Incident Response Steps (CISSP)
28 community-sourced questions and answers.
What is an incident?
Any event that has a negative effect on the CIA of an organization's assets
What is a computer security incident?
Refers to an incident that is the result of an attack or the result of malicious or intentional actions on the part of users. Organizations define the meaning of a computer security incident within their security policy or incident response plan
What are the steps of incident response?
1. Detection
2. Response
3. Reporting
4. Recovery
5. Remediation and review
What is the primary goal of incident response?
Containment/limiting the effect or scope of the incident
Why are many incidents not reported?
They are not recognized as incidents. This is often a result of inadequate training.
What is the goal of remediation and review in incident management?
To identify anything that can be modified to prevent a similar incident or to limit the severity of a similar incident
What are some basic preventative measures to protect against attacks?
Keep systems and applications up to date. Remove or disable unneeded services and protocols. Use up-to-date antivirus software. Use firewalls. Use IDS and IPS.
What is the most popular method of delivering malicious code today?
Drive by downloads
What is the most important protection against malicious code?
Using anti-virus software with up to date signatures
What are the 3 stages at which a zero-day exploit happens?
1. The attacker first discovers a vulnerability (only the attacker knows of it at that point).
2. The vendor learns of the vulnerability (the vendor is developing a patch, but the public does not yet know of the vulnerability).
3. The vendor releases the patch (some people also refer to attacks occurring the day after the patch is released to the public as zero-day exploits).
What is a Distributed Reflective Denial of Service (DRDoS) attack?
It doesn't attack the victim directly but instead manipulates traffic or a network service so that attacks are reflected back to the victim from other sources. DNS poisoning and smurf attacks are examples.
What is a SYN flood attack and how would you prevent it?
It disrupts the standard three-way handshake used by TCP. One method of blocking SYN flood attacks is with SYN cookies. Firewalls and IDS/IPS also include mechanisms to check for SYN attacks.
What is a Smurf attack?
Smurf attacks use ICMP echo packets instead of TCP SYN packets.
What is a Fraggle attack?
Fraggle attacks use UDP packets over UDP ports 7 and 19. The fraggle attack broadcasts a UDP packet using the spoofed IP address of the victim. All systems then start sending traffic to the victim, as in a smurf attack.
What is a teardrop attack?
The attacker fragments traffic in such a way that the data packets can't be put back together. Current systems are not susceptible to teardrop attacks. An IDS can check for malformed packets.
What is a land attack?
When the attacker sends spoofed SYN packets using the victim's IP address as both the source and destination address. Keeping a system up to date and filtering traffic will stop it.
What is one primary goal of an IDS?
Provide a means for a timely and accurate response to intrusions
What are the two common methods that IDSs evaluate data and detect malicious behavior?
1. Knowledge-based detection (signature matching or pattern matching)
2. Behavior-based detection (starts by creating a baseline of normal activity and can then detect abnormal activity that may indicate a malicious intrusion or event)
What is a drawback of knowledge-based detection?
It is only effective against known attacks.
What is a drawback of behavior-based detection?
It often raises false alarms.
What is the passive response of an IDS?
Logs the event and sends a notification
What is the active response of an IDS?
Changes the environment to block the activity in addition to logging and sending a notification
What is a benefit of HIDS over NIDS?
It is able to detect anomalies on the host system
What is a drawback of HIDS over NIDS?
It is costly and may use up system resources. Also, the logs are stored on the machine itself.
What is the distinguishing difference between an IDS and an IPS?
An IPS is placed in line with network traffic. All traffic must pass through the IPS, and after analyzing it the IPS can choose which traffic to forward and which to block.
What is a padded cell?
When an IDS detects an intruder, the intruder is automatically transferred to a padded cell. The padded cell has the look and feel of an actual network, but the attacker is unable to perform any malicious activities or access any confidential data from within the padded cell.
What is a darknet?
A darknet is a portion of allocated IP addresses within a network that are not used. It includes one device configured to capture all the traffic into the darknet. A benefit to darknets is that there are few false positives. Legitimate traffic should not be in the darknet, so unless there is a misconfiguration on the network, traffic in the darknet is not legitimate.
Where is antivirus software commonly installed?
At the boundary between the Internet and the internal network, on email servers, and on each system