Question

Describe each phase of in Information Security Incident Response program. Describe the Cyber Kill Chain including the impact each phase has in determining how to react to a cyber-attack. (Ctri)

Answer 1

Answer:-

describe each pahse of information security incident response program

The Seven Stages of Incident Response

1. Preparation

It is essential that every organization is prepared for the worst. So how will you handle the situation? Preparation is key and it involves identifying the start of an incident, how to recover, how to get everything back to normal, and creating established security policies including, but not limited to:

• warning banners
• user privacy expectations
• established incident notification processes
• the development of an incident containment policy

• creation of incident handling checklists
• ensuring the corporate disaster recovery plan is up to date
• making sure the security risk assessment process is functioning and active

Other aspects that should be considered when prepping are training and pre-deployed incident handling assets. When training for an incident you should contemplate different types of training your team needs such as OS support, specialized investigative techniques, incident response tool usage, and corporate environmental procedure requirements.

When looking at your pre-deployed incident handling assets, you want to make sure you have certain tools in place in case of a system breach. This includes monitoring your own sensors, probes, and monitors on critical systems, tracking databases in core systems and completing active audit logs for all server network aspects and components.

2. Identification

The next stage of incident response is identifying the actual incident. The first question you want your team to answer is; is the event an unusual activity or more? Once that answer has been established you are going to want to check out some areas of the affected system. This includes suspicious entries in system or network accounting, excessive login attempts, unexplained new user accounts, unexpected new files, etc.

After you have assessed the situation there are six levels of classification when it comes to incidents. You are going to want to evaluate which one the incident falls under.

• Level 1 – Unauthorized Access
• Level 2 – Denial of Services
• Level 3 – Malicious Code
• Level 4 – Improper Usage
• Level 5 – Scans/Probes/Attempted Access
• Level 6 – Investigation Incident

3. Containment

Once your team knows what incident level they are dealing with, the next move is to contain the issue. The key here is to limit the scope and magnitude of the issue at hand. There are two primary areas of coverage when doing this. These essential areas of coverage are;

1. Protecting and keeping available critical computing resources where possible
2. Determining the operational status of the infected computer, system or network.

In order to determine the operational status of your infected system and or network, you have three options:

1. Disconnect system from the network and allow it to continue stand-alone operations
2. Shut down everything immediately
3. Continue to allow the system to run on the network and monitor the activities

All of these options are viable solutions to contain the issue at the beginning of the incident response and should be determined a.s.a.p. to allow movement to the next stage.

4. Investigation

This is the first step in determining what actually happened to your system, computer or network. A systematic review needs to take place on all the:

• bit-stream copies of the drives
• external storage
• real-time memory
• network devices logs
• system logs
• application logs
• and other supporting data.

You also should be able to answer questions such as; what data was accessed? who did it? and what do the log reviews reveal?

It is very important to keep well-written documentation of everything you do during the investigation, especially since external threats may require law enforcement involvement.

5. Eradication

Eradication is the process of actually getting rid of the issue on your computer, system or network. This step should only take place after all external and internal actions are completed. There are two important aspects of eradication which you should keep in mind. The first is cleanup. Cleanup usually consists of running your antivirus software, uninstalling the infected software, rebuilding the OS or replacing the entire hard drive and reconstructing the network.

The second step is notification. Notification always includes relevant personnel, both above and below the incident response team manager in the reporting chain.

6. Recovery

This is when your company or organization returns to normalcy. There are two steps to recovery.

1. Service restoration, which is based on implementing corporate contingency plans
2. System and/or network validation, testing, and certifying the system as operational

Any component that was compromised must become re-certified as both operational and secure.

7. Follow-Up

After everything has been returned to normal there are a few follow-up questions that should be answered to ensure the process is sufficient and effective.

• Was there sufficient prep?
• Did detection occur in a timely manner?
• Were communications conducted clearly?
• What was the cost of the incident? Did you have a Business Continuity Plan in place?
• How can we prevent it from happening again?

Once these questions are answered and improvements are made where necessary, your company and incident response team should be ready to repeat the process.

This process can help your organization keep its valuable, personal information secure.

describe the cyber kilchain including the impact each phase has in determining how to react to cyber attack

The cyber kill chain was initially developed by Lockheed Martin, which co-opted the term “kill chain”, used to break down the structure of a military attack (either offensive or defensive) into a pattern composed of identifiable stages.

Lockheed Martin’s cyber kill chain breaks down an external-originating cyberattack into 7 distinct steps:

Reconnaissance

Intruder picks a target, researches it, and looks for vulnerabilities

Weaponization

Intruder develops malware designed to exploit the vulnerability

Delivery

Intruder transmits the malware via a phishing email or another medium

Exploitation

The malware begins executing on the target system

Installation

The malware installs a backdoor or other ingress accessible to the attacker

Command and Control

The intruder gains persistent access to the victim’s systems/network

Actions on Objective

Intruder initiates end goal actions, such as data theft, data corruption, or data destruction

While the original cyber kill chain model as envisioned by Lockheed Martin is a helpful starting point in trying to model and defend against attacks, as with any security model, keep in mind that every IT deployment is unique, and intrusion attacks do not, as a rule, have to follow the steps in the model.

Over the years, the attack landscape has shifted, and many have argued that the cyber kill chain, while helpful, needed to be updated to accommodate the reality that the traditional perimeter has shifted—some even say it has, in many cases, vanished.

Modern Cyberattacks: Focusing on Privilege & Vulnerabilities

According to Forrester Research, approximately 80% of security breaches today involve privileged credentials. To better illustrate the privilege threat component of modern cyber-attacks, in 2017, BeyondTrust published an updated model of the cyber-attack chain, along with guidance on how to dismantle an attack each step of the way.

Here are the key parts of the BeyondTrust Cyber-Attack Chain model, along with tactics to disrupt the attack at each phase.

Step One: Perimeter Exploitation

These are the early attempts to gain access to an IT organization systems and data. Typical techniques include:

• Exploiting known vulnerabilities in software and hardware

• Social engineering and phishing to gain access to passwords and login information

• Malware and downloads that install and grant unauthorized access to the network

• Direct hacking—seeking out open ports or other external access points

How to dismantle or contain an attack at this phase:

• Identify and remediate vulnerabilities. Numerous security studies have reported that unpatched vulnerabilities are the leading cause of initial exploit. This calls for a thorough vulnerability management program that includes vulnerability scanning and patch management. Pen testing is also a valuable method for proactively identifying risks as a hacker would, to help close any security gaps. Implementing these measure dramatically reduce an organization’s attack surface.

• Limit access to sensitive assets. This can be achieved by leveraging vulnerability-based application management (VBAM), which is the capability developed by BeyondTrust to correlate vulnerability data against privileged access requests and permissions, and restrict access based on real-time risk. For instance, if an asset or application has vulnerabilities, you will want to be even more judicious about allowing them to run elevated privileges.

• Enforce least privilege: Hackers, and malware, covet privileges. Often, malicious code cannot execute without a higher level of privileges. By removing admin rights wherever possible and enforcing least privilege, you shrink the available actions that can be performed by an intruder or malicious code.

Step Two: Privilege Hijacking and Escalation

This stage is where an attacker looks to escalate privileges, and hijack other privileged passwords/accounts.

How to dismantle or contain an attack at this phase:

• Eliminate shared accounts and password sharing. When accounts and passwords are shared, it makes lateral movement and hijacking that much easier. Privileged password management solutions enable organizations to enforce password security best practices, while identifying and eliminating shared accounts and default passwords.

• Enforce least privilege. Again, limiting user privileges helps stymie an attacker’s movement at every step.

• Monitor and audit all privileged user, session, and file activities. Logging all privileged activity and applying privileged session monitoring and management (which can allow you to pause or kill suspicious sessions), allows you to analyze, alert, report on, and potentially stop any suspicious or unwanted activity.

Step Three: Lateral Movement and Exfiltration

Here, the hacker attempts to move through the system by acquiring more privileges/privileged accounts, and to find other exploits and weaknesses. Ultimately, the intruder zig-zags through the network, user accounts, data, and systems as necessary to achieve their goal(s).

How to dismantle or contain an attack at this phase:

• Correlate and analyze user and asset behavior to identify in-process attacks. This step calls on the full integration of privileged access management (PAM) and vulnerability management (VM). The more holistic the threat and behavioral analytics, the more likely you can out-maneuver attackers and stop breaches in their tracks via changing security controls (such as removing rights or access).