CompTIA Security+ SYO-401

Certification Training

Summarizing incident response procedures Tutorial

1 Summarize Common Incident Response Procedures

Troublemakers are present everywhere, and they never miss a chance to cause trouble. We should follow defined incident response procedures to manage any unexpected trouble on our network, and every troublemaker must be removed to ensure the network keeps running properly. At the end of this lesson, you will be able to:
• Comprehend Common Incident Response Procedures
• Describe Recovery or Reconstitution Procedures

2 Common Incident Response Procedures

In this topic, you will learn about Common Incident Response Procedures. In the previous lesson, we learned about the forensic procedures that follow an incident, and how to collect and safeguard evidence. In this lesson, we focus on summarizing the common incident response procedures that come into play when there is a security breach or violation. Where end users are involved in an incident, they should immediately contact the incident response team and follow the established procedures. The incident response team is commonly known as the Computer Incident Response Team, or CIRT.

Now, let’s look at the different stages of the incident response procedure. The CIRT’s work starts with preparation. Preparation is necessary for a successful outcome of any event or incident. The first step in preparation is collecting the policies and documents that must be followed while responding to an incident. Preparation is also required to protect the environment from incidents, to recover from them, and to help you deal efficiently with every aspect of an incident. Moreover, preparation helps you assign the right resources to each incident, thereby improving recovery time while minimizing loss and cost. You must strictly follow the preparation procedures and verify whether the information at hand would hold up in a court of law, and whether it is enough to prevent future breaches.

After preparation, the next step is identification of the incident. We have learned that many incidents take place without any alarm from the IDS or IPS; these are known as false negatives. In such cases you are unable to respond or make changes before or during the incident. To reduce false negatives, you should pay close attention to the configuration and limitations of your IDS and IPS. Identifying an incident includes careful review of security logs, IDS and IPS systems, trends and other performance indicators, and keeping a vigilant eye on any abnormal activity.

Once you have identified the incident, the CIRT performs its task. They start collecting data about the incident, accompanied by detailed documentation. They should also determine the environment of the incident and detect its causes, which helps decide the scope of the incident. While identifying an incident, they should consider the following questions:
• Which systems were affected?
• Is the source of the attack internal or external?
• Is the compromise expanding or resolved?
• Was it a network traffic-based attack?
• Which subnets were affected?
• Which systems might have been accessed by the intruder?
• What resources were accessed?
• What level of privilege was used?
• What information or data was at risk?
• Was the attack from a single source/vector or from multiple sources/vectors?
• Is this a repeat of a previous attack?
• Was malicious code infection involved?
• Is the compromise contagious?
• Was privacy violated?
• Which other systems have similar vulnerabilities?

The CIRT is your first responder, and their first goal is isolation. This is also known as pulling the device off the network, or simply removing the device. Isolation should be done whether or not the incident has been fully identified, and it should be the CIRT’s first goal even if the incident turns out to be a false positive. If the incident is not isolated, it is likely to cause more damage by spreading, or to serve as a path for the attack to move on to the next device. Isolation is not the remedy, but it can certainly help safeguard the network from further damage.

When identification is complete and the incident is confirmed to be genuine, the next step is to escalate it. Once the incident is identified, it needs to be reported to the concerned individuals within the organization, but it should not be shared with everyone. In the initial stages, only higher authorities should be informed. This may include legal, PR, IT staff, security staff, and human resources.

If the incident is found to be related to criminal activity, then it is mandatory to follow the law. As details are revealed, the depth and complexity of an incident, or the damage caused, may increase. Hence, escalating to the concerned authorities and recording their response is essential.

Once you have identified the incident and performed the appropriate escalation and notification, the next step is mitigation, or controlling the damage. Ideally, this step is effective when the potential for additional damage is eliminated or remarkably reduced. Mitigation is the process of responding to an incident to reduce risk, prevent recurrence, and start the recovery process. The steps involved in mitigation depend on the extent of the damage and the technologies deployed in the organization.

We have constantly focused on documentation. In the response process, this is the most important step, as it becomes your learning tool for determining the cause of the incident, how it occurred, and what steps were taken to resolve it. This helps you avoid repeating the same mistakes. Another advantage of documentation is that it can take the form of a report, which can be used internally as a reference or shared externally as a case study. The report can also be used to train other CIRTs, which helps them in the event of similar attacks. Things often go wrong during an incident response, but documentation helps you visualize the entire incident and improve your future responses.
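As an added illustration (not part of the original lesson), the following Python script reviews a few constructed IDS alert lines and answers several of the CIRT scoping questions above: which systems and subnets were affected, whether the source was internal or external, whether the compromise is spreading, and whether it repeats a previous attack. The alert format, the 10.0.0.0/8 internal range and the /24 subnetting are assumptions.

```python
import ipaddress
import re

# Constructed sample IDS/IPS alert lines (hypothetical format, not from any real product).
SAMPLE_ALERTS = """\
2024-03-01T10:00:01 src=203.0.113.7 dst=10.1.2.15 sig=ssh-bruteforce
2024-03-01T10:00:09 src=203.0.113.7 dst=10.1.2.15 sig=ssh-bruteforce
2024-03-01T10:04:22 src=10.1.2.15 dst=10.1.2.40 sig=smb-lateral-movement
2024-03-01T10:05:03 src=10.1.2.15 dst=10.1.3.8 sig=smb-lateral-movement
2024-03-01T10:07:41 src=198.51.100.23 dst=10.1.3.8 sig=malware-c2-beacon
"""
# Assumed address space of the organization's own network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+)$")

def parse_alerts(text):
    """Parse alert lines into dicts; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def scope_incident(events, prior_signatures=frozenset()):
    """Answer the CIRT scoping questions; prior_signatures are those seen in earlier incidents."""
    sources = {e["src"] for e in events}
    internal_src = {s for s in sources if is_internal(s)}
    external_src = sources - internal_src
    affected = sorted({e["dst"] for e in events}, key=ipaddress.ip_address)
    signatures = {e["sig"] for e in events}
    if internal_src and external_src:
        origin = "both"
    else:
        origin = "internal" if internal_src else "external" if external_src else "none"
    return {
        "affected_systems": affected,
        "source": origin,
        "multiple_sources": len(sources) > 1,
        # One /24 per affected host, assuming that is how this network is subnetted.
        "affected_subnets": sorted({str(ipaddress.ip_network(h + "/24", strict=False)) for h in affected}),
        # Internal hosts now appearing as attack sources means the compromise is spreading.
        "spreading": bool(internal_src),
        "repeat_of_previous": bool(signatures & prior_signatures),
        "malicious_code": any("malware" in s for s in signatures),
    }
```

Run `scope_incident(parse_alerts(SAMPLE_ALERTS))` to see the answers for the sample; the remaining questions (privilege level, data at risk, privacy) need host and data-classification records that alerts alone do not carry.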

3 Recovery and Reconstitution Procedures

In this topic, you will learn about Recovery and Reconstitution procedures. Recovery is the concept that an object, element, or thing that has been damaged must be reinstated to its normal state. This is possible only if an accurate response is provided for the incident. For example, consider a person who has been injured. They need appropriate medication and observation, and their progress is noted every time the doctor checks on them. As the patient fully recovers, a health report is prepared, covering their prior health, how the accident took place, what medications were given, and the pace of recovery. These details help when something similar happens, and act as a medical case study. In the same way, when a system recovery procedure takes place, it needs to be documented from the system’s prior condition to its present condition after recovery. Clear documentation helps the CIRT bring systems back to their operational state along clearly defined paths and procedures.

When a security breach or perimeter violation is identified, incident response must be initiated by the first responders. If there is any possibility of an incident or disaster, you should first inform the first responders; they are the ones who begin the investigation process. One of the best ways to respond to an incident is to plan and follow the procedures. The plan has accurate steps and procedures that help you respond to an incident. An important step you should follow when an incident occurs is to inform the CIRT. They follow the incident response plan to respond to the incident that has taken place on the network. Another important thing to remember is never to log off or shut down your computer, as that can damage or alter the evidence. The CIRT then guides the first responder to take the appropriate action. The first responder should be thoroughly trained and aware of how to manage incidents, and how to document the event and its response.

When a system or device needs to be separated from those affected by the incident, the concept is called Incident Isolation. The primary aim is that no other system or device should be affected by the already attacked or compromised systems. There are many methods of isolation, but we will focus on only two: Quarantine and Device Removal. The Quarantine method involves setting something apart from the environment, which protects the environment from further damage. It can be implemented to protect a mission-critical server from a network compromise, or to protect a network from a compromised server. In Device Removal, an attacked device or system is removed from the network completely, as it will never be returned to production. This step should be taken when it is confirmed that the damage to the device or system is beyond repair, or cannot be removed by restoring the system. In such cases it is more convenient to replace the device than to send it back to production. Finally, depending on the severity of the attack, you should decide whether device removal is a temporary or a permanent solution.

A data breach occurs when an unauthorized person gains access to sensitive data. This event can be really devastating. By adhering to rules such as not attaching flash drives, USB sticks, or any other removable device to a system connected to the network, you can reduce such events. Data breaches need to be proactively prevented with procedures and policies, as well as technical controls like DLP, to help minimize similar types of incidents. Data breaches have become common in all organizations as they fail to manage and store the data they retain or gather. In a data breach, confidential data is read or copied during the incident. If the data is damaged, it can be restored from backups, but if it is read or copied, you cannot stop its distribution.

When the Incident Response Team responds to an incident, the culprit device should not affect other devices in the environment. Hence, the damage needs to be controlled or prevented. Controlling or preventing damage becomes extremely important with incidents such as a virus, remote control access, a logic bomb, or the use of hacker tools such as a Trojan horse, because the contamination can spread across the network, causing more damage and allowing the loss to get out of control. Malicious use of these components leaves residual elements which may be activated at a later time. Thus, even after damage removal, an important step of the recovery process is eradication of malware.

5 Summary

Let’s summarize the topics covered in this lesson.
• Incidents that take place without any alarm from the IDS or IPS are known as false negatives.
• Preparation, Incident Identification, Escalation and Notification, Mitigation, and Documentation are the key stages of the Incident Response procedure.
• Mitigation is effective when the potential for additional damage is eliminated or remarkably reduced.
• Quarantine and Device Removal are two methods of Incident Isolation.
• Even after damage removal, an important step of the recovery process is eradication of malware.

With this, we conclude the lesson, ‘Summarizing Common Incident Response Procedures.’ The next lesson is ‘The Importance of Security Related Awareness and Training.’
