Question

For each of the following, describe in your own words what each area seeks to offer (over 300 words)

  • Containment
  • Evidence
  • Identifying
  • Eradication
  • Post-incident activities
Answer #1

Answer to this question is:

1. Containment

When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run since you’ll be destroying valuable evidence that you need to determine where the breach started and devise a plan to prevent it from happening again.

Instead, contain the breach so it doesn’t spread and cause further damage to your business. If you can, disconnect affected devices from the Internet. Have short-term and long-term containment strategies ready. It’s also good to have a redundant system back-up to help restore business operations. That way, any compromised data isn’t lost forever.

This is also a good time to update and patch your systems, review your remote access protocols (requiring mandatory multi-factor authentication), change all user and administrative access credentials and harden all passwords.

Questions to address

  • What’s been done to contain the breach short term?
  • What’s been done to contain the breach long term?
  • Has any discovered malware been quarantined from the rest of the environment?
  • What sort of backups are in place?
  • Does your remote access require true multi-factor authentication?
  • Have all access credentials been reviewed for legitimacy, hardened and changed?
  • Have you applied all recent security patches and updates?

2. Evidence

Preserving critical electronic evidence during a security incident is a must in order to obtain a full incident overview and to establish a basis for further investigation and threat containment/eradication. This evidence is of crucial importance for successful incident analysis utilizing strict data preservation standards to ensure all potentially relevant data is captured and remains uncompromised during the course of the investigation.

Subsequent to detecting a cyber attack, most incident responders are prepared to contain and remediate the incident as soon as possible. Responders must however be wary not to rush the collection of evidence. This could destroy or potentially compromise items of evidentiary value which could identify attacker methodology or avenues of compromise. These evidence items, appropriately collected in accordance with established regulations and/or best practices could further assist law enforcement in successful prosecution of the crime and this is why the preservation of evidence should be the first priority in any incident.

3. Identifying

This is the process where you determine whether you’ve been breached. A breach, or incident, could originate from many different areas.

Questions to address

  • When did the event happen?
  • How was it discovered?
  • Who discovered it?
  • Have any other areas been impacted?
  • What is the scope of the compromise?
  • Does it affect operations?
  • Has the source (point of entry) of the event been discovered?

4. Eradication

Once you’ve contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.

Whether you do this yourself, or hire a third party to do it, you need to be thorough. If any trace of malware or security issues remain in your systems, you may still be losing valuable data, and your liability could increase.

Questions to address

  • Have artifacts/malware from the attacker been securely removed?
  • Has the system been hardened, patched, and updates applied?
  • Can the system be re-imaged?

5. Post-incident activity

Post-incident activity, as with preparation, is a phase we can easily overlook, but we should ensure that we do not. In the post-incident activity phase, often referred to as a postmortem (Latin for "after death"), we attempt to determine specifically what happened, why it happened, and what we can do to keep it from happening again. This is not just a technical review, as policies or infrastructure may need to be changed. The purpose of this phase is not to point fingers or place blame (although this does sometimes happen), but ultimately to prevent or lessen the impact of future such incidents.

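As an added illustration of the evidence-preservation point in the answer above (example code, not part of the original answer): a small Python script that hashes each collected artifact at collection time, records who collected it and when in a manifest, and re-verifies the files later so that any alteration during the investigation is detectable. The file names, the collector name and the sample log line are constructed for the demo.

```python
"""Evidence manifest (added example): hash artifacts at collection, re-check later."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, collector: str) -> dict:
    """Record who collected what, when, and each file's size and SHA-256."""
    return {
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": [{"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)}
                      for p in paths],
    }

def verify_manifest(manifest: dict) -> dict:
    """Re-hash every artifact; map path -> 'ok' | 'modified' | 'missing'."""
    results = {}
    for entry in manifest["artifacts"]:
        p = entry["path"]
        if not os.path.exists(p):
            results[p] = "missing"
        elif sha256_file(p) != entry["sha256"]:
            results[p] = "modified"
        else:
            results[p] = "ok"
    return results

def demo() -> dict:
    """Constructed sample: two fake artifacts, one edited after collection."""
    d = tempfile.mkdtemp()
    log, img = os.path.join(d, "auth.log"), os.path.join(d, "memory.raw")
    with open(log, "w") as f:
        f.write("Jan 10 03:12:01 host sshd[812]: Accepted password for admin\n")
    with open(img, "wb") as f:
        f.write(b"\x00" * 1024)
    manifest = build_manifest([log, img], collector="analyst-1")
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(manifest, f)  # the manifest itself should be stored read-only elsewhere
    with open(log, "a") as f:  # simulate an analyst editing the live log in place
        f.write("edited\n")
    return verify_manifest(manifest)
```

Running `demo()` reports the edited log as `modified` and the untouched image as `ok`; in practice the manifest is written to separate, write-protected storage so it cannot be altered alongside the evidence.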