Incident Response

The fourth domain in the SSCP CBK is Incident Response and Recovery. This domain accounts for 13% of the SSCP exam.

The Incident Response and Recovery domain defines four (4) tasks that a certified SSCP should be able to perform:

  1. Participate in Incident Handling
  2. Understand and Support Forensic Investigations
  3. Understand and Support Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
    Emergency response plans and procedures

This is part 4 in a 7-part series on the (ISC)2 SSCP Common Body of Knowledge (CBK).

Remember: An SSCP who can recall this information will likely pass the exam, but the SSCP who can explain how these concepts are applied in real-world situations is more likely to get hired.


Participate in Incident Handling

Bad things happen. Organizations who prepare for these bad things are able to treat them as short term disruptions instead of business ending events.

Incident response is the process you follow after a bad thing (i.e., a security incident) occurs. Remember when we covered security events and security incidents in domain 3? Once you determine one or more events are signs of an incident (i.e., discovery), you put the security incident response plan into action.

NIST Special Publication 800-61 (rev 2), Computer Security Incident Handling Guide, outlines four (4) basic steps in the incident response lifecycle:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, & Recovery
  • Post-Incident Activity

Preparation is the process of putting all of the people, process, and technology in place to ensure you’re ready when an incident occurs. A few questions that will help you understand how prepared you actually are:

  • Who will be in charge during an incident?
  • Who needs to be involved in the resolution process?
  • Are your logging and monitoring controls effective enough to detect an incident?
  • How will you know when the incident has been contained?
  • Where will you document the incident (everything from identification to resolution)?

In your preparation, make sure you spend time discussing your escalation process. A security operations center (SOC) analyst may discover the incident, but that employee will not have the authority to make critical decisions during the response process. What if you need to take a business critical application offline? What if you need to engage law enforcement or notify your customers? Knowing when to escalate an incident will be very important in the long term.

Reporting and feedback loops (lessons learned) are an essential output of the incident response process. You should review documents that capture everything from how the incident was detected to how long it took to resolve in order to determine whether or not your current controls are effective. By educating the incident response team after each incident and improving your controls, you can reduce the likelihood and impact of potential future incidents.

A fundamental part of that improvement process is the implementation of countermeasures. Prior to the WannaCry global ransomware incident, far too many organizations did not understand the importance of patch management and current backups. As a result, those organizations who were able to recover likely invested the time and money in these two countermeasures to better protect themselves from future ransomware attacks.


Understand and Support Forensic Investigations

Digital forensics is the practice of analyzing and preserving evidence of an information incident or computer crime.

Containing the incident and minimizing the damage will be your initial focus. Afterwards, you may need to perform additional analysis to determine root cause. You may also need to present evidence to law enforcement if you intend to press charges or seek compensation for damages. Without forensically preserved evidence, those actions will be difficult at best and impossible at worst.

This is why the first responder should be trained in proper digital forensics techniques. The first responder is the employee who initially identifies the incident and has access to the impacted systems. If the first responder deletes or changes any critical data during the initial response, then the forensic process will have already been compromised.

Does NIST have guidance on digital forensics? Of course they do! Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response, contains more detail than you’ll need to know as an SSCP. However, there are a few key concepts that SSCPs should understand.

  • Evidence Handling – Responders need to make sure they have supplies on hand to help them capture evidence in a forensically sound manner. Simple things like notebooks, chain of custody forms, evidence storage bags, and digital cameras can make all the difference.
  • Chain of Custody – Once you collect evidence, you need to be able to prove who had access to that evidence at all times. This is especially important if the evidence is tampered with, as the chain of custody may help you identify who did the tampering. Take a look at NIST’s sample chain of custody form if you’d like to see what one looks like.
  • Preservation of Scene – In order to contain an incident, you’ll need to take some action. However, incident responders need to take precautions to ensure that they don’t accidentally tamper with or destroy evidence along the way. For example, a responder may decide to power down a computer that has been infected with malware. What would happen to the data stored in RAM once the computer loses power? That’s right. That data (evidence) would be gone forever.
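The chain-of-custody and evidence-handling points above are easier to see with a concrete record. The following is an added example, not code from the original article or from NIST: it hashes an evidence item at acquisition, re-hashes it at every hand-off, and can point at the hand-off where the hash first diverged. The evidence bytes, item id and people's names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Constructed sample evidence: stands in for a disk image or memory capture.
SAMPLE_EVIDENCE = b"constructed sample: contents of evidence item EV-0001\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ts(now=None) -> str:
    # Every custody entry carries a UTC timestamp; a fixed value can be passed for tests.
    return (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")


@dataclass
class CustodyEntry:
    timestamp: str
    action: str        # "collected" or "transferred"
    from_person: str
    to_person: str
    sha256: str        # hash of the item as observed at this hand-off


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    acquisition_hash: str          # hash taken when the item was first collected
    entries: list = field(default_factory=list)


def collect(item_id: str, description: str, data: bytes, collector: str, now=None) -> EvidenceRecord:
    """Open a custody record: the acquisition hash is the reference every later check uses."""
    h = sha256_hex(data)
    rec = EvidenceRecord(item_id, description, h)
    rec.entries.append(CustodyEntry(ts(now), "collected", collector, collector, h))
    return rec


def transfer(rec: EvidenceRecord, data: bytes, from_person: str, to_person: str, now=None) -> bool:
    """Log a hand-off and re-hash the item. Returns False if it no longer matches acquisition."""
    h = sha256_hex(data)
    rec.entries.append(CustodyEntry(ts(now), "transferred", from_person, to_person, h))
    return h == rec.acquisition_hash


def verify(rec: EvidenceRecord, data: bytes) -> bool:
    """Integrity check against the acquisition hash, e.g. before analysis or before handing to counsel."""
    return sha256_hex(data) == rec.acquisition_hash


def first_break(rec: EvidenceRecord):
    """Return the first entry whose hash differs from acquisition, or None if the chain is intact.

    The item changed while `from_person` of that entry held it, which is the
    question a chain of custody exists to answer.
    """
    for entry in rec.entries:
        if entry.sha256 != rec.acquisition_hash:
            return entry
    return None


def as_dict(rec: EvidenceRecord) -> dict:
    """Serializable form of the record, suitable for attaching to the incident ticket."""
    return asdict(rec)


if __name__ == "__main__":
    rec = collect("EV-0001", "constructed sample image", SAMPLE_EVIDENCE, "analyst A")
    print("hand-off 1 intact:", transfer(rec, SAMPLE_EVIDENCE, "analyst A", "evidence custodian"))
    # Constructed tampering: one byte appended before the next hand-off.
    print("hand-off 2 intact:", transfer(rec, SAMPLE_EVIDENCE + b"x", "evidence custodian", "analyst B"))
    broken = first_break(rec)
    print("chain broken at hand-off to:", broken.to_person if broken else None)
```

The record is deliberately append-only: a failed hand-off is still logged, because the log showing exactly where the hash changed is what makes the tampering attributable rather than merely detectable.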


Understand and Support BCP and DRP

If something really bad happens, your security incident response won’t be enough.

What if a fire destroys your primary office location, or a hurricane destroys your data center? What if a rogue system administrator encrypts all of your databases and then destroys both the backups and the decryption key?

Incidents with much greater impact often require a combination of a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP). A BCP helps you continue operating during the recovery process (short term), while a DRP helps you get back to normal operations (long term).

Emergency response plans and procedures must be documented in order to minimize disruptions between when the incident occurs and when the BCP and DRP can be enacted. These include things like an information system contingency plan, or a plan that outlines what hardware and software will be available when the primary system is unavailable.

An SSCP understands that during the recovery process, security controls (technical and procedural) may slip as people try to adjust to the new (temporary) way of doing business. It is important that someone from the security team actively contributes to both plans to minimize these risks.

Elements of BCPs and DRPs include (but are not limited to):

  • Interim or alternate processing strategies – How will each team continue to perform their work while the BCP and DRP are in effect? Some teams may work from home, while others may work from a secondary location. Some teams may use backup systems and applications, while other teams may revert to paper-based processing.
  • Restoration planning – Determining what to restore, how to restore it, and the order in which systems will be brought back online is crucial.
  • Backup and redundancy implementation – Many organizations deploy multiple network devices to ensure that if one fails, the other will be able to pick up the slack. You may even subscribe to multiple Internet Service Providers (ISPs), to ensure that an outage on their side doesn’t impact your business. This redundancy can be expensive, though, and the value of these solutions often varies based on how much risk leadership is willing to accept.
  • Testing and drills – It’s not enough to put backups in place and call it a day. Testing your backups will help you really understand how prepared you are. These tests can range from tabletop exercises (meetings where the team talks through mock incidents) to failover tests (technical tests of specific backup systems) to full disaster recovery simulations.
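A failover or restore test is only meaningful if you can tell whether the restored data actually matches what was backed up. The following is an added example, not code from the original article: it builds a hash manifest of a backup set and then checks a restored tree against it, reporting files that are missing, modified or unexpected. The drill function builds a constructed three-file backup and a deliberately faulty restore so the check has something to find.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256. Run this when the backup is taken."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(restore_root: Path, manifest: dict) -> dict:
    """Compare a restored tree to the manifest; findings are grouped by the kind of problem."""
    findings = {"missing": [], "modified": [], "unexpected": []}
    restored = build_manifest(restore_root)
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            findings["missing"].append(rel)
        elif actual != expected:
            findings["modified"].append(rel)
    findings["unexpected"] = sorted(set(restored) - set(manifest))
    return findings


def restore_is_clean(findings: dict) -> bool:
    return not any(findings.values())


def run_drill() -> dict:
    """Constructed restore test: three backed-up files, restored with one corrupted, one missing, one stray."""
    files = {
        "db/app.sql": b"-- constructed dump\nCREATE TABLE t (id INT);\n",
        "etc/app.conf": b"listen=127.0.0.1\n",
        "web/index.html": b"<html>ok</html>\n",
    }
    with tempfile.TemporaryDirectory() as d:
        backup, restore = Path(d) / "backup", Path(d) / "restore"
        for rel, data in files.items():
            p = backup / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = build_manifest(backup)       # taken at backup time

        # Simulate a faulty restore job.
        for rel, data in files.items():
            if rel == "web/index.html":
                continue                        # never restored
            p = restore / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data if rel != "etc/app.conf" else b"listen=0.0.0.0\n")  # corrupted
        (restore / "stray.tmp").write_bytes(b"x")  # not part of the backup set
        return verify_restore(restore, manifest)


if __name__ == "__main__":
    findings = run_drill()
    print(json.dumps(findings, indent=2))
    print("restore clean:", restore_is_clean(findings))
```

Storing the manifest separately from the backup media (and hashing it in turn) is what lets the test detect a backup that was silently altered after it was taken, which is the scenario the rogue-administrator example earlier in this section describes.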


What Else Should I Know About Incident Response and Recovery?

This is a high level introduction to the concepts you need to know as an SSCP, based on the (ISC)2 SSCP Certification Exam Outline. It’s not intended to be a deep-dive into everything you need to know in order to pass the exam.

You’ll increase your chances of passing the exam the first time if you read these two (2) books next:

If you prefer videos to books, use our list of recommended online training providers to take advantage of FREE offers to help you prepare for the exam.

Keep at it!
