Summarize the incident recovery and post-incident response process.CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0
Segmentation involves limiting the scope of an incident by instituting barriers to prevent it from spreading to other parts of the network. At Layer 3, ACLs and shutting down interfaces may be an option. At Layer 2 VLANs and PVLANs along with port security can isolate the event.
Isolation is implemented by blocking traffic to a device. Usually this involves shutting down interfaces. This may not scale if multiple hosts are involved, but is very effective for a few devices.
Another option is to shut down the affected devices. This is not always advisable as digital forensics in RAM may be lost.
Reverse engineering can be used to retrace what happened during an incident. Logs and other clues can help figure out what the malware did.
- Disassembly: Using specialized tools and knowledge the malware can be analyzed operation by operation.
- Decompiling: Attempt at reconstructing the high-level code for the application.
- Debugging: Step through the code interactively using either a kernel debugger (driver level with direct kernel access) or a debugger.
After the threat is contained, it must be removed or eradicated.
Remove all traces of the threat by overwriting the drive multiple times. With solid state drives, vendors often provide commands to erase the drive data, but security analysts should research to make sure they are effective.
After a device is sanitized, the system must be rebuilt. This can either be done by reinstallation of the OS and applications or by using a backup image of the device. Imaging is faster because all of the configuration work is already done.
Sometimes it may be decided to dispose of a device or its storage instead of sanitizing and reusing the device. Disposal needs to be done in a secure manner.
- Clearing: Remove the data from the device in a way that cannot be reconstructed using normal file recovery techniques.
- Purging: Make the data unreadable even with advanced techniques.
- Destruction: Destroy the media using degaussing and physical destruction.
Once a threat is contained and remediated steps must be taken to ensure that the systems are back to a normal secure state.
Any missing security patches found during the incident need to be implemented. This includes OS patches, application patches and infrastructure firmware patches.
All permissions that may have been changed by the attacker must be reviewed. In addition the attack may indicate a need to change some permissions as well to prevent a future attack.
An updated vulnerability scan after the event should be made to ensure that everything has been patched and mitigated.
Verify Logging/Communication to Security Monitoring
Make sure that all logs and telemetry data is properly going to a central SIEM or other system.
Lessons learned during the security incident might require changes to the environment.
Lessons Learned Report
The first step to corrective actions is to create a lessons learned report. This report lists and discusses what is known about the attack or the environment that was not known before. The report should answer the questions below.
- What went right and what went wrong?
- How can we improve?
- What needs to be changed?
- What was the cost of the incident?
Change Control Process
Changes that are indicated by the Lessons Learned Report still should be put through standard change control. A corporation may determine a “fast-track” within their process for time sensitive changes.
Update Incident Response Plan
The lessons learned may also uncover issues with the IR plan. If found, the plan should be updated with any needed changes.
Incident Summary Report
All stakeholders should receive a document summarizing the event. It should not be technical, and should include the following highlights.
- When the problem was detected and by whom.
- The scope of the incident.
- How it was contained and eradicated.
- What work was performed during the recovery phase?
- What areas did the Cyber Incident Response Team (CIRT) prove effective.
- What areas need improvement.