Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

The csirt is also known as the ir reaction team

14/10/2021 Client: muhammad11 Deadline: 2 Day

Principles of Incident Response and

Disaster Recovery, 2nd Edition

Chapter 7 Incident Response: Response Strategies

Objectives

• Explain what an IR reaction strategy is and list general strategies that apply to all incidents

• Define incident containment and describe how it is applied to an incident

• List some of the more common categories of incidents that may occur

• Discuss the IR reaction strategies unique to each category of incident

Principles of Incident Response and Disaster Recovery, 2nd Edition 2

Introduction

• What do we do once we have detected an incident?

• IR reaction strategies – Procedures for regaining control of systems and

restoring operations to normalcy – Are at the heart of the IR plan and the CSIRT’s

operations • How the CSIRT responds to an incident relies in

part on its mission philosophy: – Protect and forget – Apprehend and prosecute

Principles of Incident Response and Disaster Recovery, 2nd Edition 3

IR Response Strategies

• Once the CSIRT has been notified and arrives “on scene ” – First: assess the situation – Second: begin asserting control and make positive

steps to regain control over the organization’s information assets

Principles of Incident Response and Disaster Recovery, 2nd Edition 4

IR Response Strategies (cont'd.)

Principles of Incident Response and Disaster Recovery, 2nd Edition 5

Response Preparation

• Prevention strategies – Using risk assessment to make informed decisions – Acquiring and maintaining good host security – Acquiring and maintaining good network security – Implementing comprehensive malware prevention – Thorough and ongoing training to raise user

awareness

Principles of Incident Response and Disaster Recovery, 2nd Edition 6

Incident Containment

• Containment strategies – Monitoring system and network activities – Disabling access to compromised systems that are

shared with other computers – Changing passwords or disabling accounts of

compromised systems – Disabling system services, if possible

Principles of Incident Response and Disaster Recovery, 2nd Edition 7

Incident Containment

• Containment strategies (cont’d.) – Disconnecting compromised systems (or networks)

from the local network – Temporarily shutting down compromised systems – Verifying that redundant systems and data have not

been compromised

Principles of Incident Response and Disaster Recovery, 2nd Edition 8

Principles of Incident Response and Disaster Recovery, 2nd Edition 9

Incident Containment (cont'd.)

• Identifying the attacking hosts involves: – Verifying the IP address of the attacking system – Web-based research of the attacking host’s IP

address – Incident/attack database searches – Attacker back-channel and side-channel

communications

Principles of Incident Response and Disaster Recovery, 2nd Edition 10

Incident Eradication

• Many practitioners feel that a system, once compromised, can never be restored to a trusted state

• To prevent concurrent recurrence – Team must continuously monitor the assets

associated with the current incident and the remaining assets that may be susceptible to attack

– The organization’s monitoring teams should be on high alert, carefully examining communications and system activities

Principles of Incident Response and Disaster Recovery, 2nd Edition 11

Incident Recovery

• The reestablishment of the pre-incident status of all organizational systems

• Incident recovery involves: – Implementing the backup and recovery plans that

should already be in place before the attack • Difficult part of recovery

– The identification of data that may have been disclosed

Principles of Incident Response and Disaster Recovery, 2nd Edition 12

Incident Containment and Eradication Strategies for Specific Attacks

• CSIRT leader must determine appropriate response based on certain aspects of the incident – Type – Method of incursion – Current level of success – Current level of loss – Expected or projected level of loss – Target – Target’s level of classification and/or sensitivity – Any legal or regulatory impacts mandating a specific

response Principles of Incident Response and Disaster Recovery, 2nd Edition 13

Incident Containment and Eradication Strategies for Specific Attacks (cont'd.) • Containment strategy should include details about

how the organization will handle: – Theft or damage to assets – Whether to preserve evidence for potential criminal

prosecution – Service-level commitments and contract

requirements to customers – Allocation of necessary resources to activate

strategy – Graduated responses that may be necessary – Duration of containment efforts

Principles of Incident Response and Disaster Recovery, 2nd Edition 14

Handling Denial of Service (DoS) Incidents

• Denial-of-service (DoS) attack – Occurs when an attacker’s action prevents the

legitimate users of a system from using it • Distributed denial-of-service (DDoS) attack

– The use of multiple systems to simultaneously attack a single target

Principles of Incident Response and Disaster Recovery, 2nd Edition 15

Handling Denial of Service (DoS) Incidents (cont'd.)

• Tasks to be performed before the DoS incident – Coordinating with service provider – Collaborating and coordinating with professional

response agencies – Implementation of prevention technologies – Monitoring resources – Coordinating the monitoring and analysis capabilities – Setting up logging and documentation – Configuring network devices to prevent DoS

incidents

Principles of Incident Response and Disaster Recovery, 2nd Edition 16

Handling Denial of Service (DoS) Incidents (cont'd.)

• Containment strategies during the DoS incident – Try to fix the source of the problem – Change the organization’s filtering strategy – Try to filter based on the characteristics of the attack – Engage upstream partners – Eliminate or relocate the target system

Principles of Incident Response and Disaster Recovery, 2nd Edition 17

Handling Denial of Service (DoS) Incidents (cont'd.)

Principles of Incident Response and Disaster Recovery, 2nd Edition 18

Principles of Incident Response and Disaster Recovery, 2nd Edition 19

Handling Denial of Service (DoS) Incidents (cont'd.)

• After the DoS attack, the organization: – Should consider its overall philosophy of protect and

forget or apprehend and prosecute – Will want to collect evidence to see how the incident

occurred and to provide insight into how to avoid future recurrences

Principles of Incident Response and Disaster Recovery, 2nd Edition 20

Principles of Incident Response and Disaster Recovery, 2nd Edition 21

Principles of Incident Response and Disaster Recovery, 2nd Edition 22

Malware

• Designed to damage, destroy, or deny service to the target systems

• Common instances include: – Viruses and worms, Trojan horses, logic bombs,

back doors, and rootkits • Cookie

– Data kept by a Web site as a means of recording that a system has visited the site

• Tracking cookie – Collects valuable personal information, then sends it

along to the attacker Principles of Incident Response and Disaster Recovery, 2nd Edition 23

Malware (cont'd.)

• Before the malware incident : – Schedule awareness programs to inform users

about current malware issues – Keep up on vendor and IR agency postings and

bulletins – Implement appropriate IDPS – Conduct effective inventory and data organization – Implement and test data backup and recovery

programs

Principles of Incident Response and Disaster Recovery, 2nd Edition 24

Malware (cont'd.)

• To search for undetected infections during the malware incident – Scan internal systems to look for active service ports – Use updated scanning and cleanup tools promptly

and aggressively – Analyze logs from e-mail servers, firewalls, IDPSs,

and individual host log files for anomalous items – Give network and host intrusion systems access to

signature files that can indicate when certain behaviors have occurred

– Conduct periodic and ongoing audits Principles of Incident Response and Disaster Recovery, 2nd Edition 25

Principles of Incident Response and Disaster Recovery, 2nd Edition 26

Principles of Incident Response and Disaster Recovery, 2nd Edition 27

Principles of Incident Response and Disaster Recovery, 2nd Edition 28

Malware (cont'd.)

• Response strategies for malware outbreaks include: – Filtering e-mail based on subject, attachment type

using malware signatures, or other criteria – Blocking known attackers – Interrupting some services – Severing networks from the Internet or each other – Engaging the users – Disrupting service

Principles of Incident Response and Disaster Recovery, 2nd Edition 29

Malware (cont'd.)

• After the malware incident – System should be constantly monitored to prevent

re-infection – Distribute warnings that a particular malware

incident has occurred and that it was successfully handled

Principles of Incident Response and Disaster Recovery, 2nd Edition 30

Unauthorized Access

• Attempts by insiders to escalate privileges and access information and other assets for which they do not explicitly have authorization

• Some examples of UA – Gaining unauthorized administrative control of any

server or service – Gaining unauthorized access to any network or

computing resource – Defacing or unauthorized modification of any public-

facing information service

Principles of Incident Response and Disaster Recovery, 2nd Edition 31

Principles of Incident Response and Disaster Recovery, 2nd Edition 32

Unauthorized Access (cont'd.)

• Before the UA incident – Placing a common central log server in a more

highly protected area of the network will certainly assist in post-event analyses

– Implementing an effective password policy and having both a complete and usable management policy as well as technology-enforced password requirements is critical

Principles of Incident Response and Disaster Recovery, 2nd Edition 33

Principles of Incident Response and Disaster Recovery, 2nd Edition 34

Principles of Incident Response and Disaster Recovery, 2nd Edition 35

Unauthorized Access (cont'd.)

• During the UA incident – NIST recommends the following containment

strategies • Isolate • Disable • Block • Disable • Lockdown

Principles of Incident Response and Disaster Recovery, 2nd Edition 36

Principles of Incident Response and Disaster Recovery, 2nd Edition 37

Principles of Incident Response and Disaster Recovery, 2nd Edition 38

Unauthorized Access (cont'd.)

• After the UA incident – The task of identifying the avenue of attack and

closing any still-open repeat mechanisms begins – The organization must identify the extent of the

damage and look for any residual effects – The CSIRT should always presume that if a critical

information asset was accessed, the data stored within it is compromised

Principles of Incident Response and Disaster Recovery, 2nd Edition 39

Principles of Incident Response and Disaster Recovery, 2nd Edition 40

Inappropriate Use

• IU incidents – Predominantly characterized as a violation of policy

rather than an effort to abuse existing systems • The following can be considered IU incidents

– Inappropriate and/or unauthorized software or services

– Organizational resources used for personal reasons – Organizational resources used to harass coworkers – Restricted company information and other assets

stored in external sites

Principles of Incident Response and Disaster Recovery, 2nd Edition 41

Inappropriate Use (cont'd.)

• Before the IU incident – For a policy to become enforceable, it must meet the

following five criteria • Dissemination (distribution) • Review (reading) • Comprehension (understanding) • Compliance (agreement) • Uniform enforcement

Principles of Incident Response and Disaster Recovery, 2nd Edition 42

Inappropriate Use (cont'd.)

• During the IU incident – Level of authority an individual manager has

• Important thing to consider when investigating a potential IU incident

– Clear policies must be in place that discuss the level of direct investigation the CSIRT may undertake

– The organization should clearly define the circumstances under which the CSIRT and/or management may investigate the interior of a piece of organization equipment

Principles of Incident Response and Disaster Recovery, 2nd Edition 43

Principles of Incident Response and Disaster Recovery, 2nd Edition 44

Principles of Incident Response and Disaster Recovery, 2nd Edition 45

Inappropriate Use (cont'd.)

• After the IU incident – The CSIRT will typically turn copies of all

documentation over to management for administrative handling, then monitor the offending systems for possible recurrences

Principles of Incident Response and Disaster Recovery, 2nd Edition 46

Principles of Incident Response and Disaster Recovery, 2nd Edition 47

Hybrid or Multicomponent Incidents

• Many incidents begin with one type of event, then transition to another

• Timeliness is a factor in prioritizing the response • Key recommendations for handling hybrid incidents

– Use software to support incident management – Prioritize each incident component as it arises – Contain each incident, then scan for others

Principles of Incident Response and Disaster Recovery, 2nd Edition 48

Principles of Incident Response and Disaster Recovery, 2nd Edition 49

Automated IR Response Systems

• The CSIRT must document and preserve every action, file, event, and item of potential evidentiary value

• Automated IR systems to facilitate IR documentation are available through a number of vendors

Principles of Incident Response and Disaster Recovery, 2nd Edition 50

Summary

• IR reaction strategies – Plans for regaining control of systems and restoring

operations to normality in the event of an incident • Once the CSIRT is active, the first task that must

occur is an assessment of the situation • Some prevention strategies include:

– Risk assessment – Acquiring and maintaining good host security – Acquiring and maintaining good network security

• It is imperative to contain a confirmed incident Principles of Incident Response and Disaster Recovery, 2nd Edition 51

Summary (cont'd.)

• Incident recovery – The reestablishment of the pre-incident status of all

organizational systems • The selection of the appropriate reaction strategy is

an exercise in risk assessment • Denial of service (DoS)

– Occurs when an attacker’s action prevents the legitimate users of a system or network from using it

Principles of Incident Response and Disaster Recovery, 2nd Edition 52

Principles of �Incident Response and Disaster Recovery, 2nd Edition
Objectives
Introduction
IR Response Strategies
IR Response Strategies (cont'd.)
Response Preparation
Incident Containment
Incident Containment
Slide Number 9
Incident Containment (cont'd.)
Incident Eradication
Incident Recovery
Incident Containment and Eradication Strategies for Specific Attacks
Incident Containment and Eradication�Strategies for Specific Attacks (cont'd.)
Handling Denial of Service (DoS) Incidents
Handling Denial of Service (DoS) Incidents (cont'd.)
Handling Denial of Service (DoS) Incidents (cont'd.)
Handling Denial of Service (DoS) Incidents (cont'd.)
Slide Number 19
Handling Denial of Service (DoS) Incidents (cont'd.)
Slide Number 21
Slide Number 22
Malware
Malware (cont'd.)
Malware (cont'd.)
Slide Number 26
Slide Number 27
Slide Number 28
Malware (cont'd.)
Malware (cont'd.)
Unauthorized Access
Slide Number 32
Unauthorized Access (cont'd.)
Slide Number 34
Unauthorized Access (cont'd.)
Slide Number 36
Slide Number 37
Slide Number 38
Unauthorized Access (cont'd.)
Slide Number 40
Inappropriate Use
Inappropriate Use (cont'd.)
Inappropriate Use (cont'd.)
Slide Number 44
Slide Number 45
Inappropriate Use (cont'd.)
Slide Number 47
Hybrid or Multicomponent Incidents
Slide Number 49
Automated IR Response Systems
Summary

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

Finance Master
Writing Factory
Financial Solutions Provider
Engineering Guru
Instant Assignment Writer
Quick N Quality
Writer Writer Name Offer Chat
Finance Master

ONLINE

Finance Master

I am an experienced researcher here with master education. After reading your posting, I feel, you need an expert research writer to complete your project.Thank You

$33 Chat With Writer
Writing Factory

ONLINE

Writing Factory

I have read your project details and I can provide you QUALITY WORK within your given timeline and budget.

$31 Chat With Writer
Financial Solutions Provider

ONLINE

Financial Solutions Provider

I find your project quite stimulating and related to my profession. I can surely contribute you with your project.

$35 Chat With Writer
Engineering Guru

ONLINE

Engineering Guru

I am an elite class writer with more than 6 years of experience as an academic writer. I will provide you the 100 percent original and plagiarism-free content.

$47 Chat With Writer
Instant Assignment Writer

ONLINE

Instant Assignment Writer

I am an experienced researcher here with master education. After reading your posting, I feel, you need an expert research writer to complete your project.Thank You

$33 Chat With Writer
Quick N Quality

ONLINE

Quick N Quality

I will provide you with the well organized and well research papers from different primary and secondary sources will write the content that will support your points.

$16 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

Http www strategicbusinessinsights com vals surveynew shtml - Soap note for pain management - Can a pmo accelerate the implementation process discussion - Lan to wan domain security - ORGANIZATIONAL CONFLICT PAPER - Universal purpose of goods - Wisc v sample report - Of mice and men worksheets - Ib standard level math formula booklet - Sam hughes margaret olley - Biology lab variation in cell structure - Microelectronic circuits 7th edition problems - Action research project proposal - Chain of command pros and cons - Civil 3d storm and sanitary analysis - Marketing environment simulation and summary - Why did the schlieffen plan fail - Mental and behavioral - Dell complete care coverage - 1 - lugares audio listen and select the place that corresponds to each activity described. - A good media strategy requires - Background of a research study - Ethical dilemma in public service - F for th phonological process - Essay on criminal justice - Management accounting atkinson 6th edition pdf - Biomedical optics express template - Taxonomy answer key - 1 samuel 2 12 17 - Importance of dichotomous key - 619 cal young road hallsville tx - Conditional probability venn diagram - Unity multiple choice game - Hodder education workbook answers - Answer the following questions - 1 RESPOND - Calculating total cost in java - Wechsler individual achievement test score interpretation - Rowlands castle st johns cec primary school - What is hp support assistant - Organizational structures in Information technology startups - How many trips originate in each state - Read the article and answer the questions - Whats the density of milk - Different types of artifacts in radiography - Topic 5 DQ1 and DQ 2 - A time line is not meaningful unless all cash flows occur annually. - List and briefly define ieee services - Responding - Loreto grammar school uniform - Beale v taylor 1967 - Dialogue between social worker and client - A particle initially located at the origin - Engineering graduate cover letters - A builder has located a piece of property - Bus 311 week 5 final paper - Sa power networks meter box lock - What is the magnitude f of the force? express your answer numerically in newtons. - Milk milk milk what do cows drink - Inserting a node into a sorted doubly linked list python - Dirty in thailand language - 2.05 bar to psi - Week 4 summary - Ifsm 300 stage 1 - Abercrombie and fitch diversity issues - Katy perry firework song lyrics - Primary activities and secondary activities - Australian top 20 songs - Alpha beta charlie delta - Tale of tristan and isolde - Eonomics - Kinesiology exam - Entrepreneurial Venture Plan Paper | DUE IN 24 HOURS - Avaya 4850gts pwr+ datasheet - Mpa to n mm2 - Delta airlines pestel analysis - Survey of art and culture ivy tech - Farlingaye 6th form open evening - Zhejiang jiangshan liren wood industry - I am australian poem analysis - According to the lecture univisión's headquarters are in ___________________ - Cross cultural adaptation theory strengths and weaknesses - A7 Blood pressure in children - Role of school captain - Motivational theories in criminal justice - Baroque period music dates - Modern history sample answers - Corporate finance case studies and solutions - Examples of questions for family health assessment - Current Event Summary - Smile index in orthodontics - Watt converter to amp - Case Study – Perioperative - Can a cuban land crab outrun a horse - What makes a perm smell - Netwitness investigator application - Automatic folding clothes machine - Propose a mechanism for the following reaction - Google case study human resource management - Journal Article Research(NCM)