Question

Describe each phase of an Information Security Incident Response program. Describe the Cyber Kill Chain including the impact
Answer #1

Answer:-

Describe each phase of an information security incident response program

The Seven Stages of Incident Response

1. Preparation

It is essential that every organization is prepared for the worst. So how will you handle the situation? Preparation is key and it involves identifying the start of an incident, how to recover, how to get everything back to normal, and creating established security policies including, but not limited to:

  • warning banners
  • user privacy expectations
  • established incident notification processes
  • the development of an incident containment policy
  • creation of incident handling checklists
  • ensuring the corporate disaster recovery plan is up to date
  • making sure the security risk assessment process is functioning and active

Other aspects that should be considered when prepping are training and pre-deployed incident handling assets. When training for an incident you should contemplate different types of training your team needs such as OS support, specialized investigative techniques, incident response tool usage, and corporate environmental procedure requirements.

When looking at your pre-deployed incident handling assets, you want to make sure you have certain tools in place in case of a system breach. This includes monitoring your own sensors, probes, and monitors on critical systems, tracking databases in core systems and completing active audit logs for all server network aspects and components.

2. Identification

The next stage of incident response is identifying the actual incident. The first question you want your team to answer is: is the event an unusual activity or more? Once that answer has been established you are going to want to check out some areas of the affected system. This includes suspicious entries in system or network accounting, excessive login attempts, unexplained new user accounts, unexpected new files, etc.

After you have assessed the situation there are six levels of classification when it comes to incidents. You are going to want to evaluate which one the incident falls under.

  • Level 1 – Unauthorized Access
  • Level 2 – Denial of Services
  • Level 3 – Malicious Code
  • Level 4 – Improper Usage
  • Level 5 – Scans/Probes/Attempted Access
  • Level 6 – Investigation Incident

3. Containment

Once your team knows what incident level they are dealing with, the next move is to contain the issue. The key here is to limit the scope and magnitude of the issue at hand. There are two primary areas of coverage when doing this. These essential areas of coverage are:

  1. Protecting and keeping available critical computing resources where possible
  2. Determining the operational status of the infected computer, system or network.

In order to determine the operational status of your infected system and/or network, you have three options:

  1. Disconnect system from the network and allow it to continue stand-alone operations
  2. Shut down everything immediately
  3. Continue to allow the system to run on the network and monitor the activities

All of these options are viable solutions to contain the issue at the beginning of the incident response and should be determined a.s.a.p. to allow movement to the next stage.

4. Investigation

This is the first step in determining what actually happened to your system, computer or network. A systematic review needs to take place on all the:

  • bit-stream copies of the drives
  • external storage
  • real-time memory
  • network devices logs
  • system logs
  • application logs
  • and other supporting data.

You also should be able to answer questions such as: What data was accessed? Who did it? What do the log reviews reveal?

It is very important to keep well-written documentation of everything you do during the investigation, especially since external threats may require law enforcement involvement.

5. Eradication

Eradication is the process of actually getting rid of the issue on your computer, system or network. This step should only take place after all external and internal actions are completed. There are two important aspects of eradication which you should keep in mind. The first is cleanup. Cleanup usually consists of running your antivirus software, uninstalling the infected software, rebuilding the OS or replacing the entire hard drive and reconstructing the network.

The second step is notification. Notification always includes relevant personnel, both above and below the incident response team manager in the reporting chain.

6. Recovery

This is when your company or organization returns to normalcy. There are two steps to recovery.

  1. Service restoration, which is based on implementing corporate contingency plans
  2. System and/or network validation, testing, and certifying the system as operational

Any component that was compromised must become re-certified as both operational and secure.

7. Follow-Up

After everything has been returned to normal there are a few follow-up questions that should be answered to ensure the process is sufficient and effective.

  • Was there sufficient prep?
  • Did detection occur in a timely manner?
  • Were communications conducted clearly?
  • What was the cost of the incident? Did you have a Business Continuity Plan in place?
  • How can we prevent it from happening again?

Once these questions are answered and improvements are made where necessary, your company and incident response team should be ready to repeat the process.

This process can help your organization keep its valuable, personal information secure.

Describe the cyber kill chain, including the impact each phase has in determining how to react to a cyber attack

The cyber kill chain was initially developed by Lockheed Martin, which co-opted the term “kill chain”, used to break down the structure of a military attack (either offensive or defensive) into a pattern composed of identifiable stages.

Lockheed Martin’s cyber kill chain breaks down an external-originating cyberattack into 7 distinct steps:

  1. Reconnaissance – Intruder picks a target, researches it, and looks for vulnerabilities
  2. Weaponization – Intruder develops malware designed to exploit the vulnerability
  3. Delivery – Intruder transmits the malware via a phishing email or another medium
  4. Exploitation – The malware begins executing on the target system
  5. Installation – The malware installs a backdoor or other ingress accessible to the attacker
  6. Command and Control – The intruder gains persistent access to the victim’s systems/network
  7. Actions on Objective – Intruder initiates end goal actions, such as data theft, data corruption, or data destruction

While the original cyber kill chain model as envisioned by Lockheed Martin is a helpful starting point in trying to model and defend against attacks, as with any security model, keep in mind that every IT deployment is unique, and intrusion attacks do not, as a rule, have to follow the steps in the model.

Over the years, the attack landscape has shifted, and many have argued that the cyber kill chain, while helpful, needed to be updated to accommodate the reality that the traditional perimeter has shifted—some even say it has, in many cases, vanished.

Modern Cyberattacks: Focusing on Privilege & Vulnerabilities

According to Forrester Research, approximately 80% of security breaches today involve privileged credentials. To better illustrate the privilege threat component of modern cyber-attacks, in 2017, BeyondTrust published an updated model of the cyber-attack chain, along with guidance on how to dismantle an attack each step of the way.

Here are the key parts of the BeyondTrust Cyber-Attack Chain model, along with tactics to disrupt the attack at each phase.

Step One: Perimeter Exploitation

These are the early attempts to gain access to an IT organization's systems and data. Typical techniques include:

  • Exploiting known vulnerabilities in software and hardware

  • Social engineering and phishing to gain access to passwords and login information

  • Malware and downloads that install and grant unauthorized access to the network

  • Direct hacking—seeking out open ports or other external access points

How to dismantle or contain an attack at this phase:

  • Identify and remediate vulnerabilities. Numerous security studies have reported that unpatched vulnerabilities are the leading cause of initial exploit. This calls for a thorough vulnerability management program that includes vulnerability scanning and patch management. Pen testing is also a valuable method for proactively identifying risks as a hacker would, to help close any security gaps. Implementing these measures dramatically reduces an organization’s attack surface.

  • Limit access to sensitive assets. This can be achieved by leveraging vulnerability-based application management (VBAM), which is the capability developed by BeyondTrust to correlate vulnerability data against privileged access requests and permissions, and restrict access based on real-time risk. For instance, if an asset or application has vulnerabilities, you will want to be even more judicious about allowing them to run elevated privileges.

  • Enforce least privilege: Hackers, and malware, covet privileges. Often, malicious code cannot execute without a higher level of privileges. By removing admin rights wherever possible and enforcing least privilege, you shrink the available actions that can be performed by an intruder or malicious code.

Step Two: Privilege Hijacking and Escalation

This stage is where an attacker looks to escalate privileges, and hijack other privileged passwords/accounts.

How to dismantle or contain an attack at this phase:

  • Eliminate shared accounts and password sharing. When accounts and passwords are shared, it makes lateral movement and hijacking that much easier. Privileged password management solutions enable organizations to enforce password security best practices, while identifying and eliminating shared accounts and default passwords.

  • Enforce least privilege. Again, limiting user privileges helps stymie an attacker’s movement at every step.

  • Monitor and audit all privileged user, session, and file activities. Logging all privileged activity and applying privileged session monitoring and management (which can allow you to pause or kill suspicious sessions) allows you to analyze, alert, report on, and potentially stop any suspicious or unwanted activity.

Step Three: Lateral Movement and Exfiltration

Here, the hacker attempts to move through the system by acquiring more privileges/privileged accounts, and to find other exploits and weaknesses. Ultimately, the intruder zig-zags through the network, user accounts, data, and systems as necessary to achieve their goal(s).

How to dismantle or contain an attack at this phase:

  • Correlate and analyze user and asset behavior to identify in-process attacks. This step calls on the full integration of privileged access management (PAM) and vulnerability management (VM). The more holistic the threat and behavioral analytics, the more likely you can out-maneuver attackers and stop breaches in their tracks via changing security controls (such as removing rights or access).
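The Identification phase above lists the indicators a team looks for (excessive login attempts, unexplained new user accounts) and the six incident levels it then assigns. The following script is an added example, not part of the original answer: it scans constructed syslog-style sshd and useradd lines for those two indicators and labels each finding with one of the answer's levels. The log lines, hostnames, addresses, the failed-login threshold and the approved-account list are all assumptions made for the example; a brute-force run that is followed by a successful login from the same source is treated as Level 1 (Unauthorized Access), one that never succeeds as Level 5 (Scans/Probes/Attempted Access).

```python
"""Identification-phase triage over constructed auth-log lines (added example).

Requires Python 3.8+ for the walrus operator.
"""
import re
from collections import Counter, defaultdict

# Assumption for the example: how many failures from one source count as "excessive".
FAILED_LOGIN_THRESHOLD = 5

# Constructed sample lines in an OpenSSH/useradd-like syslog format (not real data).
SAMPLE_LOG = """\
Mar  4 02:11:03 web01 sshd[4211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 02:11:05 web01 sshd[4211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  4 02:11:07 web01 sshd[4211]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  4 02:11:09 web01 sshd[4211]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  4 02:11:11 web01 sshd[4211]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  4 02:11:13 web01 sshd[4211]: Failed password for root from 203.0.113.7 port 51027 ssh2
Mar  4 02:11:20 web01 sshd[4230]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Mar  4 02:12:44 web01 useradd[4302]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Mar  4 02:30:01 web01 sshd[4350]: Failed password for invalid user test from 192.0.2.33 port 33001 ssh2
Mar  4 02:30:02 web01 sshd[4350]: Failed password for invalid user guest from 192.0.2.33 port 33002 ssh2
Mar  4 02:30:03 web01 sshd[4350]: Failed password for invalid user oracle from 192.0.2.33 port 33003 ssh2
Mar  4 02:30:04 web01 sshd[4350]: Failed password for invalid user pi from 192.0.2.33 port 33004 ssh2
Mar  4 02:30:05 web01 sshd[4350]: Failed password for invalid user ubuntu from 192.0.2.33 port 33005 ssh2
Mar  4 03:01:00 web01 sshd[4400]: Failed password for alice from 198.51.100.9 port 40010 ssh2
Mar  4 03:01:30 web01 sshd[4401]: Accepted publickey for alice from 198.51.100.9 port 40011 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")

# Assumption: accounts whose creation went through change control and are therefore "explained".
APPROVED_NEW_ACCOUNTS = frozenset()


def triage(log_text, threshold=FAILED_LOGIN_THRESHOLD, approved=APPROVED_NEW_ACCOUNTS):
    """Return findings as dicts with keys level, category, detail, sorted by level."""
    failures = Counter()              # source_ip -> number of failed logins
    failed_users = defaultdict(set)   # source_ip -> usernames tried
    accepted = []                     # (user, source_ip) for successful logins
    new_users = []                    # accounts created on the host

    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            user, src = m.groups()
            failures[src] += 1
            failed_users[src].add(user)
        elif m := ACCEPTED_RE.search(line):
            accepted.append(m.groups())
        elif m := USERADD_RE.search(line):
            new_users.append(m.group(1))

    findings = []
    for src, count in failures.items():
        if count < threshold:
            continue
        # A burst of failures followed by a success from the same source means the
        # guessing worked: Unauthorized Access. Without a success it is a probe.
        hit = [user for user, s in accepted if s == src]
        if hit:
            findings.append({"level": 1, "category": "Unauthorized Access",
                             "detail": f"{count} failed then successful login as {hit[0]} from {src}"})
        else:
            findings.append({"level": 5, "category": "Scans/Probes/Attempted Access",
                             "detail": f"{count} failed logins from {src} for {sorted(failed_users[src])}"})

    # Any account created outside change control is an unexplained new user account.
    for name in new_users:
        if name not in approved:
            findings.append({"level": 1, "category": "Unauthorized Access",
                             "detail": f"unexplained new account {name}"})

    findings.sort(key=lambda f: f["level"])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"Level {finding['level']} {finding['category']}: {finding['detail']}")
```

The threshold and the two-bucket rule are deliberately simple; in practice the same correlation (failures, then a success, then account creation from the same host) is what turns three separate log lines into one incident rather than three alerts, which is the point of the Identification phase.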
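Steps One through Three of the attack-chain section above describe correlating vulnerability data against privileged access requests and enforcing least privilege so that elevated execution on an exposed asset is restricted. The following is an added illustration of that decision logic, written for this page; it is not BeyondTrust's code or any vendor's product behaviour. The asset inventory, vulnerability identifiers (placeholders, not real CVEs), role table, severity bands and thresholds are all assumptions made for the example.

```python
"""Risk-based decision on a privileged access request (added example).

Correlates an asset's open vulnerabilities with a request to run an
application with elevated rights, and applies least privilege first.
"""
from dataclasses import dataclass


@dataclass
class Vulnerability:
    vuln_id: str          # placeholder identifier, not a real CVE
    cvss: float           # 0.0 to 10.0
    exploit_public: bool  # a public exploit exists
    patched: bool         # remediation already applied


@dataclass
class AccessRequest:
    user: str
    asset: str
    application: str
    elevation: str        # "none" or "admin"


# Constructed inventory (assumption): asset -> open vulnerabilities.
INVENTORY = {
    "db01": [Vulnerability("VULN-PLACEHOLDER-1", 9.8, True, False)],
    "app02": [Vulnerability("VULN-PLACEHOLDER-2", 6.5, False, False),
              Vulnerability("VULN-PLACEHOLDER-3", 9.1, True, True)],
    "app03": [Vulnerability("VULN-PLACEHOLDER-4", 7.5, False, False)],
    "ws17": [],
}

# Least privilege (assumption): which roles may elevate at all.
ROLE_MAX_ELEVATION = {"dba": "admin", "helpdesk": "none", "sre": "admin"}
USER_ROLE = {"alice": "dba", "bob": "helpdesk", "carol": "sre"}


def asset_risk(vulns):
    """Highest unpatched CVSS on the asset; a public exploit adds one point, capped at 10."""
    score = 0.0
    for v in vulns:
        if v.patched:
            continue
        score = max(score, v.cvss + (1.0 if v.exploit_public else 0.0))
    return min(score, 10.0)


def decide(req, inventory=INVENTORY):
    """Return (decision, reason); decision is allow, allow_monitored, require_approval or deny."""
    role = USER_ROLE.get(req.user)
    if role is None:
        return "deny", "unknown user"
    # Least privilege: a role that may not elevate is refused before risk is even considered.
    if req.elevation == "admin" and ROLE_MAX_ELEVATION[role] != "admin":
        return "deny", f"role {role} may not elevate"
    if req.asset not in inventory:
        return "deny", "asset not in inventory"
    risk = asset_risk(inventory[req.asset])
    if req.elevation == "none":
        return "allow", f"no elevation requested (asset risk {risk})"
    # Elevated execution is gated on the asset's real-time exposure.
    if risk >= 9.0:
        return "deny", f"elevated run refused: unpatched critical exposure (risk {risk})"
    if risk >= 7.0:
        return "require_approval", f"asset risk {risk} needs approver sign-off"
    if risk > 0:
        return "allow_monitored", f"asset risk {risk}: session recorded"
    return "allow", "no open vulnerabilities"


if __name__ == "__main__":
    for r in (AccessRequest("alice", "db01", "psql", "admin"),
              AccessRequest("bob", "ws17", "cmd", "admin"),
              AccessRequest("carol", "app02", "deploy", "admin"),
              AccessRequest("carol", "app03", "deploy", "admin"),
              AccessRequest("carol", "ws17", "deploy", "admin")):
        print(r.user, r.asset, r.elevation, "->", decide(r))
```

The ordering matters: the role check runs before the vulnerability lookup so that a user who should never hold admin rights is refused regardless of how clean the asset is, and the "allow_monitored" outcome is where the privileged session monitoring from Step Two attaches.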
