systems, networks, resources, or data including response time, effectiveness of Exploit vulnerabilities: Using weaknesses in mitigation strategies, and gaps in security the organization’s technology stack to gain controls. unauthorized access Training and Simulation: AI-driven simulation Compromise security: Using unauthorized tools can create realistic attack scenarios for access to achieve the identified objective training purposes Evade detection: Compromising security K.) Limitations and Challenges without triggering security alerts False Positives: AI may sometimes generate Develop report: Documenting findings and false positives that need to be validated by recommendations for improvement human analysts. 3.) Skillsets Complexity: Setting up AI-driven incident Competitiveness: Want to achieve their response systems requires expertise and objectives without getting caught or “losing” continuous tuning to ensure optimal Creativity: They think about new ways to get performance. around the organization’s controls and Human Oversight: AI should assist human detections. experts, not replace them entirely. Complex Cunning: They understand the psychology of decisions should still involve human judgment. social engineering and can talk people into III.) Red Team/Blue Team Exercise taking actions against their best interests A.) Definition Software development: Can develop own A structured simulation used to test and improve tools or scripts to use as part of their attacks an organization's security defenses which involves and can find vulnerabilities in code-based two opposing groups: the Red Team (attackers) infrastructures and resources. and the Blue Team (defenders). System knowledge: They have deep B.) Purpose knowledge about computer systems, 1.) Testing Security Posture: Helps evaluate how well protocols, libraries, servers, and technology an organization can defend itself against different trends so they can find vulnerabilities. types of attacks. Reverse threat engineering: They can use Meticulous: Detail-oriented to identify information about known attacks and deviations from normal data patterns identify adversary attack paths Risk aware: Ability to identify risk and create Penetration testing: They know how to threat profiles across various scenarios to identify and exploit different types of system prepare against future attacks and network vulnerabilities. Investigative: Using threat intelligence to Research: They know how to gather and use mitigate identified risks and uncover new information about potential attacks to ones emulate them Technical hardening techniques: A deep awareness of computer systems and understanding technical weaknesses and protocols, security techniques, tools and remediating them to reduce the attack safeguards surface Strong software development skills in order Experience with detection systems: to develop custom made tools Knowledge of various detection Experience in penetration testing technologies Social engineering skills that allow the team A full understanding of the organization’s member to manipulate others into sharing security strategy across people, tools and information or credentials technologies D.) Blue Team Analysis skills to accurately identify the most 1.) Definitions and Terms dangerous threats and prioritize responses Consists of incident response consultants who accordingly provide guidance to the IT security team on Hardening techniques to reduce the attack where to make improvements surface, particularly as it relates to the The IT security team is then responsible for domain name system (DNS) maintaining the internal network against Keen awareness of the company’s existing various types of risk. security detection tools and systems and Blue Teams may attempt to reduce their risk their alert mechanisms of direct or indirect attacks. E.) High Level Ideas That May Emerge Detection and remediation are equally as It’s tough to cover every possible attack. important as prevention to overall defense It’s easier to think of attacks than it is to think of capabilities protection measures. One key metric is the organization’s Brainstorming attacks and protections feels “breakout time” — the critical window disorganized. between when an intruder compromises the Both sides may have lots of open questions about first machine and when they can move what’s possible or answers that begin with “It laterally to other systems on the network depends” 1-10-60 rule - organizations should be able to F.) Benefits detect an intrusion in under a minute, assess Identify misconfigurations and coverage gaps in its risk level within 10 minutes and eject the existing security products adversary in less than one hour Strengthen network security to detect targeted 2.) Responsibilities attacks and improve breakout time Education: Mitigating potential social Raise healthy competition among security engineering and physical attacks by personnel and foster cooperation among the IT providing cybersecurity hygiene training. and security teams Risk Analysis: defining critical assets and Elevate awareness among staff engaging in risk assessments Build the skills and maturity of the organization’s Detection: identifying suspicious activity security capabilities within a safe, low-risk training across networks, users, systems, and devices environment Investigation: locating exploitable IV.) Psychology of Social Engineering vulnerabilities and responding to detections 1.) Definitions Containment: blocking red teamers from Involves manipulating human behaviors, accessing the target systems and resources emotions, and cognitive biases to deceive Vulnerability scans: scanning networks to individuals into divulging confidential information identify known or unknown vulnerabilities or performing actions that compromise security. Evidence collection and analysis: gathering Exploit human nature rather than technical forensic data, like network traffic vulnerabilities information, and analyzing it 2.) Authority 3.) Skillsets People tend to comply with requests from figures Organized: Ability to manage data and of authority, whether real or perceived follow procedures Attackers may pose as authority figures to gain b.) Least Privilege Access: Users and devices are trust and prompt compliance. given the minimum level of access necessary to 3.) Urgency and Scarcity perform their tasks Creating a sense of urgency/scarcity increases c.) Micro-Segmentation: The network is divided into the risk of quick, unconsidered decision-making. smaller segments that have their own access When people feel time-pressured, they are more controls to limit lateral movement of attackers prone to make mistakes. d.) Identity and Access Management (IAM): Strong 4.) Reciprocity authentication methods like multi-factor People tend to feel obliged to return a favor and authentication (MFA), are essential for verifying social engineers can exploit this by offering user identities. something small or appearing helpful to elicit a e.) Continuous Monitoring: Continuous surveillance of reciprocal response. user behavior and network traffic helps detect 5.) Social Proof anomalies and potential threats in real time. Individuals are more likely to comply with a f.) Data Protection: Sensitive data should be request if they see others doing the same. encrypted and protected regardless of where it Works especially well in social situations or when resides—on-premises or in the cloud. there is a perceived norm. 3.) Key Steps in Zero Trust Implementation 6.) Liking a.) Identify Resources and Data: Catalog all People are more likely to be influenced by assets(data, applications, and services) and individuals they like. determine the sensitivity and criticality of each 7.) Commitment and Consistency resource. Once people commit to something, they tend to b.) Define the Protection Surface: Focus on follow through to appear consistent protecting the most critical data and assets Attackers may start with small requests that seem rather than the entire network perimeter. harmless and move to more significant requests c.) Map the Transaction Flows: Understand how data 8.) Fear and Threats flows between resources and users and identify Using fear as a motivator, attackers can how users interact with resources to enforce manipulate people into making irrational access policies. decisions d.) Implement Strong Identity and Access The fear of loss, legal consequences, or harm can Management (IAM): Use MFA to verify user push individuals to act without thinking critically. identities and implement role-based access 9.) Why Social Engineering is Effective control (RBAC) and the principle of least privilege. a.) Exploits Natural Tendencies: It takes advantage e.) Micro-Segmentation: Divide the network into of common human behaviors, such as the smaller, manageable segments and apply inclination to help others, trust authority figures, or security policies and controls at each segment to act quickly under pressure. limit lateral movement. b.) Circumvents Technical Controls: Even the most f.) Continuous Monitoring and Analytics: Monitor secure systems can be compromised if attackers user and entity behaviors for anomalies and use manipulate the people who use them. This is why security information and event management social engineering is often used as an entry point (SIEM) tools to analyze logs and alerts. for more sophisticated attacks. g.) Automate Security Responses: Employ c.) Cognitive Biases: People are susceptible to automation tools to respond to security incidents various cognitive biases like confirmation bias in real time and use orchestration tools to (favoring information that confirms preexisting streamline workflows and improve response times. beliefs) or availability bias (overestimating the h.) Establish a Strong Endpoint Security Posture: likelihood of events based on recent examples). Ensure all devices are secured and implement V.) Zero Trust Model endpoint detection and response (EDR) solutions. 1.) Definition i.) Regularly Test and Update Security Policies: Do A cybersecurity model and framework that regular security assessments and penetration fundamentally shifts the approach to network testing and update access policies based on security new threats or changes in the environment. Operates on the principle that no one—whether j.) Educate and Train Users: Provide ongoing training inside or outside the network—should be trusted about security best practices and foster a by default. Verification is required from everyone security-aware culture within the organization. attempting to gain access to resources k.) Implement Data Encryption: Encrypt sensitive 2.) Key Principles data both at rest and in transit to protect it from a.) Never Trust, Always Verify: Assume that threats unauthorized access. could be both outside and inside the network. l.) Integrate Threat Intelligence: Use threat Every access request must be verified. intelligence to inform security strategies and anticipate potential threats.