Phases of Incident Response
Download as PPTX, PDF1 like297 views
This document outlines a class on incident response in information security, detailing learning objectives such as identifying phases of incident response and creating incident response plans. Key phases of incident response discussed include preparation, detection and analysis, containment, eradication and recovery, and post-incident activity. The instructor, Zachery S. Mitcham, has extensive experience in the field and aims to guide participants towards effective strategies for handling security incidents.
Phases of Incident Response
- 2. AboutMe ● Zachery S. Mitcham ● 38 years of Information Security experience beginning as a U.S. Army Officer ● MSA-Administration, Certified CISO; Certified Computer Security Incident Handler; Graduate Certificate-Harvard University ● I am one of thirteen children ● Feel free to view my linkedin profile at: https://www.linkedin.com/in/zmitcham/
- 3. Prerequisites There are no formal prerequisites for this class however you will benefit greatly by previewing the NIST 800 special publication 61 accessible at the following link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800- 61r2.pdf
- 4. Supplementary Materials We will use NIST 800 sp 61 as the basis for our discussion. Again, you may download it at the following link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-6 1r2.pdf
- 5. Target Audience ● This class is primarily intended for those that are in need of an informational overview on how to respond to information security incidents or have a responsibility for doing so. ● It will also assist with your preparation for a Computer Security Incident Handling certification
- 6. Learning Objectives ❖ Upon completion of this class you will be able to: ➢ Identify the phases of incident response ➢ Create a Computer Security Incident Response Plan ➢ Identify composition of key personnel necessary to serve as incident responders. ❖ This class will cover the phases of incident handling and how each phase relates to responding to information security incidents.
- 7. Definitions ❖ The mission of information security professionals is to safeguard the confidentiality, integrity and availability of data that is processed, stored and transmitted over a technological network whether it is at rest or in flight. ❖ Security Incident - any situation, condition, or circumstance whereby security control measures placed within information systems are circumvented. ❖ Computer Security Incident Response Team (CSIRT)- An organization or team that provides services and support to a defined constituency for preventing, handling, and responding to computer security incidents.
- 8. Phases of IncidentResponse ❖ Preparation ❖ Detection andAnalysis ❖ Containment, Eradication and Recovery ❖ Post IncidentActivity
- 9. Incident Handling Activities Triage – the actions taken to categorize, prioritize, and assign events and incidents. Detecting and Reporting – the ability to receive and review event information, incident reports, and alerts. Analysis – the attempt to determine what has happened, what impact, threat, or damage resulted, and what recovery or mitigation steps should be followed. This can include characterizing new threats that may impact the infrastructure. Incident response – the actions taken to resolve or mitigate an incident, coordinate and disseminate information, and implement follow-up strategies to prevent the incident from happening again.
- 10. Preparation Phase Adequate systems, resources and tools emplaced to respond to the incident Incident Response Plan development Incident Response Team Development Contact information for team members, War room, Evidence gathering
- 11. Detection and Analysis Phase Identification and assess magnitude of the threat (IDS/IPS, Security Information and Event Management (SIEM),A/V tools-System Center Configuration Manager(SCCM), system logs)
- 12. Containment, Eradication and Recovery Prevention of threat propagation, remediation and operational or system restoration.
- 13. Post Incident Activity Post Mortem debriefing, Lessons Learned, Documentation and Reporting.
- 14. Quiz What is the first phase of incident handling? A) Panic phase B) Priority Information Requirements phase C) Paranoia phase D) Preparation phase Answer D - The Preparation Phase-is the most important phase. Without it your response will be inadequate. Always remember to “Sweat more in training and bleed less in war!”
- 15. Quiz What is Triage? A) Remediation of issues causing the incident B) Artifacts analysis C) Prioritizing events D) Reporting the incident to law enforcement Answer C - Prioritizing. Triage are the actions taken to categorize, prioritize, and assign events and incidents.
- 16. Summary ● During this class, we discussed: ❖ The different phases of incident response and how each phase relates to responding to information security incidents ❖ Creation of a Computer Security Incident Response Plan ❖ Identification of key personnel necessary to serve as incident responders. ● Looking forward, our next class will cover the individual phases of incident response in depth