CERT-CSIH Domain #4: Respond
“Respond” is the name of the fourth domain of the CERT-CSIH certification exam. This domain accounts for 40% of the exam, by far the largest share of any domain. As the name implies, the Respond phase begins as soon as the Triage and Analysis phase, the third domain of the CERT-CSIH exam, is completed. A Computer Security Incident Response Team (CSIRT) plays a pivotal role during the Respond phase.
The purpose of this domain is to help candidates learn how to respond to cybersecurity incidents. Cybersecurity incidents and threats such as Advanced Persistent Threats (APTs) have become the norm of the day. Former U.S. President Barack Obama once declared that cybersecurity threats are “one of the most serious economic and national security challenges we face as a nation … Protecting America’s digital infrastructure is going to remain a top national security priority.”
The following sections comprehensively describe the fourth CERT-CSIH domain. You need to grasp these topics in order to take and pass the exam with an elite score.
What Topics Are Covered in This Domain?
This domain covers the following topics:
- Develop an incident response strategy and plan to limit incident effects and to repair incident damage
- Perform real-time incident response tasks (e.g., direct system remediation) to support deployable incident response teams
- Determine the risk of continuing operations
- Change passwords
- Improve defenses
- Remove the cause of the incident
- Validate the system
- Identify relevant stakeholders that need to be contacted or that may have a vested interest or vital role in communications about an organizational incident
- Identify the appropriate communications protocols and channels (media and message) for each type of stakeholder
- Coordinate, integrate and lead team responses with other internal groups (e.g., IT, management, compliance, legal, human resources), according to applicable policies and procedures
- Provide notification service to other constituents (e.g., write and publish guidance or reports on incident findings) to enable constituents to protect their assets and/or detect similar incidents
- Report and coordinate incidents with appropriate external organizations or groups in accordance with organizational guidelines, policies and procedures
- Serve as technical experts and liaisons to law enforcement personnel (e.g., to explain incident details, provide testimony)
- Track and document incidents from initial detection through final resolution
- Assign and label data/information according to the appropriate class or category of sensitivity
- Collect and retain information on all events/incidents in support of future analytical efforts and situational awareness
- Enter information (shift change transitions, the current state of activity) into an operations log or record of daily operational activity
Incident Response Strategy
Organizations that consider themselves fully prepared for cybersecurity threats often get a nasty surprise when a sophisticated attack compromises their network. Since security incidents are now prevalent, organizations of every kind, including corporations, governments and international bodies such as the World Economic Forum or the United Nations, must develop an effective, fast, comprehensive, systematic and structured incident response strategy to limit the damage that cybersecurity incidents cause.
According to the CREST Cyber Security Incident Response Guide, the incident response phase involves the following four steps:
- Identify the Cybersecurity Incident
- Define Objectives and Investigate Situation
- Take Appropriate Actions
- Recover Data, Systems and Connectivity
You can also read InfoSec Institute’s article describing 9 Tips for Improving Your Incident Response Strategy.
Conduct Real-Time Incident Response Tasks
Conducting real-time incident response tasks such as direct system remediation, incident handling, recovery, investigation and communication is necessary to support a deployable CSIRT. To minimize the impact of an incident, the CSIRT should work collaboratively with other practitioners, including system and network administrators, database administrators, trainers and top management. This collaboration is what makes real-time incident response tasks possible.
Just putting an end to an intrusion is not sufficient. Instead, the affected systems should be isolated immediately, and data recovery and countermeasures should follow quickly. Business continuity should be ensured by keeping the communication open with consumers and the general public, as well as ensuring the provision of services.
Determine the Risks of Continuing Operations
The incident may not compromise the entire IT infrastructure of your organization; many systems, network devices and mobile devices may still be working normally. If the CSIRT does not act in a timely manner, however, the attackers may spread through the entire IT environment. To address this risk, the analysts immediately isolate the affected system(s) from the systems that continue to operate. The affected devices should also be disconnected from the Internet to cut the connectivity between your corporate network and the intruders.
Change Passwords
The CSIRT should harden all passwords and change all user and administrative access credentials to prevent threat actors from doing further damage to your business. The new passwords must be strong enough to withstand brute-force and dictionary attacks. Charlotte Empey, the consumer security advocate for Avast, provides the following recommendations for a strong password:
- Avoid obvious passwords such as password, abcd1234, 123456, 111111 or 000000.
- The password should consist of at least 15 characters.
- Always use a mix of character types: uppercase and lowercase letters, symbols and numbers.
- Stay away from common substitutions, such as using DOOR8377 for DOORBELL.
- Avoid memorable keyboard paths. For example, “qwerty” is simply the first six keys of the top letter row.
- Avast also suggests a passphrase method that combines several words with a twist, such as uncommon and bizarre words. Use historical figures, names of local businesses, proper nouns or words from different languages.
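The following is an added example, not code from the article or from Avast, that turns these recommendations into a password-policy checker: it flags obvious passwords, short passwords, low character variety, common words written with leet-style substitutions (the DOOR8377 case above), and keyboard-row paths. The word list, the substitution table and the three-of-four character-class threshold are assumptions made for the example.

```python
import re
import string

# Constructed stand-in for a breached-password / common-word list (example data).
OBVIOUS = {"password", "abcd1234", "123456", "111111", "000000"}
COMMON_WORDS = ["password", "doorbell", "welcome", "letmein", "admin", "secret"]
# Letter -> characters commonly swapped in for it (DOOR8377 for DOORBELL).
# 7->L mirrors the article's example; the other entries are usual leet forms.
SUBSTITUTIONS = {
    "a": "a4@", "b": "b8", "e": "e3", "g": "g9", "i": "i1!",
    "l": "l17", "o": "o0", "s": "s5$", "t": "t7", "z": "z2",
}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 15
MIN_CLASSES = 3  # assumption: 3 of the 4 classes (upper, lower, digit, symbol)

def _word_pattern(word):
    """Regex matching `word` written with any mix of its substitutions."""
    return re.compile("".join("[" + re.escape(SUBSTITUTIONS.get(c, c)) + "]"
                              for c in word), re.IGNORECASE)

WORD_PATTERNS = {w: _word_pattern(w) for w in COMMON_WORDS}

def keyboard_paths(pw, window=4):
    """Keyboard-row runs of `window` keys (either direction) found in pw."""
    low, hits = pw.lower(), []
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - window + 1):
                run = seq[i:i + window]
                if run in low and run not in hits:
                    hits.append(run)
    return hits

def check_password(pw):
    """Return the rules a candidate password violates; [] means it passes."""
    problems = []
    if pw.lower() in OBVIOUS:
        problems.append("obvious")
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    if sum(any(c in cls for c in pw) for cls in classes) < MIN_CLASSES:
        problems.append("low_variety")
    for word, pat in WORD_PATTERNS.items():  # plain or leet-substituted form
        if pat.search(pw):
            problems.append("common_word:" + word)
    problems += ["keyboard_path:" + run for run in keyboard_paths(pw)]
    return problems
```

In a real deployment the small word list would be replaced by a breached-password list, which is what the "common substitutions" rule is really guarding against.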
Remove the Cause of the Incident
The CREST Cyber Security Research Report found that the attack vectors of most concern were:
- Authorized third parties (e.g., business partners, suppliers and customers)
- Personal devices (e.g., mobile devices or tablets)
- Downloaded material from the Internet
- Misconfigured systems
- Poorly-designed Web applications
If any of these, or any other vulnerability, is detected, the organization should take proactive measures to eliminate it in order to prevent future incidents.
Identify Relevant Stakeholders
You need to identify the relevant stakeholders such as business partners, outsourcers, suppliers, attorneys and so forth. They may have vested interests in your business and their assistance can be required. For example, your attorney will deal with the litigation issues associated with the incident.
Report to Relevant Stakeholders
After handling the incident successfully, you need to inform both internal and external stakeholders. Start by answering the following questions:
- What reporting requirements must I meet?
- Whom do I report to?
- What do I report and in what format?
- What are the objectives of reporting?
Once you answer these questions, the actual reporting will include the following content:
- A complete description of the incident, including its history, source and purpose, as well as the actions taken to recover from it
- A realistic estimate of the financial cost of the incident and of any other impact on the business, for example reputational damage and penalties
- Recommendations for the additional controls needed to detect, prevent and remediate incidents more reliably
In addition, voluntary reporting to certain key stakeholders can also be helpful. These may include law enforcement agencies, CERTs (Computer Emergency Response Teams), media outlets, regulatory bodies and international organizations such as INTERPOL that also deal with cybercrime.
According to the CREST Cyber Security Incident Response Guide, many businesses don’t know the benefits of reporting. Large organizations avoid reporting in order to prevent reputational damage. The report suggests that cybersecurity incidents must be reported, and more work needs to be done in this regard.
Tracking and Documenting the Incident
Track and document everything from initial detection to final resolution. For example: how did you prepare for the incident, how did you identify it, how did you contain it, what investigation method did you use, how did you apply recovery strategies and what follow-up plan did you create?
Collect and Retain Information
In addition to the documentation process, you also need to communicate with all stakeholders and build a lessons-learned archive. Communication with stakeholders should be concise, clear and focused on resolving the problem. Collecting and retaining this information helps you to identify previous mistakes, incidents and experiences. Based on the collected information, the analysts should create an action plan to become more resilient against future cyber-incidents.
InfoSec Institute Boot Camp for CERT-CSIH
InfoSec Institute offers an Incident Response and Network Forensics Training Boot Camp that helps you to pass the CERT-CSIH certification with an elite score. If you want to know more about the CERT-CSIH certification exam, the InfoSec Institute’s resources page recommends that you read CERT-Certified Computer Security Incident Handler (CSIH).
- Remarks by the President at the National Cybersecurity Communications Integration Center, The White House
- CERT-Certified Computer Security Incident Handler Qualification Examination, Software Engineering Institute
- CREST Cyber Security Incident Response Guide, CREST
- How to create a strong password, Avast