CompTIA CySA+ Objective 3.5

Photo by kat wilcox from Pexels

Summarize the incident recovery and post-incident response process.

CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0

Containment Techniques

Segmentation

Segmentation involves limiting the scope of an incident by instituting barriers to prevent it from spreading to other parts of the network. At Layer 3, ACLs and shutting down interfaces may be an option. At Layer 2 VLANs and PVLANs along with port security can isolate the event.

Isolation

Isolation is implemented by blocking traffic to a device. Usually this involves shutting down interfaces. This may not scale if multiple hosts are involved, but is very effective for a few devices.

Removal

Another option is to shut down the affected devices. This is not always advisable as digital forensics in RAM may be lost.

Reverse Engineering

Reverse engineering can be used to retrace what happened during an incident. Logs and other clues can help figure out what the malware did.

  • Disassembly: Using specialized tools and knowledge the malware can be analyzed operation by operation.
  • Decompiling: Attempt at reconstructing the high-level code for the application.
  • Debugging: Step through the code interactively using either a kernel debugger (driver level with direct kernel access) or a usermode debugger.

Eradication Techniques

After the threat is contained, it must be removed or eradicated.

Sanitization

Remove all traces of the threat by overwriting the drive multiple times. With solid state drives, vendors often provide commands to erase the drive data, but security analysts should research to make sure they are effective.

Reconstruction/Reimage

After a device is sanitized, the system must be rebuilt. This can either be done by reinstallation of the OS and applications or by using a backup image of the device. Imaging is faster because all of the configuration work is already done.

Secure Disposal

Sometimes it may be decided to dispose of a device or its storage instead of sanitizing and reusing the device. Disposal needs to be done in a secure manner.

  • Clearing: Remove the data from the device in a way that cannot be reconstructed using normal file recovery techniques.
  • Purging: Make the data unreadable even with advanced techniques.
  • Destruction: Destroy the media using degaussing and physical destruction.

Validation

Once a threat is contained and remediated steps must be taken to ensure that the systems are back to a normal secure state.

Patching

Any missing security patches found during the incident need to be implemented. This includes OS patches, application patches and infrastructure firmware patches.

Permissions

All permissions that may have been changed by the attacker must be reviewed. In addition the attack may indicate a need to change some permissions as well to prevent a future attack.

Scanning

An updated vulnerability scan after the event should be made to ensure that everything has been patched and mitigated.

Verify Logging/Communication to Security Monitoring

Make sure that all logs and telemetry data is properly going to a central SIEM or other system.

Corrective Actions

Lessons learned during the security incident might require changes to the environment.

Lessons Learned Report

The first step to corrective actions is to create a lessons learned report. This report lists and discusses what is known about the attack or the environment that was not known before. The report should answer the questions below.

  • What went right and what went wrong?
  • How can we improve?
  • What needs to be changed?
  • What was the cost of the incident?

Change Control Process

Changes that are indicated by the Lessons Learned Report still should be put through standard change control. A corporation may determine a “fast-track” within their process for time sensitive changes.

Update Incident Response Plan

The lessons learned may also uncover issues with the IR plan. If found, the plan should be updated with any needed changes.

Incident Summary Report

All stakeholders should receive a document summarizing the event. It should not be technical, and should include the following highlights.

  • When the problem was detected and by whom.
  • The scope of the incident.
  • How it was contained and eradicated.
  • What work was performed during the recovery phase?
  • What areas did the Cyber Incident Response Team (CIRT) prove effective.
  • What areas need improvement.