Dwell Time - answer The time an attacker has remained undetected within a network.
An important metric to track as it directly correlates with the ability of an attacker to
accomplish their objectives.
Breakout Time - answer Time it takes an intruder to begin moving laterally once they
have an initial foothold in the network.
Main Threat Actors - answer APT (Nation State Actors)
Organized Crime
Hacktivists
NIST - answer US National Institute of Standards and Technology
Six-Step Incident Response Process - answer 1: Preparation
2: Identification
3: Containment and Intelligence Development
4: Eradication and Remediation
5: Recovery
6: Follow-up
Six-Step - Preparation - answer Incident response methodologies emphasize
preparation: not only establishing a response capability so the organization is ready to
respond to incidents, but also preventing incidents by ensuring that systems, networks,
and applications are sufficiently secure.
Six-Step - Identification - answer Identification is triggered by a suspicious event. This
could be from a security appliance, a call to the help desk, or the result of something
discovered via threat hunting. The event should be validated and a decision made as to
the severity of the finding (not all valid events lead to a full incident response). Once an
incident response has begun, this phase is used to better understand the findings and
begin scoping the network for additional compromise.
Six Step - Containment and Intelligence Development - answer In this phase, the goal is
to rapidly understand the adversary and begin crafting a containment strategy.
Responders must identify the initial vulnerability or exploit, how the attackers are
maintaining persistence and moving laterally in the network, and how command and
control is being accomplished. In conjunction with the previous scoping phase,
responders work to build a complete picture of the attack and often implement
changes to the environment to increase host and network visibility. Threat intelligence is
one of the key products of the IR team during this phase.
Six Step - Eradication and Remediation - answer Arguably the most important phase of
the process, eradication aims to remove the threat and restore business operations to a
normal state. However, successful eradication cannot occur until the full scope of the
intrusion is understood. A rush to this phase usually results in failure. Remediation plans
are developed, and recommendations are implemented in a planned and controlled
manner. Examples include
-Block malicious IP addresses
-Blackhole malicious domain names
-Rebuild compromised systems
-Coordinate with cloud and service providers
-Enterprise-wide password changes
-Implementation validation
Recovery - answer Recovery leads the enterprise back to day-to-day business. The
organization will have learned a lot during the incident investigation and will invariably
have many changes to implement to make the enterprise more defensible. Recovery
plans are typically divided into near-, mid-, and long-term goals, and near-term changes
should start immediately. The goal during this phase is to improve the overall security of
the network and to detect and prevent immediate reinfection. Some recovery items
include
-Improve Enterprise Authentication Model
-Enhanced Network Visibility
-Establish comprehensive Patch Management Program
-Enforce Change Management Program
-Centralized Logging (SIM/SIEM)
-Enhance Password Portal
-Establish Security Awareness Training Program
-Network Redesign
Follow-Up - answer Follow-Up is used to verify the incident has been mitigated, the
adversary has been removed, and additional countermeasures have been implemented
correctly. This step combines additional monitoring, network sweeps looking for new
breaches, and auditing the network (penetration tests and compliance) to ensure new
security mechanisms are in place and functioning normally.
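The follow-up sweep described above, as an added example that is not part of the original notes: a Python check over constructed DNS and proxy log lines that validates the eradication controls (IP blocks and domain blackholes) after the remediation cut-over and flags any rebuilt host that contacts an indicator again (suspected reinfection) or any host that was never in scope (a sign the scoping was incomplete). The IOC values, the cut-over time, the key=value log format, the host names and the sinkhole address are all assumed for the example.

```python
"""Post-remediation IOC sweep (added example; assumed inputs, not from the notes)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Constructed remediation record: what was blocked, blackholed and rebuilt, and when.
REMEDIATION_TIME = datetime(2024, 3, 10, 2, 0, tzinfo=timezone.utc)
BLOCKED_IPS = {"203.0.113.45", "198.51.100.7"}
BLACKHOLED_DOMAINS = {"update-cdn.example"}
SINKHOLE_ANSWER = "0.0.0.0"            # assumed: what a blackholed name should resolve to
REBUILT_HOSTS = {"WS-0142", "SRV-DB01"}

# Constructed DNS/proxy log lines in an assumed "<ISO timestamp> key=value ..." format.
LOG_LINES = [
    "2024-03-10T01:15:00Z host=WS-0142 type=dns query=update-cdn.example answer=203.0.113.45",
    "2024-03-10T03:40:00Z host=WS-0142 type=proxy dst=203.0.113.45 action=allow",
    "2024-03-10T04:05:00Z host=WS-0077 type=dns query=mail.update-cdn.example answer=0.0.0.0",
    "2024-03-10T05:20:00Z host=SRV-DB01 type=proxy dst=198.51.100.7 action=deny",
    "2024-03-10T06:00:00Z host=WS-0203 type=proxy dst=93.184.216.34 action=allow",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Finding:
    host: str
    ts: datetime
    indicator: str
    verdict: str


def parse_line(line):
    """Split a log line into a dict of fields plus a timezone-aware 'ts'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return fields


def in_blackhole(name):
    """True for a blackholed domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in BLACKHOLED_DOMAINS)


def sweep(lines, since=REMEDIATION_TIME):
    """Return findings for indicator contact observed after the remediation cut-over.

    Two questions per event: did the control actually work (block/blackhole), and
    which host is still talking to the indicator (rebuilt -> reinfection suspected,
    otherwise -> a host the scoping missed).
    """
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ts"] < since:
            continue  # pre-cut-over activity is the known incident, not follow-up
        if ev.get("type") == "proxy" and ev.get("dst") in BLOCKED_IPS:
            indicator, control = ev["dst"], "block-ineffective"
            control_failed = ev.get("action") == "allow"
        elif ev.get("type") == "dns" and in_blackhole(ev.get("query", "")):
            indicator, control = ev["query"], "blackhole-ineffective"
            control_failed = ev.get("answer") != SINKHOLE_ANSWER
        else:
            continue
        host = ev["host"]
        if control_failed:
            findings.append(Finding(host, ev["ts"], indicator, control))
        verdict = "reinfection-suspected" if host in REBUILT_HOSTS else "unscoped-host"
        findings.append(Finding(host, ev["ts"], indicator, verdict))
    return findings


def summarize(findings):
    """Count findings per verdict, the number the follow-up report needs."""
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = sweep(LOG_LINES)
    for f in results:
        print(f"{f.ts.isoformat()} {f.host:<9} {f.indicator:<28} {f.verdict}")
    print(summarize(results))
```

Any "block-ineffective" or "blackhole-ineffective" finding means the remediation step was not applied everywhere it was planned; a "reinfection-suspected" finding on a rebuilt host means the rebuild did not remove the foothold or the host was re-compromised; an "unscoped-host" finding is the whack-a-mole signal that the scoping phase missed a host.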
Problem with the Six-Step incident response process - answer Few teams follow the
process as prescribed. Pressure leads teams to move immediately to the
Eradication/Remediation phase before true scoping and understanding of the incident
occurs. Moving to eradication too early removes the benefits and capabilities provided
by cyber threat intelligence and intelligence-driven incident response doctrine.
Whack-a-mole - answerThe organization blindly chases the attacker throughout the
network, making little overall progress.