Incident Response, NIST - Summaries PDF

Title Incident Response, NIST - Summaries
Course Business Continuity Planning
Institution University of East London
Pages 3
File Size 191.5 KB
File Type PDF
Total Downloads 66
Total Views 138

Summary

This document outlines the process of Incident Response and how it links to Business Continuity Planning (BCP), with each phase of the NIST framework explained with examples.


Description

Incident Response: An Event is any occurrence in a system, not specifically good or bad. An Adverse Event is an event with a negative consequence. A Security Incident is an adverse event that negatively impacts the CIA triad (confidentiality, integrity, availability).

Security Incidents can result in:
- Financial loss
- Bad media exposure
- Disruptions in business operations
- Fraud
- Loss of valuable information
- Lawsuits

Incident Handling: the actions taken to protect and restore the operations of a business. Reasons for handling incidents:
- Economic
- Protecting sensitive information
- Business continuity
- Public relations
- Compliance
- Safety

CSIRT (Computer Security Incident Response Team): a team with expertise in cyber/computer security that carries out response activities when an incident arises. Objectives:
- Define the incident response policies, procedures and services provided.
- Create an incident response capability.
- Handle the incident.
- Recover from the incident.
- Investigate the incident.
- Help prevent the incident from recurring.

Incident Response Process: provides a step-by-step framework for identifying and reacting to an incident. Responders must be able to cope well under pressure, and mistakes can be very costly, so a simple, well-understood approach is best. Common frameworks are NIST and ISO. The NIST lifecycle is: Preparation -> Detection & Analysis -> Containment, Eradication and Recovery -> Post-Incident Activity.

Phase 1: Preparation
- Develop an incident response policy.
- Create procedures for dealing with incidents.
- Ensure suitable management.
The policy should cover purpose/objectives, scope, acceptable risk limits, and roles/responsibilities.

Phase 2: Detection & Analysis
Detection is done by collecting data from systems and identifying indicators of attack. Analysis involves profiling systems and networks and understanding their normal behaviour, so that deviations from it can be recognised.
Analysis also includes Incident Prioritisation, which is based on the functional impact, information impact and recoverability of the incident.

Phase 3: Containment, Eradication and Recovery
Containment: the goal is to limit the damage from the current security incident and prevent any further damage. It consists of:
- Short-term containment
- System backup
- Long-term containment
Eradication: the goal is to remove malware and any other artefacts introduced by the incident, and then to restore the systems and operations of the business.
Recovery: the goal is to bring systems back to full operation.

Phase 4: Post-Incident Activity
Compiling all the information about the incident to gain knowledge that helps if the incident reoccurs.


Similar Free PDFs