4.2 Policies, Processes, and Procedures for Incident Response

Incident Response Process

NIST SP800-61 = entire lifecycle when handling an incident - incident response lifecycle - preparation - detection/analysis - containment/eradication/recovery - post-incident activity

Incident precursor = a sign that an incident might occur in the future (an attacker may be preparing to cause an incident) - web server log entries - hacker threats - exploit announcement

Preparing for an incident - communication methods - incident handling hardware and software - incident analysis resources, mitigation software - policies for incident handling

Recovery after an incident - get things back to normal, remove bad, keep the good - eradicate the bug, remove malware, disable breached user accounts - recover system, restore from backups, replace compromised files

Reconstitution = process of resuming normal system operation and completing contingency plan activities


Incident Response Planning

Tabletop exercises = performing a full-scale disaster drill - it can be costly

Walkthrough = a step beyond a tabletop exercise - test processes and procedures before an event, walk through each step

Simulation = test with a simulated event, like phishing attacks

Disaster Recovery Plan = part of business continuity planning, which keeps the organization up and running through technology or system failures - comprehensive plan including recovery location, data recovery method, application restoration

Continuity of Operations Planning (COOP) = the effort within individual agencies to ensure they can continue to perform their mission essential functions during a wide range of emergencies

Incident response team = receives, reviews, and responds to an incident - usually a group of people who are in charge of, and focused on, incident handling

Retention policies = backup the data


Attack Frameworks

MITRE ATT&CK framework = globally accessible knowledge base of adversary tactics and techniques based on real-world observations

Key components:
- Tactics: Represent the "why" of an ATT&CK technique. A tactic is the adversary's tactical objective, the immediate goal they are trying to achieve (e.g., lateral movement, privilege escalation).
- Techniques: Represent the "how" of ATT&CK. A technique describes the behavior an adversary engages in to achieve a tactical objective (e.g., pass-the-hash, spear-phishing).
- Mitigations: Suggest ways to prevent or alleviate the techniques used by adversaries.
- Detection: Describes how to identify the technique being used by adversaries.

Diamond Model of Intrusion Analysis = applies scientific principles to intrusion analysis - a structured analytic methodology used to examine and understand intrusions

Key components:
- Adversary: The individual, group, or organization responsible for the intrusion.
- Capability: The tools and techniques the adversary uses to conduct the intrusion.
- Infrastructure: The physical and virtual resources the adversary uses to conduct and maintain the intrusion (e.g., servers, domains).
- Victim: The target of the intrusion.

Cyber Kill Chain = seven phases of a cyber attack - reconnaissance, weaponization, delivery, exploit, installation, C2, actions on objectives


Vulnerability Scan Output

Vulnerability scans can show you a lack of security controls (such as a missing firewall, anti-virus, or anti-spyware), misconfigurations, and real vulnerabilities

False positive = vulnerability is identified but it doesn't actually exist - these are common

False negative = vulnerability exists, but the scanner didn't detect it - might be more dangerous
