4.8 - CompTIA Security+

Incident response process

Preparation

  • Preparation (step one): Incident response step that concerns the establishment of guidelines/policies to ensure the organization can handle a security incident.

Detection

  • Detection (step two): Identifying potential security incidents by monitoring systems (e.g., a SIEM correlating alerts from many sources) and reviewing system logs.

Analysis

  • Analysis (step three): Evaluating whether a detected event is a genuine security incident rather than a false positive, and determining its scope and severity so the organization can prioritize its response.

Containment

  • Containment (step four): Limiting the security incident/breach to the affected systems or networks (e.g., quarantining infected machines/files).

Eradication

  • Eradication (step five): Removing the cause of the security incident from the affected systems (e.g., deleting malware, disabling compromised accounts, patching the exploited vulnerability) - stopping the security incident in progress.

Recovery

  • Recovery (step six): Restoring systems and operations to normal after a security incident - rebuilding or cleaning affected hosts, restoring data from known-good backups, and verifying that the systems are clean before returning them to production.

Lessons learned

  • Lessons learned (step seven): Reviewing how the security incident occurred and how the response went, and implementing changes to reduce the likelihood and impact of a similar security breach.

Training

  • Training: Educating staff on the actions to take during a security incident - this can have a critical impact on successful incident response outcomes.

Testing

  • Testing: Exercises that help staff develop incident response competencies and that can identify deficiencies in the procedures and tools.

Tabletop exercise

  • Tabletop exercise: The least costly type of testing. The facilitator presents a scenario, and the responders explain what actions they would take to identify, contain, and eradicate the threat; no production systems are touched. Scenario data is presented as flashcards.

Simulation

  • Simulation: A team-based exercise where one team (red team) attempts an intrusion, and another team (blue team) operates response and recovery, while a white team moderates/evaluates the exercise. Requires considerable investment and planning.

Root cause analysis

  • Root cause analysis: This process involves identifying the underlying factors that contributed to a security incident, allowing teams to develop improved strategies and mitigate future risks.

Threat hunting

  • Threat hunting: Proactively searching a network or system for IoCs (Indicators of Compromise) and attacker behaviour that automated detection has missed, to identify threats before they cause significant damage.
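The detection and threat hunting bullets above both come down to running logic over logs. The following is an added example (not from these Security+ notes) that parses a few constructed sshd-style log lines, raises a SIEM-style alert when a burst of failed logins from one source is followed by a success, and then hunts the same events for a constructed IoC list. The log lines, the threshold, the window, and the bad-IP set are all assumptions made for the example.

```python
"""Added example: detection rule and IoC hunt over constructed auth log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like sshd entries); not real data.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-05-01T10:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-05-01T10:00:05 sshd[1203]: Failed password for root from 203.0.113.7 port 51126 ssh2
2024-05-01T10:00:07 sshd[1204]: Failed password for root from 203.0.113.7 port 51128 ssh2
2024-05-01T10:00:09 sshd[1205]: Failed password for root from 203.0.113.7 port 51130 ssh2
2024-05-01T10:00:11 sshd[1206]: Accepted password for root from 203.0.113.7 port 51132 ssh2
2024-05-01T10:02:30 sshd[1207]: Failed password for alice from 192.0.2.10 port 40000 ssh2
2024-05-01T10:03:00 sshd[1208]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
2024-05-01T11:15:00 sshd[1209]: Accepted publickey for bob from 198.51.100.23 port 40002 ssh2
"""

# Constructed IoC list standing in for a threat-intel feed (assumption: IPv4 only).
KNOWN_BAD_IPS = {"198.51.100.23"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_logs(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparsed lines so gaps are visible
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Detection: alert when a source produces `threshold` or more failed logins
    inside `window` and then succeeds (likely credential compromise)."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    for e in events:
        bucket = failures[e["ip"]]
        if e["result"] == "Failed":
            bucket.append(e["ts"])
            while bucket and e["ts"] - bucket[0] > window:  # drop stale failures
                bucket.pop(0)
        elif (e["result"] == "Accepted" and len(bucket) >= threshold
              and e["ts"] - bucket[0] <= window):
            alerts.append({"ip": e["ip"], "user": e["user"],
                           "failures": len(bucket), "at": e["ts"]})
            bucket.clear()
    return alerts


def hunt_iocs(events, bad_ips):
    """Threat hunting: retroactively search parsed events for known indicators,
    regardless of whether any detection rule fired on them."""
    return [e for e in events if e["ip"] in bad_ips]


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for a in detect_bruteforce(evts):
        print("ALERT brute force then success:", a)
    for h in hunt_iocs(evts, KNOWN_BAD_IPS):
        print("IoC HIT:", h)
```

Note the split: the brute-force rule fires on 203.0.113.7, but bob's single successful key login from 198.51.100.23 never trips any threshold and is only found because the hunt matches it against the indicator list.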

Digital forensics

  • Digital forensics: Post-mortem analysis of an incident to understand how it occurred, its root cause, and to obtain evidence that may be used in legal proceedings.

Legal hold

  • Legal hold: A notice issued when litigation or an investigation is anticipated that requires electronically stored information (ESI) to be preserved, so that it is not altered, deleted, or destroyed (for example by normal retention policies) while the matter is ongoing.

Chain of custody

  • Chain of custody: Documentation that tracks who collected, handled, transferred, and stored digital evidence, and when - this demonstrates the evidence has not been tampered with and supports its admissibility in court.

Acquisition

  • Acquisition: The process of obtaining evidence during digital forensics - typically creating a bit-for-bit image of the source (using a write blocker where applicable) and hashing it so that its integrity can be proven later.

Reporting

  • Reporting: Providing documentation for the security incident, the data acquired, and the process of acquiring the relevant digital information.

Preservation

  • Preservation: Protecting data acquired during digital forensics from alteration (e.g., hashing images, working from copies, secure storage). Evidence is collected in order of volatility: more volatile data (CPU registers/cache, RAM, swap/temporary files) is captured before less volatile data (SSDs/HDDs, remote logs, network topology/physical configuration, archival media).
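Acquisition, chain of custody, and preservation above all rest on the same mechanism: hash the evidence at collection time, log every handover with the hash observed, and recompute the hash before trusting a copy. The following added example (not from these Security+ notes) shows that workflow end to end over a constructed byte string standing in for a disk image; the item IDs, analyst names, and image bytes are assumptions made for the example.

```python
"""Added example: hash-verified acquisition, chain-of-custody log, and preservation check."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed evidence: stands in for a disk or memory image read from a device.
SAMPLE_IMAGE = b"NTFS    " + bytes(range(256)) * 4  # constructed, not a real image


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    sha256: str                       # hash recorded at acquisition
    custody: list = field(default_factory=list)


def record_custody(item, person, action, hash_hex=None, when=None):
    """Chain of custody: log who did what to the item, when, and which hash they observed."""
    item.custody.append({
        "when": (when or datetime.now(timezone.utc)).isoformat(),
        "person": person,
        "action": action,
        "sha256": hash_hex if hash_hex is not None else item.sha256,
    })


def acquire(item_id, description, image_bytes, collected_by):
    """Acquisition: hash the image at collection time so any later change is detectable.
    A real acquisition would image the device through a write blocker; here the bytes are given."""
    digest = hashlib.sha256(image_bytes).hexdigest()
    item = EvidenceItem(item_id, description, digest)
    record_custody(item, collected_by, "collected", hash_hex=digest)
    return item


def verify_preserved(item, image_bytes):
    """Preservation check: recompute the hash of a copy and compare to the acquisition hash."""
    return hashlib.sha256(image_bytes).hexdigest() == item.sha256


def chain_intact(item):
    """The chain is intact only if every handler observed the same hash as at acquisition."""
    return bool(item.custody) and all(
        entry["sha256"] == item.sha256 for entry in item.custody
    )


if __name__ == "__main__":
    ev = acquire("EV-001", "laptop disk image (constructed)", SAMPLE_IMAGE, "analyst A")
    record_custody(ev, "analyst B", "received for analysis")
    print("acquisition hash:", ev.sha256)
    print("copy preserved:", verify_preserved(ev, SAMPLE_IMAGE))
    print("tampered copy preserved:", verify_preserved(ev, SAMPLE_IMAGE[:-1] + b"\x00"))
    print("chain intact:", chain_intact(ev))
```

A single flipped byte in the working copy fails verify_preserved, and a custody entry that records a different hash breaks chain_intact; both are the conditions a court or an opposing expert will probe.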

E-discovery

  • E-discovery: The process of collecting, preparing, reviewing, interpreting, and producing electronic documents.