Flashcards in SECOPS 13: Incident Response Plan Deck (20)
IR Plan questions (4)
What assets must be protected?
What threats do those assets face?
How are those threats detected?
How do we respond to those threats?
IR Lifecycle (7)
Preparation: get ready to handle an incident.
Detection: monitoring and hunting.
Perform analysis and determine scope.
Determine the best containment steps.
Eradication and recovery.
Lessons learned: find the root cause and clean it up (hardening, etc.).
How and why? Conduct FMEA
Failure Mode and Effects Analysis: a qualitative tool, usually kept in a spreadsheet, that documents what might go wrong and what the effect would be.
IR Team notifies appropriate individuals
Attrition attack vector
Brute-force methods used to compromise, degrade or destroy systems, networks or services. Examples: password brute force, DDoS.
Improper usage attack vector: an incident resulting from a violation of the organization's acceptable use policy (AUP) by an authorized user.
Impersonation attack vector
Replacing something benign with something malicious. Examples: spoofing, man-in-the-middle (MITM), rogue wireless access points, SQL injection.
US-CERT reporting: Exercise/Network Defense Testing (CAT and time)
CAT 0. Not applicable (no reporting required).
US-CERT reporting: Unauthorized Access (CAT and time)
CAT 1. Within 1 hour of discovery.
US-CERT reporting: Denial of Service (CAT and time)
CAT 2. Within 2 hours of discovery if the attack is ongoing.
US-CERT reporting: Malicious Code (CAT and time)
CAT 3. Daily; within 1 hour of discovery if widespread across the agency.
US-CERT reporting: Improper Usage (CAT and time)
CAT 4. Weekly.
US-CERT reporting: Scans/Probes/Attempted Access (CAT and time)
CAT 5. Monthly; within 1 hour of discovery if the system is classified.
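Worked example (added here; it is not part of the flashcard deck): the cards ask how threats are detected, name brute force as the attrition vector, and list the US-CERT reporting categories. The script below ties those together: it runs a sliding-window brute-force detector over constructed sshd log lines (not real data), labels each hit as the attrition vector, and maps it to a reporting category: CAT 1 (Unauthorized Access, 1 hour) if the brute force was followed by a successful login from the same source, otherwise CAT 5 (Attempted Access, monthly). The threshold of 5 failures in 60 seconds is an assumed tuning value, not one from the deck.

```python
"""Brute-force (attrition) detection over auth log lines, mapped to US-CERT categories.
Added example; threshold/window values and the sample log are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd/syslog lines; not captured from a real system.
SAMPLE_LOG = """\
Mar 13 10:00:01 bastion sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 50011 ssh2
Mar 13 10:00:03 bastion sshd[4102]: Failed password for root from 198.51.100.7 port 50012 ssh2
Mar 13 10:00:05 bastion sshd[4103]: Failed password for root from 198.51.100.7 port 50013 ssh2
Mar 13 10:00:07 bastion sshd[4104]: Failed password for root from 198.51.100.7 port 50014 ssh2
Mar 13 10:00:09 bastion sshd[4105]: Failed password for root from 198.51.100.7 port 50015 ssh2
Mar 13 10:00:12 bastion sshd[4106]: Accepted password for root from 198.51.100.7 port 50016 ssh2
Mar 13 10:05:00 bastion sshd[4120]: Failed password for invalid user test from 203.0.113.9 port 40001 ssh2
Mar 13 10:05:01 bastion sshd[4121]: Failed password for invalid user guest from 203.0.113.9 port 40002 ssh2
Mar 13 10:05:02 bastion sshd[4122]: Failed password for invalid user oracle from 203.0.113.9 port 40003 ssh2
Mar 13 10:05:03 bastion sshd[4123]: Failed password for invalid user pi from 203.0.113.9 port 40004 ssh2
Mar 13 10:05:04 bastion sshd[4124]: Failed password for invalid user ubnt from 203.0.113.9 port 40005 ssh2
Mar 13 10:30:00 bastion sshd[4140]: Failed password for alice from 192.0.2.5 port 60001 ssh2
Mar 13 10:30:20 bastion sshd[4141]: Accepted password for alice from 192.0.2.5 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Assumed tuning knobs for this example: N failures from one source inside the window.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse(log_text):
    """Turn raw lines into (timestamp, ip, user, result) tuples; unknown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only relative times matter for the window
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_attrition(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one finding per source IP that reached `threshold` failures within `window`.
    A later successful login from that IP marks the finding as a compromised credential."""
    recent_fails = defaultdict(list)   # ip -> timestamps of failures inside the window
    findings = {}
    for ts, ip, user, result in parse(log_text):
        if result == "Failed":
            q = recent_fails[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.pop(0)
            if ip in findings:
                findings[ip]["failures"] += 1
            elif len(q) >= threshold:
                findings[ip] = {"ip": ip, "vector": "attrition (brute force)",
                                "first_seen": q[0], "failures": len(q), "success": False}
        elif result == "Accepted" and ip in findings:
            # success after a brute-force burst: attacker is now in, not merely probing
            findings[ip]["success"] = True
            findings[ip]["user"] = user
    return list(findings.values())


def us_cert_category(finding):
    """Map a finding to the US-CERT federal incident category and reporting deadline."""
    if finding["success"]:
        return ("CAT 1", "Unauthorized Access", "within 1 hour of discovery")
    return ("CAT 5", "Scans/Probes/Attempted Access",
            "monthly (within 1 hour if the system is classified)")


if __name__ == "__main__":
    for f in detect_attrition(SAMPLE_LOG):
        cat, name, deadline = us_cert_category(f)
        print(f"{f['ip']}: {f['vector']}, {f['failures']} failures, "
              f"success={f['success']} -> {cat} {name}, report {deadline}")
```

Running it flags 198.51.100.7 (five failures then an accepted root login, so CAT 1) and 203.0.113.9 (five failures, no success, so CAT 5); the single failed attempt from 192.0.2.5 before a normal login stays below the threshold and is not reported.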