CompTIA Cybersecurity Analyst (CySA+) 3.0 Cyber Incident Response 100% Solved
3.1 Given a scenario, distinguish threat data or behavior to determine the impact of an incident.

Event - Answer is any observable occurrence in a system or network.

Security Event - Answer includes any observable occurrence that relates to a security function. For example, a user accessing a file stored on a server, an administrator changing permissions on a shared folder, and an attacker conducting a port scan.

Adverse Event - Answer any event that has negative consequences. Examples include a malware infection on a system, a server crash, and a user accessing a file that he or she is not authorized to view.

Security Incident - Answer is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples include the accidental loss of sensitive information, an intrusion into a computer system by an attacker, the use of a keylogger on an executive's system to steal passwords, and the launch of a denial-of-service attack against a website. Every security incident includes one or more security events, but not every security event is a security incident.

(CSIRT) Computer Security Incident Response Teams - Answer are responsible for responding to computer security incidents that occur within an organization by following standardized response procedures and incorporating their subject matter expertise and professional judgement.

• Threat classification - Answer
- Known threats vs. unknown threats
- Zero day
- Advanced persistent threat

Known threats vs. unknown threats - Answer we covered the concepts of signature-based and anomaly-based methods of detection for intrusion detection systems. Antivirus software works in a similar way. You may recall that signature-based systems rely on prior knowledge of a threat and that these systems are only as good as the historical data companies have collected. Although this is useful for identifying threats that already exist, it doesn't do much for threats that constantly change their form, or have not been previously observed. These will slip by the systems undetected. The alternative is to use a solution that looks at what the file is doing, rather than what it looks like. This kind of system relies on heuristic analysis to observe the commands the executable invokes, the files it writes, and any attempts to conceal itself. Often, these heuristic systems will sandbox a file in a virtual operating system and allow it to perform what it was designed to do. With the way that malware is evolving, security practices are shifting to reduce the number of assumptions made when developing policy. A report that indicates that no threat is present just means that the scanning engine couldn't find a match. A clean report isn't worth much if the methods of detection aren't able to detect the newest types of threats. In other words, the absence of evidence is not evidence of absence. Vulnerabilities and threats are being discovered at a rate that outpaces what traditional detection technology can spot. Because threats still exist even if we cannot detect them, we must either evolve our detection techniques or treat the entire network as an untrusted environment. There is nothing inherently wrong about the latter; it just requires a major shift in thinking about how we design our networks.

Zero day - Answer vulnerabilities that are unknown to the security community and, as a result, are not included in security tests performed by vulnerability scanners and other tools and have no patches available to correct them.

Advanced Persistent Threat (APT) - Answer Skilled and talented attackers focused on a specific objective. They are often funded by nation-states, organized crime, or other sources with tremendous resources and are known for taking advantage of Zero Day vulnerabilities.

• Factors Contributing to Incident Severity and Prioritization - Answer
- Scope of impact
- Downtime
- Recovery time
- Data integrity
- Economic
- System process criticality

Scope of Impact - Answer the formal determination of whether an event is enough of a deviation from normal operations to be called an incident, and the degree to which services were affected. Keep in mind that some actions you perform in the course of your duties as a systems administrator might trigger security devices and appear to be an attack.

Downtime - Answer Networks exist to provide resources to those who need them, when they need them. Without a network and services that are available when they need to be, nothing can be accomplished. Every other metric in determining network performance, such as stability, throughput, scalability, and storage, requires the network to be up. The decision on whether to take a network completely offline to handle a breach is not a small one by any measure. Understanding that a complete shutdown of the network might not be possible, you should move to isolate infected systems to prevent additional damage. The priority here is to prevent additional losses and minimize impact on the organization. This is not dissimilar to operations in an emergency room: your team must work to quickly perform triage on your network to determine the extent of the damage and prevent additional harm, all while keeping the organization running. (Refers to a period of time when a system is unavailable.)

(MTD) Maximum Tolerable Downtime - Answer The longest period of time a business can be inoperable without causing the business to fail irrecoverably.

(KPI) Key Performance Indicator - Answer (a measure of achievement that can be attributed to an individual, team, or department) KPIs for detection and remediation will clear up confusion, manage expectations, and potentially allow you to demonstrate how prepared your team is should you exceed these guidelines.

RTO (Recovery Time Objective) - Answer The maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable. Oftentimes used, particularly in the context of disaster recovery, to denote the earliest time within which a business process must be restored after an incident to avoid unacceptable consequences associated with a break in business processes.

Recovery Time - Answer Time is money, and the faster you can restore your network to a safe operating condition, the better it is for the organization's bottom line. Although there may be serious financial implications for every second a network asset is offline, you should not sacrifice completeness for speed. You should keep lines of communication open with organization management to determine acceptable limits to downtime.

*Data Integrity - Answer Taking a network down isn't always the goal of a network intrusion. For malicious actors, tampering with data may do enough to disrupt operations and provide them with the outcome they were looking for. Financial transaction records, personal data, and professional correspondence are types of data that are especially susceptible to this type of attack. There are cases when attacks on data are obvious, such as those involving ransomware. In these situations, malware will encrypt data files on a system so the users cannot access them without submitting payment for the decryption keys. However, it may not always be apparent that an attack on data integrity has taken place. It might be only after a detailed inspection that you discover the unauthorized insertion, modification, or deletion of data. This illustrates why it's critical to back up data and system configurations, and keep them sufficiently segregated from the network so that they are not themselves affected by the attack. Having an easily deployable backup solution will allow for very rapid restoration of services. The authors will caution, however, that much like Schrödinger's cat, the condition of any backup is unknown until a restore is attempted. In other words, having a backup alone isn't enough. It must be verified over time to ensure that it's free from corruption and malware.

*Economic - Answer

System Process Criticality - Answer As part of your preparation, you must determine what processes are considered essential for the business's operation. These processes are associated with tasks that must be accomplished with a certain level of consistency for the business to remain competitive. Each business's list of critical processes will be different, but it's important to identify those early so that they can be the first to come back up during a recovery. The critical process lists aren't restricted to only technical assets; they should include the essential staff required to get these critical systems back online and keep them operational. It's important to educate members across the organization as to what these core processes are, how their work directly supports the goals of the processes, and how they benefit from successful operations. This is effective in getting the appropriate level of buy-in required for successfully responding to incidents and recovering from any resulting damage.

Probability - Answer the chance of a future event occurring. Criticality and probability are the primary components of risk analysis. Whereas probability describes the chance of a future event occurring, criticality is the impact of that future event. Criticality is often expressed by degree, such as high, moderate, or low. Low criticality indicates little impact to business operations, moderate indicates impaired or degraded performance, and high indicates a significant impairment of business functions.

Criticality - Answer the impact of that future event. It is often expressed by degree, such as high, moderate, or low. Low criticality indicates little impact to business operations, moderate indicates impaired or degraded performance, and high indicates a significant impairment of business functions.

Types of data - Answer
- Personally Identifiable Information (PII)
- Personal Health Information (PHI)
- Payment card information
- Intellectual property
- Corporate confidential
- Accounting data
- Mergers and acquisitions
School, study and subject
- Institution: CompTIA CySA+
- Degree: CompTIA CySA+
Document information
- Uploaded on: September 13, 2023
- Number of pages: 14
- Written in: 2023/2024
- Type: Exam
- Contains: Questions and answers