Incident response steps are specifically listed in the CIB as:
- Detection
- Response
- Reporting
- Recovery
- Remediation and Review
Once an incident is detected, the first response sohould be to limit or contain the scope fo the incident while protecting evidence. Based on governing laws, the incident may need to be reported to official authorities, and if PII is affected, individuals need to be informed. The remediation and review stage includes root cause analysis to determine the cause and recommend a solution to prevent reoccurrence.
Basic preventive measures can prevent many incidents from occurring and they are repeated often. Like keeping systems up-to-date, removing or disabling unneeded protocols and services, using antivirus software, enabling firewalls and using IDSs.
Malicious code is thwarted with a combination of tools. Updated antivirus is the primary tool on each system, at the boundary of the network and on email servers.
Don’t foget about policies enforcing basic security principles such as least privilege to prevent regular users from installing software that may be malicious. Additionally, educating users from installing software that may be malicious. Additionally educating users about the risks and the methods attackers commonly use to spread viruses, helps users understand and avoid dangerous behaviors.
A zero-day exploit is an attack that uses a vulnerability that is either unknown to anyone bu the attacker or known only to a limited group of people. On the surface, it sounds like you can’t protect against an unknown vulnerability, but basic security practices go a long way to preventing zero-day exploits. Removing or disabling unneeded protocols and services reduces the attack surface, enabling firewalls blocks many access points, and using intrusion detection systems helps detect potential attacks. Additionally, using tools such as honeypots and padded cells helps protect live networks.
DoS attacks prevent a system from responding to legitimate requests for service. A common DoS attack still used is the SYN flood attack, which disrupts the TCP three-way handshake. Even though older attacks are not as common today because basic precautions block them, you may still be tested on them because many newer attacks are often variations on older methods. Smurf attacks employ an amplification network to send numerous response packets to a victim. Ping-of-death attacks send numerous oversized ping packets to the victim, causing the victim to freeze, crash, or reboot.
Botnets represent significant threats due to the massive number of computers that can launch attacks, so it’s important to know what they are.
A botnet is a collection of compromised PCs organized in a network controlled by a criminal known as a bot herder. Bot herders use a command and control server to remotely control the zombies and often use the botnet to launch attacks on other systems or send spam or phishing emails. Bot herders also rent botnet access out to other criminals.
A man in the middle attack occurs when a malicious user is able to gain a position between the two endpoints of a communications link. While it takes a significant amount of sophistication on the part of an attacker to complete a man in the middle attack, the amount of data obtained from the attack can be significant.
Malicious insiders can perform sabotage against an organization if they become disgruntled for some reason. Espionage is when a competitor tries to steal information, and they may use an internal employee. Basic security principles and immediately disabling accounts for terminated employees limit the damage from these employees.
IDSs and IPSs are important detective and preventive measures against attacks.
Knowledge based using a database. Behavior based using a baseline to create a normal.
An IDS can respond passively by logging and sending notifications, or actively by changing the environment. Some people refer to an active IDS as an IPS, but its important to recognize that an IPS is placed in line with the traffic and includes the ability to block malicious traffic before it reaches the target.
HIDS can monitor activity on a single system only and can be discovered by attackers and disabled. NIDS can monitor activity on a network and aren’t as visible to attackers.
A honeypot is a system that often uses pseudo flaws and fake data to lure intruders. Administrators can observe the activity of attackers while they are in the honeypot, as long as attackers are in the honeypot, they are not in the live network. Some IDSs have the ability to transfer attackers into a padded cell after detection. While a honeypot and padded cell are similar, note that a honeypot lures the attacker but the attacker is transferred into the padded cell.
Penetration tests start by discovering vulnerabilities and then mimic an attack to identify what vulnerabilities can be exploited. It’s important to remember pen tests should not be done without express consent and knowledge from management.
Additionally, since pen tests can result in damage, they should be done on isolated systems whenver possible. Remember black box vs white box, vs gray box testing.
Fault tolerance is a common method used to eliminate single points of failure and increase availability. RAID protects against disk failures, failover clusters protect against server failuers, and UPS and generators protect against power failures. It’s important to remember that fault tolerance does not negate the need for backups.