By Fatskills Exam Guides Team
Domain Objectives
4.1 Explain the importance of the incident response process.
4.2 Given a scenario, apply the appropriate incident response procedure.
4.3 Given an incident, analyze potential indicators of compromise.
4.4 Given a scenario, utilize basic digital forensics techniques.

Objective 4.1 Explain the importance of the incident response process

Incident response (IR) is one area you must get right the first time. If an incident (a negative event affecting the organization's systems or data) happens, you do not get a second chance at the response. A botched response can lead to data loss, financial loss, and loss of reputation, and can even put a company out of business. That is why the incident response process must be carefully planned, documented, practiced, and mastered in advance. In this domain we look at several critical areas: the incident response process itself, response procedures, indicators of compromise, and incident forensics. The response lifecycle covers detection and analysis, containment, eradication, and recovery, followed by post-incident review (the phases described in NIST SP 800-61), and we look at each in turn.

Critical Incident Response Processes
Several critical processes make up incident response, and if any one of them fails, the entire containment and recovery effort can fail with it. Organizations must plan carefully for an incident and hope they never need the plan. Two processes that are not tied to any single phase of the lifecycle are communications and coordination. They matter during detection, containment, and recovery alike; without effective communications and coordination, the response will fail.

Communications Plan
Communication is vital for the entire response, but it has to be planned; it does not happen on its own, and it cannot be improvised for each of the hundreds of situations an incident can produce. The communications plan is a core part of the overall incident response plan. It details how information flows up and down the chain of command, laterally within the organization, and to external agencies. It should be worked out and agreed upon by management and the incident response team in advance, and everyone with a role in the response should know it. Its key elements, covered in the following sections, are limiting information to those with a need to know, disclosing incident details to regulatory agencies when required, protecting incident information from unauthorized access, using secure methods of communication, and reporting incident details.

Limiting Communication to Trusted Parties
Information about an incident should be closely guarded for its duration. Adversaries, whether competitors or malicious outsiders, can use that information against the organization: to damage its reputation, or to take advantage of an ongoing incident and cause further harm to its assets. An attacker who learns they have been detected may also change tactics, destroy evidence, or accelerate toward their objective. Even entities without malicious intent are best kept out of the loop early on, because premature disclosure can cost customer confidence, create unnecessary panic and second-guessing within the organization, and expose the organization to additional risk, including legal liability.
Incomplete or inaccurate information that leaks before the investigation is complete also invites unneeded speculation. The relevant facts will be disclosed to the right people in due time, but in the early stages, while the organization is still determining what happened and how to contain it, and until it has definitive facts to report to internal customers and external stakeholders, information must be tightly controlled. Initially it should be limited to personnel with a valid need to know: senior management, incident responders, and only those others with a direct role in containment or recovery. Depending on the incident, this may include the legal department, the security department, the information technology group, human resources, and the business unit that was targeted. When the situation or regulations require it, law enforcement or regulatory agencies should be notified once the organization has enough facts to make a report.

Disclosing Based on Regulatory/Legislative Requirements
Some information about an incident must be disclosed under statute or regulation. For example, the HIPAA Breach Notification Rule requires that affected individuals be notified of a breach of unsecured protected health information without unreasonable delay, and no later than 60 days after discovery, regardless of how many records are involved. If the breach affects 500 or more individuals, the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) must be notified within that same 60-day window and prominent media outlets serving the affected area must also be notified; breaches affecting fewer than 500 individuals are logged and reported to HHS annually. Financial laws and regulations likewise require breach notifications for loss of financial data, and state breach-notification laws require that affected individuals be notified.

Certain incidents may also require notifying law enforcement, particularly if the incident involves loss of life or jeopardizes public safety. In the United States, the Federal Bureau of Investigation (FBI) is the agency to notify when an incident involves suspected espionage or terrorism. Beyond regulatory requirements, organizations may have contracts or agreements with other entities that require prompt notification of a breach or other incident. To ensure the organization meets its obligations for incident disclosure, senior management should ensure the following:
- Governance requirements regarding incident notification are understood and complied with through policy.
- The legal department has a plan in place to notify legal or regulatory agencies in the event of an incident.
- All personnel are aware of their legal and ethical obligations to report details of an incident to senior management.

Preventing Inadvertent Release of Information
As discussed earlier, information about an incident must be kept confidential within the organization. Releasing incomplete or inaccurate information can cause panic or unnecessary speculation. Even accurate information should be released only to certain individuals or entities in a certain order and time frame; releasing it out of that order may expose the organization to legal or civil liability.
To prevent accidental release of sensitive information about the incident, the organization should always do the following:
- Limit information to those who need to know.
- Have an approved communications plan that details who in the chain of command and on the IR team is authorized to know details of an incident.
- Appoint a senior manager as the single focal point for the release of information.
- Vet and approve any information released to the public or to external entities.
- Make sure everyone understands how to handle sensitive information about the incident.

Using a Secure Method of Communication
E-mail is not necessarily a secure form of communication, and neither is the telephone. E-mail can be intercepted and read, particularly when it is neither encrypted nor authenticated, and telephone calls can be intercepted, overheard, and recorded. Both can still be used during an incident provided the proper precautions are taken. Keep in mind, though, that the organization's own communications infrastructure may be part of what is compromised: if the attacker has a foothold on the corporate network or mail system, Voice over IP (VoIP) calls and unencrypted e-mail about the response may be read by the very intruder you are trying to remove. For this reason, response plans usually designate an out-of-band channel, agreed on before any incident, for coordinating the response (for example, personal mobile phones, an end-to-end encrypted messaging app, or a separate system not joined to the corporate domain). The organization must plan for secure communications during the incident, particularly when transmitting sensitive information to different parties.

The organization should take the following precautions when communicating sensitive information about the incident:
- Use encryption whenever possible, particularly on nonsecure channels such as e-mail.
- Authenticate the recipient; for instance, if e-mailing details of the incident, use PKI certificates (S/MIME signing and encryption) for positive identification and authentication.
- Encrypt sensitive data about the incident while it is in storage, with restricted permissions on the files.
- Label sensitive data per the organization's data sensitivity and classification policies.

Reporting Requirements
The communications plan should state how the incident response team and other entities report containment progress and other relevant information to management. Early in an incident this could be hourly or daily, depending on severity; later it may be at regularly scheduled intervals or status meetings; after the incident, it means developing and coordinating the final incident report for management.
All personnel and departments involved in the incident should, at minimum, report the following:
- Labor hours spent on the incident response process
- Expenses incurred for incident response
- Any issues that would prevent an effective response
- Immediate threats to life or safety
- Threats to data or equipment
- Requests for information from any external entities or any other unauthorized personnel

Note: The communications plan is one of the most critical processes before, during, and after an incident. Without a solid communications process in place, the incident response is likely to fail.

Response Coordination with Relevant Entities
When assembling an incident response team, the organization should include its more experienced technical staff, but the team is more than technical personnel. Experts from a variety of areas should be on the team or represented on it: human resources, accounting, legal, security, and public relations, plus anyone else management deems critical to an effective response. In addition to contributing expertise, these members serve as liaisons to their own departments, providing information and coordination. A response is rarely limited to internal personnel; many different entities are involved at various stages, as the following sections describe.

Internal and External Entities
Whether an entity is internal or external to the organization, it may play a critical role in the response, and in either case effective, concise communication and coordination are critical.

Senior management should appoint a spokesperson for the team who is responsible for coordination within the organization, using team members from different areas as liaisons when the team needs assistance from those areas. Management should also appoint a point person for external entities such as law enforcement, the media, regulatory bodies, customers, partners, and suppliers. This should be someone who knows both the incident and the applicable laws and regulations, communicates well, and can work with external organizations to gain their assistance and trust. The organization also needs a public relations person to deal with the media, external customers, and trusted partners, passing the right information to the right people, but only what they need to know and when they need to know it. Any coordination with external entities should be approved in advance by the senior manager in charge of the response.

Senior Leadership
Senior management must always be in the coordination chain. Often a senior manager in charge of the response, if not the incident response team leader, coordinates all aspects of the response, internal and external, and assigns team members to roles such as public relations or law enforcement liaison as their expertise is needed. Senior management must be kept informed of all aspects of the incident promptly and given information that is as complete and accurate as possible. Decisions involving large expenditures, excessive labor hours, or coordination with outside resources should be approved by the senior manager in charge.

Legal Department
The legal department has a critical role in incident response.
While legal staff are not restoring servers, reverse-engineering malware, or handling user issues, they deal with all the legal aspects of an attack. They are the primary office of responsibility for certain external agencies, such as law enforcement and regulators (discussed in upcoming sections), and they advise management on the legal and ethical aspects of the response: evidence collection, chain of custody, privacy issues, and so on. They assist human resources when an internal employee may be responsible for the incident, advise management on potential liability, and negotiate or enforce contracts with third parties regarding service levels during an incident, breach notification, and other issues. Typically the incident response team has a "go-to" person on the legal team who is versed in law, ethics, and the particulars of incident response, knows the legal responsibilities of all internal and external parties, and facilitates coordination among them. That person may also be the focal point for any law enforcement investigation that follows an incident.

Law Enforcement
Law enforcement is an external third party to the incident response and is called in only on a decision by senior management and the legal department, based on information indicating that a criminal offense may have caused the incident or occurred during it. Law enforcement investigates the criminal aspects of an incident and is expected to collect, secure, and analyze evidence related to it.

The decision to call law enforcement is not one to take lightly. Senior management and the legal department consult with the incident response team to determine whether a crime may have been committed; the team does not have to conclusively rule out accident or negligence on the part of employees before doing so. Once law enforcement is involved, the investigation, and possibly part of the response, may be taken over by that agency, whose requirements for investigation and response may be considerably more restrictive than the organization's. For evidence to hold up in court it must be preserved and collected in a forensically sound way with a documented chain of custody, which is why law enforcement, once involved, usually directs or supervises evidence preservation and collection as part of the overall investigation. Cybersecurity analysts may be asked to assist officers by providing detailed information about the infrastructure, how it is designed, and the particulars of the incident.

Regulatory Bodies
Compliance is a major issue in most modern organizations. Governance requirements are passed on to the organization by laws and regulations and monitored by regulatory agencies. The organization must comply with these requirements, and they frequently require notifying a regulatory body in the event of an incident, particularly one involving a breach or unauthorized disclosure of protected data. Examples include HHS's Office for Civil Rights for healthcare data under HIPAA; the Securities and Exchange Commission (SEC) for publicly traded companies, which since 2023 must disclose material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material; and, for payment card data, the card brands and acquiring banks that enforce the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a contractual obligation rather than a law, but it still carries notification requirements when an incident involves cardholder data or a network that processes it.
Most regulatory bodies have specific reporting timelines and data loss thresholds that must be considered in the event of an incident or breach.

Human Resources
The human resources (HR) department has a key role if an employee may have caused an incident, whether by accident, through negligence, or with malicious intent. HR can determine whether specific employees were properly trained, held the appropriate clearance or authorization, and had a job role requiring access to any potentially compromised systems or data, and can provide relevant information on an employee's background or disciplinary record. If there is sufficient evidence that an employee violated security policies and caused the incident, HR guides senior management on how the employee may be disciplined or terminated. More routinely, HR provides senior management with information on incident response labor costs and categories, manages overtime for response personnel, and ensures that exceptional performers are recognized for their actions during the incident.

Public Relations
The public relations team is the direct liaison with the public, including the media, customers, and other external entities, and provides them information approved by senior management. Besides being the official source of approved information, they dispel rumors and manage the organization's public image during and after the response. The public relations team should be part of the incident response meetings and communication chain.

Although they may know more than they can disclose, their job is to take whatever information senior management approves for public release and convey it to the appropriate external entities, such as the media. People on the public relations team should therefore be highly trusted, cleared for all levels of information, and kept in the loop about the response.

Exam tip: You should understand the different internal and external entities that are part of the incident response team or assist in the response, and how each is used.

Factors Contributing to Data Criticality
As part of routine business operations, organizations should develop data sensitivity and criticality policies and procedures; external governance from regulatory agencies often requires them. Knowing which information is sensitive or critical lets the organization prioritize it for routine protection and for response during an incident. Different types of data have different protection requirements, so they may be protected at different levels and restored into operation in order of their criticality to business processes.

High-Value Assets
The organization must determine which of its assets (systems, data, equipment, and even personnel) are the most critical and valuable to its business, typically through several processes. First, a business impact analysis (BIA) helps determine which systems and data are most critical to specific business processes: the organization identifies its critical processes and then the critical systems and data that support them. These are the assets that must be protected the most and restored the fastest during an incident.
The organization can also use risk management to determine which systems and data are more likely to be affected by a potential incident and what the impact would be if they were. Finally, compliance requirements can drive the identification of critical assets. The NIST Risk Management Framework (RMF), for example, requires a system categorization step in which each information type processed on a system is rated low, moderate, or high for confidentiality, integrity, and availability (per FIPS 199), and the system's overall category is the highest rating across all of its information types and all three objectives (the "high water mark"). However the organization determines its high-value assets, it must record them in its business continuity and disaster recovery plans and prioritize them for both protection and recovery during an incident. Examples of high-value assets include critical servers, network infrastructure devices, and high-value data. High-value data may include competition-sensitive or proprietary data on formulas or processes, personnel data, customer data, and so on. Any data considered critical or sensitive for any reason should be protected to the maximum extent possible. Protection mechanisms for sensitive or critical data include the following:
- Controlled access to data (only authorized personnel)
- Encryption for both data in transit and data at rest, to ensure confidentiality
- Redundant systems and data backups, to ensure availability
- Integrity controls (hashes, signatures, write-once storage) to detect whether data has been modified during an incident
The following sections discuss some of these high-value assets.

Personally Identifiable Information (PII)
Personally identifiable information (PII) is a special categorization of data that relates to an individual. This is a legal designation for data that can be used to identify an individual, such as Social Security number, passport number, taxpayer identification number, driver's license number, name, address, date of birth, and similar elements. Most data privacy laws require organizations to protect this information by masking it, restricting access to authorized individuals who can be trusted to protect it from unauthorized disclosure, and implementing strong security controls such as encryption and authentication. During an incident the organization should, as with other high-value assets, ensure that PII is protected in transit and in storage while remaining available to the authorized employees who process it, and take steps to ensure it is not inadvertently released to an attacker or the public.

Personal Health Information (PHI)
Like PII, personal health information (PHI; HIPAA's own term is protected health information) is a legally defined category of information protected under statute. HIPAA and its Privacy and Security Rules require covered entities and their business associates to protect PHI against unauthorized disclosure or loss. Certain classes of health information receive even stronger protection: psychotherapy notes under HIPAA, and substance use disorder treatment records under 42 CFR Part 2. Organizations using and storing PHI should ensure that their controls are strong enough to protect it from inadvertent disclosure or malicious attack: encryption for data at rest, strong access controls, strong authentication, and detailed auditing of access to PHI. During an incident, PHI must be protected not only from an attacker or the public but also from members of the incident response team who are not authorized to see it.
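The protection mechanisms listed before the PII section above (integrity controls, and restricted permissions on incident data at rest) are easy to state and easy to skip in the heat of a response. The following Python example is added here and is not from the study guide: it builds a SHA-256 manifest of everything in an incident working directory, signs the manifest with an HMAC key held by the response lead, tightens every file to owner-only (0600) permissions, and later verifies that nothing was altered, removed, or added. The directory contents, file names (MANIFEST.json, MANIFEST.sig) and the key are constructed for the demonstration; in practice the key would live outside the directory (in a vault or on the responder's hardware token), the manifest would be produced at collection time, and verification would run whenever the records change hands. Encryption at rest is left to the platform (full-disk or volume encryption), since the standard library has no cipher.

```python
"""Integrity manifest for incident records (added example, stdlib only).

Assumed layout: one working directory per incident; the HMAC key is
supplied by the caller and stored elsewhere. File names are assumptions."""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"   # assumed name, not from the page
SIG_NAME = "MANIFEST.sig"         # hex HMAC-SHA256 over the manifest bytes
OWNER_ONLY = stat.S_IRUSR | stat.S_IWUSR   # 0o600


def _sha256(path):
    """Stream the file so large captures do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _artifacts(root):
    """Every regular file under root except the manifest and its signature."""
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name not in (MANIFEST_NAME, SIG_NAME):
            yield path


def build_manifest(incident_dir, key):
    """Hash all artifacts, restrict them to the owner, write and sign the manifest."""
    root = Path(incident_dir)
    files = {}
    for path in _artifacts(root):
        os.chmod(path, OWNER_ONLY)
        rel = path.relative_to(root).as_posix()
        files[rel] = {"sha256": _sha256(path), "size": path.stat().st_size}
    manifest = {"version": 1, "files": files}
    # Canonical JSON so the signature is stable across runs and platforms.
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    (root / MANIFEST_NAME).write_bytes(body)
    (root / SIG_NAME).write_text(hmac.new(key, body, hashlib.sha256).hexdigest())
    os.chmod(root / MANIFEST_NAME, OWNER_ONLY)
    os.chmod(root / SIG_NAME, OWNER_ONLY)
    return manifest


def verify_manifest(incident_dir, key):
    """Return (ok, problems). Checks the signature first, then every artifact."""
    root = Path(incident_dir)
    body = (root / MANIFEST_NAME).read_bytes()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    actual = (root / SIG_NAME).read_text().strip()
    if not hmac.compare_digest(expected, actual):
        # Manifest edited or wrong key: the per-file hashes cannot be trusted.
        return False, ["manifest signature mismatch"]
    listed = json.loads(body)["files"]
    problems = []
    for rel, meta in listed.items():
        path = root / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif _sha256(path) != meta["sha256"]:
            problems.append(f"modified: {rel}")
    for path in _artifacts(root):
        rel = path.relative_to(root).as_posix()
        if rel not in listed:
            problems.append(f"unlisted: {rel}")
    return not problems, problems


def run_demo():
    """Constructed incident directory: build, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes").mkdir()
        # Constructed sample records, not real case data.
        (root / "notes" / "timeline.txt").write_text(
            "09:12 EDR alert on WS-17: suspicious rundll32 child process\n")
        (root / "ws-17-memory.sha256").write_text("constructed-placeholder\n")
        key = b"demo-only key; keep the real one in a vault"
        build_manifest(root, key)
        ok_before, _ = verify_manifest(root, key)
        mode = stat.S_IMODE((root / MANIFEST_NAME).stat().st_mode)
        # Someone "tidies up" the timeline after the fact.
        with (root / "notes" / "timeline.txt").open("a") as fh:
            fh.write("09:30 alert closed as false positive\n")
        ok_after, problems = verify_manifest(root, key)
        wrong_key_ok, _ = verify_manifest(root, b"wrong key")
        return ok_before, mode, ok_after, problems, wrong_key_ok


if __name__ == "__main__":
    print(run_demo())
```

The signature is checked before any per-file hash is compared, because an attacker who can edit the manifest could otherwise simply rewrite the hashes to match; a keyed HMAC rather than a bare hash is what stops that, and the key must therefore not sit beside the records it protects.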
Special Protected Information (SPI)
Special protected information is the study guide's name for what the European Union's General Data Protection Regulation (GDPR) calls "special categories of personal data" (Article 9); other privacy regulations define similar categories. It differs slightly from PII: it is information about individuals, but not the kind that readily identifies them. It is highly personal information such as sexual orientation, religious or political affiliation, trade union membership, racial or ethnic origin, and health, genetic, or biometric data. By itself this might not be harmful, but linking it to an individual can cause harm through harassment, embarrassment, or even arrest in certain countries. This category is not uniformly protected in the United States, although some state privacy laws now define "sensitive personal information" in similar terms. Note that GDPR applies based on where the data subjects are, not on their citizenship: if your organization offers goods or services to, or monitors the behavior of, people in the EU, GDPR may legally apply to you, and you must protect this information while it is in your possession, particularly during an incident that could release it.

Financial Information
The need to protect financial information, both individuals' and the company's, is obvious. It should be treated as a high-value asset that is proprietary and confidential; inadvertent release could subject the organization to serious legal liability and give competitors information that can harm it. Corporate financial information includes revenue, profit, expenditures, asset valuation, contracts, labor rates, and so on. The organization is also responsible for protecting financial information belonging to individuals, such as payroll data, company stock information, 401(k) and other retirement data, and any other information about individuals' finances.

Organizations that have a duty to protect personal financial information, including banks, brokerages, and other financial institutions, would violate several laws if that information were breached during an incident. As with all other high-value information, financial information must be protected against unauthorized disclosure or loss during an incident, and team members from the finance department should take special care to ensure that company financial records are secured and backed up.

Intellectual Property
Intellectual property is a high-value asset consisting of sensitive data about an organization's processes, methods, and ways of conducting its business. A company develops it to compete in its market and maintain its competitive edge; if it were released, the company could suffer financial loss because others could use its methods and processes to build competing products. Several types of intellectual property must be protected:
- Trade secrets are not known to the general public and relate to the organization's processes and methods of creating products or performing services.
- Patents are publicly disclosed but legally protected inventions, processes, or designs that an inventor has registered with the government.
- Copyright protects original works of authorship: literary, dramatic, musical, artistic, and so on.
- Trademarks are names, slogans, or symbols the organization uses to identify its brand; they can be legally registered and protected.
Beyond these categories, intellectual property can be anything the organization develops internally and uses in its day-to-day business.
This could include media files, PowerPoint slide decks, policies and procedures, methods of writing contract proposals, and so on. During an incident, these types of high-value data should be protected against unauthorized access, loss, or destruction, because without them the organization could suffer serious losses to its business.

Corporate Information
Sensitive corporate information could be considered intellectual property, but it usually does not fall neatly into trade secrets, copyrights, patents, or trademarks. It should still be protected to the level of sensitivity set by the data sensitivity and criticality policies. Examples include the following:
- Human resources processes and procedures, such as employee evaluations
- Internal reorganization plans
- Raises, promotions, and demotions
- Meetings with customers or suppliers
- Accounting or budget processes
Some of this may seem unimportant or benign, but it can still give a competitor, or an attacker building a pretext for social engineering, an edge in understanding the organization's internal processes.

Exam tip: Make sure you understand the different categories of information, particularly those mandated by governance, such as PII and PHI. Any information type that requires protection under the law should be protected to the maximum extent possible.

REVIEW
Objective 4.1: Explain the importance of the incident response process
In this chapter, we discussed the critical incident response processes of communications, response coordination, and data criticality. Communication is one of the most critical processes during a response.

The communications plan should include provisions for limiting information about the incident to trusted parties, keeping in mind mandatory disclosures under regulatory or legislative requirements, ensuring the protection of information, and preventing its inadvertent release. It should also specify a secure method of communication that is both encrypted and authenticated, and any mandatory reporting requirements, particularly those based on governance. The incident response is not limited to the incident response team in the server room: several internal and external entities must be coordinated with on different aspects of the response. Senior leadership must be involved in all communications and decision-making. The legal department is the point of contact for coordination with law enforcement or regulatory bodies. Law enforcement investigates an incident when it is probable that a criminal act has occurred. Regulatory bodies get involved due to compliance requirements and must be informed of an incident that results in a breach. Human resources should be an integral part of the team if an employee is suspected of causing or being involved in the incident, and also advises management on labor categories and potential overtime hours for team members. Finally, public relations releases approved information to the media and other external entities, dispels rumors, and corrects wrong information. Data criticality matters because the organization must categorize its information assets based on asset value and criticality to its business and mission processes.

High-value assets could be any number or type of systems and data but are typically those whose loss or unauthorized disclosure would harm the organization. Some data types, such as personally identifiable information and personal health information, are protected under regulations or statutes; special protected information is protected under other regulations, such as GDPR. Corporate financial information includes revenue, profit, loss, asset valuation, and so on. Intellectual property typically includes trade secrets, patents, copyrights, and trademarks. Even information that seems harmless, such as internal processes and procedures, should be protected from unauthorized disclosure during an incident.