CySA+ domain #11: Incident recovery and post-incident response process
Incident Recovery and Post-Incident Response Process is a subdomain under CySA+ certification objective 3.0: Cyber Incident Response. Before diving into the last step of the incident response process, we need to take a short look at the previous steps, which were covered in earlier subdomains.
Previously, we have learned how security analysts or a Computer Security Incident Response Team (CSIRT) analyze threat data and behavior to determine the impact of an incident (subdomain 3.1), how they prepare a toolkit and use appropriate forensic tools during an investigation (subdomain 3.2), the importance of communication during the incident response process (subdomain 3.3) and how a CSIRT team analyzes common symptoms to select the best course of action to support incident response (subdomain 3.4).
Finally, in this article, we will cover incident recovery and post-incident response processes, including containment techniques, eradication techniques, validation, corrective actions and incident summary reports. Let’s take a look.
What do I need to know about containment techniques?
Incident containment techniques help CSIRT teams to minimize and prevent further damage and restore normal business operations as soon as possible. Preventing the destruction of forensic evidence is also indispensable, as it may be required to bring the perpetrators to justice. Below are some containment techniques that are covered in the CySA+ exam.
Segmentation is the act of separating groups of systems, applications and networks from one another so that a compromise in one group cannot spread freely to the others. If you have a breach on one part of the network, network segmentation lets you contain that breach and make sure it doesn’t affect the other parts of the network, because intruders don’t get access to the segmented areas.
Network segments are often referred to as IP ranges, security groups, subnets or network zones. Network zones can be created by business units, locations or operational sensitivity. Network analysts use access controls to configure permissible services among different zones.
A blacklist approach can also be used to block known vulnerable or risky services. However, access control lists (ACLs) go further: they encode policies that allow legitimate traffic and block all unwanted access to an organization’s critical systems and services. A network security policy can also be enforced through access control lists.
Network segmentation is a security best practice. That’s why it finds its way into many compliance regulations, including HIPAA, FISMA and PCI-DSS. Security assessment tools from both NIST and FFIEC also recommend network segmentation as a mature security control.
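The difference between a blacklist and a default-deny access control list between zones, and what isolation does to the rule set, is easier to see in code. The following is an added example written for this article, not code from the CySA+ material or any vendor; the zone names, services, rules and sample flows are all constructed for illustration.

```python
# Added example (not from the article): a toy model of inter-zone access
# control that contrasts a default-deny allowlist with a blacklist, and shows
# isolating a compromised zone by dropping every rule that touches it.
# All zone names, services and rules here are constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

Service = Tuple[str, int]          # (protocol, port)
Flow = Tuple[str, str, Service]    # (source zone, destination zone, service)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: Service


# Allowlist: only these inter-zone flows are permitted; anything else is denied.
ALLOWLIST: Set[Rule] = {
    Rule("user-lan", "dmz", ("tcp", 443)),
    Rule("dmz", "db-zone", ("tcp", 5432)),
    Rule("mgmt", "db-zone", ("tcp", 22)),
}

# Blacklist: only these inter-zone flows are denied; anything else is permitted.
BLACKLIST: Set[Rule] = {
    Rule("user-lan", "db-zone", ("tcp", 5432)),
    Rule("user-lan", "db-zone", ("tcp", 22)),
}


def allowlist_permits(flow: Flow, rules: Set[Rule] = ALLOWLIST) -> bool:
    """Default deny: a flow passes only if an explicit rule allows it."""
    src, dst, service = flow
    if src == dst:
        return True  # intra-zone traffic never crosses the zone boundary
    return Rule(src, dst, service) in rules


def blacklist_permits(flow: Flow, rules: Set[Rule] = BLACKLIST) -> bool:
    """Default allow: a flow passes unless an explicit rule blocks it."""
    src, dst, service = flow
    if src == dst:
        return True
    return Rule(src, dst, service) not in rules


def containment_gaps(flows: Iterable[Flow]) -> List[Flow]:
    """Flows the blacklist lets through that the allowlist would stop."""
    return [f for f in flows if blacklist_permits(f) and not allowlist_permits(f)]


def isolate_zone(rules: Set[Rule], zone: str) -> Set[Rule]:
    """Isolation step: drop every rule that lets traffic into or out of `zone`."""
    return {r for r in rules if zone not in (r.src, r.dst)}


# Constructed sample of observed flows, e.g. from flow logs during triage.
SAMPLE_FLOWS: List[Flow] = [
    ("user-lan", "dmz", ("tcp", 443)),
    ("user-lan", "db-zone", ("tcp", 5432)),
    ("user-lan", "db-zone", ("tcp", 3389)),   # RDP: not on the blacklist
    ("dmz", "db-zone", ("tcp", 5432)),
]

if __name__ == "__main__":
    for f in containment_gaps(SAMPLE_FLOWS):
        print("blacklist misses:", f)
    print("rules left after isolating dmz:", isolate_zone(ALLOWLIST, "dmz"))
```

The RDP flow from the user LAN to the database zone is the point of the example: nobody thought to blacklist it, so the blacklist passes it, while the allowlist denies it by default. Isolating the DMZ is then a matter of removing the two rules that mention it, which is what an analyst does on the real zone firewall when a segment is known to be compromised.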
Mere segmentation is not enough to foil attackers as it only limits access to the remainder of the network. Therefore, isolation is used to completely cut off an attacker from the secured area of the network. During this operation, compromised systems are either disconnected or disabled until the incident is resolved.
Isolation contains two primary techniques: isolating the attacker and isolating affected systems.
One of the strongest containment techniques in the incident response toolkit is the removal of compromised systems. The removal technique differs from segmentation and isolation in that compromised systems are completely disconnected from other networks, though they are still able to communicate with other affected systems.
Technically, reverse-engineering (RE) is not a containment technique. However, it can help contain an incident if the information gathered during this process helps identify other affected hosts.
Reverse-engineering is generally employed to work backward from a finished product to understand how it works. In the context of incident response, RE relates to malware exclusively. For example, the malware’s binary code can be analyzed to find IP addresses of the host/domain names it utilizes for Command and Control (C2).
RE also involves a sandboxing approach that detects malicious software based on its behavior rather than its signature. Signature-based detection is used by traditional antivirus software programs, which are inefficient against modern threats developed by clever APT actors.
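The C2 indicators mentioned above are often the first thing an analyst pulls from a sample, and their value for containment comes from sweeping them across the rest of the fleet. The following is an added example written for this article, not code from the CySA+ material: it extracts printable strings from a constructed byte blob standing in for a binary, keeps only well-formed IPv4 addresses and domain names, and then matches those indicators against constructed proxy log lines to find other hosts that talked to the same infrastructure. The blob, the log lines and the `example-c2.test` names are all made up.

```python
# Added example (not from the article): pull network indicators out of a
# binary with a strings(1)-style scan, then look for them in proxy logs to
# find other affected hosts. The sample bytes and log lines are constructed.
import ipaddress
import re
from typing import Dict, List, Set

# Constructed stand-in for a malware sample: junk bytes with embedded strings.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"http://updates.example-c2.test/gate.php\x00"
    + b"\x90\x90\xcc\xff"
    + b"203.0.113.45\x00"
    + b"999.1.1.1\x00"                       # malformed IPv4, must be rejected
    + b"GetProcAddress\x00kernel32.dll\x00"  # file name, not a domain
    + b"\x01\x02" + b"backup.example-c2.test:8443\x00"
    + b"1.2.3\x00"
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")          # runs of >= 4 printable bytes
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
FILE_EXTENSIONS = {"dll", "exe", "php", "sys", "dat", "bin"}  # common false positives


def extract_strings(blob: bytes) -> List[str]:
    """Printable ASCII runs, the same idea as the strings(1) utility."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def extract_indicators(blob: bytes) -> Dict[str, List[str]]:
    """Return validated IPv4 addresses and domain names found in `blob`."""
    ips: Set[str] = set()
    domains: Set[str] = set()
    for s in extract_strings(blob):
        for cand in IPV4.findall(s):
            try:
                ipaddress.IPv4Address(cand)  # rejects octets > 255
            except ValueError:
                continue
            ips.add(cand)
        for cand in DOMAIN.findall(s):
            if cand.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
                domains.add(cand.lower())
    return {"ips": sorted(ips), "domains": sorted(domains)}


# Constructed proxy log lines: "<time> host=<name> dst=<dest:port> action=<a>".
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:02:11Z host=ws-017 dst=updates.example-c2.test:80 action=allow",
    "2024-05-01T10:02:40Z host=ws-042 dst=203.0.113.45:443 action=allow",
    "2024-05-01T10:03:05Z host=ws-009 dst=www.example.org:443 action=allow",
]


def affected_hosts(indicators: Dict[str, List[str]], log_lines: List[str]) -> Dict[str, Set[str]]:
    """Map each host that contacted an indicator to the indicators it hit."""
    iocs = set(indicators["ips"]) | set(indicators["domains"])
    hits: Dict[str, Set[str]] = {}
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        dest = fields["dst"].rsplit(":", 1)[0].lower()
        if dest in iocs:
            hits.setdefault(fields["host"], set()).add(dest)
    return hits


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_BINARY)
    print("indicators:", found)
    print("hosts to pull into scope:", affected_hosts(found, SAMPLE_PROXY_LOG))
```

The validation steps matter in practice: a naive regex would report `999.1.1.1` as an address and `kernel32.dll` as a domain, and both would generate noise or, worse, a block rule against a legitimate name. The `affected_hosts` sweep is the containment payoff: two workstations that were not on the original incident ticket now need to be segmented or isolated as well.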
What are eradication techniques?
Once the containment techniques are completed, the CSIRT team will move on to the eradication phase. This phase aims to remove the artifacts of the incident: for instance, sanitizing exploited media, securing compromised accounts and removing malicious code from the network. The CySA+ exam covers the following eradication techniques.
Sanitization is the process of irreversibly removing data from media to ensure that recovery of information is impossible and that the objectives of information security are not compromised. NIST Special Publication 800-88 Revision 1 provides three sanitization models that include Clear, Purge and Destroy.
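Of the three SP 800-88 methods, Clear is the one that can be shown at file level in a few lines. The following is an added example written for this article, not code from NIST or the CySA+ material: it overwrites a file in place with random bytes and then zeros, forces each pass to disk, checks that the original content is no longer readable through the file system, and only then unlinks the file. It assumes a filesystem where an in-place overwrite actually reaches the underlying blocks; on SSDs and on copy-on-write or journaling filesystems that is not guaranteed, which is exactly why 800-88 reserves Purge (device-level sanitize or cryptographic erase) and Destroy for media that leaves the organization's control.

```python
# Added example (not from the article): a file-level demonstration of the
# NIST SP 800-88 "Clear" idea, overwriting content in place before deletion
# and checking the original bytes are gone. Assumes the filesystem writes in
# place; on SSD/CoW/journaled storage use device-level Purge or Destroy.
import os
import secrets
import tempfile
from typing import Dict


def overwrite_in_place(path: str, passes: int = 1, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of `path` with random data `passes` times, then
    with zeros, fsync'ing after each pass. Returns the file size."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        patterns = [None] * passes + [b"\x00"]  # None means fresh random bytes
        for pattern in patterns:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def file_contains(path: str, marker: bytes) -> bool:
    """True if `marker` still appears anywhere in the file's bytes."""
    with open(path, "rb") as f:
        return marker in f.read()


def clear_and_verify(marker: bytes = b"CONSTRUCTED-SECRET-TOKEN") -> Dict[str, object]:
    """Create a temp file holding `marker`, sanitize it, and report each step."""
    fd, path = tempfile.mkstemp(prefix="sanitize-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"header\n" + marker + b"\n" + secrets.token_bytes(4096))
    result: Dict[str, object] = {"present_before": file_contains(path, marker)}
    result["bytes_overwritten"] = overwrite_in_place(path, passes=1)
    result["present_after"] = file_contains(path, marker)
    os.remove(path)  # unlink only after the content has been overwritten
    result["exists_after"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(clear_and_verify())
```

The order is deliberate: deleting first and overwriting later is not an option, because an unlinked file's blocks are simply returned to the free pool with their content intact. The verification read is also the weakest part of the demonstration, since it only proves what the file system returns, not what the flash controller or a journal still holds; treat a file-level Clear as adequate for reuse inside the organization, not as a substitute for Purge or Destroy.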
Today’s attacks are very sophisticated, and threat actors may compromise systems through web application attacks, malware or other means. The compromised system must be considered completely untrustworthy, as the attacker may still have undetected control of it.
Therefore, it is unwise to merely address the security issues on the infected system and then move on. Instead, the security professionals should reconstruct the exploited system, either by using an image/backup from a known secure state or rebuilding it from scratch.
During the incident, you may need to dispose of specific media. Secure disposal is the act of destroying media through shredding, incineration or hard drive destruction so that hostile actors cannot attempt recovery. Disposed items must not be recoverable from the scrap, and they must be disposed of securely so that malicious actors are not able to physically access them.
What validation techniques are included in CySA+?
Knowing whether the recovery measures succeeded is essential before ending recovery operations. To this end, the CSIRT team spends some time validating them through the following four activities:
It is vital to verify that the compromised systems have been hardened and patched in response to the recent cyberattack. In addition, ensuring their protection against future attacks is also indispensable.
Excessive permissions that violate the Principle of Least Privilege (PoLP) should not be granted to any account or user. Only the minimum essential rights should be delegated to a user that requests access to a resource or service for a specific time required to complete a task. Incident responders must verify that the PoLP is not being violated. The PoLP is also defined in the NIST SP 800-179 guidelines.
Vulnerability scanning is the process of proactively finding systems’ security vulnerabilities to verify if a system can be exploited in future attacks. Therefore, incident responders should perform vulnerability scanning to ensure the protection of all systems.
Verify logging/communication to security monitoring
To verify that all systems and applications are logging properly, they should be configured in accordance with the logging policy of the organization.
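Two of the four validation activities, the least-privilege review and the logging check, reduce to comparisons that can be automated rather than eyeballed. The following is an added example written for this article, not code from the CySA+ material: it flags account rights that fall outside a role baseline unless a time-boxed grant still covers them, and lists log sources that the collector has not heard from within an expected interval. The role baseline, account inventory and "last event received" table are constructed; a real run would pull them from the directory service and the log collector.

```python
# Added example (not from the article): two of the validation checks above,
# the least-privilege review and the logging check, run over constructed data.
# The role baseline, account inventory and SIEM "last event" table are all
# made up for illustration.
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Minimum rights each role needs (constructed baseline).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "developer": {"repo:read", "repo:write", "ci:trigger"},
    "dba": {"db:read", "db:write", "db:admin"},
    "helpdesk": {"user:reset-password", "ticket:write"},
}

# Account inventory after recovery (constructed). "temporary" records rights
# granted for a fixed window during the incident and when they must expire.
ACCOUNTS: List[dict] = [
    {"user": "alice", "role": "developer",
     "rights": {"repo:read", "repo:write", "ci:trigger"}, "temporary": {}},
    {"user": "bob", "role": "helpdesk",
     "rights": {"user:reset-password", "ticket:write", "db:admin"}, "temporary": {}},
    {"user": "carol", "role": "dba",
     "rights": {"db:read", "db:write", "db:admin", "host:root"},
     "temporary": {"host:root": "2024-05-02T00:00:00+00:00"}},
]


def least_privilege_findings(accounts: List[dict], baseline: Dict[str, Set[str]],
                             now: datetime) -> List[Tuple[str, str, str]]:
    """Flag rights outside the role baseline unless an unexpired temporary
    grant covers them. Returns (user, right, reason) tuples."""
    findings = []
    for acct in accounts:
        allowed = baseline[acct["role"]]
        for right in sorted(acct["rights"] - allowed):
            expiry = acct["temporary"].get(right)
            if expiry is None:
                findings.append((acct["user"], right, "not in role baseline"))
            elif datetime.fromisoformat(expiry) <= now:
                findings.append((acct["user"], right, "temporary grant expired"))
    return findings


# Timestamp of the last event the collector received from each host (constructed).
LAST_EVENT: Dict[str, str] = {
    "web-01": "2024-05-03T11:58:00+00:00",
    "db-01": "2024-05-03T11:59:30+00:00",
    "web-02": "2024-05-03T06:00:00+00:00",   # went quiet hours ago
}
EXPECTED_SOURCES: Set[str] = {"web-01", "web-02", "db-01", "app-01"}  # app-01 never reported


def silent_log_sources(expected: Set[str], last_event: Dict[str, str], now: datetime,
                       max_gap: timedelta = timedelta(minutes=15)) -> Dict[str, str]:
    """Hosts that should be logging but have not reported within `max_gap`."""
    silent: Dict[str, str] = {}
    for host in sorted(expected):
        ts = last_event.get(host)
        if ts is None:
            silent[host] = "no events received"
        elif now - datetime.fromisoformat(ts) > max_gap:
            silent[host] = f"last event at {ts}"
    return silent


def run_validation(now_iso: str) -> Dict[str, object]:
    """Run both checks against the constructed data as of `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    return {
        "least_privilege": least_privilege_findings(ACCOUNTS, ROLE_BASELINE, now),
        "silent": silent_log_sources(EXPECTED_SOURCES, LAST_EVENT, now),
    }


if __name__ == "__main__":
    for key, value in run_validation("2024-05-03T12:00:00+00:00").items():
        print(key, value)
```

Two details are worth copying into a real checklist. Temporary grants made during the incident are compared against an expiry, so a responder's emergency root access shows up as a finding the day after it should have been revoked rather than silently becoming permanent. And the logging check starts from the list of hosts that are expected to report, not from the hosts that happen to appear in the collector, which is the only way to notice a source that stopped talking entirely.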
What corrective actions are part of the post-incident response process?
Though the completion of containment, eradication and recovery techniques provides a big relief to CSIRT teams, post-incident activities are yet to be completed and need immediate attention. These activities include preparing the lessons learned report, the change control process and updating the incident response plan.
Lessons learned report
During incident response, the CSIRT team may discover deficiencies in the incident response process. The lessons learned report documents all these deficiencies and other vital information regarding the response.
Change control process
The change control process ensures that any change or modification to the existing IT environment is handled efficiently and smoothly. For example, incident responders may need to modify software, drivers or even the operating system; these changes are necessary for containing the incident but may disrupt the normal operation of services, so they should go through change control.
Update incident response plan
Based on the lessons learned report, incident response analysts should update the incident response plan to make it more effective in the face of future cybersecurity incidents.
Creating the incident summary report
Creating the incident summary report keeps a record of the incident that is invaluable when establishing new security controls, training new CSIRT team members and knowing which legal actions were taken during previous incident(s). The report should incorporate such important elements as the root causes of the incident, the collected evidence, the specific actions taken to contain, eradicate and recover from the incident, the impact of the incident, the results of incident response efforts and the issues identified in the lessons learned report.
The incident summary report must be kept in a secure place, and old reports should be destroyed when their retention period has expired.
The final word (conclusion)
Incident recovery and post-incident response process is the critical phase of the cyber-incident response plan. This phase encompasses containment techniques, eradication techniques, validation efforts, corrective actions and finally, creating the incident summary report. The CySA+ candidates should grasp all these topics to pass the CySA+ exam with an elite score.
Sources
- Mike Chapple and David Seidl, “CompTIA CySA+ Study Guide: Exam CS0-001,” Sybex, 2017
- “Part 4 – Incident Containment,” InfoSec Nirvana
- “Network Segmentation: Breach Containment & Need to Know Info,” Rapid7
- “The Security Benefits of Network Segmentation,” Sage Data Security
- “Network Segmentation: Secure Your Network and Enable Attack Containment,” Security Boulevard
- “CySA+ Chapter 7: The Incident Response Process,” Quizlet
- “NIST Drafting Guide on Media Sanitization,” Bank Info Security
- “Least Privilege,” CISA Cyber + Infrastructure
- “Principle of Least Privilege,” NIST
- “What is a change control process and how does it relate to disaster recovery?” TechTarget Network