Lesson 12

Topic 12A: Incident Response

EXAM OBJECTIVES COVERED: 4.8 Explain appropriate incident response activities

Effective incident response is governed by formal policies and procedures, setting out roles and responsibilities for an incident response team.

Incident Response Processes

A cybersecurity incident refers to either a successful or attempted violation of the security properties of an asset, compromising its confidentiality, integrity, or availability. Incident response (IR) policy sets the resources, processes, and guidelines for dealing with cybersecurity incidents. Management of each incident should follow a process lifecycle.

CompTIA’s incident response lifecycle is a seven-step process:

  1. Preparation: makes the system resilient to attack in the first place.

This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies creating incident response resources and procedures.

  2. Detection: discovers indicators of threat actor activity.

Indicators that an incident may have occurred might be generated from an automated intrusion detection system. Alternatively, incidents might be detected manually through threat hunting operations, or be reported by employees, customers, or law enforcement.

  3. Analysis: determines whether an incident has taken place and performs triage to assess how severe it might be, based on the data reported as indicators.

  4. Containment: limits the scope and magnitude of the incident.

The principal aim of incident response is to secure data while limiting the immediate impact on customers and business partners. It is also necessary to notify stakeholders and identify other reporting requirements.

  5. Eradication: removes the cause and restores the affected system to a secure state.

Once the incident is contained, this is done by applying secure configuration settings and installing patches.

  6. Recovery: reintegrates the system into the business process it supports once the cause of the incident has been eradicated.

This recovery phase may involve the restoration of data from backup and security testing. Systems must be monitored closely for a period to detect and prevent any recurrence of the attack. The response process may have to iterate through multiple phases of identification, containment, eradication, and recovery to effect a complete resolution.

  7. Lessons learned: analyzes the incident and the responses to it to identify whether procedures or systems could be improved.

It is imperative to document the incident. Outputs from this phase feed back into a new preparation phase in the cycle. Incident response likely requires coordinated action and authorization from several different departments or managers, which adds further levels of complexity.