From the course: Cybersecurity Foundations

Incident management basics


- [Instructor] With the resources being invested in both cybercrime and state-sponsored malware, it's inevitable that an attack will eventually penetrate even the most careful organization. When that happens, the difference between inconvenience and disaster will be how well-prepared the organization is to respond to the incident. The NIST Cybersecurity Framework provides a set of control objectives under the functional area Respond. This consists of five categories: Planning, Communicate, Analysis, Mitigation, and Improvements. The framework also includes a recovery function, which adds to the three of the Respond categories. The five cybersecurity framework categories align closely with the four-stage incident handling process defined in the NIST Special Publication SP 800-61, Incident Handling Guide. Unlike the cybersecurity framework, the communications which occur throughout these four stages are not shown as a separate stage. The cybersecurity framework and SP 800-61 can also be aligned to the three-stage model published by Crest UK, with its model of Prepare, Respond, and Follow Up.

Whatever the model, a key aspect of incident management is information sharing. This includes threat intelligence in the preparation stage and operational response matters during an incident. NIST established the Forum of Incident Response and Security Teams, or FIRST, in 1990, and this continues today as an active forum helping support the industry, government and vendor communities. FIRST runs workshops and conferences to foster cooperation and coordination in incident prevention, to stimulate rapid reaction to incidents, and where subject matter experts can meet to share information. The community of Computer Incident Response Teams, or CERTs, operates at a national level to protect the government and its critical infrastructure and to provide community advice on cybersecurity matters. The US-CERT, for example, is part of the Department of Homeland Security.
Through its 24-by-7 operations center, US-CERT accepts, triages, and collaborates on incidents, provides technical assistance, and disseminates notifications of current and potential issues. CERTs also collaborate at the international level through the Forum of Incident Response Teams. This involves not only maintaining national CERT-to-CERT channels, running training courses, and participating in annual conferences, but also being the main contact for CERTs to organizations such as the Global Forum of Security Experts and the International Telecommunications Union.

It's useful to have a common language when talking about types of incidents and to have a set of generic templates which are fit for purpose for each. US-CERT defines seven categories of incidents. Category 0 covers incidents that are part of cyber exercises for testing network defenses. Category 1 incidents are those where an individual gains logical or physical access without permission to a network, system, application, data, or other resource. Category 2 incidents are denial-of-service events where the attack successfully prevents or impairs the normal authorized functionality of a network, system, or application by exhausting resources. Category 3 covers the successful installation of malicious software not quarantined by antivirus software. Category 4 incidents are those involving a breach of acceptable use. Category 5 incidents are scans and probes of a system, looking for open ports, protocols, or services, which don't directly result in a compromise or denial of service. Category 6 is for incidents involving unconfirmed but potentially malicious activity which justifies further investigation. Incidents don't often appear in a way which is immediately obvious for categorization. We'll usually have some form of event that's flagged as suspicious, and some investigation is needed.
An important tool for incident management is the trouble ticket system, which enables us to maintain all relevant information on an event through to it becoming an incident and eventually being resolved. Here's an example of a trouble ticket system called osTicket, displaying its list of open tickets.

The US Cybersecurity and Infrastructure Agency runs the National Initiative for Cybersecurity Careers and Studies, and through that has published what is known as the NICE Framework, which describes workforce roles in cybersecurity. There are three roles related to incident response: cyber defense analyst, whose role includes running vulnerability scans, monitoring for attacks, and analyzing malware; cyber defense incident responder, whose role is to investigate, analyze, and respond to cyber incidents; and cyber defense forensics analyst, whose role is to analyze digital evidence and investigate incidents. The NICE Framework provides a useful reference to the skills and knowledge required for each of these roles. Why don't you pause the course and take a moment to check out the skills and knowledge required to be a cyber defense incident responder, and check out the tasks you'll be expected to undertake.
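The US-CERT category scheme and the trouble ticket workflow described in this lesson, as an added example that is not part of the course and not code from any CERT or from osTicket: a small Python triage helper that maps detector events onto the seven categories, sends anything unconfirmed to Category 6 for investigation, and keeps each event's record in a ticket from first flag through reclassification to resolution. The detector tag vocabulary, the rule ordering and the sample events are assumptions constructed for this illustration.

```python
"""Added example for this page: event triage against the US-CERT incident
categories plus a minimal trouble-ticket lifecycle. Not course or CERT code;
the detector tag names and sample events are constructed for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum


class Category(IntEnum):
    """US-CERT incident categories as described in the lesson."""
    EXERCISE = 0             # CAT0: part of a cyber exercise
    UNAUTHORIZED_ACCESS = 1  # CAT1: logical/physical access without permission
    DENIAL_OF_SERVICE = 2    # CAT2: normal functionality successfully impaired
    MALICIOUS_CODE = 3       # CAT3: malware installed and not quarantined
    IMPROPER_USAGE = 4       # CAT4: breach of acceptable use
    SCANS_PROBES = 5         # CAT5: scans/probes, no compromise or DoS
    INVESTIGATION = 6        # CAT6: unconfirmed but potentially malicious


@dataclass
class Event:
    source: str       # detector that raised the event (constructed names)
    summary: str
    tags: frozenset   # normalised detector tags; assumed vocabulary
    exercise: bool = False


@dataclass
class Ticket:
    ticket_id: int
    event: Event
    category: Category
    status: str = "open"
    notes: list = field(default_factory=list)


def categorize(event: Event) -> Category:
    """Rules run most-specific first. Anything without a confirmed match
    falls to CAT6, since most events need investigation before categorization."""
    t = event.tags
    if event.exercise:
        return Category.EXERCISE
    if "unauthorized_access" in t:
        return Category.UNAUTHORIZED_ACCESS
    if "dos" in t and "service_impaired" in t:
        return Category.DENIAL_OF_SERVICE
    if "malware" in t and "quarantined" not in t:
        return Category.MALICIOUS_CODE
    if "policy_violation" in t:
        return Category.IMPROPER_USAGE
    if "scan" in t and not ({"compromise", "service_impaired"} & t):
        return Category.SCANS_PROBES
    return Category.INVESTIGATION


class TicketSystem:
    """Keeps every event's record from first flag through to resolution."""

    def __init__(self):
        self._next_id = 1
        self.tickets = {}

    def open(self, event: Event) -> Ticket:
        ticket = Ticket(self._next_id, event, categorize(event))
        ticket.notes.append(f"opened as CAT{int(ticket.category)} from {event.source}")
        self.tickets[ticket.ticket_id] = ticket
        self._next_id += 1
        return ticket

    def reclassify(self, ticket_id: int, category: Category, reason: str) -> Ticket:
        ticket = self.tickets[ticket_id]
        ticket.notes.append(f"CAT{int(ticket.category)} -> CAT{int(category)}: {reason}")
        ticket.category = category
        return ticket

    def resolve(self, ticket_id: int, outcome: str) -> Ticket:
        ticket = self.tickets[ticket_id]
        ticket.notes.append(f"resolved: {outcome}")
        ticket.status = "resolved"
        return ticket

    def open_tickets(self) -> list:
        return [t for t in self.tickets.values() if t.status == "open"]


# Constructed sample events; the tags stand in for detector output.
SAMPLE_EVENTS = [
    Event("ids", "port sweep from one external host", frozenset({"scan"})),
    Event("edr", "dropper executed on workstation", frozenset({"malware"})),
    Event("av", "trojan detected and quarantined", frozenset({"malware", "quarantined"})),
    Event("siem", "web tier saturated, returning 503s", frozenset({"dos", "service_impaired"})),
    Event("siem", "SYN flood attempt, no impact seen", frozenset({"dos"})),
    Event("iam", "admin share opened from unknown device", frozenset({"unauthorized_access"})),
    Event("proxy", "source code uploaded to file-sharing site", frozenset({"policy_violation"})),
    Event("ids", "scan during scheduled exercise", frozenset({"scan"}), exercise=True),
]


def triage_all(events=SAMPLE_EVENTS) -> dict:
    """Open a ticket per event and return {ticket_id: category}."""
    system = TicketSystem()
    for event in events:
        system.open(event)
    return {tid: t.category for tid, t in system.tickets.items()}


def demo_lifecycle() -> dict:
    """Walk the sample events through open, reclassify and resolve."""
    system = TicketSystem()
    for event in SAMPLE_EVENTS:
        system.open(event)
    # Investigation of the CAT6 flood attempt found real impact: upgrade it.
    system.reclassify(5, Category.DENIAL_OF_SERVICE, "latency SLO breached during flood")
    system.resolve(3, "quarantine verified, no execution observed")
    return {"open": len(system.open_tickets()),
            "ticket5": system.tickets[5].category,
            "ticket3": system.tickets[3].status}


if __name__ == "__main__":
    for tid, cat in triage_all().items():
        print(tid, f"CAT{int(cat)}", SAMPLE_EVENTS[tid - 1].summary)
    print(demo_lifecycle())
```

Two design choices are worth noting. The quarantined-malware event does not become Category 3, because the lesson ties that category to malware the antivirus did not quarantine; it lands in Category 6 so an analyst confirms nothing executed before the ticket is closed. And a denial-of-service attempt with no observed impact also starts at Category 6, because Category 2 requires that the attack successfully impaired service; the lifecycle demo shows the reclassification once investigation establishes impact, with the reason recorded in the ticket notes.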
