What is incident response?

What is incident response?
Incident response is an organization's process and technologies for detecting and responding to cyberthreats, security breaches, or cyberattacks.

What does a formal incident response plan enable cybersecurity teams to do?
A formal incident response plan enables cybersecurity teams to limit or prevent damage.

What are the two goals of incident response?
The two goals of incident response are to:

  1. Prevent cyberattacks before they happen.
  2. Minimize the cost and business disruption resulting from any cyberattacks that occur.

What is incident response the technical portion of?
Incident response is the technical portion of incident management.

What three things does incident management involve besides incident response?
Besides incident response, incident management also involves three things:

  1. Executive management.
  2. Human Resources.
  3. Legal management.

How should an organization define their incident response processes and technologies?
An organization should define their incident response processes and technologies in a formal Incident Response Plan (IRP).

What should an Incident Response Plan (IRP) specify?
An IRP should specify how different cyberattacks should be identified, contained, and resolved.

What three things can an effective Incident Response Plan (IRP) allow for?
An effective IRP can allow for three things:

  • Incident response teams detecting and containing threats.
  • Restoring affected systems.
  • Reducing lost revenue, regulatory fines, and other costs.

What does IBM's Cost of a Data Breach Report say having an Incident Response Plan (IRP) can enable?
IBM's Cost of a Data Breach Report says that having an IRP can enable organizations to reduce the cost of data breaches by almost half a million US dollars on average.

What are security incidents?

What is a security incident?
A security incident is any digital or physical breach that threatens the confidentiality, integrity, or availability of an organization's information systems or sensitive data.

Examples of types of security incidents
  • Intentional cyberattacks by hackers.
  • Unintentional violations of IT security policy by legitimate authorized users.

Examples of security incidents
  • Ransomware.
  • Phishing and social engineering.
  • DDoS attacks.
  • Supply chain attacks.
  • Insider threats.
  • Privilege escalation attacks.
  • Man-in-the-middle attacks.

Ransomware

What is ransomware?
Ransomware is a type of malware that locks up a victim's data or computing device and threatens to keep it locked unless the victim pays a ransom.

What two things does IBM's X-Force Threat Intelligence Index report about ransomware?
Two things that IBM's X-Force Threat Intelligence Index reports about ransomware are:

  1. It is used in 20% of network attacks.
  2. Extortion-based attacks are a driving force in cybercrime.

Phishing and social engineering

What are phishing attacks?
Phishing attacks are digital or voice messages that try to manipulate recipients into sharing sensitive information or taking some damaging action.

What do phishing messages look or sound like?
Phishing messages look or sound like they came from a trusted or credible organization or individual.

What are the two most prevalent attack vectors according to the IBM Cost of a Data Breach report?
According to the IBM Cost of a Data Breach report, the two most prevalent attack vectors are:

  1. Phishing.
  2. Stolen or compromised credentials.

What is the most common form of social engineering?
The most common form of social engineering is phishing.

What is social engineering?
Social engineering is a class of attack that hacks human nature, rather than digital security vulnerabilities, to gain unauthorized access to sensitive personal or enterprise data or assets.

DDoS Attacks

What happens during a Distributed Denial-of-Service (DDoS) attack?
During a DDoS attack, hackers gain control of a large number of computers and use them to overwhelm a target organization's network or servers with bogus traffic in order to make them unavailable to legitimate users.

Supply chain attacks

What are supply chain attacks?
Supply chain attacks are cyberattacks that infiltrate a target organization by attacking its vendors.

Insider threats

What are the two types of insider threats?
The two types of insider threats are:

  1. Malicious insiders - Employees, partners, or other authorized users who intentionally compromise an organization's information security.
  2. Negligent insiders - Authorized users who unintentionally compromise security by failing to follow security best practices.

Privilege escalation attacks

What happens during a privilege escalation attack?
During a privilege escalation attack, an attacker first gains limited privileges in a system and uses those to move laterally in order to receive higher privileges and gain access to more sensitive data along the way.

What can an attacker use to make their initial entry or boost their privileges?
To make their initial entry or boost their privileges, an attacker can use stolen credentials.

What is the most common way that attackers breach systems according to IBM's X-Force Threat Intelligence Index?
According to IBM's X-Force Threat Intelligence Index, the most common way that attackers breach systems is abuse of valid accounts.

Man-in-the-middle (MITM) attacks

What happens during a Man-In-The-Middle (MITM) attack?
During an MITM attack, a threat actor intercepts communication

What two things can an attacker do with intercepted communication during a Man-In-The-Middle (MITM) attack?
Two things an attacker can do with intercepted communication during an MITM attack are:

  1. Use the stolen information directly.
  2. Inject malware to be forwarded to the intended recipient.

Incident response planning

Who creates and executes the Incident Response Plan (IRP)?
The IRP is created and executed by a Computer Security Incident Response Team (CSIRT).

Who makes up a Computer Security Incident Response Team (CSIRT)?
A CSIRT is made up of stakeholders from across the organization.

...