By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Before an organization can determine whether an incident has occurred, it must first capture a baseline of the normal activity and performance of its systems. That baseline is the benchmark against which all other activity is measured. To make incident detection reliable, security professionals should capture the baseline during periods of both high and low activity, and they should collect baselines repeatedly over time so that the best overall baseline is obtained. Once the baseline exists, the organization must write policies that detail how security personnel are to respond to incidents.
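The baseline approach just described, as an added example that is not part of the original guide: a per-hour baseline is built from samples taken during both busy and quiet periods, and a new observation is judged against the bucket it belongs to. The sample counts, the hour buckets, the three-sigma threshold and the function names are all constructed assumptions.

```python
"""Added example (not from the guide): build an activity baseline from samples taken
during both high- and low-activity periods, then compare new observations against
the hour they fall in.  All sample data below is constructed."""
from statistics import mean, pstdev

# Constructed baseline samples: (hour_of_day, requests_per_minute).
# They deliberately cover a busy window (09-10h) and a quiet one (02-03h),
# because a single average of both would describe neither.
BASELINE_SAMPLES = [
    (9, 120), (9, 130), (9, 125), (10, 140), (10, 135), (10, 150),
    (2, 5), (2, 7), (2, 6), (3, 4), (3, 6), (3, 5),
]


def build_baseline(samples):
    """Return {hour: (mean, stdev)} so each hour is judged against its own normal."""
    by_hour = {}
    for hour, value in samples:
        by_hour.setdefault(hour, []).append(value)
    return {h: (mean(v), pstdev(v)) for h, v in by_hour.items()}


def deviation(baseline, hour, value):
    """z-score of an observation relative to its hour's baseline; None if that hour was never baselined."""
    if hour not in baseline:
        return None
    mu, sigma = baseline[hour]
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def is_anomalous(baseline, hour, value, threshold=3.0):
    """An observation is anomalous if it is more than `threshold` standard deviations
    from its hour's mean, or if there is no baseline for that hour at all."""
    z = deviation(baseline, hour, value)
    return z is None or abs(z) > threshold


def review(baseline, observations, threshold=3.0):
    """Return the (hour, value) observations that fall outside their hour's baseline."""
    return [(h, v) for h, v in observations if is_anomalous(baseline, h, v, threshold)]


if __name__ == "__main__":
    b = build_baseline(BASELINE_SAMPLES)
    # 128 requests/minute is ordinary at 10:00 but far outside the 02:00 baseline.
    print(review(b, [(10, 128), (2, 128), (9, 122)]))
```

The same value, 128 requests per minute, is unremarkable in the busy bucket and a clear outlier in the quiet one, which is the reason the text insists on sampling both periods.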
A risk assessment allows an organization to identify its areas of risk and document how each risk will be handled. Security personnel should keep up with current trends so that they can spot unplanned problems. If incident response processes are documented, the security experts have a plan to follow when something happens. After an incident has been stopped, security professionals should document and examine the evidence; once the evidence has been documented, systems should be restored to their operating form. In specific instances it may be necessary to seize an asset as part of a criminal investigation, in which case the company must identify a substitute asset as soon as feasible.
This guide discusses e-discovery, data breaches, incident detection and response, incident and emergency response, incident response support tools, issues affecting the severity of an event or breach, and post-incident response.
Topics:
- Data breaches
- Incident detection and response
- Incident and emergency response
- Incident response support tools
- Severity of incident or breach
- Post-incident response
- Asset identification
- Security operations
- Data risks and breaches
- Incident response
- Post-incident recovery
Data breach
A data breach is any situation in which information that is considered private or confidential is released to unauthorized people. An organization must have a plan in place to detect and respond to these situations appropriately. Having an incident response plan is not enough on its own, however: the organization must also have trained staff who are familiar with the incident response strategy and possess the skills needed to respond to any incident that may arise. An incident response team's ability to follow the incident response procedures is critical. Depending on where you look, different procedures or phases may be included in the incident response process.
For the CASP exam, you need to remember the following steps:
Step 1: Detect the incident.
Step 2: Respond to the incident.
Step 3: Report the incident to the appropriate personnel.
Step 4: Recover from the incident.
Step 5: Remediate components to ensure that all traces of the incident have been removed.
Step 6: Review the incident and document all findings.
If an incident goes unnoticed or unreported, the organization will be unable to intervene while it is in progress or to prevent it from happening again. If a user reports that the mouse pointer on their workstation is moving and files are opening on their own, they should be directed to contact the incident response team for assistance. The incident is actually investigated during the respond, report, and recover steps; following suitable forensic and digital investigative protocols during that investigation helps ensure that evidence is preserved.
Detection and collection
The initial steps of incident response are finding the incident, securing the attacked system(s), and identifying the evidence. Evidence is found by reviewing audit logs, monitoring systems, assessing user complaints, and studying detection methods. The system's state should be examined as part of this stage. Investigators may not know at first which evidence will turn out to be crucial; it is always preferable to keep evidence you may not need than to wish you had kept evidence you did not. This stage also includes identifying the attacked system(s), which digital investigations refer to as the crime scene. In some situations the technology used to launch the attack can also be regarded as part of the crime scene, but it is not always possible to capture the attacker's systems in full, so you should record any data that might identify a specific system, such as IP addresses, user names, and other identifiers. Security professionals should then preserve and collect the evidence. This includes making system images, implementing chain of custody, documenting the evidence, and collecting timestamps. Consider the order of volatility before gathering any evidence.
Data analytics
Any data acquired as part of an incident response must be properly evaluated by a forensic investigator or a security professional with similar training. Depending on the amount of data to be processed, someone trained in big data analytics may be needed to assist. After the evidence has been preserved and collected, the investigator must review and analyze it. Any attributes, such as timestamps and identification properties, should be determined and documented during analysis. Once the evidence has been thoroughly reviewed using scientific methodologies, the entire incident should be reconstructed and documented.
Mitigation
Mitigation refers to the prompt measures taken to stop a data breach in its tracks. Once an event has been discovered and evidence is being collected, security professionals must take the necessary steps to limit the incident's impact and isolate the critical infrastructure.
Minimize
As part of mitigation, security experts should take the actions needed to minimize the impact of a data breach. In most instances this means being open about the breach and responding to it as soon as it occurs. Protecting the organization's reputation is as critical as protecting its actual assets, so businesses should ensure that their plan includes mechanisms for notifying the public of a data breach and mitigating the consequences.
Isolate
Isolating the compromised systems is a critical part of any data breach response. Depending on the severity of the breach and the number of assets affected, it may be necessary to temporarily stop some services in order to halt the current breach or prevent further ones. In some circumstances only a single system needs to be isolated; in others, multiple systems involved in the same transactions may need to be segregated.
Recovery/reconstitution
Once a data breach has been stopped, the organization must recover the data and restore operations to as normal a state as feasible. Although the goal is to fully restore a system, the nature of data backup and recovery and the availability of the data make it probable that not all data will be recovered. If an organization can only restore data as of a specific point in time, some data may be lost. Organizations should make sure that their backup/recovery procedures are in place so that data can be recovered within the timeframes specified. Some firms, for example, may back up transactions within an e-commerce database every hour, while others may do so every four hours. Security professionals should make senior management aware that some data may be unrecoverable. Remember that corporations must balance the risks against the expense of countermeasures. The data owners should document the recovery processes for each system.
Response
Based on the analysis of a data breach, an enterprise should thoroughly evaluate the steps that may be taken to prevent a similar breach from occurring again. The organization may not be able to implement all of the recommended preventive measures, but it should at least adopt those that the risk analysis identifies as vital.
Disclosure
Once a data breach has been fully understood, security professionals should document all findings in a lessons learned database to help future personnel grasp every element of the breach. In addition, the incident response team and forensic investigators should present senior management with full disclosure reports. Senior management can then decide how much information is shared with internal staff and the general public. Consider the following case of a data breach that was not adequately handled because of a lack of incident response training.
Assume that a marketing department supervisor bought the latest mobile device and connected it to the company's network. Through their email, the supervisor continued to download crucial marketing documents to it. The device was later lost while being transported to a conference. The supervisor told the company's help desk about the missing device, a replacement was sent, and the help desk ticket was closed, indicating that the problem had been fixed. In reality, this situation should have been investigated and analyzed to find the best way to prevent a similar occurrence in the future; the disappearance of the first mobile device was never addressed. One change to consider is implementing remote wipe tools to delete company data from the original mobile device.
Incident detection and response
An organization's security policy should ensure that systems are built to aid in incident response. It is critical to act quickly in the event of a security compromise, and actions should be guided by the six-step incident response method described earlier. Not every incident results in a security breach, because the business may have the right controls in place to keep an incident from escalating to that point. To build systems that aid incident response appropriately, security professionals should understand internal and external violations, including privacy policy violations, criminal acts, insider threats, and non-malicious threats/misconfigurations. Finally, security experts should work with management to implement system, audit, and security log collection and review so that incident response happens as quickly as possible.
Internal and external violations
The perpetrators of security events and breaches can be internal or external persons or groups.
Furthermore, a security breach may result in the disclosure of external customer or internal employee information. System access should be strictly limited through accounts associated with internal entities, and each account should be given a level of access that matches the needs of the account holder. Users who require administrative-level access should be given both an administrative-level account and a regular account, and administrative accounts should only be used to carry out administrative tasks. In general, users should use the account with the fewest privileges necessary to complete the task at hand. Monitoring all accounts should be part of any organization's normal procedure, and administrative accounts should be monitored more closely than regular accounts. Because insiders already have access to systems, internal violations are significantly easier to commit than external ones; insiders also know something about the organization's internal workings, which gives them an advantage. Users with administrator or higher-level accounts have the power to commit large-scale security breaches. Outsiders, by contrast, must first gain credentials before they can even start an attack. When assessing internal and external violations, security experts should be able to distinguish between privacy policy violations, criminal actions, insider threats, and non-malicious threats or misconfigurations.
Privacy policy violations
Data privacy relies heavily on the security safeguards in place. An enterprise can provide security without ensuring data privacy, but data privacy is impossible without proper security controls. A privacy impact assessment (PIA) is a risk assessment that identifies the hazards associated with the collection, use, storage, and transmission of personally identifiable information (PII).
The PIA establishes whether suitable PII controls and protections have been put in place to avoid PII disclosure or compromise. Personnel, processes, technology, and devices should all be evaluated as part of the PIA, and any significant change should be followed by a new PIA. To prevent privacy policy violations, any contracted third parties with access to PII should be examined to verify that suitable controls are in place. Third-party personnel should also be educated on the organization's policies and sign non-disclosure agreements (NDAs).
Criminal actions
When responding to a criminal event, an organization must ensure that the right steps are taken to move toward prosecution. If proper procedures are not followed, prosecution may fail because the defense can challenge the evidence. When a criminal act is detected, involving law enforcement as soon as possible is critical. Order of volatility and chain of custody are two aspects of evidence collection that must be considered.
Insider threats
Insider threats should be one of the most serious concerns for security personnel. As previously stated, insiders have knowledge of and access to systems that outsiders do not, which makes it considerably easier for them to carry out or participate in an attack. To detect insider threats as they occur, an organization should establish the right event collection and log review policies.
Non-malicious threats/misconfigurations
Internal users can unwittingly contribute to the possibility of security breaches. These threats are not malicious in origin but arise from users not understanding how system changes can affect security. Security awareness and training should cover examples of misconfigurations that can cause security breaches to occur and/or go unnoticed. For example, to complete an administrative operation, a user may temporarily disable antivirus software.
If the user does not re-enable the antivirus software, the system is unwittingly exposed to infection. In this instance, a company should consider using group policies or other means to ensure that antivirus software is enabled and running on a regular basis. Another option is to configure the antivirus software to restart automatically after a specified period of time. System, audit, and security logs can be used to record and review user activity, allowing security experts to identify misconfigurations and adopt the relevant policies and controls.
Hunt teaming
Hunt teaming is a newer security strategy that is offensive rather than defensive, in contrast to the traditional posture of security teams. Hunt teams collaborate to discover, detect, and understand advanced and determined threat agents. They are a significant financial investment for a company, and they go after the attackers. To use a bank analogy, if a bank robber compromises a door in order to rob a bank, defensive measures would suggest getting a better door, whereas offensive tactics would suggest eliminating the bank robber. These cyber hired guns are yet another tool in the arsenal. Hunt teaming also refers to a set of techniques security staff use to get around typical protection technology in order to track down other attackers who may have used techniques similar to those in attacks that have already been detected, often at other firms. These methods help detect systems infected with advanced malware that evades traditional security technologies such as intrusion detection/prevention systems (IDS/IPS) and antivirus (AV) software. As part of hunt teaming, security professionals might, for example, obtain blacklists from sites such as DShield. These blacklists would then be checked against current DNS entries to verify whether communication was taking place with the known attackers on them.
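The blacklist-versus-DNS check mentioned above, as an added example that is not from the guide or from DShield: a resolver log is compared against a list of known-bad domains and IP networks, matching both the name queried and the address returned. The blacklist entries, the log lines and their field layout are constructed for the example; the real DShield feeds use their own formats.

```python
"""Added example (not from the guide): match recent DNS resolver log lines against a
threat-intelligence blacklist to find internal hosts that resolved known-bad names
or received known-bad answers.  Blacklist and log lines are constructed."""
import ipaddress
import re

# Constructed blacklist: domains and address ranges reported as attacker infrastructure.
BLACKLIST_DOMAINS = {"evil.example", "c2.badhost.test"}
BLACKLIST_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed resolver log: timestamp, querying client, name asked for, answer returned.
DNS_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 qname=www.example.com answer=93.184.216.34
2024-05-01T10:00:09Z client=10.0.0.7 qname=update.evil.example answer=203.0.113.44
2024-05-01T10:01:15Z client=10.0.0.5 qname=mail.example.com answer=192.0.2.10
2024-05-01T10:02:40Z client=10.0.0.9 qname=cdn.legit.test answer=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)


def domain_matches(qname, blacklist):
    """True if qname is a listed domain or a subdomain of one.
    Matching on label boundaries avoids treating evil.example.com as evil.example."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def ip_matches(answer, networks):
    """True if the answer is an address inside any listed network."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:          # CNAME or other non-address answer
        return False
    return any(addr in net for net in networks)


def find_hits(log_text, domains=BLACKLIST_DOMAINS, networks=BLACKLIST_NETWORKS):
    """Return (client, qname, answer, reasons) for every log line touching the blacklist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # unparseable line: skip rather than guess
        reasons = []
        if domain_matches(m["qname"], domains):
            reasons.append("domain")
        if ip_matches(m["answer"], networks):
            reasons.append("answer-ip")
        if reasons:
            hits.append((m["client"], m["qname"], m["answer"], reasons))
    return hits


if __name__ == "__main__":
    for hit in find_hits(DNS_LOG):
        print(hit)
```

Checking the returned address as well as the queried name matters: the last log line asks for an innocuous-looking name that resolves into a listed range, which a name-only comparison would miss.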
Hunt teaming can also be used to simulate previous attacks so that security personnel gain a better understanding of the company's current vulnerabilities and learn how to fix them and prevent future problems.
Heuristics and behavioral analytics
Heuristics are a type of algorithm used in virus detection, behavioral analysis, event detection, and other situations where patterns must be found in the middle of chaos. A heuristic is a method for ranking alternatives using search algorithms; it is not an exact science and is closer to informed guessing, but it has been found to approximate an accurate solution in many circumstances. It also involves a trial-and-error procedure for self-learning as it approaches the final approximated result. Using this approach, many IPS, IDS, and anti-malware systems with heuristic capability can often discover zero-day vulnerabilities.
Review system, audit, and security logs
System logs record regular system events, such as operating system and service events. Audit and security logs keep track of successful and unsuccessful attempts to perform specified operations, and they require security professionals to configure the audited actions specifically. Organizations should establish policies for the collection, storage, and security of these logs. The logs can usually be set up to send out alerts when particular events take place, and they must also be reviewed on a regular and methodical basis. Security personnel should also be taught how to use this data to detect incidents; having all the data in the world does not help if you do not have the right people to evaluate it. For large organizations, the amount of log data that needs to be evaluated can be considerable.
As a result, an organization may deploy a security information and event management (SIEM) system, which provides an automated solution for evaluating events and determining where attention should be focused. Assume that an IDS detected an attempted attack from a remote IP address and that a week later the attacker had gained access to the network. In this scenario it is very likely that no one was looking at the IDS event logs. Consider another example of inadequate logging and review processes. Assume that a business was unaware that its internal financial systems had been hacked until the attacker published sensitive pieces of the information on several popular attacker websites. The company could not figure out at first when, how, or by whom the attacks were carried out, so it rebuilt, restored, and updated the compromised database server to keep things running. If the organization is still unable to establish these details, it should examine its system configuration, audit, and security logs.
Incident and emergency response
Organizations must ensure that suitable response procedures have been created for use in the event of an incident or an emergency. Security specialists should make sure that these procedures cover chain of custody, forensic analysis of a compromised system, the continuity of operations plan (COOP), and order of volatility.
Chain of custody
If your organization does not have trained personnel who understand chain of custody and other digital forensic procedures, it should have a plan in place to bring in a trained forensic professional to ensure that evidence is properly collected. As part of understanding chain of custody, security professionals should also understand evidence and surveillance, search, and seizure. At the start of any investigation you should ask who, what, when, where, and how questions; the answers help gather all of the information required for the chain of custody.
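The IDS scenario above (an alert that nobody reviewed, followed a week later by a successful login from the same address) is the kind of correlation a SIEM rule or a scheduled log review performs. The following is an added example, not code from the guide or from any SIEM product: it parses constructed IDS and SSH authentication log lines and reports every successful login whose source address raised an IDS alert within the preceding two weeks. The log formats, addresses and the 14-day window are assumptions.

```python
"""Added example (not from the guide): correlate IDS alerts with later successful
logins from the same source address.  The log lines and their formats are constructed."""
from datetime import datetime, timedelta
import re

IDS_LOG = """\
2024-03-01T02:14:07Z ALERT sig="SSH brute force attempt" src=198.51.100.23 dst=10.0.0.12
2024-03-01T02:20:41Z ALERT sig="Web scanner user-agent" src=203.0.113.9 dst=10.0.0.30
"""

AUTH_LOG = """\
2024-03-01T08:10:00Z sshd: Failed password for admin from 198.51.100.23 port 51012
2024-03-03T11:05:33Z sshd: Accepted password for backup from 10.0.0.40 port 40222
2024-03-08T01:55:12Z sshd: Accepted password for admin from 198.51.100.23 port 52990
"""

IDS_RE = re.compile(r'^(?P<ts>\S+) ALERT sig="(?P<sig>[^"]+)" src=(?P<src>\S+)')
# Only successful logins are of interest here; failures are already what the IDS saw.
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def correlate(ids_log, auth_log, window_days=14):
    """Return (login_time, user, src, alert_signature, days_after_alert) for each
    successful login whose source IP raised an IDS alert up to window_days earlier."""
    window = timedelta(days=window_days)
    alerts = {}                                   # src -> [(alert_time, signature), ...]
    for line in ids_log.splitlines():
        m = IDS_RE.match(line)
        if m:
            alerts.setdefault(m["src"], []).append((parse_ts(m["ts"]), m["sig"]))

    findings = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m or m["src"] not in alerts:
            continue
        login_at = parse_ts(m["ts"])
        for alert_at, sig in alerts[m["src"]]:
            gap = login_at - alert_at
            if timedelta(0) <= gap <= window:     # alert must precede the login
                findings.append((login_at, m["user"], m["src"], sig, gap.days))
    return findings


if __name__ == "__main__":
    for finding in correlate(IDS_LOG, AUTH_LOG):
        print(finding)
```

Run over the constructed logs, the routine flags the admin login from 198.51.100.23 six days after the brute-force alert; the internal backup login and the scanner alert with no follow-up login produce nothing.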
The chain of custody identifies who obtained the evidence, who was in charge of it, and who safeguarded it. To properly prosecute a suspect, the chain of custody must be maintained, which means that evidence must be collected in compliance with predetermined processes and all applicable rules and regulations. The main goal of the chain of custody is to ensure that evidence is admissible in court. Law enforcement officers place a high priority on the investigations they perform, and involving them early can help ensure that the right chain of custody is followed throughout an investigation.
Evidence
To be admissible, evidence must be relevant, legally permissible, reliable, correctly identified, and preserved. Relevant means that it must prove a material fact linked to the crime: for example, it proves a crime was committed, offers information describing the incident, provides information about the perpetrator's motives, or verifies what happened. Reliable means that it has not been tampered with or altered in any way. Preserved means that the evidence has been neither damaged nor destroyed. Every piece of evidence must be labelled. When creating evidence tags, include the mode and means of transport as well as a detailed description of the evidence, including its quality, who received it, and who had access to it.
An investigator must ensure that evidence adheres to the following five rules of evidence:
- Be authentic
- Be accurate
- Be complete
- Be convincing
- Be admissible
In addition, the investigator must be familiar with the various types of evidence available and how each one might be utilized in court. Surveillance, search, and seizure guidelines must be followed by investigators. Finally, investigators should be aware of the distinctions between media, software, network, and hardware/embedded device investigation.
Even though digital evidence is more volatile than other types of evidence, it must still satisfy these five rules.
Surveillance, search, and seizure
Surveillance, search, and seizure are all crucial aspects of a criminal investigation. Surveillance is the act of monitoring a person's behavior, activities, or other changing information, usually about them. Searching is the act of looking for something or for information. Seizure is the act of taking possession of physical or digital components. Investigators use two types of surveillance: physical and computer surveillance.
Physical surveillance is when a person's actions are recorded or observed using cameras, direct observation, or closed-circuit television (CCTV). Computer surveillance is when a person's actions are recorded or collected using digital information, such as audit logs. In most circumstances a search warrant is required to actively search a private site for evidence. Before a search warrant can be issued, a court must find probable cause that a crime has been committed, and corroboration that the evidence exists must be provided to the judge. The only time a search warrant is not required is in exigent circumstances: situations in which a warrantless search is needed to prevent physical harm, the destruction of evidence, a suspect's escape, or some other improper obstruction of legitimate law enforcement efforts. When evidence gathered this way is presented in court, the exigent circumstances must be demonstrated. Evidence can only be seized if it is specifically named in the search warrant, unless the evidence is in plain view. Only the evidence named in the warrant can be taken, and the search can take place only in the places listed in the warrant. Search and seizure laws do not apply to private organizations and individuals. Most companies inform their staff that any files maintained on company resources are considered company property; this is frequently stated in a no-expectation-of-privacy policy.
Forensic analysis of compromised system
Forensic analysis of a compromised system varies greatly depending on the type of system being analyzed. Analysis can include media analysis, software analysis, network analysis, and hardware/embedded device analysis.
Media analysis
Investigators can perform many types of media analysis, depending on the media type. The following are some of them:
- Disk imaging: This involves creating an exact image of the contents of a hard drive.
- Slack space analysis: This involves analyzing the slack (marked as empty or reusable) space on a drive to see whether any old (marked for deletion) data can be retrieved.
- Content analysis: This involves analyzing the contents of a drive and produces a report detailing the types of data present, by percentage.
- Steganography analysis: This involves analyzing the graphic files on a drive to see whether the files have been altered or to discover the encryption used on a file. Data can be hidden within graphic files.
Software analysis
Software analysis is somewhat harder to perform than media analysis because it often requires the input of an expert on software code. Software analysis techniques include the following:
- Content analysis: This involves analyzing the content of software, particularly malware, to determine the purpose for which the software was created.
- Reverse engineering: This involves retrieving the source code of a program to study how the program performs certain operations.
- Author identification: This involves attempting to determine the software's author.
- Context analysis: This involves analyzing the environment the software was found in to discover clues that help determine the risk.
Network analysis
Network analysis involves the use of networking tools to provide logs and activity as evidence. Network analysis techniques include the following:
- Communications analysis: This involves analyzing the communication over a network by capturing all or part of it and searching for particular types of activity.
- Log analysis: This involves analyzing network traffic logs.
- Path tracing: This involves tracing the path of a particular packet or traffic type to discover the route used by the attacker.
Hardware/embedded device analysis
Hardware/embedded device analysis is the use of tools and firmware included with a device to determine the actions performed on and by the device.
Depending on the device, several methodologies are used to assess the hardware/embedded device. In most circumstances, depending on the information needed, the device vendor can advise on the appropriate technique. Common approaches include log analysis, operating system analysis, and memory inspection.
Continuity of operations
Continuity planning entails determining the impact of a disaster and putting in place a workable recovery strategy for each function and system. Its main focus is on how to carry out organizational functions in the event of a disruption. COOP takes into account all aspects of a disaster's impact, including functions, systems, personnel, and facilities. It identifies and prioritizes the services that are required, with a focus on telecommunications and information technology. The COOP is usually included in a company's business continuity plan. It should include contingency plans for maintaining vital functions in a variety of situations, as well as a management succession plan that outlines what to do if a senior executive is unable to carry out his or her responsibilities.
Disaster recovery
Recovery processes, personnel safety protocols, and restoration procedures are all part of the disaster recovery process. This guide's focus, in the context of incident response, is on restoring information assets that have been lost as a result of an incident and on maintaining access to information assets after an incident has occurred. Security professionals must understand data backup formats and techniques, as well as methods of sustaining data access during disk failures.
Incident response team
When forming an incident response team, an organization must evaluate each individual's technical competence. Members of the team must be familiar with the company's security policy and have excellent communication skills.
In addition, members should be trained in incident response and investigation. When an incident occurs, the team's first priority is to contain the attack and repair any damage the incident has caused. As soon as an incident is found, securing and isolating the scene should begin.
Evidence must be kept safe, and the proper authorities must be notified. The incident response team should have access to the incident response plan, which should include a list of authorities to call, team roles and duties, an internal contact list, processes for securing and preserving evidence, and a list of investigative experts who can be contacted for assistance. To guarantee that no procedures are missed, a step-by-step manual should be established for the incident response team to follow, and all incident response actions should be documented once the incident response process has been initiated. If the incident response team concludes that a crime has been committed, senior management and the appropriate authorities should be alerted quickly.
Order of volatility
Before collecting any evidence, an organization should consider the order of volatility, which ensures that investigators collect evidence from the most volatile components first.
The order of volatility is as follows:
- CPU, cache, and register content
- Routing table, ARP cache, process table, and kernel statistics
- Memory
- Temporary file system/swap space
- Data on hard disk
- Remotely logged data
- Data contained on archival media
To create system images you need a tool that generates a bit-level duplicate of the system. To produce this bit-level replica, you must usually isolate the system and take it out of production. Keep two copies of the image: one copy is kept as evidence, ensuring that it remains undamaged and correct, and the other is used during examination and analysis. Message digests should be used to verify data integrity. The system image is usually the most crucial piece of evidence, but it is not the only one you will need; data held in the cache, process tables, RAM, and the registry may also need to be captured. When documenting a computer attack, keep notes in a bound notebook, and never take a page out of it. Remember to enlist the help of specialists when conducting digital investigations to ensure that evidence is preserved and collected appropriately.
Investigators usually put together a field kit to use during the investigation. Tags and labels, disassembly tools, and tamper-evident packaging could all be included in this kit. Commercial field kits are available, or you can put your own together based on your specific needs. Incident response support tools For incident response process, security professionals must be skilled and comfortable using an array of analysis and detection tools. This section takes a look at some of these tools and the proper use of each, as follows: - dd: Before any analysis is performed on the target disk in an investigation, a bit-level image of the disk should be made. Then the analysis should be done on that copy. This means that a forensic imaging utility should be part of your toolkit. There are many of these, and many of the forensic suites contain them. Moreover, many commercial forensic workstations have these utilities already loaded. The dd command is a UNIX/Linux command that is used to convert and copy files. The U.S. Department of Defense (DoD) created a fork (a variation) of this command called dcfldd that adds additional forensic functionality. By simply using dd with the proper parameters and using the correct syntax, you can make an image of a disk. Using dcfldd gives you the ability to also generate a hash of the source disk at the same time. For example, the following command reads 5 GB from the source drive and writes that information to a file called mymage.dd.aa. It also calculates the MD5 hash and the sha256 hash of the 5 GB chunk. It then reads the next 5 GB and names that myimage.dd.ab. The MD5 hashes are then stored in a file called hashmd5.txt, and the sha256 hashes are stored in a file called hashsha.txt. The block size for transferring has been set to 512 bytes, and in the event of read errors, dcfldd writes zeros. - Tcpdump captures packets on Linux and UNIX platforms. A version for Windows, called WinDump, is also available. 
Using the tcpdump command is a matter of selecting the correct parameters to go with it. For example, running sudo tcpdump with the -i option selects the interface to capture on (here the Ethernet 0 interface), and the resulting output shows the packets captured from that interface, as illustrated below.
Figure: Tcpdump command
Figure: Capturing packets from a specific network interface
- Nbtstat: Microsoft networks use an interface called Network Basic Input/Output System (NetBIOS) to resolve workstation names to IP addresses. The nbtstat command can be used to view NetBIOS information. nbtstat -n shows the NetBIOS names that the local host has registered, and nbtstat -c displays the current contents of the NetBIOS name cache, which holds NetBIOS name to IP address mappings for other hosts on the network, as shown below.
Figure: NetBIOS names registered on the host
- Netstat is used to see what ports are listening on a TCP/IP-based system. The -a option is used to show all ports, and /? is used to show what other options are available. (The options differ based on the operating system you are using.) When executed with no switches, the command displays the current connections. -a or --all shows both listening and non-listening sockets, and combined with the --interfaces option it also shows interfaces that are not up, as shown below.
Figure: Netstat listening and non-listening sockets
netstat -at lists all TCP sockets, as shown below.
Figure: Netstat listing all UDP ports
- nc (Netcat) is a command-line utility that can be used for many investigative operations, including port scanning, file transfers, and port listening. For example, the following command scans ports 1 through 1,000 on the target at 192.168.1.2: nc -v 192.168.1.2 1-1000, as shown below.
Figure: Using Netcat for port scanning
- memcpy is a controversial C function used to copy bytes from a source memory location directly to a destination memory block. It is controversial because if the source and destination overlap, this function does not ensure that the original source bytes in the overlapping region are copied before being overwritten.
- tshark captures packets on Linux and UNIX platforms, much like tcpdump. It writes a file in pcap format, as Wireshark does. Whenever a scenario calls for working from the terminal rather than a GUI, this tool supports the same filter functions as Wireshark, and because it is a command-line tool, it can be scripted, as shown below. The following are some examples of the options that can be used with tshark:
-i to choose the interface on your machine
-a for duration, which is in seconds
-w to write the captured packets to a file
Figure: Tshark commands
- Foremost is a digital forensic application that is used to recover lost or deleted files. Foremost can recover files from hard disks, memory cards, pen drives, and other storage devices, and it can also work on image files generated by other applications. It is a free command-line tool that comes pre-installed in Kali Linux. This tool works only if the data on the device has not been overwritten, meaning that after the files were deleted, no more data was written to the storage device; if the data has been overwritten, the chances of recovery are reduced and the recovered data may be corrupted. Foremost recovers files on Linux systems using a process called file carving, which can recover image and data files from drives using ext3, FAT, and NTFS, and from iPhones.
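Returning to the dd/dcfldd imaging entry above and the two-copy, message-digest rule from the system image discussion: the script below is an added example (not from this guide, and it uses plain dd rather than dcfldd) that performs the same acquisition steps with standard tools: dd reads the source in 512-byte blocks and zero-fills read errors, split cuts the image into chunks named image.dd.aa, image.dd.ab, ..., md5sum and sha256sum record per-chunk digests in hashmd5.txt and hashsha.txt, and a second copy is made for analysis while the evidence copy stays untouched. All file and directory names are assumptions, and a constructed file stands in for the source disk so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the guide: bit-level acquisition with dd, chunked
# output, per-chunk MD5/SHA-256 digests, an evidence copy plus a working
# copy, and a digest check before analysis. All names are assumptions.

# image_and_hash SOURCE CASEDIR CHUNK_BYTES
# dd reads SOURCE in 512-byte blocks; conv=noerror,sync continues past read
# errors and zero-fills the unreadable block (what the guide describes for
# dcfldd). split names the pieces image.dd.aa, image.dd.ab, ...
image_and_hash() {
    src=$1; casedir=$2; chunk=$3
    mkdir -p "$casedir/evidence" "$casedir/working"
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null \
        | split -b "$chunk" - "$casedir/evidence/image.dd."
    ( cd "$casedir/evidence" \
        && md5sum image.dd.* > hashmd5.txt \
        && sha256sum image.dd.* > hashsha.txt )
    # The evidence copy is never touched again; analysts use this copy.
    cp "$casedir/evidence"/image.dd.* "$casedir/working/"
}

# verify_copy CASEDIR: returns 0 only if every working chunk still matches
# the digests recorded at acquisition time.
verify_copy() {
    evidence=$(cd "$1/evidence" && pwd)
    ( cd "$1/working" \
        && md5sum -c "$evidence/hashmd5.txt" \
        && sha256sum -c "$evidence/hashsha.txt" ) >/dev/null 2>&1
}

# run_demo: images a constructed 3000-byte "disk" (3072 bytes after sync
# padding) in 1024-byte chunks, so three chunks result; verifies the
# working copy, then alters one byte of it and confirms the check fails.
run_demo() {
    tmp=$(mktemp -d)
    dd if=/dev/zero bs=1000 count=3 2>/dev/null | tr '\0' 'A' > "$tmp/disk.img"
    image_and_hash "$tmp/disk.img" "$tmp/case" 1024
    n=$(ls "$tmp/case/evidence" | grep -c '^image\.dd\.')
    [ "$n" -eq 3 ] || return 1
    verify_copy "$tmp/case" || return 1
    printf 'X' | dd of="$tmp/case/working/image.dd.ab" bs=1 seek=7 \
        conv=notrunc 2>/dev/null
    if verify_copy "$tmp/case"; then return 1; fi   # tampering must be caught
    rm -rf "$tmp"
    return 0
}

run_demo && echo "acquisition verified, tampering detected"
```

On a real case the source would be a block device such as /dev/sdb and the chunk size 5G as in the guide's description; everything else stays the same.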
The figure below illustrates using Foremost to recover data from a mobile device:
Figure: Foremost to recover data from mobile device

Severity of incident or breach

Each incident must be classified according to the magnitude of the incident and the types of data that have been compromised in order to prioritize incidents effectively. The scope of the incident is more than just how prevalent it is, and the factors to examine may be more diverse than you think. The sections that follow go through the factors that influence incident severity and prioritization.

Scope

The scale of the occurrence is determined by how prevalent it is. Is this a single-device issue, or is it a malware infestation that has already spread throughout a subnet? The extent of the event must be determined early on because it will determine the amount of resources to devote to it and, in most cases, the escalation procedures. The impact is likewise tied to the scope, in that as the scope expands, the impact expands as well.

Impact

The impact of an incident is directly related to the criticality of the resources involved.

System process criticality

Some assets are systems that offer access to information rather than the information itself. These systems or groupings of systems are referred to as critical systems when they give access to data that is necessary to continue doing business. While it is easier to value physical assets like servers, routers, switches, and other devices, their worth is greater than the hardware replacement cost in circumstances where these systems give access to important data or are necessary to continue a business-critical operation. The assigned value should be increased to reflect the system's role in providing data access or in allowing a critical operation to continue.

Cost

The value of the assets involved determines the economic impact of an incident. It can be difficult to determine those values, especially for intangible assets like plans, drawings, and recipes.
Computers, facilities, materials, and staff are examples of tangible assets. Intellectual property, data, and corporate reputation are examples of intangible assets. The asset’s value should be assessed in light of the asset owner’s perspective.
The following considerations can be used to determine an asset's value:
- Cost that competitors would pay for the asset
After determining the value of assets, you should determine the vulnerabilities and threats to each asset.

Downtime

One factor to consider is the amount of downtime that an incident could cause, as well as the time it will take to recover from the incident. If you have built a proper business continuity strategy, you will already have collected information about each asset that helps classify incidents affecting it.

Legal ramifications

While the legal repercussions of a security incident can be costly to a business, the public relations harm can be even more costly if the organization is perceived by the general public to have mishandled the issue or been less than forthcoming about it.
Furthermore, the impact is amplified when an organization operates in a regulated area such as the medical, financial, or retail sectors, which are subject to even stronger data restrictions (for example, HIPAA, GLBA, and PCI-DSS). In addition, organizations should ensure that law enforcement officials are involved in all investigations at the right time.

Post-incident response

When an incident has been wrapped up, there is still work to be done. While it's tempting to move on, you are not done until the paperwork is done, so let's talk about that follow-up work.

Root-cause analysis

In many circumstances, security professionals don't fully comprehend how or why an issue is occurring and simply want it to go away; later, even though they still don't know what happened, they are relieved that it is gone. This also applies to attack vectors on occasion. Security experts may have thwarted an attack and possibly removed the attacker from the environment, but they may not have fully understood how the assault progressed and worked. In situations like this, you can't just ignore the problem; otherwise, you risk falling victim to the same attack or device issue again. You must devote time to determining the root cause of the problem or attack.

Lessons learned

Almost every security incident teaches you something about the situation that necessitates improvements to your environment. You must then take corrective action to either address the new danger or make changes to address an identified vulnerability.
A lessons-learned report should be the first document to be written. It briefly summarizes and discusses what is now known about the attack or the previously unknown environment. Shortly after the incident, a formal meeting should be held to compile this report. This report contains significant information that may be used to improve the organization’s security posture.
This report might answer questions such as the following:
- What went right, and what went wrong?
- How can we improve?
- What needs to be changed?
- What was the cost of the incident?

After-action report

The lessons-learned report may generate a number of changes that should be made. An after-action report drives the process of handling these changes. It leads to changes in other documents as well.

Change control process

A number of adjustments to the network infrastructure may be required. All of these modifications should go through the regular change control process, regardless of how necessary (or minor) they are. They should be presented to the change control board, where they will be scrutinized for unintended consequences and evaluated for proper integration into the current environment. They should only be introduced after receiving approval. When time is of the essence, you might find it useful to construct a "rapid track" for evaluation in your change management system for changes like these.

Conclusion

The lessons-learned exercise may also reveal weaknesses in the security incident and response plans themselves. If this is the case, the plans need to be amended to reflect the necessary procedure adjustments. Then, once it's finished, double-check that both software and hard-copy versions of the plan have been updated so that everyone is working with the same data when the next event occurs.
In this guide, we discussed the organization’s capacity to act quickly and address a wide range of security challenges based on well-planned incident response, a strong team, and suitable security technologies and processes.
Damage, service outages, data theft, loss of reputation, and potential liabilities are all reduced as a result.