SSCP Book Chapter03 (Incident Response and Recovery) Notes

Chapter 03 outlines the essential elements of an Incident Response Plan, including team composition, communication strategies, and the importance of monitoring and triaging incidents. It emphasizes the need for effective containment, eradication, and recovery processes, along with post-incident activities such as lessons learned and evidence retention. Additionally, it covers disaster recovery planning, including backup strategies and testing methods to ensure business continuity in the face of adversities.

Uploaded by

Adrian

CHAPTER 03: INCIDENT RESPONSE

1. Incident Response Plan Elements include:

1.1 Statement of purpose.

1.2 Strategies and goals for incident response.

1.3 Approach to incident response.

1.4 Communicate with other groups.

1.5 Senior leadership approval.

2. CONSULT NIST SP 800-61 AS YOU DEVELOP YOUR PLAN

3. The incident response team should be available 24/7.

4. An IR team should include the following groups of people:

4.1 Management.

4.2 Information security personnel.

4.3 Subject matter experts.

4.4 Legal counsel.

4.5 Public affairs.

4.6 Human resources.


4.7 Physical security.

5. IR Team Provider: A third party that supplies the IR team with resources it may not otherwise have access to, e.g. forensics capabilities.

6. Involving law enforcement requires careful consideration and depends on multiple factors.

7. Monitoring is crucial to effective incident identification.

8. Incident data sources:

8.1 IDS/IPS.

8.2 Firewalls.

8.3 Authentication systems.

8.4 Integrity monitoring.

8.5 Vulnerability scanners.

8.6 System event logs.

8.7 Netflow records.

8.8 Anti-malware packages.


9. Security Incident and Event Management (SIEM): Security solution that collects information from diverse sources, analyzes it for signs of security incidents, and retains it for later use.

10. First Responders must act quickly: Isolate affected systems.

11. THE HIGHEST PRIORITY OF A FIRST RESPONDER MUST BE CONTAINING THE DAMAGE THROUGH ISOLATION.

12. Strategic Intelligence Programs: Facilitate incident identification efforts.

13. Counterintelligence: Hinders adversary abilities to gather intelligence.

14. Escalation and Notification Process Objectives:

14.1 Evaluate incident severity based upon impact.

14.2 Escalate response to an appropriate level.

14.3 Notify management and other stakeholders.

15. Triaging Process: Identifies the potential impact of an incident.

16. Triaging Incidents:

16.1 Low impact.


16.2 Moderate impact.

16.3 High impact.

17. Low Impact Incidents:

17.1 Have minimal potential to affect security.

17.2 Are normally handled by first responders.

17.3 Don’t require after-hours response.

18. Moderate Impact Incidents:

18.1 Have significant potential to affect security.

18.2 Trigger incident response team activation.

18.3 Require prompt notification to management.

19. High Impact Incidents:

19.1 May cause critical damage to information or systems.

19.2 Justify an immediate full response.

19.3 Require immediate notification to senior management.

19.4 Demand full mobilization of the incident response team.


20. Containment Strategy Evaluation (According to NIST):

20.1 Damage potential.

20.2 Evidence preservation.

20.3 Service availability.

20.4 Resource requirements.

20.5 Expected effectiveness.

20.6 Solution time frame.

22. A balance between business needs and security objectives is the goal.

23. Mitigation ends with stability: the business functions without danger.

24. NIST Incident Response Process:

24.1 Preparation.

24.2 Detection and analysis.

24.3 Containment, eradication and recovery.

24.4 Post-incident activity.


25. There are 3 primary activities that you can perform to contain the damage of a security incident:

25.1 Segmentation: Divide the network into logical segments by type of user or system. Create a separate VLAN on the network and put all infected systems in that quarantined network.

25.2 Isolation: Move affected systems to a completely different network, disconnected from the rest of the network.

25.3 Removal: Completely disconnect any affected systems from any network.

26. Eradication: Remove any traces of the incident from your systems and networks.

27. Recovery: Restore normal business operations.

28. Endpoint Security Practices include:

28.1 Application whitelisting.

28.2 Application Blacklisting.

28.3 Quarantine technology.

28.4 Strengthen access control measures.

29. Rebuild Affected Systems: After the containment strategy has been successfully applied, reset and rebuild the affected systems, apply patches to the system's security components, and rebuild with the vulnerability the attacker used to breach the system's defenses in mind, so that it is closed on the rebuilt system.

30. Enhance Enterprise Security Controls:

30.1 Firewall rules.

30.2 Mobile device management (MDM).

30.3 Data loss prevention (DLP).

30.4 URL and content filtering.

30.5 Update and revoke digital certificates.

31. Sanitization techniques (NIST SP 800-88):

31.1 Clearing: Overwrites sensitive information to frustrate casual analysis.

31.2 Purging: Uses more advanced techniques to frustrate laboratory analysis.

31.3 Destroying: Completely obliterates the media through shredding, pulverization, melting or burning.

32. Validation Process:

32.1 Verify the secure configuration of every system.

32.2 Run vulnerability scans.


32.3 Perform account and permission reviews.

32.4 Verify that systems are logging and communicating security information to the SIEM.

33. Validate that you have successfully restored all capabilities and services.

34. Post-Incident Activities Include:

34.1 Lessons learned.

34.2 Evidence retention.

34.3 Indicator of compromise generation.

35. Lessons Learned: Provides incident responders with the opportunity to reflect on the
incident response efforts and offer feedback that will improve the organization’s response to
future incidents.

36. Follow your organization’s change management process.

37. Incident Summary report: Describes response efforts.

38. Incorporate new indicators of compromise in your security monitoring program.

39. Incident response exercises include:


39.1 Read-Throughs: Ask each team member to review their role in the plan.

39.2 Walk-Throughs: Gather the team together, also known as tabletop exercises. Give the
team the opportunity to discuss the plan together instead of just reading the plan and making
changes by themselves (Read-Throughs).

39.3 Simulations: Use a specific scenario to test incident response. This exercise also
requires that the team be assembled together.

40. Simulations may become hands-on penetration tests.

41. There are 4 types of investigations involving cybersecurity professionals:

41.1 Operational or administrative investigations.

41.2 Criminal investigations.

41.3 Civil investigations.

41.4 Regulatory investigations.

42. Operational investigations: Look into technology issues.

43. Operational Investigations:

43.1 Seek to resolve technology issues.

43.2 Restore normal operations as quickly as possible.


43.3 Use very low standards of evidence.

43.4 Involve root cause analysis.

44. Criminal Investigation: Looks into possible crimes.

45. Criminal Investigations:

45.1 Involve the possibility of fines and jail time.

45.2 Use the beyond a reasonable doubt standard of evidence.

46. Civil investigations: Resolve disputes between parties.

47. Civil Investigations:

47.1 Do not involve the possibility of fines and jail time.

47.2 Use the preponderance of the evidence standard.

48. Regulatory Investigations: Conducted by the government or industry regulators. May be civil or criminal.

49. CYBERSECURITY INVESTIGATORS SHOULD LEAVE INTERROGATIONS TO LAW ENFORCEMENT.

50. Different Types of Evidence:

50.1 Real evidence.

50.2 Documentary evidence.

50.3 Testimonial evidence.

51. Real evidence: Consists of tangible evidence.

52. Documentary evidence: Consists of written information.

53. Legal Documentary Evidence Rules:

53.1 Authentication Rule: Documents must be authenticated by testimony.

53.2 Best Evidence Rule: Original documents are superior to copies.

53.3 Parol Evidence Rule: Written contracts are assumed to be the entire agreement.

54. Testimonial Evidence: Consists of witness statements.

55. Testimonial evidence comes in 2 forms:

55.1 Direct Evidence: Witness provides evidence upon his or her own observation.

55.2 Expert Opinion: Expert draws conclusions based upon other evidence.

56. Digital Forensics: Investigative techniques that collect, preserve, analyze and interpret digital evidence.

57. Investigations must never alter evidence.

58. Volatility: The relative permanence of a piece of evidence.

59. Order of volatility:

59.1 Network traffic.

59.2 Memory contents.

59.3 System and process data.

59.4 Files.

59.5 Logs.

59.6 Archived records.

60. Consider alternate evidence sources:

60.1 Video recordings.

60.2 Witness statements.


61. Write Blockers: Also known as forensic disk controllers, prevent accidental modification
of disks during imaging.

62. Hashes protect evidence: They provide a unique file signature.

63. Other Forensic Sources Include:

63.1 Screenshots.

63.2 Memory contents.

63.3 Process table.

63.4 Operating system configuration.

64. EXAM TIP: NEVER TRY TO PERFORM FORENSICS YOURSELF UNLESS YOU’VE
RECEIVED APPROPRIATE TRAINING!

65. Wireshark Monitors Networks: Captures full packet data.

66. Netflow Summarizes Traffic: Provides high-level information.

67. Netflow data captures:

67.1 IP addresses and ports.

67.2 Timestamp.

67.3 Amount of data transferred.

68. Routers and firewalls capture flow data using NetFlow, sFlow and IPFIX.

69. Bandwidth monitors report network utilization.

70. There are 2 major uses for software forensics:

70.1 Intellectual Property: Software forensics may be used to resolve intellectual property
disputes between two parties.

70.2 Malware Origins: Software forensics may be used to identify the author of malicious
software found on a system.

71. Embedded Devices: Special-purpose computers found inside smart devices found in
homes, businesses and industrial settings.

72. Chain of Custody: Provides a paper trail of evidence (a record of each time someone handles a piece of evidence).

73. Evidence Log Events include:

73.1 Initial collection.

73.2 Transfer.

73.3 Storage.

73.4 Opening and releasing the evidence container.

74. Evidence Log Entry Details Include:

74.1 Investigator name.

74.2 Date and time.

74.3 Purpose.

74.4 Nature of action.
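As an added example (not from the notes or the SSCP text), the following Python ties points 62, 72, 73 and 74 together: it hashes a constructed evidence item at collection and writes one chain-of-custody entry per handling event, recomputing the hash each time so that any change is caught at the hand-off where it occurred. The investigator names, item id and sample bytes are made up.

```python
import hashlib
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample evidence: stands in for a disk image acquired through a write blocker.
SAMPLE_IMAGE = b"constructed disk image bytes for illustration only\n" * 1000


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an evidence item, hex-encoded: its 'unique file signature'."""
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Chain-of-custody record: one entry per handling event (initial collection, transfer,
    storage, opening or releasing the container) with the details the notes list
    (investigator name, date and time, purpose, nature of action) plus the item's hash."""

    ACTIONS = {"collection", "transfer", "storage", "open", "release"}

    def __init__(self, item_id: str, data: bytes, investigator: str, purpose: str):
        self.item_id = item_id
        self.reference_hash = sha256_hex(data)  # fixed at initial collection
        self.entries: List[dict] = []
        self.record("collection", investigator, purpose, data)

    def record(self, action: str, investigator: str, purpose: str, data: bytes,
               when: Optional[datetime] = None) -> dict:
        """Append one entry; the hash is recomputed at every handling event so that
        alteration is detected at the hand-off where it happened, not at trial."""
        if action not in self.ACTIONS:
            raise ValueError(f"unknown evidence log action: {action}")
        digest = sha256_hex(data)
        entry = {
            "item_id": self.item_id,
            "investigator": investigator,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "purpose": purpose,
            "action": action,
            "sha256": digest,
            "integrity_ok": digest == self.reference_hash,
        }
        self.entries.append(entry)
        return entry

    def chain_intact(self) -> bool:
        """True only if every handling event observed the hash taken at collection."""
        return all(e["integrity_ok"] for e in self.entries)


def demo() -> Tuple[bool, bool]:
    """Walk an item through collection, transfer and storage, then simulate one changed byte."""
    log = EvidenceLog("ITEM-001", SAMPLE_IMAGE, "A. Investigator", "Acquire image of host XYZ")
    log.record("transfer", "A. Investigator", "Hand-off to evidence custodian", SAMPLE_IMAGE)
    log.record("storage", "B. Custodian", "Placed in evidence locker 7", SAMPLE_IMAGE)
    intact_before = log.chain_intact()
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[0] ^= 0xFF  # a single changed byte is enough to break the chain
    log.record("open", "B. Custodian", "Analyst check-out", bytes(tampered))
    return intact_before, log.chain_intact()


if __name__ == "__main__":
    print(demo())
```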

75. Incident Communication Efforts Include:

75.1 Initial notification of key stakeholders.

75.2 Regular progress updates on the response.

75.3 Documentation of the incident for historic reports.

76. Notify these key stakeholders promptly:

76.1 Chief Information Officer.

76.2 Director of cybersecurity.

76.3 Other response teams.

76.4 System owners.


76.5 Business process owners.

76.6 Public relations staff.

76.7 Attorneys. THIS CAN BE AUTOMATED.

77. Three major steps in the electronic discovery process:

77.1 Preservation: All relevant information is kept and not destroyed.


77.2 Collection: All relevant information is collected and reviewed.
77.3 Production: Attorneys must review documents for relevance and turn them over to the
other side.

78. Legal Holds: Require the preservation of relevant electronic and paper records.

79. System administrators must suspend the automated deletion of relevant logs.

80. Source of electronic records:

80.1 File servers.


80.2 Endpoint systems.
80.3 Email messages.
80.4 Enterprise systems and cloud services.

81. Business Continuity Planning (BCP): The set of controls designed to keep a business running in the face of adversity, whether natural or man-made.

82. EXAM TIP: BUSINESS CONTINUITY PLANNING IS ALSO KNOWN AS CONTINUITY OF OPERATIONS PLANNING (COOP).

83. Defining the BCP scope:

83.1 What business activities will the plan cover?


83.2 What (type of) systems will it cover?
83.3 What controls will it consider?

84. Business Impact Assessment (BIA): Identifies and prioritizes risks. A risk assessment that uses a quantitative or a qualitative process. The BIA proceeds as follows:

84.1 It first finds the organization's mission-essential functions.

84.2 It traces those backwards to identify the critical IT systems that support those processes.

84.3 Once planners have identified the affected IT systems, they identify the potential risks to those systems and conduct their risk assessment.

85. EXAM TIP: BUSINESS CONTINUITY PLANNING IN THE CLOUD IS A PARTNERSHIP BETWEEN THE PROVIDERS AND CUSTOMERS.

86. Single Point Of Failure Analysis: Identifies and removes single points of failure(SPOFs).

87. SPOF analysis continues until the cost of addressing risks outweighs the benefits.

88. IT contingency scenario examples that should be considered:

88.1 Sudden bankruptcy of a key vendor.


88.2 Insufficient storage or compute capacity.
88.3 Failure of utility service.

89. Remember to perform succession planning for staff as well.

90. The two key technical concepts that improve the availability of systems:

90.1 High Availability (HA): Uses multiple systems to protect against service failure.

90.2 Fault Tolerance: Makes a single system resilient against technical failures.

91. Load Balancing: Spreads the burden of providing a service across multiple systems.

92. RAID (Redundant Array of Inexpensive Disks): Provides redundancy by using more disks than are needed to meet business needs.

93. Two RAID technologies:


93.1 Disk Mirroring: Stores the same data on two different disks. Also known as RAID level
1.
93.2 Disk Striping with Parity: Uses 3 or more disks to store data and parity
information(regenerate disks contents). Also known as RAID level 5.
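Added example (not from the notes): a toy RAID 5 in Python that stripes data across three disks with rotating XOR parity, then regenerates a failed disk's contents from the survivors, which is what point 93.2 means by parity information regenerating disk contents. The chunk size and payload are constructed, and a second simultaneous failure is rejected, matching the exam tip that RAID 5 protects against a single disk failure.

```python
from typing import List, Optional

STRIPE = 4  # bytes per chunk in this toy; a real array uses 64 KiB or larger chunks


def xor_bytes(*chunks: bytes) -> bytes:
    """XOR any number of equal-length chunks; XOR is its own inverse, so XOR-ing all
    surviving chunks of a row (data and parity) yields the one that is missing."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, n_disks: int = 3) -> List[List[bytes]]:
    """Stripe data across n_disks-1 data chunks per row plus one XOR parity chunk whose
    position rotates from row to row. Returns disks[d][row]; input is zero-padded."""
    assert n_disks >= 3, "RAID 5 needs at least three disks"
    row_bytes = STRIPE * (n_disks - 1)
    data += b"\x00" * (-len(data) % row_bytes)
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for row, off in enumerate(range(0, len(data), row_bytes)):
        chunks = [data[off + i * STRIPE: off + (i + 1) * STRIPE] for i in range(n_disks - 1)]
        parity_disk = row % n_disks
        next_chunk = 0
        for d in range(n_disks):
            if d == parity_disk:
                disks[d].append(xor_bytes(*chunks))
            else:
                disks[d].append(chunks[next_chunk])
                next_chunk += 1
    return disks


def raid5_read(disks: List[Optional[List[bytes]]]) -> bytes:
    """Read the data back. A disk given as None is treated as failed and is regenerated
    row by row as the XOR of all surviving disks; two failures cannot be recovered."""
    n = len(disks)
    failed = [d for d, contents in enumerate(disks) if contents is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 survives only a single disk failure")
    rows = len(next(contents for contents in disks if contents is not None))
    out = bytearray()
    for row in range(rows):
        chunks = [disks[d][row] if disks[d] is not None else None for d in range(n)]
        if failed:
            chunks[failed[0]] = xor_bytes(*[c for c in chunks if c is not None])
        parity_disk = row % n
        out += b"".join(c for d, c in enumerate(chunks) if d != parity_disk)
    return bytes(out)


def demo() -> bool:
    """Write a payload, lose one disk, and check that the data is fully regenerated."""
    payload = b"The quick brown fox jumps over the lazy dog"  # constructed
    disks = raid5_write(payload, 3)
    disks[1] = None  # simulate disk 1 dying
    return raid5_read(disks).rstrip(b"\x00") == payload


if __name__ == "__main__":
    print("regenerated payload matches:", demo())
```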

94. EXAM TIP: RAID IS A FAULT-TOLERANCE STRATEGY DESIGNED TO PROTECT AGAINST A SINGLE DISK FAILURE; IT IS NOT A BACKUP STRATEGY!!

95. Network Redundancy Includes:

95.1 Multiple internet service providers.


95.2 NIC(Network Interface Cards) teaming. Using dual NIC cards in critical servers
95.3 Multipath networking (especially for storage).

96. NIC Teaming: Using two or more NIC cards.

97. Consider redundancy through diversity:

97.1 Use diverse technologies.


97.2 Aquire these diverse technologies from diverse vendors.
97.3 Diverse cryptography.
97.4 Use diverse security controls.

98. Disaster Recovery: Disaster recovery capabilities are designed to restore a business to its normal operations as quickly as possible.

99. The initial response after disaster recovery has been activated is to:

99.1 Contain the damage caused by the disaster.


99.2 Recover whatever capabilities may be immediately restored.
99.3 Include a variety of activities depending upon the nature of the disaster.

100. Disaster communications are crucial and include:

100.1 Initial activation of the disaster recovery team.


100.2 Regular status updates.
100.3 Tactical communications (Adhock).

101. Disaster recovery metrics used to help an organization plan their disaster
recovery efforts:

101.1 Recovery Time Objective (RTO): The maximum amount of time that it should take to
recover a service after a disaster.

101.2 Recovery Point Objective (RPO): The maximum time period for which data may be
lost in the wake of a disaster.

101.3 Recovery Service Level (RSL): The percentage of a service that must be available
during a disaster.

102. DR efforts only end when the business is operating normally in its primary environment.

103. Team members should receive regular training on their disaster recovery
responsibilities.

104. Backup Media includes:

104.1 Tape backups.


104.2 Disk-to-disk backups.
104.3 Cloud backups.

105. There are three different types of backups:

105.1 Full Backup: Includes a complete copy of all data.


105.2 Differential Backup: Includes all data modified since the last full backup.
105.3 Incremental Backup: Includes all data modified since the last full backup or
incremental backup.
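Added example (not from the notes): a Python simulation of one constructed week of file changes after a Sunday full backup, showing what each day's differential and incremental backup contains, how much data each strategy copies over the week, and how many generations each needs at restore time. The file names, sizes and change pattern are made up.

```python
from typing import Dict, List, Set

# Constructed week: day -> files modified that day. Day 0 is the Sunday full backup.
MODIFIED: Dict[int, Set[str]] = {
    1: {"payroll.db"},
    2: {"payroll.db", "web.log"},
    3: {"report.docx"},
    4: set(),
    5: {"web.log"},
}
# Constructed sizes in MiB; the OS image never changes but sits in every full backup.
SIZES: Dict[str, int] = {"payroll.db": 500, "web.log": 50, "report.docx": 5, "os-image.bin": 4000}
ALL_FILES: Set[str] = set(SIZES)


def backup_plan(strategy: str, days: int = 5) -> List[Set[str]]:
    """Return the file set captured by each backup generation 0..days under the
    'differential' or 'incremental' strategy, with a full backup on day 0 and one
    backup per day afterwards."""
    plan = [ALL_FILES.copy()]
    since_full: Set[str] = set()
    for day in range(1, days + 1):
        changed = MODIFIED.get(day, set())
        since_full |= changed
        if strategy == "differential":
            plan.append(since_full.copy())   # everything modified since the last FULL backup
        elif strategy == "incremental":
            plan.append(changed.copy())      # everything modified since the last backup of any kind
        else:
            raise ValueError(f"unknown strategy: {strategy}")
    return plan


def restore_set(strategy: str, days: int = 5) -> List[int]:
    """Generations that must be read to restore the state at the end of `days`."""
    if strategy == "differential":
        return [0, days]                    # the full backup plus only the latest differential
    return list(range(0, days + 1))         # the full backup plus every incremental since it


def backup_volume(strategy: str, days: int = 5) -> int:
    """MiB copied by the daily (non-full) backups over the week."""
    return sum(SIZES[f] for gen in backup_plan(strategy, days)[1:] for f in gen)


def restore_volume(strategy: str, days: int = 5) -> int:
    """MiB that must be read back to restore to the end of `days`."""
    plan = backup_plan(strategy, days)
    return sum(SIZES[f] for gen in restore_set(strategy, days) for f in plan[gen])


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        print(strategy, "daily backups:", backup_plan(strategy)[1:])
        print("  copied over the week:", backup_volume(strategy), "MiB;",
              "read at restore:", restore_volume(strategy), "MiB from generations",
              restore_set(strategy))
```

The trade-off the notes describe falls out of the numbers: differentials grow toward the size of the full backup but restore from two generations, while incrementals stay small but every one of them since the full backup is needed to restore.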

106. Non-Persistence: Allows us to back up only unique data.

107. Disaster Recovery Site: Provides alternate data processing.

108. Disaster Recovery Facility Types Include:

108.1 Hot site: A fully operational data center stocked with equipment and data, available at a moment's notice, but very expensive.

108.2 Cold site: An empty data center stocked with core equipment, network and environmental controls, but without the servers or data required to restore business; relatively inexpensive. The downside is that activating a cold site may take weeks or even months.

108.3 Warm site: Stocked with all necessary equipment and data, but not maintained in parallel with production. Similar in expense to hot sites, but takes only hours to days to activate.

109. Offsite Storage:

109.1 Geographically distant.

109.2 Site resiliency.

109.3 Manual transfer or site replication through a SAN (Storage Area Network) or VM.

109.4 Online (expensive) or offline (less expensive) backups.

110. Disaster Recovery Testing Goals Are:

110.1 Validate that the plan functions correctly.


110.2 Identify necessary plan updates.

111. Disaster Recovery Test Types Include:

111.1 Read-Through: Asks each member to review their role in the disaster recovery process and provide feedback.

111.2 Walk-Through: Gather the team together for a formal review of the disaster recovery plan.

111.3 Simulation: Use a practice scenario to test out the disaster recovery plan.

111.4 Parallel Test: Activate the disaster recovery environment (activates the DR plan) but do not switch operations to it.

111.5 Full-Interruption Test: Switch primary operations to the alternate environment; can be very disruptive to the business.

112. After Action Reports (AAR): Creates a formal record of the Disaster Recovery (DR)
and Business Continuity (BC) event.

113. Always conduct an AAR after every BC or DR event even the successful ones.

114. After Action Reports (AAR) should contain the following major sections:

114.1 Brief executive summary: Captures the basics of the event and the major findings in a few paragraphs.

114.2 Background information: Allows the reader to understand the context of the incident and the events leading up to it.

114.3 Answers to key factual questions: Answer the key factual questions around the event: the who, what, where, when, how and why.

114.4 Lessons learned: Include the lessons learned during the incident and in the post-event analysis.

114.5 Next steps: Include the next steps the organization must take based upon the lessons learned.

115. Business continuity and disaster recovery efforts should be part of a broader emergency
response plan.

116. Emergency Response Plan:

116.1 Address localized risks such as fires or power outages.


116.2 Describe procedures to follow in the event of a natural disaster.
116.3 Identify appropriate responses to global issues, such as pandemics.

117. Crisis management teams (which guide the organization's response) should work closely with cybersecurity and IT staff to address technical risks.

118. EXAM TIP: THE PROTECTION OF HUMAN LIFE IS ALWAYS THE HIGHEST
PRIORITY.
