CompTIA Security+ SY0-601 – 4.2 Policies, processes, and procedures for incident response

April 4, 2023

1. Incident response process

In this video, I’m going to be going over the Incident Response Process. Now, the Incident Response Process is a series of steps describing how an organization should respond to security incidents that may occur throughout the workday in a business. Your exam loves to test you on this. Your exam loves to make you put this thing in order. It’s one of the most famous topics they have for a drag-and-drop question or a PBQ, a performance-based question. And I’m going to show you what I think is a pretty easy way to memorize it, and maybe you can make up your own way also. So let’s get started. So the first thing we want to talk about here is an incident response plan. An organization must have a plan to respond to incidents, right? So the first thing that we want to define is: what exactly is an incident? An incident is anything that has a negative impact against CIA, which is confidentiality, integrity, or availability.

If you remember from the beginning of this course, we talked about CIA. So an incident could be anything that can bring down an entire network, such as a DDoS attack, or server hard drives failing so the servers are dead, or a switch failing and the entire segment going offline. It could be an integrity attack, where someone mistakenly modifies a file, or a hacker gets in and modifies files. Or it could be a confidentiality issue, something as simple as somebody emailing confidential data when they shouldn’t be, or a hacker stealing information and publishing it on a website. There are many different incidents that can occur; these are just a few examples. But in an organization you want to be able to respond to these incidents fast enough that the organization is not stuck in a state of trying to figure out how to respond while the incident spreads or worsens.

This could cause the organization downtime. Imagine if the Amazon website goes offline: how much money is Amazon losing for every minute it’s down? And that would just be an availability incident. So we want to be able to respond quickly, we want to be able to respond adequately, and we want to be able to resolve it in a way that doesn’t compromise any other systems. So we need plans for this, and this is where we’re going to have to come up with a process. Now, every organization is going to have its own unique set of plans, but our exam has given us a process that they want us to follow. So let’s go through the process. It’s a really simple process to memorize and to understand, so when you see it on the exam, you’re going to be able to answer it.

Now, if you don’t get a drag-and-drop, I’m almost 100% sure you’re going to get a question where they say, “you have done this, what do you do next?” You’ve got to know the process in that order. Okay, so let’s take a look here. The first step is preparation. This is where you create a process for managing incidents. When you first go into an organization, you need to have a process, and if the organization doesn’t have one, you’ve got to create one as a security analyst or manager. The next step is to identify the incident. Now, identifying the incident is generally done through automated software.

Most of the time, think of an antivirus or endpoint protection product giving you a pop-up that the computer has been infected. Think of an IDS, an intrusion detection system, sending an alert to the administrator that there’s a worm in the network or the servers are being DDoSed. Logging systems like a SIEM will also give you this. The next step is to contain the incident. This is where you stop it, basically stop the incident right where it is. You don’t want the incident spreading. If it’s a worm on one machine, you don’t want it spreading from this computer to that computer to that computer. What you want to do is contain that incident to just that machine or that segment.

Now, this can involve disabling the NIC or unplugging the network cable from the machine so it doesn’t spread. If it’s a virus on one computer that has already spread to many machines in that segment, disconnecting that whole segment from the switch would be the correct way of doing this. So containment, remember for your exam, is when you’re taking steps not to eradicate it, not to delete the virus, but to stop the virus from spreading, right? You’re just stopping it in that section. The next step is eradication. Eradication basically means that you are going to delete the virus; these are the steps you take to remove the malware, if it’s malware on a computer, for example.

So you would maybe run the antivirus. Sometimes antivirus makers have very specific tools that you can download and install to remove that particular piece of malware. The next thing you want to do is recover that system. So in eradication you delete the virus, and in recovery you reinstall Windows or restore data, right? You can either reinstall Windows, which is fine to do, or you can restore. If Windows is not corrupted but they have lost some data because of the malware, you recover the system, basically by restoring the data. I always tell people, if you get a computer with a virus, and it’s bad enough that the antivirus is having issues, just wipe the machine.

I think it’s the best thing to do, because sometimes you may think the antivirus got rid of it, but it didn’t. So a lot of times I just wipe the machine, reinstall Windows, and restore all the data. So recovery is about that. Then you’ve got to do lessons learned. Lessons learned is the last part of this, when you look back and see what caused the incident. Was the user not trained? Was the user not able to identify that the link in that email contained the virus? Was the incident response process good enough for the organization? Those would all be lessons learned. Okay, so I want you to review this and make sure you know it well. I told you I’d show you a quick, easy way to remember it: P-I-C-E-R-L. Here’s how I came up with this.

I say “pick Emily, Robert, and Lisa.” So it’s PIC, pick, right? Pick Emily, Robert, and Lisa. Or you can come up with your own; it’s P-I-C-E-R-L. Can you come up with something? If you do, leave some comments in our discussion forums; I would be glad to know. That’s the best one I came up with, and that’s the one I tell students to memorize, or sometimes I’ll just tell my students to memorize P-I-C-E-R-L-P-R-L. If you can remember that, I think that’s pretty easy to memorize also, especially if you’ve got to put this thing in order. Okay, this is the incident response process. Please review it and make sure you know it well for your exam.
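The identification and containment steps above are where automation actually does work: alerts come in from AV, IDS or a SIEM, and the analyst has to decide whether to isolate one host or pull a whole segment off the switch. The following script is an added example, not from the course, that runs that logic over a few constructed alert lines (the log format, the field names and the “two or more infected hosts in a /24 means isolate the segment” threshold are all assumptions for the example):

```python
"""Added example (not part of the course): identification and containment-scope
triage over constructed AV/IDS alert lines, following the PICERL ordering.

The alert format below is hypothetical; real products use their own schemas.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts (syslog-like, key=value fields). Not real data.
SAMPLE_ALERTS = """\
2023-04-04T09:01:12 av host=10.1.20.14 signature=Worm.Conficker action=quarantine_failed
2023-04-04T09:01:40 av host=10.1.20.22 signature=Worm.Conficker action=quarantine_failed
2023-04-04T09:02:05 av host=10.1.20.31 signature=Worm.Conficker action=quarantine_failed
2023-04-04T09:03:00 ids src=10.1.30.7 dst=10.1.30.8 signature=SMB-Lateral-Movement
2023-04-04T09:05:44 av host=10.1.40.9 signature=Trojan.Generic action=quarantined
"""

ALERT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>av|ids)\s+(?P<kv>.*)$")

# Assumption for this example: this many hosts with the same signature in one
# /24 means the infection has spread and the whole segment gets isolated.
SEGMENT_THRESHOLD = 2


def parse_alerts(text):
    """Parse each alert line into a dict of fields; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = m.group("ts")
        fields["source"] = m.group("source")
        events.append(fields)
    return events


def identify_incidents(events):
    """Identification step: keep only the events that still need a human response.

    An AV alert where quarantine succeeded is logged but not escalated; a failed
    quarantine or any IDS detection becomes an incident with its CIA impact.
    """
    incidents = []
    for e in events:
        if e["source"] == "av" and e.get("action") == "quarantine_failed":
            incidents.append({"host": e["host"], "signature": e["signature"],
                              "impact": "integrity"})
        elif e["source"] == "ids":
            incidents.append({"host": e["src"], "signature": e["signature"],
                              "impact": "confidentiality"})
    return incidents


def containment_plan(incidents):
    """Containment step: per signature and /24 segment, decide host vs. segment isolation."""
    by_sig_segment = defaultdict(set)
    for inc in incidents:
        segment = ipaddress.ip_network(f"{inc['host']}/24", strict=False)
        by_sig_segment[(inc["signature"], str(segment))].add(inc["host"])

    plan = []
    for (sig, segment), hosts in sorted(by_sig_segment.items()):
        if len(hosts) >= SEGMENT_THRESHOLD:
            # Spread within the segment: disconnect the segment from the switch.
            plan.append({"signature": sig, "scope": "segment",
                         "target": segment, "hosts": sorted(hosts)})
        else:
            # Single host: disable its NIC / unplug the cable.
            for h in sorted(hosts):
                plan.append({"signature": sig, "scope": "host",
                             "target": h, "hosts": [h]})
    return plan


if __name__ == "__main__":
    for action in containment_plan(identify_incidents(parse_alerts(SAMPLE_ALERTS))):
        print(f"{action['signature']}: isolate {action['scope']} {action['target']} "
              f"(hosts: {', '.join(action['hosts'])})")
```

Note that the containment plan only stops the spread; eradication (running the vendor’s removal tool or wiping the machine) and recovery (reinstalling or restoring data) are separate, later steps and are deliberately not triggered by this script.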

2. Attack Frameworks

In this quick video, we’re going to be taking a look at some attack frameworks that you should be familiar with for your exam. Now, what exactly is an attack framework? An attack framework helps outline how attacks happen, why they may happen, and the different steps they go through. Your exam particularly calls out three of them: the MITRE ATT&CK framework, the Diamond Model of Intrusion Analysis, and the Cyber Kill Chain. Some of these were developed by different organizations that we’re going to take a look at here. I have some links here that I’m going to be using to display them; follow the links in the description of the video. So let’s take a look at this. The first one I have is what is known as the MITRE ATT&CK framework.

Now, this particular one is something that we mentioned earlier in the class. It basically goes through all the steps that attackers will go through and the different things they can do to you or on your network. Let’s take a look here, and again, check the description of the video for this particular link. So for example, when they’re going through an attack on your network, they’re probably going to have to do reconnaissance. Then they’re going to have to gather their resources, try to gain initial access, execute code, establish persistence, escalate privileges, and so on. So it basically walks through all the steps.

The good thing about this particular website is that it goes through all the things they could do and tells you how they’re going to do them. So for example, if I click “active scanning” and come in here, they’ll actually describe it to me. There are two sub-techniques they can use, scanning IP blocks and vulnerability scanning, and they’ll tell you that. Or “gather victim identity information”: they’ll go through that and tell you how it’s done, how to gather emails, how to get employee names. So this website is a rabbit hole you can go down and you’ll be down there for a while. You could be here for hours learning new things and seeing how attacks are done. Now, the other framework that is mentioned is something called the Cyber Kill Chain model.

The Cyber Kill Chain is a model that was developed by Lockheed Martin to show you how APTs, or threats to your organization, will proceed. APT is advanced persistent threat: “advanced” means they’re targeted and purposeful, “persistent” means they don’t give up, and “threat” basically means they have the opportunity and they’re credible. So here are the steps. The first thing is they’re going to do reconnaissance on you; in this framework, the attackers are going to find out information about you. By the way, you’ll notice all these frameworks are very similar. Number two, they’ll build the exploit, pairing it with a backdoor. Then they have to deliver that exploit to you.

Next, hopefully for them, they are able to execute it on your system and install the malware on the system. Then command and control will be set up so they can take control of and remote into your machine, and basically they have full access. Now, the other one that’s mentioned is called the Diamond Model of Intrusion Analysis. By the way, this is a presentation from OWASP where they talked about it. The Diamond Model looks at four things that go into a successful attack: an adversary, infrastructure, a victim, and a capability.

So if I’m looking at this: the adversary uses infrastructure, and the adversary develops a capability. They will then use this capability to exploit the victim and use the infrastructure to connect to the victim. For example, if they were to write a virus and send it to you, the adversary would be using infrastructure to connect to you, that infrastructure being the internet, the switches, the routers. They have to be using infrastructure to connect to you, to give you that payload, that virus. And the adversary has to develop the capability, has to develop this virus, hopefully for them to exploit you.

This is basically a small model showing you the different components it would take to have an attack: you need some kind of adversary, they have to have some kind of infrastructure or some way to get to you, and they have to have some kind of capability they can use against you. Even social engineering is like this, right? You’ve got to have somebody that wants to socially engineer you, they have to have infrastructure to connect to you, like a telephone to call you, and they’ve got to be capable of extracting that data out of you. And you’re always the victim. Okay, so these are just a couple of attack models. Make sure you know what they are for your exam.
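One reason analysts like the Diamond Model is that its four vertices give you something to pivot on: two events that share the same infrastructure or the same capability are probably the same adversary, even when the adversary field on each event is still blank. The following is an added example, not from the course or from the Diamond Model authors, that records a few constructed intrusion events with those four vertices and links them into clusters through shared infrastructure or capability; the event data, the group name and the IP addresses (documentation ranges) are all made up for the example:

```python
"""Added example (not part of the course): linking intrusion events through the
four Diamond Model vertices (adversary, infrastructure, victim, capability).

Events, IP addresses and the adversary label are constructed for illustration.
"""
from dataclasses import dataclass

UNKNOWN = "unknown"


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: str       # who; may be UNKNOWN at the time the event is recorded
    infrastructure: str  # what they used to reach the victim (domain, IP, phone number)
    victim: str          # who was targeted
    capability: str      # what they used against the victim (malware family, technique)


# Constructed sample events. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges, not real attacker infrastructure.
SAMPLE_EVENTS = [
    DiamondEvent("e1", UNKNOWN, "203.0.113.10", "accounting-pc-3", "Macro.Dropper.A"),
    DiamondEvent("e2", UNKNOWN, "203.0.113.10", "hr-pc-7", "RAT.B"),
    DiamondEvent("e3", "GROUP-X (hypothetical)", "198.51.100.5", "hr-pc-7", "RAT.B"),
    DiamondEvent("e4", UNKNOWN, "192.0.2.44", "sales-laptop-1", "CredPhish.C"),
]


def pivot(events, vertex, value):
    """Return every event whose given vertex ('infrastructure', 'capability', ...) equals value."""
    return [e for e in events if getattr(e, vertex) == value]


def link_events(events):
    """Cluster events that share adversary-side vertices (infrastructure or capability).

    Uses a small union-find over event ids; victims are deliberately not used as a
    link, because two unrelated attackers can hit the same victim.
    """
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for vertex in ("infrastructure", "capability"):
        seen = {}
        for e in events:
            value = getattr(e, vertex)
            if value in seen:
                union(e.event_id, seen[value])
            else:
                seen[value] = e.event_id

    clusters = {}
    for e in events:
        clusters.setdefault(find(e.event_id), []).append(e)
    return sorted(clusters.values(), key=lambda c: c[0].event_id)


def attribute_clusters(clusters):
    """Map each cluster (as a tuple of event ids) to the one known adversary in it, if any."""
    result = {}
    for cluster in clusters:
        known = {e.adversary for e in cluster if e.adversary != UNKNOWN}
        ids = tuple(e.event_id for e in cluster)
        result[ids] = known.pop() if len(known) == 1 else UNKNOWN
    return result


if __name__ == "__main__":
    for ids, adversary in attribute_clusters(link_events(SAMPLE_EVENTS)).items():
        print(f"events {', '.join(ids)} -> adversary: {adversary}")
```

Here e1 and e2 share infrastructure and e2 and e3 share a capability, so all three collapse into one cluster and inherit the adversary label that only e3 carried; e4 shares nothing and stays unattributed.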

3. Incidents plans and exercises

In this video, we’re going to be talking about some things you should know when it comes to disaster recovery and business continuity. You see, no matter how small your business is, at some point in its existence it will experience some form of disaster. A disaster could be something like an earthquake, a hurricane, floods, power outages, hackers breaking in and stealing your data, DDoS attacks against your networks, even a pandemic. So you should have a variety of different plans in place. Let’s go through some of the terms that we need to know. The first thing we should have is what is known as a business continuity plan and disaster recovery plans.

Business continuity and disaster recovery are two terms you need to know for your exam. Business continuity plans basically outline what you’re going to do before the disaster and what you’re going to do after the disaster. The disaster recovery plan is the part of business continuity that outlines what you’re going to do after the disaster. So for example, if there is a major flood in your organization, what do you do to rebuild that part of it? What do you do to continue operating if there is a flood or a major power outage in a particular data center? Organizations generally have multiple DR plans outlining how they’re going to respond to multiple different types of disasters. Always remember, you can’t recover from a disaster if there is no disaster.

So the disaster recovery plan is there to help you recover from a disaster. Now, when there is a disaster in the organization, there are a couple of things to know: incident response teams, stakeholder management, and the communication plan. By the way, you should know the term incident response team as CIRT or CSIRT, which stands for Computer Incident Response Team or Computer Security Incident Response Team, and then also the stakeholder communications management plan. So when there is a disaster in the organization, there’s going to have to be a team that responds to it. For example, what if there’s a major power outage in the organization? Who responds to that? Who’s the first one to activate this plan? There can’t just be a disaster and then no one knows what to do.

So when we make the plan, we make the teams to go along with the plan. That would be your incident response team. Then you have to manage your stakeholders. Your stakeholders are the people affected by the disaster: that could be the workers within the organization, the management, the tech people, the vendors. Do you have a good communication management plan in place telling them what to do or where to go? Imagine you’re someone in the accounting department and the building lost power. So you say, okay, I’m going to go home, but do you know what to do tomorrow morning or the days after? Do you just stay home? Does the organization have a plan to tell you what to do, how to work, or how to communicate with you?

In other words, during disasters you have to know how to manage your stakeholders, and you have to know how to communicate with them. Now, another term you’ll see is continuity of operations planning. Continuity of operations planning basically outlines how we’re going to set up a remote site. So if you’re going to be moving to a remote site, you’re going to have this plan that says, okay, we’re going to continue operating in this manner at this particular site. The other term you’ll see is a retention policy. One of the things organizations must have is a good policy for how far back the information we store for our organization goes.

Don’t forget, if you have a terrible retention policy and there’s a major disaster and you need to get data back from one month, two months, or three months ago, and you don’t have it because you keep overwriting the information, that may be really bad; that in itself might be a disaster. Another thing you want to do is test these disaster recovery plans. When you create these plans, you can’t just create them and leave. You have to test them, so that when there is a disaster, people know how to respond because they have practiced it, not because there is a flood today, or there was a hurricane or a snowstorm or a major attack, and now no one is sure of their exact tasks. So we’ve got a couple of different ways to do this.
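The retention point is easy to check with numbers: a policy that only keeps the last 30 daily backups cannot give you anything from three months ago, while a policy that also keeps weekly and monthly copies can. The following is an added example, not from the course, that models a simple daily/weekly/monthly retention policy over a constructed year of backup dates and reports the nearest restore point for a requested date (the policy shape and the two sample policies are assumptions for the example):

```python
"""Added example (not part of the course): checking what a backup retention policy
can actually restore. Policy shape and sample dates are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionPolicy:
    daily_days: int       # keep every daily backup for this many days
    weekly_weeks: int     # additionally keep Sunday backups for this many weeks
    monthly_months: int   # additionally keep 1st-of-month backups for this many months


def months_between(older, newer):
    """Whole calendar months from older to newer (e.g. 1 Jan -> 1 Apr is 3)."""
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def retained(policy, backup_dates, today):
    """Return the set of backup dates still held under the policy as of `today`.

    Anything older than the last retained copy has been overwritten.
    """
    keep = set()
    for d in backup_dates:
        age = (today - d).days
        if age < 0:
            continue
        if age <= policy.daily_days:
            keep.add(d)
        elif d.weekday() == 6 and age <= policy.weekly_weeks * 7:   # Sunday
            keep.add(d)
        elif d.day == 1 and months_between(d, today) <= policy.monthly_months:
            keep.add(d)
    return keep


def nearest_restore_point(policy, backup_dates, today, wanted):
    """Latest retained backup on or before `wanted`, or None if that data is gone."""
    candidates = [d for d in retained(policy, backup_dates, today) if d <= wanted]
    return max(candidates) if candidates else None


def oldest_restore_point(policy, backup_dates, today):
    """Earliest date the policy still lets you go back to."""
    kept = retained(policy, backup_dates, today)
    return min(kept) if kept else None


# Constructed scenario: one backup per day for the 400 days up to 4 April 2023.
TODAY = date(2023, 4, 4)
BACKUPS = [TODAY - timedelta(days=n) for n in range(400)]
DAILY_ONLY = RetentionPolicy(daily_days=30, weekly_weeks=0, monthly_months=0)
TIERED = RetentionPolicy(daily_days=14, weekly_weeks=13, monthly_months=12)


if __name__ == "__main__":
    wanted = TODAY - timedelta(days=90)
    for name, policy in (("daily-only", DAILY_ONLY), ("tiered", TIERED)):
        print(f"{name}: oldest restore point {oldest_restore_point(policy, BACKUPS, TODAY)}, "
              f"nearest to {wanted}: {nearest_restore_point(policy, BACKUPS, TODAY, wanted)}")
```

With the daily-only policy the request for data from 90 days back returns nothing, which is exactly the “you keep overwriting the information” failure the video warns about; the tiered policy returns the 1 January monthly copy, three days before the requested date.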

The first thing we could do when it comes to exercising these plans is a tabletop. A tabletop test is when you hand out the plan to people, they put it on the table and they, quote unquote, flip through the pages to see if the plan matches their needs. People in the accounting department may say, this plan is not good, it doesn’t really recover our department. A tabletop, by the way, gives them the opportunity to come back to you and tell you what’s wrong and how to fix it. A walkthrough is when you bring people into a room and, once again, put the plan on the table, and you go through the plan together, but you’re not really getting up and doing anything.

Simulations are more like drills, when you get up and actually simulate how you’re going to respond to a disaster. This is one of the better tests. You can’t have a plan and never test it. You don’t ever want to be testing a plan when the disaster has actually happened; you don’t want the first run to be when the disaster just took place. That would be absolutely crazy. Okay, so just know these terms for your exam. Don’t be surprised if your exam gives you a whole lot of questions on business continuity and disaster recovery. Make sure you know the difference between the two plans.
