Create a 1- to 2-page IRP in Microsoft Word for an IT organization. In your plan, ensure you:
Incident response is the process of addressing and managing a cyber attack. The goal of an IRP is to handle the situation in a way that reduces damage, recovery time and cost. The incident response manager, here the director of IT, is responsible for prioritising actions during the detection, analysis and containment of an incident.
Roles and Responsibilities
An IRP has proven most effective at helping an organisation respond to incidents when these three functions are in place:
1. The Computer Security Incident Response Team (CSIRT)
The CSIRT is the group of individuals responsible for executing the technical functions of the IRP. CSIRT members are responsible for the detection, containment and eradication of cyber incidents on the affected IT systems.
A CSIRT can follow one of three staffing models:
- Employees: the organisation conducts all incident response-related activities itself, without guidance from external parties.
- Partially outsourced: the organisation outsources certain elements of its response-related activities to external parties (commonly 24x7 monitoring or forensic analysis) while keeping the rest in-house.
- Fully outsourced: the organisation outsources all elements of its response-related activities to external parties, normally retaining an internal contact who owns the contract and the final decisions.
Important factors for setting up a CSIRT:
2. The Legal Expert
The legal expert provides the judicial expertise the process needs. Legal experts are required in many critical roles throughout the IRP, especially during the drafting of policies, plans and procedures. Their role is to provide guidance and assurance from the formation of the mission statement through to actual incident handling. During the formulation of policies and plans, the lawyers inform decision-makers about legal requirements (for example breach notification obligations and evidence-handling rules). Overall, legal experts are concerned with being able to demonstrate due care at all times by ensuring the adequacy of the rules for handling confidential information, evidence and documentation. In doing so, they proactively defend the organisation against liability.
3. The Public Relations/Communications Expert
It is important for an organisation to have a single point of contact with the media. This is handled most effectively by a public relations expert trained in developing precise and impactful press releases, who updates the media on the work of the CSIRT and any remedial action taken. The public relations expert must be properly trained on information disclosure and must be aware of the organisation's policies, so that nothing is released that could compromise the investigation or breach a legal obligation.
Discuss the critical activities for each of the 5 phases in the incident response process.
5 Critical Steps of the Incident Response Process
1. Preparation: This is one of the most important phases, because the pace of a cyber incident is too fast for ad hoc response and decision-making. A strong plan must be in place to support the entire team in performing its tasks. These features should be included in an incident response plan:
2. Detection and Reporting: The objective of this phase is to monitor security events (logs and alerts from network and endpoint sensors) in order to detect, alert on and report potential security incidents.
3. Triage and Analysis: The aim of this step is to understand the security incident that has taken place. Resources should be used to collect data from tools and systems for further analysis and to identify indicators of compromise. Analysts need in-depth skills and a detailed understanding of live system response, digital forensics, memory analysis and malware analysis.
4. Containment and Neutralisation: This is one of the most critical stages. The containment and eradication strategy is based on the intelligence and indicators of compromise gathered during the analysis phase; the goal is to cut off the attacker's access and remove the threat without destroying evidence.
5. Post-Incident Activities: There is more work to be done after the incident is resolved. The incident must be properly documented, with lessons learned fed back into the plan, in order to prevent similar occurrences in the future.
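As an added illustration of what the Detection and Reporting and Triage and Analysis phases look like in practice (example code written for this page, not taken from any product or from the original assignment), the following Python script implements a small SIEM-style correlation rule. It parses constructed SSH authentication log lines (sample data, not real), raises a medium-severity alert when five or more failed logins from one source fall within a one-minute window, escalates to high severity when a later successful login arrives from a source that already tripped the rule, and renders a short report with the indicators of compromise that would be handed to the CSIRT. The log format, the threshold and the window length are assumptions chosen for the example.

```python
"""Toy SIEM-style correlation rule: detect, alert on and report SSH brute force.

Added example for this page; the log format, threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one source hammers root and then gets in.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 5001 ssh2
2024-03-01T10:00:03 sshd[101]: Failed password for root from 203.0.113.5 port 5002 ssh2
2024-03-01T10:00:05 sshd[101]: Failed password for root from 203.0.113.5 port 5003 ssh2
2024-03-01T10:00:06 sshd[101]: Failed password for root from 203.0.113.5 port 5004 ssh2
2024-03-01T10:00:08 sshd[101]: Failed password for root from 203.0.113.5 port 5005 ssh2
2024-03-01T10:00:12 sshd[101]: Accepted password for root from 203.0.113.5 port 5006 ssh2
2024-03-01T10:05:00 sshd[102]: Failed password for alice from 198.51.100.7 port 6001 ssh2
2024-03-01T10:20:00 sshd[103]: Accepted publickey for bob from 192.0.2.10 port 7001 ssh2
"""

# Assumed line layout: ISO timestamp, sshd tag, "Failed|Accepted <method> for [invalid user] <user> from <ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

FAIL_THRESHOLD = 5             # failures from one source that trigger an alert (assumption)
WINDOW = timedelta(minutes=1)  # sliding window over which failures are counted (assumption)


def parse_events(text):
    """Turn raw log text into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events):
    """Run the correlation rules over events in time order and return alert dicts.

    Rule 1 (medium): FAIL_THRESHOLD or more failures from one source inside WINDOW.
    Rule 2 (high):   any later success from a source that already tripped rule 1.
    """
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still inside WINDOW
    flagged = set()                       # sources that have already tripped rule 1
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "Failed":
            q = recent_failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:  # drop failures older than the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)  # alert once per source, not on every further failure
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium", "src": src,
                               "user": ev["user"], "first_seen": q[0], "last_seen": ev["ts"],
                               "count": len(q)})
        elif src in flagged:
            # A success after a burst of failures is the signal triage cares about most.
            alerts.append({"rule": "success_after_bruteforce", "severity": "high", "src": src,
                           "user": ev["user"], "first_seen": ev["ts"], "last_seen": ev["ts"],
                           "count": 1})
    return alerts


def indicators(alerts):
    """Indicators of compromise (source IPs) to hand to the CSIRT, deduplicated and sorted."""
    return sorted({a["src"] for a in alerts})


def report(alerts):
    """Render the report passed from Detection and Reporting to Triage and Analysis."""
    highest = max((a["severity"] for a in alerts),
                  key=["low", "medium", "high"].index, default="none")
    lines = [f"{len(alerts)} alert(s), highest severity: {highest}"]
    for a in alerts:
        lines.append(f"[{a['severity'].upper()}] {a['rule']} src={a['src']} user={a['user']} "
                     f"count={a['count']} window={a['first_seen'].isoformat()}..{a['last_seen'].isoformat()}")
    lines.append("IOCs: " + ", ".join(indicators(alerts)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(detect(parse_events(SAMPLE_LOG))))
```

Running the script prints two alerts for 203.0.113.5 and a single IOC; the lone failure from 198.51.100.7 and the key-based login from 192.0.2.10 produce nothing, which is the point of correlating events over a window rather than alerting on every failed login. Alerting once per source and escalating on the later success keeps the report short enough for the triage step described above.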
List at least 3 cyber security tools that work together to monitor the organisation’s network for malicious and abnormal activity
1. SPLUNK ENTERPRISE SECURITY
Splunk Enterprise Security focuses on network threats and provides tools for threat detection. Users of this product can run threat-related analyses such as statistical analysis and anomaly detection. Splunk provides a SIEM-based security solution that recognises and reports on security threats through alerting, monitoring and analytical mechanisms applied to the event data it collects.
2. WEBSENSE TRITON
TRITON is a widely used security product that provides a comprehensive network security solution. It is capable of dealing with sophisticated security breaches by detecting and preventing known security risks. Websense Content Gateway is a web proxy and cache that provides content scanning and website classification. It also monitors employee access to dynamic, user-generated web content.
3. NEXPOSE
Nexpose helps build network security through vulnerability management. It allows network administrators to monitor and reduce high-risk exposure by using threat intelligence to prioritise the vulnerabilities most likely to be exploited. Nexpose offers flexible and scalable deployment and supports automated scanning to find policy violations, malware and misconfigurations within the network.