الرشودي صح | خطاء

Incident Handling is the well-defined course of action whenever a computer or network security incident occurs

According to the Computer Security Incident Handling Guide by NIST, only events with negative consequences are considered security incidents

System crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of destructive malware are examples of security incidents

SOC teams or CSIRT teams often suffer from alert fatigue

Incident handling is not limited to intrusions and also includes dealing with malicious insiders, availability issues, and loss of intellectual property

As an incident handler, one of your daily activities is discussing how an attacker attempted or managed to break into a system

An incident handler should have a good understanding of attacker techniques, tactics, and procedures, including the stages of the cyber kill chain

Incident handlers can anticipate attacks and propose defensive measures against them without understanding attacker techniques

The incident handling process consists of four phases: preparation, detection & analysis, containment, eradication & recovery, and post-incident activity

The four phases of the incident handling process are also known as the incident response life cycle

The Preparation phase of the incident handling process does not focus on an organization's incident handling readiness

Skilled response teams, IT security training, and security awareness exercises are part of the Preparation phase

Well-defined policies and well-defined response procedures are essential for incident handling preparation

The legal department's advice is not required to ensure the right to monitor and collect evidence during incident handling

he Detection & Analysis phase of the incident handling process involves detecting incidents and analyzing the gathered information

Means of detection in the Detection & Analysis phase include sensors, personnel, information sharing, threat intelligence, and network segmentation

An incident handler should logically categorize the network into levels such as network perimeter, host perimeter, host-level, and application-level for effective detection.

Detection at the network perimeter level involves analyzing packets crossing the network, such as using firewalls and NIDS

Detection at the host perimeter level does not involve analyzing data a host receives from or sends out to the network, such as using local firewalls or HIPS

Redundancy in detection is important, and performing redundant checks using different tools or commands can enhance the accuracy of findings

Static Acquisition is the acquiring process of data that are volatile

Dynamic Acquisition is the acquiring process of data that are volatile

Detection at the host level occurs whenever we analyze data residing in the network

Detection at the application level occurs whenever we analyze application logs

When it comes to detection, “Redundancy” is a good thing

Detection at the network perimeter level occurs whenever we analyze data a host receives from the network or sends out to the network

Firewalls, internet-facing NIDS, IPS, DMZ systems, etc. can assist such detection activities

When it comes to data acquisition, we have to consider the order of volatility