Answer:-
Describe each phase of an information security incident response program.
The Seven Stages of Incident Response
1. Preparation
It is essential that every organization is prepared for the worst. So how will you handle the situation? Preparation is key and it involves identifying the start of an incident, how to recover, how to get everything back to normal, and creating established security policies including, but not limited to:
Other aspects that should be considered when prepping are training and pre-deployed incident handling assets. When training for an incident you should contemplate the different types of training your team needs, such as OS support, specialized investigative techniques, incident response tool usage, and corporate environmental procedure requirements.
When looking at your pre-deployed incident handling assets, you want to make sure you have certain tools in place in case of a system breach. This includes monitoring your own sensors, probes, and monitors on critical systems, tracking databases in core systems and completing active audit logs for all server network aspects and components.
2. Identification
The next stage of incident response is identifying the actual incident. The first question you want your team to answer is: is the event merely an unusual activity, or more? Once that answer has been established you are going to want to check out some areas of the affected system. This includes suspicious entries in system or network accounting, excessive login attempts, unexplained new user accounts, unexpected new files, etc.
After you have assessed the situation there are six levels of classification when it comes to incidents. You are going to want to evaluate which one the incident falls under.
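The indicators named above (excessive login attempts, unexplained new user accounts, unexpected new files) can be checked mechanically during the Identification stage. The following is an added example, not part of the original answer, that runs those three checks over constructed, syslog-style auth log lines and constructed file snapshots; the log format, hostnames, addresses, approved-account list, file hashes and the failed-login threshold are all assumptions for illustration.

```python
"""Added example: Identification-stage triage over constructed log lines.

Three checks from the answer's indicator list are implemented:
  1. excessive login attempts per source address (and whether a success followed),
  2. new user accounts not on an approved list,
  3. new or modified files compared with a baseline snapshot.
All sample data below is constructed; the regexes assume sshd/useradd-style messages.
"""
import re
from collections import Counter

# Constructed sample auth log (sshd / useradd style). Addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 10 02:11:01 web01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:11:03 web01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 10 02:11:05 web01 sshd[812]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 02:11:07 web01 sshd[812]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar 10 02:11:09 web01 sshd[812]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 02:11:12 web01 sshd[812]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Mar 10 02:13:40 web01 useradd[901]: new user: name=svc_backup2, UID=1007, GID=1007, home=/home/svc_backup2, shell=/bin/bash
Mar 10 08:00:01 web01 sshd[1200]: Accepted publickey for deploy from 198.51.100.5 port 40001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+?),")

FAILED_LOGIN_THRESHOLD = 5  # assumed threshold; tune to the environment's baseline


def find_excessive_logins(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Return ({source_ip: failure_count} for sources at/above the threshold,
    [(ip, user)] for logins that succeeded from one of those sources)."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    success_after_failures = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) in noisy:
            success_after_failures.append((m.group(2), m.group(1)))
    return noisy, success_after_failures


def find_unexplained_accounts(log_text, approved_accounts):
    """Return accounts created in the log that are not on the approved list."""
    created = []
    for line in log_text.splitlines():
        m = USERADD_RE.search(line)
        if m:
            created.append(m.group(1))
    return [u for u in created if u not in approved_accounts]


def find_unexpected_files(baseline, current):
    """Compare two {path: hash} snapshots and return (new paths, modified paths),
    the way a file-integrity check would."""
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return new, modified


def triage(log_text, approved_accounts, baseline, current):
    """Combine the three checks into one Identification-stage summary."""
    noisy, followed_by_success = find_excessive_logins(log_text)
    new_files, modified_files = find_unexpected_files(baseline, current)
    return {
        "excessive_logins": noisy,
        "success_after_failures": followed_by_success,
        "unexplained_accounts": find_unexplained_accounts(log_text, approved_accounts),
        "new_files": new_files,
        "modified_files": modified_files,
    }


if __name__ == "__main__":
    # Constructed approved-account list and file snapshots (hash values are placeholders).
    approved = {"deploy", "svc_backup"}
    baseline = {"/usr/bin/ssh": "aaa111", "/etc/crontab": "bbb222"}
    current = {"/usr/bin/ssh": "aaa111", "/etc/crontab": "ccc333", "/tmp/.x/update.sh": "ddd444"}
    for key, value in triage(SAMPLE_LOG, approved, baseline, current).items():
        print(f"{key}: {value}")
```

Each finding on its own is only a lead; the "success after a burst of failures" pairing and the unapproved account created minutes later are what turn an unusual event into a probable incident.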
3. Containment
Once your team knows what incident level they are dealing with, the next move is to contain the issue. The key here is to limit the scope and magnitude of the issue at hand. There are two primary areas of coverage when doing this. These essential areas of coverage are:
In order to determine the operational status of your infected system and/or network, you have three options:
All of these options are viable solutions to contain the issue at the beginning of the incident response and should be determined a.s.a.p. to allow movement to the next stage.
4. Investigation
This is the first step in determining what actually happened to your system, computer or network. A systematic review needs to take place on all the:
You also should be able to answer questions such as: what data was accessed, who did it, and what do the log reviews reveal?
It is very important to keep well-written documentation of everything you do during the investigation, especially since external threats may require law enforcement involvement.
5. Eradication
Eradication is the process of actually getting rid of the issue on your computer, system or network. This step should only take place after all external and internal actions are completed. There are two important aspects of eradication which you should keep in mind. The first is cleanup. Cleanup usually consists of running your antivirus software, uninstalling the infected software, rebuilding the OS or replacing the entire hard drive and reconstructing the network.
The second step is notification. Notification always includes relevant personnel, both above and below the incident response team manager in the reporting chain.
6. Recovery
This is when your company or organization returns to normalcy. There are two steps to recovery.
Any component that was compromised must become re-certified as both operational and secure.
7. Follow-Up
After everything has been returned to normal there are a few follow-up questions that should be answered to ensure the process is sufficient and effective.
Once these questions are answered and improvements are made where necessary, your company and incident response team should be ready to repeat the process.
This process can help your organization keep its valuable, personal information secure.
Describe the cyber kill chain, including the impact each phase has in determining how to react to a cyber attack.
The cyber kill chain was initially developed by Lockheed Martin, which co-opted the term “kill chain”, used to break down the structure of a military attack (either offensive or defensive) into a pattern composed of identifiable stages.
Lockheed Martin’s cyber kill chain breaks down an external-originating cyberattack into 7 distinct steps:
Reconnaissance: Intruder picks a target, researches it, and looks for vulnerabilities.
Weaponization: Intruder develops malware designed to exploit the vulnerability.
Delivery: Intruder transmits the malware via a phishing email or another medium.
Exploitation: The malware begins executing on the target system.
Installation: The malware installs a backdoor or other ingress accessible to the attacker.
Command and Control: The intruder gains persistent access to the victim’s systems/network.
Actions on Objective: Intruder initiates end goal actions, such as data theft, data corruption, or data destruction.
While the original cyber kill chain model as envisioned by Lockheed Martin is a helpful starting point in trying to model and defend against attacks, as with any security model, keep in mind that every IT deployment is unique, and intrusion attacks do not, as a rule, have to follow the steps in the model.
Over the years, the attack landscape has shifted, and many have argued that the cyber kill chain, while helpful, needed to be updated to accommodate the reality that the traditional perimeter has shifted—some even say it has, in many cases, vanished.
Modern Cyberattacks: Focusing on Privilege & Vulnerabilities
According to Forrester Research, approximately 80% of security breaches today involve privileged credentials. To better illustrate the privilege threat component of modern cyber-attacks, in 2017, BeyondTrust published an updated model of the cyber-attack chain, along with guidance on how to dismantle an attack each step of the way.
Here are the key parts of the BeyondTrust Cyber-Attack Chain model, along with tactics to disrupt the attack at each phase.
Step One: Perimeter Exploitation
These are the early attempts to gain access to an IT organization systems and data. Typical techniques include:
Exploiting known vulnerabilities in software and hardware
Social engineering and phishing to gain access to passwords and login information
Malware and downloads that install and grant unauthorized access to the network
Direct hacking—seeking out open ports or other external access points
How to dismantle or contain an attack at this phase:
Identify and remediate vulnerabilities. Numerous security studies have reported that unpatched vulnerabilities are the leading cause of initial exploit. This calls for a thorough vulnerability management program that includes vulnerability scanning and patch management. Pen testing is also a valuable method for proactively identifying risks as a hacker would, to help close any security gaps. Implementing these measures dramatically reduces an organization’s attack surface.
Limit access to sensitive assets. This can be achieved by leveraging vulnerability-based application management (VBAM), which is the capability developed by BeyondTrust to correlate vulnerability data against privileged access requests and permissions, and restrict access based on real-time risk. For instance, if an asset or application has vulnerabilities, you will want to be even more judicious about allowing it to run with elevated privileges.
Enforce least privilege. Hackers and malware covet privileges. Often, malicious code cannot execute without a higher level of privileges. By removing admin rights wherever possible and enforcing least privilege, you shrink the available actions that can be performed by an intruder or malicious code.
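The two ideas just described, correlating vulnerability data against privilege elevation requests and enforcing least privilege, can be expressed as a policy decision. What follows is an added, illustrative example and not BeyondTrust's VBAM implementation or any product's code: a toy policy function that denies or escalates elevation requests on assets whose vulnerability findings exceed a threshold, and that never elevates an application outside an allow-list. The asset names, the placeholder vulnerability identifiers, the CVSS-style scores, the allow-list and the thresholds are all constructed assumptions.

```python
"""Added example: risk-correlated privilege elevation decisions (illustrative, not a product's API).

A request to run an application with admin rights is evaluated against
(1) an allow-list of applications permitted to elevate at all (least privilege), and
(2) the vulnerability exposure of the asset it would run on (risk-based restriction).
All inventory data below is constructed; VULN-PLACEHOLDER-* ids are not real CVE numbers.
"""
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    vuln_id: str                 # placeholder identifier, not a real CVE
    cvss: float                  # assumed CVSS-style base score (0-10)
    exploited_in_wild: bool = False


@dataclass
class Asset:
    name: str
    vulns: list = field(default_factory=list)


@dataclass
class ElevationRequest:
    user: str
    asset: str
    application: str
    wants_admin: bool            # True = run elevated, False = run as a standard user


# Constructed policy: applications that may ever run elevated, and the score at
# which an asset is considered too exposed for routine elevation.
ELEVATION_ALLOWLIST = {"patch-installer", "db-maint"}
HIGH_RISK_CVSS = 7.0


def asset_risk(asset):
    """Highest vulnerability score on the asset; any known-exploited finding
    counts as maximum risk regardless of its score."""
    if not asset.vulns:
        return 0.0
    if any(v.exploited_in_wild for v in asset.vulns):
        return 10.0
    return max(v.cvss for v in asset.vulns)


def decide(request, inventory):
    """Return (decision, reason). Decisions: allow, require_approval, deny."""
    asset = inventory.get(request.asset)
    if asset is None:
        return ("deny", "asset not in inventory")
    if not request.wants_admin:
        # Least privilege: running as a standard user needs no extra scrutiny here.
        return ("allow", "no elevation requested")
    if request.application not in ELEVATION_ALLOWLIST:
        return ("deny", f"{request.application} is not approved to run elevated")
    risk = asset_risk(asset)
    if risk >= 10.0:
        return ("deny", f"{asset.name} has a known-exploited vulnerability; remediate first")
    if risk >= HIGH_RISK_CVSS:
        return ("require_approval", f"{asset.name} risk score {risk} is at or above {HIGH_RISK_CVSS}")
    return ("allow", f"{asset.name} risk score {risk} is below threshold")


# Constructed inventory for the demonstration.
INVENTORY = {
    "web01": Asset("web01", [Vulnerability("VULN-PLACEHOLDER-1", 9.8, exploited_in_wild=True)]),
    "app02": Asset("app02", [Vulnerability("VULN-PLACEHOLDER-2", 7.5)]),
    "ws-finance-07": Asset("ws-finance-07", [Vulnerability("VULN-PLACEHOLDER-3", 4.3)]),
}


def demo():
    """Evaluate a few constructed requests and return (user, decision, reason) tuples."""
    requests = [
        ElevationRequest("alice", "web01", "patch-installer", True),      # exploited vuln -> deny
        ElevationRequest("bob", "app02", "db-maint", True),               # high score -> approval
        ElevationRequest("carol", "ws-finance-07", "patch-installer", True),  # low risk -> allow
        ElevationRequest("dave", "ws-finance-07", "browser", True),       # not allow-listed -> deny
        ElevationRequest("erin", "app02", "browser", False),              # no elevation -> allow
    ]
    return [(r.user, *decide(r, INVENTORY)) for r in requests]


if __name__ == "__main__":
    for user, decision, reason in demo():
        print(f"{user}: {decision} ({reason})")
```

The ordering of the checks matters: the allow-list is consulted before the vulnerability data, so an unapproved application is refused elevation even on a clean asset, while an approved one is still held back when the host it would run on is already exposed.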
Step Two: Privilege Hijacking and Escalation
This stage is where an attacker looks to escalate privileges, and hijack other privileged passwords/accounts.
How to dismantle or contain an attack at this phase:
Eliminate shared accounts and password sharing. When accounts and passwords are shared, it makes lateral movement and hijacking that much easier. Privileged password management solutions enable organizations to enforce password security best practices, while identifying and eliminating shared accounts and default passwords.
Enforce least privilege. Again, limiting user privileges helps stymie an attacker’s movement at every step.
Monitor and audit all privileged user, session, and file activities. Logging all privileged activity and applying privileged session monitoring and management (which can allow you to pause or kill suspicious sessions) allows you to analyze, alert, report on, and potentially stop any suspicious or unwanted activity.
Step Three: Lateral Movement and Exfiltration
Here, the hacker attempts to move through the system by acquiring more privileges/privileged accounts, and to find other exploits and weaknesses. Ultimately, the intruder zig-zags through the network, user accounts, data, and systems as necessary to achieve their goal(s).
How to dismantle or contain an attack at this phase:
Correlate and analyze user and asset behavior to identify in-process attacks. This step calls on the full integration of privileged access management (PAM) and vulnerability management (VM). The more holistic the threat and behavioral analytics, the more likely you can out-maneuver attackers and stop breaches in their tracks via changing security controls (such as removing rights or access).
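The monitoring advice in Step Two and the behavioral correlation in Step Three both come down to looking across privileged-session records for patterns a single log line does not show. The following is an added example, not code from the original answer or from BeyondTrust, that runs two such correlations over constructed session records: one privileged account in use from several source addresses inside a short window (the shared or hijacked account the text warns about), and one account fanning out to many hosts inside a window (lateral movement). The record format, addresses, hostnames, window length and thresholds are assumptions.

```python
"""Added example: correlating privileged-session records for hijacking and lateral movement.

Two detections over constructed records of the form (timestamp, account, source_ip, target_host):
  concurrent_sources - an account seen from more than one source IP inside a time window
  host_fan_out       - an account reaching more than max_hosts distinct hosts inside a window
Window length and thresholds are assumptions; real deployments tune them to a measured baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed privileged-session log. 10.0.0.0/8 stands in for the admin network,
# 203.0.113.9 for an address that should never be driving the service account.
SESSIONS = [
    ("2024-03-10 09:00", "svc_db", "10.0.0.5", "db01"),
    ("2024-03-10 09:05", "svc_db", "10.0.0.5", "db01"),
    ("2024-03-10 09:07", "svc_db", "203.0.113.9", "db02"),
    ("2024-03-10 09:09", "svc_db", "203.0.113.9", "app01"),
    ("2024-03-10 09:11", "svc_db", "203.0.113.9", "app02"),
    ("2024-03-10 09:13", "svc_db", "203.0.113.9", "fileserv"),
    ("2024-03-10 09:00", "alice", "10.0.0.20", "jump01"),
    ("2024-03-10 09:40", "alice", "10.0.0.20", "jump01"),
]


def parse(records):
    """Group parsed events by account, each list sorted by time."""
    by_account = defaultdict(list)
    for ts, account, src, host in records:
        by_account[account].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), src, host))
    for events in by_account.values():
        events.sort()
    return by_account


def _windows(events, window):
    """Yield, for each event, the slice of events from it up to `window` later."""
    for i, (t0, _, _) in enumerate(events):
        j = i
        while j < len(events) and events[j][0] - t0 <= window:
            j += 1
        yield events[i:j]


def concurrent_sources(by_account, window=timedelta(minutes=15)):
    """Return {account: set of source IPs} for accounts driven from more than
    one address inside any window (shared-credential or hijack indicator)."""
    flagged = {}
    for account, events in by_account.items():
        for chunk in _windows(events, window):
            sources = {src for _, src, _ in chunk}
            if len(sources) > 1:
                flagged[account] = flagged.get(account, set()) | sources
    return flagged


def host_fan_out(by_account, window=timedelta(minutes=15), max_hosts=3):
    """Return {account: sorted hosts} for accounts reaching more than max_hosts
    distinct hosts inside any window (lateral-movement indicator)."""
    flagged = {}
    for account, events in by_account.items():
        biggest = set()
        for chunk in _windows(events, window):
            hosts = {host for _, _, host in chunk}
            if len(hosts) > len(biggest):
                biggest = hosts
        if len(biggest) > max_hosts:
            flagged[account] = sorted(biggest)
    return flagged


if __name__ == "__main__":
    grouped = parse(SESSIONS)
    print("shared/hijacked account candidates:", concurrent_sources(grouped))
    print("lateral movement candidates:", host_fan_out(grouped))
```

Either signal on its own is worth a pause-and-review of the session; both together on the same account within minutes is the point at which the text's advice to change controls (remove the rights, kill the session) applies.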