Lesson 17
Performing Incident Response
Incident Response Process
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Cyber Incident Response Team
• Reporting, categorizing, and prioritizing (triage)
• CIRT/CERT/CSIRT/SOC
• Management/decision-making authority
• Incident analysts
• 24/7 availability
• Roles beyond technical response
• Legal
• Human Resources (HR)
• Marketing
Image credit: John Mattern/Feature Photo Service for IBM.
Communication Plan and Stakeholder Management
• Prevent inadvertent disclosure
• Call list identifying trusted parties
• Communication plan
• Share data on a need to know basis
• Out-of-band communications—avoid alerting intruder
• Stakeholder management
• Communication with internal and external stakeholders
• Notification and reporting
Incident Response Plan
• Lists the procedures, contacts, and resources available to responders for various incident categories
• Playbooks and runbooks
• Incident categorization
• Prioritization factors
• Data integrity
• Downtime
• Economic/publicity
• Scope
• Detection time
• Recovery time
Incident Response Exercises
• Tabletop
• Facilitator presents a scenario
• Does not involve live systems
• Walkthroughs
• Responders demonstrate response actions
• Simulations
• Red team performs a simulated intrusion
Image © 2017 Kentucky National Guard.
Incident Response, Disaster Recovery, and Retention Policy
• Incident response versus disaster recovery and business continuity
• Disaster recovery plan
• Response and recovery planning for major incidents such as shifting processing to a secondary site
• Business continuity plan
• Making business procedures resilient
• Continuity planning ensures that there is processing redundancy supporting the workflow,
Topic 17B
Utilize Appropriate Data Sources for Incident Response
Incident Identification
• Events may be recorded by:
• Security mechanisms (IDS, log analysis, alerts)
• Manual inspections
• Notification procedures
• Public reporting
• First responder
• Member of CIRT taking charge of a reported incident
• Analysis and incident identification
• Classify and prioritize
• Downgrade low priority alerts
SIEM Dashboards
• Manager dashboard
• Overall status indicators
• Sensitivity and alerts
• Log only/alert/alarm
• Sensors
• Source for network traffic data
• Aggregate data under one dashboard
Screenshot courtesy of Security Onion (securityonion.net).
Trend Analysis
• Detecting indicators over a time series
• Visualization
• Frequency-based
• Number of events per period
Logging Platforms
• Syslog
• Logging format, protocol, and server (daemon) software
• Timestamp
• Message part
• Rsyslog and syslog-ng
• journalctl
• Binary logging
• Nxlog
• Logging tool
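As an added example (not part of the CompTIA slides), the following ties the Syslog timestamp and message parts listed above to the frequency-based trend analysis from the previous slide: it parses RFC 3164-style lines into their timestamp and message parts, counts matching events per five-minute period, and flags periods that reach a threshold. The log lines, the pattern, the bucket size and the threshold are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog lines (RFC 3164 style: timestamp, host, tag[pid], message).
# They are made up for this example and come from no real system.
SAMPLE_LOG = """\
Mar 12 10:01:05 srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 12 10:01:09 srv1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar 12 10:01:14 srv1 sshd[2205]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar 12 10:02:30 srv1 sshd[2210]: Accepted publickey for deploy from 192.0.2.15 port 40022 ssh2
Mar 12 10:45:02 srv1 sshd[2301]: Failed password for root from 203.0.113.7 port 52001 ssh2
Mar 12 11:03:44 srv1 sshd[2402]: Failed password for invalid user test from 198.51.100.9 port 60112 ssh2
"""

# Timestamp part, then host, tag (optionally with [pid]), then the message part.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_syslog(text, year=2020):
    """Split each line into its timestamp and message parts; skip unparsable lines.
    RFC 3164 timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not RFC 3164 shaped (e.g. a truncated or binary line)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "tag": m["tag"], "msg": m["msg"]})
    return events


def events_per_period(events, needle, minutes=5):
    """Frequency-based trend: count messages containing `needle` per N-minute bucket."""
    counts = Counter()
    for e in events:
        if needle in e["msg"]:
            start = e["ts"].minute - e["ts"].minute % minutes
            counts[e["ts"].replace(minute=start, second=0)] += 1
    return counts


def flag_spikes(counts, threshold):
    """Return bucket start times whose count reaches the alert threshold."""
    return sorted(b for b, n in counts.items() if n >= threshold)
```

With the constructed lines, three failed logins fall in the 10:00 bucket and are flagged, while the isolated failures at 10:45 and 11:03 stay below the threshold.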
Network, OS, and Security Log Files
• Five categories of Windows logs:
• Application
• Security/audit
• System
• Setup
• Forwarded events
• Network logs
• Traffic and access data from network appliances
• Vulnerability scan output
Metadata
• File
• Date/time and security attributes
• The file system tracks when a file was created, accessed, and modified. A file might be assigned a security attribute, such as marking it as read-only or as a hidden or system file.
• Web
• Email
• An email's Internet header contains address information for the recipient and sender, plus details of the servers handling transmission of the message between them.
• Mobile
• Mobile phone metadata comprises call detail records (CDRs) of incoming, outgoing, and attempted calls and SMS text time, duration, and the opposite party's number. Metadata will also record data transfer volumes.
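As an added example (not from the CompTIA material), the following reads the email metadata described above: it walks the Received headers of a constructed message to reconstruct which servers handled it and when, and reports the address the first server recorded. The message, hosts and addresses are invented for illustration.

```python
import email
import re

# Constructed message (no real addresses or servers). Received headers are in
# the order a final MTA writes them: newest hop first.
RAW_MESSAGE = b"""\
Received: from mx-in.example.net (mx-in.example.net [192.0.2.10])
\tby mail.example.org with ESMTPS id abc123; Thu, 12 Mar 2020 10:01:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.20])
\tby mx-in.example.net with ESMTP; Thu, 12 Mar 2020 10:01:02 +0000
Received: from [203.0.113.7] (unknown [203.0.113.7])
\tby relay.example.com with SMTP; Thu, 12 Mar 2020 10:00:58 +0000
From: "Accounts" <billing@example.com>
To: finance@example.org
Subject: Invoice
Message-ID: <constructed-0001@example.com>

Please see the attached invoice.
"""

HOP_RE = re.compile(r"from (?P<frm>\S+).*? by (?P<by>\S+).*?;\s*(?P<date>.+)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return hops oldest-first: the claimed sender, the address the receiving
    server saw, the receiving server, and the time it stamped the message."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())       # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue                         # malformed or non-standard header
        ip = IP_RE.search(text)
        hops.append({"from": m["frm"], "ip": ip.group(1) if ip else None,
                     "by": m["by"], "date": m["date"]})
    hops.reverse()
    return hops


def origin_ip(raw):
    """Address recorded by the earliest server in the chain. Only hops added by
    servers you trust are reliable; a sender can forge earlier Received lines."""
    hops = received_chain(raw)
    return hops[0]["ip"] if hops else None
```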
Topic 17C
Apply Mitigation Controls
Containment Phase
• Response must satisfy different or competing objectives
• What is the loss or potential for loss?
• What countermeasures are available?
• What evidence can be collected?
• Isolation-based containment
• Remove the affected system
• Disconnect hosts from power
• Disable user accounts or applications
• Segmentation-based containment
• Use sinkhole or sandbox to analyze attack
Incident Eradication and Recovery
• Reconstitution of affected systems:
• Re-audit security controls – what could have prevented the intrusion?
Firewall Configuration Changes
• Some general guidelines for configuring egress filtering are:
• Allow only authorized application ports
• Block access to "known bad" IP addresses, as listed on
• Block access from any IP address space that is not authorized for use on your local network.
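As an added example (not part of the CompTIA slides), the three egress guidelines above expressed as a policy check that can be dry-run against flow records before a firewall change is pushed. The port list, local address space, known-bad list and flow records are constructed for illustration; a real deployment takes them from the organization's address plan and threat-intelligence feeds.

```python
import ipaddress

# Constructed policy values for illustration only.
AUTHORIZED_PORTS = {53, 80, 443, 587}
LOCAL_SPACE = [ipaddress.ip_network("10.10.0.0/16"),
               ipaddress.ip_network("192.168.50.0/24")]
KNOWN_BAD = [ipaddress.ip_network("203.0.113.66/32"),
             ipaddress.ip_network("198.51.100.0/24")]


def in_any(ip, networks):
    return any(ip in net for net in networks)


def egress_decision(src, dst, dst_port):
    """Apply the three egress guidelines in order; return (action, reason)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    # Source addresses outside the authorized local space are spoofed or
    # misrouted and must not leave the network.
    if not in_any(src_ip, LOCAL_SPACE):
        return ("deny", "source not in authorized local address space")
    # Destinations on the known-bad list (e.g. from a threat feed).
    if in_any(dst_ip, KNOWN_BAD):
        return ("deny", "destination on known-bad list")
    # Only authorized application ports may be reached.
    if dst_port not in AUTHORIZED_PORTS:
        return ("deny", f"port {dst_port} not an authorized application port")
    return ("allow", "matches egress policy")


def review_flows(flows):
    """Dry-run (src, dst, port) flows and count denials per reason, so the
    impact of a rule change can be checked before it reaches the firewall."""
    summary = {}
    for src, dst, port in flows:
        action, reason = egress_decision(src, dst, port)
        if action == "deny":
            summary[reason] = summary.get(reason, 0) + 1
    return summary


# Constructed flow records, as might be exported from a flow collector.
SAMPLE_FLOWS = [
    ("10.10.4.21", "192.0.2.44", 443),      # normal HTTPS
    ("10.10.4.21", "203.0.113.66", 443),    # known-bad destination
    ("10.10.7.9", "192.0.2.44", 6667),      # unauthorized port
    ("172.16.3.3", "192.0.2.44", 80),       # source not in local space
]
```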
Content Filter Configuration Changes
• Update or revoke certificates
• Remove compromised root certificates from trust stores
• Revoke certificates on compromised hosts
Security Orchestration, Automation, and Response
• Automation versus orchestration
• Security orchestration, automation, and response (SOAR)
• Incident response
• Playbooks - runbook