Overview
Save Big on Coursera Plus. 7,000+ courses at $160 off. Limited Time Only!
Course 7: Incident Detection and Response
Welcome to course seven, Incident Detection and Response. Having an intruder inside your systems for months unnoticed by your systems, administrators, security specialists, and end-users is tantamount to giving the intruder, the keys to your business or organization. In many cases, organizations discover that they have been subjected to a data breach when they are told by others that their private data has been offered for sale on the dark web. Many leading voices within the security profession state that we all must do better to detect the intruders in our myths. Many people even say that detecting intruders should be the priority for security professionals. Ransomware attacks have become a big business involving not only large scale extortion attacks, but also the sell of ransomware attack tools and services, as well as the exploitation of any data ex-filtrated during the breach. Government officials and industry professionals worldwide have been raising their voices about this new and very troubling variant in the business model of advanced persistent threat or APT attackers. In this chapter, we'll focus on intrusion and incident detection. Many of the tools, techniques, technologies, and ideas, you'll see here have already been examined in previous chapters. This course brings them together and begins by discussing the central theme of detecting the intruder. Model one uses the concepts of precursors and indicators, the signals that give us advanced warning and a genuine alert about a risk event and the indicators of compromise concept which are those signals that we're certain can only mean a hostile agent has gained access. Module two will extend these ideas and concepts around the idea of what to do after you've discovered a possible intrusion, expanding your understanding of incident response. Module three continues with a deeper look at supporting forensic investigations. Forensics is an evidence-based process of logically and dispassionately reasoning about a situation or an event. It's your inner child, looking at something and asking questions. Then following each of those questions with more questions, letting the facts that you find frame and shape your growing understanding of what happened, how why and where, who did it and what impacts it may have. With these questions answered you can circle back to reviewing risk mitigation controls to see which if any, need to be modified, replaced or augmented.
Course 7 Learning Objectives
After completing this course, the participant will be able to:
L7.1 - Review the steps for monitoring, incident detection and data loss prevention using all-source intelligence.
L7.2 - Identify the elements of an incident response policy and members of the incident response team (IRT).
L7.3 - Classify the security professional’s role in supporting forensic investigations.
Course Agenda
Module 1: Operate All-source Intelligence for Monitoring and Incident Detection (Domain 3 - Risk Identification, Monitoring, and Analysis)
Module 2: Support Incident Lifecycle (Domain 4 - Incident Response and Recovery)
Module 3: Understand and Support Forensic Investigations (Domain 4 - Incident Response and Recovery)
Who Should Take This Course: Beginners
Experience Required: No prior experience required
Syllabus
- Module 1: Operate All-source Intelligence for Monitoring and Incident Detection
- We saw in Chapter 5 the evolution from simple host-based intrusion detection, through network-based intrusion prevention and on to integrated security information and event management (SIEM) systems. Each step along this path was attempting to bring together every possible signal, from every element of an organization’s IT and OT architectures, and then analyze and exploit those signals to see if any were indicators of a possible attack or intrusion taking place. The goal of such a set of processes, the objective of gathering, collating and assessing all of that information, is to try to answer three questions: What just happened to us? What happened to us a while ago, but we didn’t notice it? Is it too late to do anything about what happened in either case? Part of that evolution to SIEMs and the next generation of intrusion detection and response systems (and the next generation after that) is the idea of all-source intelligence as the input and the process. This idea of using every possible piece of data from even the most unlikely of channels is nothing new; business forecasting and market analysis does it, national weather services do it and, of course, military and national security organizations have been doing it for years. These professions and many others know that transforming information into actionable intelligence, the kinds of conclusions and assertions on which leaders and managers can base their decision-making, requires as broad a spectrum of analysis approaches and ideas as the spread of the sources it observes. All-source intelligence as a cybersecurity operation takes in far more than just monitoring. Monitoring in general involves observing the things you already know about: the systems, the endpoints, the people using them and the traffic on the networks. Monitoring is often about comparing observations to clip levels or alarm thresholds. As we’ll see, all-source intelligence as a process goes beyond monitoring; but it plays a vital role in enhancing the monitoring function, which still must be performed well. No examination of monitoring or incident detection would be complete without looking at the compliance requirements that relate to it, and we’ll use that topic to bring the many threads of this module together.
- Module 2: Support Incident Lifecycle
- An information security incident is a set of one or more events, or changes in the state of an information system, asset or architecture, which needs prompt and immediate security action to assess, contain, respond and recover from. Well-prepared organizations can, with skill and luck, limit the damages to assets and the disruption to business processes that an incident might otherwise cause. Poorly prepared organizations are more likely to make serious mistakes in characterizing and handling an incident and may cause themselves more harm in the process. Proper handling of information security incidents depends as much upon the day-to-day business processes as it does the specifics of the incident response processes. Incident detection, assessment, escalation, communication, recovery and learning from the event are activities typically integrated into the organization’s incident response process. Clarifying who does what in an incident and under what circumstances will greatly help the organization recover its business functions. The security professional should understand their legal and organizational responsibilities for incident management and be able to evaluate the activities and overall effectiveness of the organization’s incident response practice.
- Module 3: Understand and Support Forensic Investigations
- Digital forensics investigation as a process and as a field of study is a fascinating and exciting combination of challenges. Those who participate in such investigations find that their creative skills, their attention to detail, and their innate curiosity will be stretched to the limit as they attempt to embrace the human, organizational and technical aspects of an information security incident. Those who support the investigators, either before or during the investigation, are equally challenged but in very different ways. The support team has tasks they must perform as part of providing services to the investigators, to organizational leaders and managers, and to end users in the organization and they must perform these tasks with rock-solid reliability and dependability to the best of their ability. Simply put, they must follow procedures and make sure that all of the required processes are followed, step by step, in detail. Module 2 stressed the need for solid preparation and planning before the first incident occurs, and for a flexible, responsive and agile mindset to adjust those plans when that first incident does happen and shows the plans need to be changed. Preparing for incident investigation is a major part of what the security operations team needs to accomplish. To put that preparation into perspective, this module will look in more detail at the investigative process itself. Along the way, we’ll highlight opportunities for the forward-thinking security professional to get the organization, its users, its IT and OT staff and its managers and leaders prepared to support different types of forensic investigations when and as they become necessary. Module 3 will introduce some of the techniques of a digital forensics investigation. You may find them useful, and called for, as you’re troubleshooting an incident involving older technology systems (such as in OT architectures), or smaller, locally hosted SOHO or SMB environments. The same basic concepts still apply in the cloud and in the world of big data but scaling to that level requires a very different approach and mindset to thinking about forensics. Let’s take a closer look.
- Module 4: Chapter 7 Review
- This chapter has shown how the focus, perspective and emphasis on incident detection and response have all shifted, and shifted dramatically, over the last decade or so. Previously, security professionals focused substantial efforts on identifying, enumerating and securing assets; they focused on hardening systems and networks. These were necessary efforts, but they sometimes meant that detecting a breach or intrusion was a lower-priority effort. Many of the headline-making cyber breaches and ransom attacks of the last few years show that attackers have taken advantage of the six to eight months it takes the average enterprise to notice that they’ve had (past tense) an intruder in their systems. This must change. All-source intelligence as a means of identifying and characterizing possible intrusions is proving to be a powerful way to gain insight about your systems and about detecting intrusions (or attempts to intrude into them). Combined with analytics for security, it’s also turning around a time-tested practice of being very selective in what events generate log signals, which signals get logged (and how often) and how log files are managed, collated and analyzed. Today’s security professional needs to be a bit more of a data scientist than they were in the past and perhaps more of an intelligence data analyst as well. We also looked at digital forensics, largely from the perspective of small systems rather than cloud-hosted, large, enterprise environments. Either way, in most cases, the investigation itself and the analysis of evidence is best left to the certified, trained, expert computer systems examiners to do; but as an on-scene security professional, having some background in what digital evidence might be, how it might be analyzed and what might be learned from it can help you better prepare the organization for when it has to call in the investigators.
Taught by
(ISC)² Education & Training