Many organizations create incident response policies to help personnel identify and respond to incidents. If you’re planning to take the SY0-501 version of the Security+ exam, you should understand incident response procedures.
For example, can you answer this question?
Q. Your organization is planning to implement an incident response plan in response to a new incident response security policy. Which of the following items is the FIRST step in an incident response process?
A. Preparation
B. Identification
C. Containment
D. Eradication
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Responding to Incidents
Many organizations create incident response policies to help personnel identify and respond to incidents. A security incident is an adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of data or systems within the organization, or that has the potential to do so.
Some examples include attacks, release of malware, security policy violations, unauthorized access of data, and inappropriate usage of systems. For example, an attack resulting in a data breach is a security incident. Once the organization identifies a security incident, it will respond based on the incident response policy.
Organizations regularly review and update the policy. Reviews might occur on a routine schedule, such as annually, or in response to an incident after performing a lessons learned review of the incident.
As an example, in the early days of computers, one hacker broke into a government system and the first thing he saw was a welcome message. He started poking around, but authorities apprehended him. Later, when the judge asked him what he was doing, he replied that when he saw the welcome message, he thought it was inviting him in. The lesson learned here was that a welcome message can prevent an organization from taking legal action against an intruder. Government systems no longer have welcome messages. Instead, they have warning banners stressing that only authorized personnel should be accessing the system. It’s common to see similar warning banners when logging on to any system today.
Incident Response Process
Incident response includes multiple phases. It starts with creating an incident response policy and an incident response plan. With the plan in place, personnel are trained and given the tools necessary to handle incidents. Ideally, incident response preparation helps an organization prevent incidents altogether. Preventing every incident isn’t realistic for most organizations, but with an effective plan in place, the organization can effectively handle the incidents that do occur.
Some of the common phases of an incident response process are:
• Preparation. This phase occurs before an incident and provides guidance to personnel on how to respond to an incident. It includes establishing and maintaining an incident response plan and incident response procedures. It also includes establishing procedures to prevent incidents. For example, preparation includes implementing security controls to prevent malware infections.
• Identification. Not all events are security incidents, so when a potential incident is reported, personnel take the time to verify that it is an actual incident. For example, intrusion detection systems (IDSs) might falsely report an intrusion, but administrators would investigate it and determine whether it is a false positive or an actual incident. If the incident is verified, personnel might try to isolate the system based on established procedures.
• Containment. After identifying an incident, security personnel attempt to isolate or contain it. This might include quarantining a device or removing it from the network. This can be as simple as unplugging the system’s network interface card to ensure it can’t communicate on the network. Similarly, you can isolate a network from the Internet by modifying access control lists on a router or a network firewall. This is similar to how you’d respond to water spilling from an overflowing sink. You wouldn’t start cleaning up the water until you first turn off the faucet. The goal of isolation is to prevent the problem from spreading to other areas or other computers in your network, or to simply stop the attack.
• Eradication. After containing the incident, it’s often necessary to remove components from the attack. For example, if attackers installed malware on systems, it’s important to remove all remnants of the malware on all hosts within the organization. Similarly, an attack might have been launched from one or more compromised accounts. Eradication would include deleting or disabling these accounts.
• Recovery. During the recovery process, administrators return all affected systems to normal operation and verify they are operating normally. This might include rebuilding systems from images, restoring data from backups, and installing updates. Additionally, if administrators have identified the vulnerabilities that caused the incident, they typically take steps to remove the vulnerabilities.
• Lessons learned. After personnel handle an incident, security personnel perform a lessons learned review. It’s very possible the incident provides some valuable lessons, and the organization might modify procedures or add additional controls to prevent a recurrence of the incident. A review might indicate a need to provide additional training to users, or a need to update the incident response policy. The goal is to prevent the incident from recurring.
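The identification and containment phases above are where tooling helps most: an analyst has to decide which IDS alerts are real and then cut a confirmed host off from the network. The following Python script is an added example, not code from the study guide or from any IDS product. It parses constructed alert lines in a simplified fast-log style (the signature IDs, addresses, the 10.0.0.0/8 "internal" range and the authorized-scanner address are all made up for the example), discards scan alerts triggered by the organization's own vulnerability scanner as false positives, flags hosts with a priority-1 alert or a burst of alerts as incidents, and produces the iptables rules a gateway would use to isolate an affected host in both directions. Hosts with only low-priority, low-volume alerts are left for manual review rather than auto-contained.

```python
"""Identification and containment over constructed IDS alerts.

Added example, not from the study guide: parse alert lines, separate
known false positives from verified incidents, and emit the ACL-style
rules that would isolate a compromised host. Signature IDs, addresses,
the internal network range and the scanner address are all constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed alerts in a simplified fast-log style (signature IDs are not real).
SAMPLE_ALERTS = [
    "03/14-02:15:01.123456 [**] [1:9000001:1] SCAN Potential SSH Scan [**] "
    "[Priority: 2] {TCP} 10.0.5.7:51234 -> 10.0.1.10:22",
    "03/14-02:15:02.654321 [**] [1:9000001:1] SCAN Potential SSH Scan [**] "
    "[Priority: 2] {TCP} 10.0.5.7:51235 -> 10.0.1.11:22",
    "03/14-02:16:40.001122 [**] [1:9000002:1] MALWARE Known C2 Beacon [**] "
    "[Priority: 1] {TCP} 10.0.1.23:49152 -> 203.0.113.5:443",
    "03/14-02:17:05.500000 [**] [1:9000003:1] MALWARE C2 Response [**] "
    "[Priority: 1] {TCP} 203.0.113.5:443 -> 10.0.1.23:49152",
    "03/14-02:20:11.000000 [**] [1:9000004:1] POLICY Unusual DNS TXT Query [**] "
    "[Priority: 3] {UDP} 10.0.1.40:53211 -> 198.51.100.53:53",
]

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range
KNOWN_SCANNERS = {"10.0.5.7"}  # constructed address of the authorized vulnerability scanner

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Finding:
    host: str
    alerts: list = field(default_factory=list)  # (priority, message) pairs still counted
    false_positives: int = 0
    verdict: str = "needs_review"
    containment: list = field(default_factory=list)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    return alert


def affected_host(alert):
    """Pick the internal host the alert concerns; prefer the destination when both are internal."""
    if ipaddress.ip_address(alert["dst"]) in INTERNAL_NET:
        return alert["dst"]
    if ipaddress.ip_address(alert["src"]) in INTERNAL_NET:
        return alert["src"]
    return None


def containment_commands(host):
    """Rules (iptables syntax, applied on a gateway) that cut the host off in both directions."""
    return [f"iptables -I FORWARD -s {host} -j DROP",
            f"iptables -I FORWARD -d {host} -j DROP"]


def triage(lines, known_scanners=KNOWN_SCANNERS, threshold=3):
    """Identification: verify which alerts are incidents, then plan containment for each host."""
    findings = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        host = affected_host(alert)
        if host is None:
            continue
        finding = findings.setdefault(host, Finding(host=host))
        # The authorized scanner tripping a scan signature is expected noise, not an incident.
        if alert["src"] in known_scanners and alert["msg"].startswith("SCAN"):
            finding.false_positives += 1
            continue
        finding.alerts.append((alert["prio"], alert["msg"]))
    for finding in findings.values():
        if not finding.alerts:
            finding.verdict = "false_positive"
        elif any(prio == 1 for prio, _ in finding.alerts) or len(finding.alerts) >= threshold:
            finding.verdict = "incident"
            finding.containment = containment_commands(finding.host)
    return findings


if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_ALERTS).items()):
        print(host, finding.verdict, finding.false_positives, finding.containment)
```

Running the script shows 10.0.1.10 and 10.0.1.11 classified as false positives, 10.0.1.23 as an incident with two DROP rules, and 10.0.1.40 left for review. The threshold and the scanner allowlist are the parts a team tunes during the preparation phase, and the generated rules are meant to be reviewed and applied by an administrator, not executed blindly.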
Q. Your organization is planning to implement an incident response plan in response to a new incident response security policy. Which of the following items is the FIRST step in an incident response process?
A. Preparation
B. Identification
C. Containment
D. Eradication
The answer is A. The first step in an incident response process is preparation.
When a potential incident occurs, the next step is identification.
If the event is a security incident, the next step is containment to isolate the incident and limit the damage.
Next, personnel take steps to eradicate all elements that caused the incident, such as malware or compromised accounts.
See Chapter 11 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on security policies.