Event
Any observable occurrence in a system or network. (A user accessing a file stored on a server)
Security Event
Any observable occurrence that relates to a security function. (An administrator changing permissions on a shared folder)
Adverse Event
Any event that has negative consequences. (A server crash)
Security Incident
A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. (The launch of a denial-of-service attack against a website)
Preparation Phase
The phase where the organization builds policy, procedures, training, and resources for the response team before an incident occurs. (Assembling the hardware and software required to conduct an incident investigation)
Detection and Analysis Phase
The phase focused on initial identification and investigation to determine if a security incident is occurring. (Interpreting log entries using a security information and event management (SIEM) system to identify a potential incident)
Containment, Eradication, and Recovery Phase (Incident Response)
The phase involving active measures to limit the damage, remove the effects of the incident, and restore normal business operations. (Isolating systems to contain the damage caused by an incident)
Post-Incident Activity Phase
The final phase where the team conducts forensic procedures, determines the root cause, and reviews the response to improve future efforts. (Conducting a lessons learned review session)
Playbook
A document describing specific, step-by-step procedures to follow in the event of a particular type of cybersecurity incident. (Procedures for responding to a web server defacement)
Root Cause Analysis
Developing a clear understanding of what led to the incident to correct deficiencies and prevent future attacks. (Determining how an attacker breached security controls in the first place)
External/Removable Media
An attack executed from removable media or a peripheral device. (Malicious code spreading onto a system from an infected USB flash drive)
Attrition
An attack that employs brute-force methods to compromise, degrade, or destroy systems. (A brute-force attack against an authentication mechanism)
Low Functional Impact
Minimal effect caused by an incident, where the organization can still provide all critical services but has lost efficiency. (A system experiences impairment but the organization maintains all critical services)
High Functional Impact
The organization is no longer able to provide some critical services to any users. (An incident causes a server crash resulting in the loss of critical services)
Extended Recoverability Effort
The time to recovery is unpredictable, requiring additional resources and outside help. (An attack requires unpredictable time to restore service and external partners are needed)
Privacy Breach
Sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, and so on was accessed or exfiltrated. (Unencrypted PII about company employees is contained on a stolen laptop)
Indicators of Attack (IoAs)
Evidence that can be identified while an attacker is currently conducting an attack.
Increases in Resource Usage
A spike in the consumption of computing resources like CPU, memory, disk space, or network bandwidth.
Suspicious File Modifications
Unauthorized or unexpected changes made to files, configuration files, or system registries. (Attackers staging data gathered from across the organization in an unexpected location, such as a new archive on a file server, before transferring it out.)
Unusual User/Account Behaviors
Actions that users, services, or systems perform that do not fit typical established patterns or profiles. (A user account connecting to 10 machines via SSH within a few seconds, indicating bot-like behavior).
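The SSH example above is the kind of indicator of attack that falls out of an auth log once a rule is written for it. The following is an added example (not part of the original study set) that runs a sliding-window rule over constructed sshd "Accepted" lines in auth.log format: it flags any account that reaches at least `threshold` distinct hosts within `window_seconds`, once per account, and ignores failed logins. The sample lines, the year used to complete syslog timestamps, and the threshold are assumptions for illustration.

```python
"""Flag SSH fan-out: one account reaching many hosts within seconds."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log-style sample (assumed data, not a real capture).
# The third field is the host that wrote the line, i.e. the SSH target.
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[4121]: Accepted publickey for deploy from 10.0.5.9 port 50122 ssh2
Mar 10 02:14:01 web02 sshd[3307]: Accepted publickey for deploy from 10.0.5.9 port 50130 ssh2
Mar 10 02:14:02 web03 sshd[2981]: Accepted publickey for deploy from 10.0.5.9 port 50138 ssh2
Mar 10 02:14:02 db01 sshd[1177]: Accepted publickey for deploy from 10.0.5.9 port 50141 ssh2
Mar 10 02:14:03 db02 sshd[1190]: Accepted publickey for deploy from 10.0.5.9 port 50149 ssh2
Mar 10 02:14:03 cache01 sshd[2210]: Accepted publickey for deploy from 10.0.5.9 port 50155 ssh2
Mar 10 02:15:10 web01 sshd[4140]: Accepted password for alice from 10.0.7.22 port 51002 ssh2
Mar 10 02:17:44 web02 sshd[3320]: Accepted password for alice from 10.0.7.22 port 51010 ssh2
Mar 10 02:19:05 db01 sshd[1185]: Failed password for alice from 10.0.7.22 port 51012 ssh2
Mar 10 02:20:31 db01 sshd[1186]: Accepted password for alice from 10.0.7.22 port 51013 ssh2
"""

# Only successful logins matter for fan-out; "Failed password" lines do not match.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line, year=2024):
    """Return (timestamp, user, target_host, source_ip) or None for non-login lines.

    Syslog timestamps carry no year, so one is assumed (2024 here).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["host"], m["src"]


def fanout_alerts(lines, window_seconds=10, threshold=5):
    """Alert once per account that logs into >= threshold distinct hosts
    inside any window of window_seconds. Lines are assumed time-ordered,
    as they are in a log file.
    """
    recent = defaultdict(deque)  # user -> deque of (timestamp, host), oldest first
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, host, src = rec
        q = recent[user]
        q.append((ts, host))
        # Drop logins that fell out of the window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= threshold and user not in alerted:
            alerted.add(user)  # one alert per account, not one per extra host
            alerts.append({
                "user": user,
                "src": src,
                "hosts": sorted(hosts),
                "at": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in fanout_alerts(SAMPLE_LOG.splitlines()):
        print(f"{a['at']} {a['user']} from {a['src']} reached {len(a['hosts'])} hosts: {a['hosts']}")
```

With the sample above, `deploy` trips the rule at 02:14:03 on its fifth host while `alice`, who reaches three hosts over six minutes, does not. In production the threshold should be tuned per account type: a configuration-management account legitimately fans out, so the rule is more useful keyed on source IP or on accounts that normally touch one or two hosts.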
Containment
The critical first activity once an incident has been confirmed, designed to limit the scope and impact of a security incident before eradication and recovery begin.
Scope of the Incident
The measure of the number of systems or individuals involved in a security incident.
Network Segmentation
A strategy that divides the network into separate segments to prevent the spread of security incidents.
Isolation
A strong containment technique in which compromised systems are moved to a separate isolation network that has no connectivity to the rest of the internal network.
Airgapped System
A system that is physically and logically isolated from all other networks.
Removal
The strongest containment technique, which involves completely disconnecting affected systems from all other networks.
Eradication
The phase of incident response that follows containment, focused on removing all remaining artifacts of the incident from the network.
Recovery
The phase of incident response focused on restoring normal operations and services while correcting security control deficiencies.
Root Cause
The underlying deficiency or mechanism that allowed the initial security attack to succeed.
Reimaging
The process of rebuilding a compromised system from scratch or restoring it from an image or backup taken from a known secure state.
Clear
Applying logical techniques, such as standard Read and Write commands, to sanitize data against simple noninvasive data recovery techniques.
Purge
Applying physical or logical techniques to make data recovery infeasible using state-of-the-art laboratory methods.
Destroy
Techniques that render data recovery infeasible using laboratory methods and result in the subsequent inability to use the media for storage.
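The difference between Clear and Purge is easiest to see in what an overwrite can and cannot reach. The following is an added example (not part of the original study set) of a Clear operation implemented with ordinary write calls: it overwrites a file's bytes in place, first with zeros and then with random data, forces the writes to disk, and lets the caller confirm the original content is gone. The pass pattern and the helper names are assumptions for illustration. Note what this does not do: it only rewrites the logical blocks the file system currently maps to the file, so SSD over-provisioned cells, wear-levelled copies, file-system snapshots and backups may still hold the data. That is exactly why overwriting satisfies Clear but not Purge.

```python
"""Clear (overwrite in place) a file using standard write calls."""
import os
import secrets
import tempfile


def clear_file(path, passes=(b"\x00", None)):
    """Overwrite every byte of the file once per pass and fsync after each.

    A pass is either a one-byte pattern or None for random bytes. Returns the
    number of bytes overwritten. The file is opened r+b so its length does not
    change and the same logical blocks are rewritten.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            if pattern is None:
                f.write(secrets.token_bytes(size))
            else:
                f.write(pattern * size)
            f.flush()
            os.fsync(f.fileno())  # push the overwrite past the OS page cache
    return size


def contains(path, needle):
    """True if the byte string still appears in the file's current contents."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo():
    """Write a constructed secret, clear the file, and report what remains."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"SECRET-PII-123")  # constructed sample content
        before = contains(path, b"SECRET")
        size = clear_file(path)
        after = contains(path, b"SECRET")
        return {"size": size, "before": before, "after": after}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())  # size stays 14; the secret is present before and absent after
```

For whole-device sanitization the equivalent of this loop is a tool that writes to every addressable sector rather than to one file; Purge on flash media needs the drive's own sanitize command or cryptographic erase, because host-side writes cannot address the cells the controller has retired or remapped.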