Domain 2: Incident Response, Business Continuity and Disaster Recovery Concepts
Continuity Strategies
Incident Terminology
- While security professionals strive to protect systems from malicious attacks or human carelessness, inevitably, things go wrong. For this reason, security professionals also play the role of first responders. An understanding of incident response starts with knowing the terms used to describe various cyberattacks.
Breach
- The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for other than an authorized purpose
Event
- Any observable occurrence in a network or system. NIST SP 800-61 Rev 2
Exploit
- A particular attack. It is named this way because these attacks exploit system vulnerabilities.
Incident
- An event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
Intrusion
- A security event, or combination of events, that constitutes a deliberate security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization. IETF RFC 4949 Ver 2
Vulnerability
- Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. NIST SP 800-30 Rev 1
Threat
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. NIST SP 800-30 Rev 1
Zero Day
- A previously unknown system vulnerability with the potential of exploitation without risk of detection or prevention because it does not, in general, fit recognized patterns, signatures, or methods.
Business Continuity in the Workplace
- The business continuity plan needs to be maintained somewhere it can be accessed when it is needed. In modern organizations everything is digital and nothing is provided as a hard copy; this is as risky as storing everything inside the main company building. Some organizations keep what is called the red book, a hard copy held by an appropriate individual outside the facility, in which all the procedures are outlined for the case where, for example, a hurricane hits, the power is out, the facilities are compromised and there is no access to electronic backups. The hard-copy red book must be updated any time the electronic copy is updated so that both versions remain consistent.
Business Continuity in Action
- Imagine that the billing department of a company suffers a complete loss in a fire. The fire occurred overnight, so no personnel were in the building at the time. A Business Impact Analysis (BIA) was performed four months ago and identified the functions of the billing department as very important to the company but not immediately affecting other areas of work.
Components of a Business Continuity Plan
- Business continuity planning (BCP) is the proactive development of procedures to restore business operations after a disaster or other significant disruption to the organization.
- Members from across the organization should participate in creating the BCP to ensure all systems, processes, and operations are accounted for in the plan.
- The term business is used often, as this is mostly a business function as opposed to a technical one. However, in order to safeguard the confidentiality, integrity, and availability of information, the technology must align with the business needs.
Some common components of a comprehensive business continuity plan
- List of the BCP team members, including multiple contact methods and backup members
- Guidance for management, including designation of authority for specific managers
- Contact numbers for critical members of the supply chain (vendors, customers, possible external emergency providers, third-party partners)
- Immediate response procedures and checklists (security and safety procedures, fire suppression procedures, notification of appropriate emergency-response agencies, etc.)
The Goal of Business Continuity
- Keeping an organization's critical functions running, even if it means operating at a reduced capacity, during significant disruptions.
- Most incidents are minor, like a system simply needing a quick reboot. When a major event interrupts business for an unacceptable length of time, the organization needs to activate its business continuity plan.
- BC goes beyond immediate incident response. It encompasses planning, preparation, response, and recovery operations.
- Its core focus isn't to restore all business activities and services to their pre-disruption state. Instead, BC concentrates on the most critical products and services an organization offers, ensuring these vital areas can continue to operate, even with reduced performance, until normal business operations can resume.
- Developing a robust BC plan demands a substantial organizational commitment, both in terms of personnel and financial resources. To secure this commitment, executive management or a dedicated executive sponsor must champion the BC planning efforts.
The Importance of Business Continuity
- Sustain business operations while recovering from a significant disruption
- Communication is highlighted as a critical component of the BCP. Normal communication channels (e.g., phone lines, internet) may fail, so the plan must include multiple contact methodologies (e.g., email, radio, satellite phones) and backup contact numbers to ensure key personnel can be reached.
- A phone tree is a structured communication system where each person has a list of individuals to contact, ensuring that information cascades through the organization efficiently. If one person is unavailable, the phone tree specifies the next person to call, preventing delays in communication.
- The first step in responding to a disruption is to contact the appropriate individuals to activate the BCP. This might include key personnel, such as department heads or crisis response teams.
- The BCP must include contact numbers for external stakeholders, such as supply chain partners, law enforcement, o
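The phone-tree cascade described above, with backup members per role and the "next person to call" fallback, as an added example that is not part of the original page. The roles, the people in them and the set of people who answer are constructed for illustration; in practice the answering set would come from the actual calls being made.

```python
"""Phone-tree activation with backups and fallback.

Added example for the phone tree described above; it is not part of the
original page. Role names, people and the set of people who answer are
constructed for illustration.
"""
from collections import deque

# role -> (people who can fill the role, in call order: primary first, then
#          backups; roles that this role's holder must call next)
PHONE_TREE = {
    "bc-coordinator": (["alice", "bob"], ["ops-lead", "it-lead", "comms-lead"]),
    "ops-lead":       (["carol", "dan"], ["ops-team"]),
    "it-lead":        (["erin", "frank"], ["network", "sysadmin"]),
    "comms-lead":     (["grace"], ["pr"]),
    "ops-team":       (["heidi", "ivan"], []),
    "network":        (["judy"], []),
    "sysadmin":       (["mallory", "niaj"], []),
    "pr":             (["olivia"], []),
}


def activate(tree, start_role, answering):
    """Run the cascade from start_role.

    answering simulates who picks up the phone. Each role is filled by the
    first listed person who answers; that person then calls the role's
    downstream roles. If nobody for a role answers, the caller absorbs that
    role's downstream calls so the branch is still notified without delay,
    and the role is reported as unfilled so it can be escalated.
    Returns a dict with the role holders, the unfilled roles and the call log
    as (caller, callee, role, status) tuples.
    """
    log, holders, unfilled = [], {}, []
    pending = deque([(None, start_role)])   # (caller, role to fill)
    while pending:
        caller, role = pending.popleft()
        people, downstream = tree[role]
        holder = None
        for person in people:
            status = "answered" if person in answering else "no answer"
            log.append((caller, person, role, status))
            if status == "answered":
                holder = person
                break
        if holder is None:
            if caller is None:
                raise RuntimeError(f"nobody available to start the cascade from {start_role}")
            unfilled.append(role)
            holder = caller              # fallback: the caller keeps the branch moving
        holders[role] = holder
        for next_role in downstream:
            pending.append((holder, next_role))
    return {"holders": holders, "unfilled": unfilled, "log": log}


def everyone(tree):
    """All people named anywhere in the tree."""
    return {p for people, _ in tree.values() for p in people}


if __name__ == "__main__":
    # Constructed scenario: it-lead's primary (erin) and the only comms-lead
    # (grace) cannot be reached.
    reachable = everyone(PHONE_TREE) - {"erin", "grace"}
    result = activate(PHONE_TREE, "bc-coordinator", reachable)
    for caller, callee, role, status in result["log"]:
        print(f"{caller or 'activation':>14} -> {callee:<8} [{role}] {status}")
    print("unfilled roles:", result["unfilled"])
```

In the constructed scenario the it-lead role falls to its backup (frank), and because the comms-lead has no backup, the coordinator (alice) calls the PR contact directly; the unfilled role is returned so it can be escalated rather than silently dropped. A real drill would feed the answering set from the calls as they are made and time each hop against the plan's notification targets.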
Incident Management
The Goal of Incident Response
- Every organization must be prepared for incidents. Despite the best efforts of an organization’s management and security teams to avoid or prevent problems, it is inevitable that adverse events will happen that have the potential to affect the business mission or objectives.
Components of the Incident Response Plan
- The incident response policy should outline a detailed plan that employees follow based on their roles. This plan, reflecting the organization's vision, strategy, and mission, includes procedures, standards, technical processes, techniques, checklists, and tools for responding to incidents. It serves as a dynamic representation of the policy.
1. Preparation
- Develop a policy approved by management.
- Identify critical data and systems and any single points of failure.
- Train staff on incident response. (Straightforward)
- Implement an incident response team. (Straightforward)
- Practice incident identification (first response).
- Identify roles and responsibilities. (Straightforward)
- Plan the coordination of communication between stakeholders.
- Consider the possibility that a primary method of communication may not be available. (Straightforward)
2. Detection and Analysis
- Monitor all possible attack vectors.
- Analyze the incident using known data and threat intelligence.
- Prioritize incident response.
- Standardize incident documentation.
3. Containment, Eradication, and Recovery
- Gather evidence. (Straightforward)
- Choose an appropriate containment strategy.
- Identify the attacker. (Straightforward)
- Isolate the attack. (Straightforward)
4. Post-Incident Activity
- Identify evidence that may need to be retained.
- Document lessons learned.
- Conduct a retrospective of:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-incident Activity
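One way to make the preparation-phase item "identify critical data and systems and any single points of failure" concrete, as an added example that is not part of the original page: model the dependencies of a business function as a map, mark which dependencies are redundant, and compute which single components take the function down. The component names and the dependency map are hypothetical, constructed for illustration.

```python
"""Single-point-of-failure discovery over a service dependency map.

Added example for the preparation step "identify critical data and systems
and any single points of failure"; it is not part of the original page.
The dependency map is constructed for illustration and the component names
are hypothetical.
"""

# component -> list of requirement groups. A component is up when, for every
# group, at least one alternative in that group is up. An empty list means
# the component depends on nothing. Alternatives inside a group model
# redundancy (primary/replica, dual uplinks).
DEPENDENCIES = {
    "billing":            [{"billing-db-primary", "billing-db-replica"}, {"auth"}, {"payment-gateway"}],
    "billing-db-primary": [{"san"}],
    "billing-db-replica": [{"san"}],
    "auth":               [{"ldap"}],
    "payment-gateway":    [{"internet-link-a", "internet-link-b"}],
    "ldap":               [],
    "san":                [],
    "internet-link-a":    [],
    "internet-link-b":    [],
}


def is_up(component, failed, deps=DEPENDENCIES, _stack=frozenset()):
    """True if component still works with the given set of failed components.

    Unknown components and dependency cycles are treated as down, so a typo
    in the map shows up as a failure rather than silently passing.
    """
    if component in failed or component in _stack or component not in deps:
        return False
    stack = _stack | {component}
    return all(any(is_up(alt, failed, deps, stack) for alt in group)
               for group in deps[component])


def single_points_of_failure(function, deps=DEPENDENCIES):
    """Components whose individual failure takes the given function down."""
    return [c for c in sorted(deps)
            if c != function and not is_up(function, {c}, deps)]


def blast_radius(component, deps=DEPENDENCIES):
    """Everything that stops working if this one component fails."""
    return sorted(c for c in deps
                  if c != component and not is_up(c, {component}, deps))


if __name__ == "__main__":
    print("billing SPOFs:", single_points_of_failure("billing"))
    print("impact of losing the SAN:", blast_radius("san"))
    print("impact of losing one uplink:", blast_radius("internet-link-a"))
```

The replicated database and the dual uplinks drop out of the SPOF list, while the shared SAN underneath both database copies shows up as one, which is the kind of hidden dependency a BIA interview tends to miss. Running the same map through blast_radius for each component gives the impact side of the analysis.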
Incident Response Team
The incident response team is a group that must be properly staffed and trained to effectively handle security incidents. The structure of the team can vary based on the organization's needs:
- Leveraged: Team members may have other primary roles within the organization but are called upon during an incident.
- Dedicated: Some organizations have full-time incident response professionals solely focused on handling security incidents.
- Combination: A hybrid approach where some members are dedicated, and others are leveraged from other roles.
Role of IT Professionals as First Responders
- IT professionals are likened to first responders in a medical context. They are often the first to detect and respond to incidents because they work directly with the organization's systems.
- Just as medical first responders are trained to assess whether an injury is minor (e.g., a small cut) or major (e.g., a heart attack) and take appropriate action, IT professionals need training to differentiate between routine issues and serious security threats.
- Training equips IT staff with the skills to recognize signs of a security incident (e.g., unusual network traffic, unauthorized access attempts) and follow proper protocols for reporting and initial response.
Composition of a Typical Incident Response Team
- A typical incident response team is described as cross-functional.
- Potential team members include:
- Senior management representatives: Provide strategic oversight, make high-level decisions, and allocate resources.
- Information security professionals: Handle technical aspects of the incident, such as analyzing malware or securing systems.
- Legal representatives: Ensure compliance with laws and regulations, advise on legal implications, and manage reporting requirements.
- Public affairs/communications representatives: Manage external communication to customers, media, or stakeholders to maintain trust and transparency.
- Engineering representatives (system and network): Address technical issues related to systems or networks affected by the incident.
The response team has four primary responsibilities:
- Determine the amount and scope of damage caused by the incident
- Determine whether any confidential information was compromised during the incident
- Implement any necessary recovery procedures to restore security and recover from incident-related damage
- Supervise the implementation of any additional security measures necessary to improve security and prevent recurrence of the incident
Recovery Strategies
Components of a Disaster Recovery Plan
- Depending on the size of the organization and the number of people involved in the DRP effort, organizations often maintain multiple types of plan documents, intended for different audiences.
- Executive summary providing a high-level overview of the plan
- Department-specific plans
- Technical guides for IT personnel responsible for implementing and maintaining critical backup systems
- Full copies of the plan for critical disaster recovery team members
- Checklists for certain individuals
- Critical disaster recovery team members will have checklists to help guide their actions amid the chaotic atmosphere of a disaster.
- IT personnel will have technical guides helping them get the alternate sites up and running.
- Managers and public relations personnel will have simple-to-follow, high-level documents to help them communicate the issue accurately without requiring input from team members who are busy working on the recovery.
The Goal of Disaster Recovery
- Disaster recovery planning steps in where business continuity (BC) leaves off.
- When a disaster strikes or an interruption of business activities occurs, the disaster recovery plan (DRP) guides the actions of emergency response personnel until the end goal is reached, which is to see the business restored to full last-known reliable operations.
- Disaster recovery refers specifically to restoring the information technology and communications services and systems needed by an organization, both during the period of disruption caused by any event and during restoration of normal services.
- The recovery of a business function may be done independently of the recovery of IT and communications services; however, the recovery of IT is often crucial to the recovery and sustainment of business operations.
- Whereas business continuity planning is about maintaining critical business functions, disaster recovery planning is about restoring IT and communications back to full operations after a disruption.