Join Malcolm Shore for an in-depth discussion in this video Managing incident response, part of Cybersecurity Foundations.
- With the level of resources being invested in both cybercrime and state-sponsored malware, it's inevitable that an attack will eventually penetrate even the most careful organization. When that happens, the difference between inconvenience and disaster will be how well prepared the organization is to respond to the incident. The NIST Cybersecurity Framework provides a set of control objectives in the functional area Respond.
This consists of five categories: Planning, Communicate, Analysis, Mitigation, and Improvements. The Framework also includes a Recovery function, which augments three of the Respond categories. This aligns closely with the four-stage incident handling process defined in the NIST special publication SP800-61, Incident Handling Guide. Communication occurs throughout these four stages and is not shown as a separate stage.
The Cybersecurity Framework and SP800-61 also align fairly well with the three-stage model published by CREST UK, with its model of Prepare, Respond, and Follow Up. Whatever the model, the key aspect of incident management is information sharing. This includes threat intelligence in the preparation stage and operational response matters during an incident. NIST established the Forum of Incident Response and Security Teams in 1990.
And this continues today as an active forum helping support the industry, government, and vendor communities. FIRST runs workshops and conferences to foster cooperation and coordination in incident prevention, to stimulate rapid reaction to incidents, and to provide a place where subject matter experts can meet to share information. The community of computer incident response teams, or CERTs, operates at national level to protect the government and the critical infrastructure, and to provide community advice on cybersecurity matters.
The US-CERT, for example, is a 24-hour operational arm of the Department of Homeland Security's National Cybersecurity and Communications Integration Center. Through its 24 by 7 operations center, US-CERT accepts, triages, and collaborates on incidents, provides technical assistance, and disseminates notifications of current and potential security issues. It's useful to have a common language when talking about types of incidents, and to have a set of generic templates which are fit for purpose for each.
US-CERT defines seven categories of incidents. Category 0 covers incidents that are part of cyber exercises for testing the network defenses. Category 1 incidents are those where an individual gains logical or physical access without permission to a network, system, application, data, or other resource. Category 2 incidents are Denial of Service events, where the attack successfully prevents or impairs the normal authorized functionality of a network, system, or application by exhausting resources.
Category 3 covers the successful installation of malicious software not quarantined by anti-virus software. Category 4 incidents are those involving a breach of acceptable use. Category 5 incidents are Scans and Probes of a system looking for open ports, protocols, or services, which don't directly result in a compromise or denial of service. Category 6 is for incidents involving unconfirmed but potentially malicious activity which justifies further investigation.
By the end of this course, you'll have a greater understanding of the threats that affect private, corporate, and government networks, and the knowledge to prevent attacks and defeat them.