
2. Incident Response

Incident Terminology

Breach: Loss of control, compromise, disclosure, acquisition, or a similar occurrence

  • Example: an unauthorized user accesses PII, or PII is accessed for a purpose other than the authorized one (NIST SP 800-53 Rev. 5)

Event: An observable occurrence in a network or system (NIST SP 800-61 Rev. 2)

Intrusion: An intruder gains access without authorization (IETF RFC 4949 Ver. 2)

Threat: Any event with the potential to impact operations (NIST SP 800-30 Rev. 1)

Exploit: A particular attack that goes after a weakness

Incident: An event that jeopardizes the confidentiality, integrity or availability (CIA) of a system or its processes

Vulnerability: A weakness that can be exploited by a threat (NIST SP 800-30 Rev. 1)

Zero Day: A previously unknown vulnerability

Goal of Incident Response

Reducing the impact of incidents so the organization can resume operations as soon as possible.

Components of an Incident Response Plan

  • Identify critical data, systems and points of failure; have the plan approved by management

  • Train staff and implement the IR team

  • Practice first response: incident identification, and identification of roles and responsibilities

  • Plan coordination of communication between stakeholders

  • Consider that the primary method of contact may not be available

  • Monitor all possible attack vectors and analyze incidents

  • Use known data and threat intelligence; prioritize incident response and standardize documentation

  • Gather evidence, identify attackers and isolate attacks

  • Choose an appropriate strategy

  • Identify evidence that may need to be retained, and document it
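As an added illustration (not from the original notes) of the terminology section and of the "prioritize incident response and standardize documentation" component, this Python sketch maps observed events to the page's terms, scores them for triage order and emits a uniform record; the field names, weights and sample events are assumptions, not an ISC2 or NIST scheme.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

@dataclass
class ObservedEvent:
    # Assumed fields for this example; source/descriptions are constructed
    event_id: str
    source: str
    description: str
    impacts_cia: bool          # jeopardizes confidentiality, integrity or availability?
    unauthorized_access: bool  # intruder gained access without authorization?
    pii_involved: bool         # PII accessed or disclosed?
    known_vuln: bool           # False -> weakness not previously known (zero-day candidate)

def classify(ev: ObservedEvent) -> str:
    """Return the most specific term from the page that applies to the event."""
    if ev.unauthorized_access and ev.pii_involved:
        return "breach"
    if ev.unauthorized_access:
        return "intrusion"
    if ev.impacts_cia:
        return "incident"
    return "event"

def priority(ev: ObservedEvent) -> int:
    """Higher value is handled first; the weights are assumptions for this example."""
    return (3 * ev.pii_involved + 2 * ev.unauthorized_access
            + 2 * ev.impacts_cia + (0 if ev.known_vuln else 1))

def incident_record(ev: ObservedEvent) -> dict:
    """Standardized documentation: every case gets the same fields."""
    rec = asdict(ev)
    rec["classification"] = classify(ev)
    rec["priority"] = priority(ev)
    rec["possible_zero_day"] = not ev.known_vuln
    rec["recorded_at"] = datetime.now(timezone.utc).isoformat()
    rec["evidence_to_retain"] = []  # filled in during containment and post-incident review
    return rec

def triage(events):
    """Records ordered so the highest-priority case comes first."""
    return sorted((incident_record(e) for e in events),
                  key=lambda r: r["priority"], reverse=True)

# Constructed sample input
SAMPLE = [
    ObservedEvent("E-1", "IDS", "port scan from the internet", False, False, False, True),
    ObservedEvent("E-2", "EDR", "ransomware encrypted a file share", True, True, False, True),
    ObservedEvent("E-3", "DLP", "customer records exfiltrated", True, True, True, False),
]
```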

Incident Response Team

Security Operations Center

A typical IR team is cross-functional and includes:

  • Representative(s) of senior management

  • Infosec professionals

  • Legal representatives

  • Public affairs

  • Engineering

  • Such teams are often called CIRTs (Computer Incident Response Teams) or CSIRTs (Computer Security Incident Response Teams)

The team has 4 main responsibilities:

  1. Determine scope of damage caused

  2. Determine if confidential info was compromised

  3. Implement recovery procedures from incident-related damage

  4. Supervise implementation of measures to improve/prevent recurrence

Business Continuity & Data Recovery

Intent: Sustain operations while recovering from a disruption.

Continuity Plan: Procedures to restore business operations after a disaster.

Common business continuity plans:

  • Immediate response procedures and checklists (security/safety, fire, emergency, etc.)

  • Notification systems/call trees for alerting personnel

  • Guidance for management, including designation of authority for specific managers

  • How/when to enact plans

  • Contact numbers for supply chain (vendors, customers, emergency)

  • BIA: Business Impact Analysis

When disaster strikes, the DRP guides the actions of the response.

DRP: Disaster Recovery Plan: Restoring the services that are needed.

Components of a Disaster Recovery Plan:

  • Executive summary providing overview, department-specific plans

  • Guides for the IT staff responsible for maintaining backups

  • Full copies of the plan for team members

Checklists for certain individuals:

  • Critical DRT members have checklists to guide their actions in a disaster

    • IT staff have technical guides to help get alternate sites up and running

    • Managers and public relations have documents for communicating the issue
