Exam (elaborations)
CySa+ Jason Dion Notes (1).
CySa+ Jason Dion Notes (1).
[Show more]
Seller
Follow
Content preview
CySa+ Jason Dion NotesConsiderations for conducting triage on an incident - ANS-- Damage to data integrity
- Unauthorized changes
- Theft of data or resources
- Disclosure of confidential data
- Interruption of services
- System downtime
Impact-based Approach - ANS-Categorization approach that focuses on the severity of an
incident, such as emergency, significant, moderate, or low.
Taxonomy-based Approach - ANS-Approach that defines incident categories at the top level,
such as worm outbreak, phishing attempt, DDoS, external host/account compromise, or internal
privilege abuse.
Organizational Impact - ANS-Incident that affects mission essential functions so the organization
cannot operate as intended.
Localized impact - ANS-Incident that is limited in scope to a single department, small user group
or a few systems.
Immediate Impact - ANS-Incident measurment based on direct costs incurred because of an
incident, such as downtime, asset damage, penalties and fees
Total Impact - ANS-Incident measurement based on the costs that arise during and following the
incident, including damage to the company's reputation.
Incident Classification - ways to classify - ANS-- Data Integrity
- System Process Criticality
- Downtime
- Economic
- Data Correlation
- Reverse Engineering
- Recovery Time
- Detection Time
Data Integrity - ANS-Any incident where data is modified or loses integrity
System Process Criticality - ANS-Incidents that disrupt or threaten a mission essential business
function
,Downtime - ANS-An incident that degrades or interrupts the availability of an asset, system or
business process
Economic - ANS-incident that creates short-term or long-term costs
Data Correlation - ANS-Incident that is linked to the TTP of known adversary groups with
extensive capabilities
Reverse Engineering - ANS-Incident in which the capabilities of the malware are discovered to
be linked to an adversary group
Recovery Time - ANS-Incident which requires extensive recovery time due to its scope or
severity.
Detection time - ANS-- incident which was not discovered quickly
- Only 10% of data breaches discovered within first hour
- Nearly 40% of adversaries had successfully exfiltrated data within minutes of starting an
attack.
Containment - ANS-Rapid containment important to IR
- Limit the scope and magnitude of the incident by securing data and lmiting impact to business
operations and your customers.
Five Steps for Conducting Containment - ANS-1. Ensure the safety and security of all personnel
2. Prevent an ongoing intrusion or data breach
3. Identify if the intrusion is the primary or secondary attack
4. Avoid alerting the attacker that the attack has been discovered
5. Preserve any forensic evidence of the intrusion and attack.
Isolation - ANS-Mitigation strategy that involves removing an affected component from larger
environment
Segmentation - ANS-mitigation strategy that achieves the isolation of a host or group of hosts
using network technologies and architecture
- Uses VLANs, routing/subnets, and firewall ACLs to prevent communication outside the
protected segment.
- Can be used to reroute adversary traffic as part of a deceiption defensive capability.
Sandboxing - ANS-Security mechanism that separates a system from other critical system
resources and programs.
Eradication and Recovery - ANS-Remove the cause of the incident and bring the system back
to a secure state
,Eradication - ANS-Complete removal and destruction of the cause of the incident.
- Simplest option for eradicating contaminated system is to replace it with a clean image from a
trusted store.
Sanitization - ANS-Procedures that an organization uses to govern the disposal of obsolete
information and equipment, including storage devices, devices with internal data storage
capabilities, and paper records.
Cryptographic Erase (CE) - ANS-Method of sanitizing a self-encrypting drive by erasing the
media encryption key
Zero-fill - ANS-Sanitizing a drive by overwriting all bits on a drive to zero
- not reliable method with SSDs and hybrid drives
Secure Erase (SE) - ANS-Sanitizing a sold-state device using manufacturer provided software.
Secure Disposal - ANS-Sanitizing by physical destruction of the media by mechanical
shredding, incineration, or degaussing.
Eradication Actions - ANS-- Reconstruction
- Reimaging
- Reconstitution
Reconstruction - ANS-Restoring a system that has been sanitized using scripted installation
routines and templates.
Reimaging - ANS-Restoring a system that has been sanitized using an image-based backup.
Reconstitution - ANS-Method of restoring a system that cannot be sanitized using manual
removal, reinstallation and monitoring processes.
7 steps for reconstitution - ANS-1. Analyze the processes and network activity for signs of
malware
2. Terminate suspicious processes and securely delete them from the system
3. Identify and disable autostart locations to prevent processes from executing
4. Replace contaminated processes with clean versions from trusted media.
5. Reboot the system and analyze for signs of continued malware infection
6. If continued malware infection, analyze firmware and USB devices for infection
7. If tests are negative reintroduce the system to the production environment.
Recovery - ANS-Actions taken to ensure that hosts are fully reconfigured to operate the
business workflow they were performing before the incident ocurred.
Recovery Actions - ANS-- Patching
, - Permissions
- Logging
- System Hardening
Patching - ANS-Installing a set of changes to a computer program or its supporting data
designed to update, to fix, or to improve it
Permissions - ANS-
Logging - ANS-Ensure that scanning and monitoring/log retrieval systems are functioning
properly following the incident.
System Hardening - ANS-Securing a system's configuration and settings to reduce IT
vulnerability and the possibility of being compromised
Actions performed when conducting system hardening - ANS-- Deactivate unnecessary
components
- Disable unused user accounts
- Implement patch management
- Restrict host access to peripherals
- Restrict shell commands
Three mottos for system hardening - ANS-- Uninstall anything you aren't using
- If you need it, patch it frequently
- Always restrict users to least privilege
Post-Incident Activity - ANS-Analyze the incident and responses to identify whether procedures
or systems could be improved.
Main areas of post-incident activity - ANS-- Report Writing
- Incident Summary Report
- Evidence Retention
Report Writing - ANS-An essential analyst skill that is used to communicate information about
the incident to a wide variety of stakeholders
- Reports should be clearly marked for the intended audience
Incident Summary Report - ANS-Report written for specific audience with key information about
the incident and their use
- Contain information about how the incident ocurred, how it could be prevented in the future,
the impact and damage on the systems, and any lessons learned.
Evidence Retention - ANS-preservation of evidence based upon the required time period
defined by regulations if there is a legal or regulatory impact caused by an incident.
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller modockochieng06. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for CA$11.16. You're not tied to anything after your purchase.
Can Stuvia be trusted?
4.6 stars on Google & Trustpilot (+1000 reviews)
73091 documents were sold in the last 30 days
Founded in 2010, the go-to place to buy study notes for 14 years now