Incident Recovery and Post-Incident Response Process is a subdomain that falls under CySA+ certification objective 3.0: Cyber Incident Response. Before diving into this article, which covers the last step of the incident response process, let's briefly review the incident response steps that were covered in the previous subdomains.
Previously, we learned how security analysts or a Computer Security Incident Response Team (CSIRT) distinguish threat data or behavior to determine the impact of an incident (subdomain 3.1), how they prepare a toolkit and use appropriate forensic tools during an investigation (subdomain 3.2), the importance of communication during the incident response process (subdomain 3.3), and how a CSIRT analyzes common symptoms to select the best course of action to support incident response (subdomain 3.4).
Finally, in this article, we will cover incident recovery and post-incident response processes, including containment techniques, eradication techniques, validation, corrective actions and incident summary reports. Let’s take a look.
What do I need to know about containment techniques?
Incident containment techniques help CSIRT teams minimize and prevent further damage and restore normal business operations as quickly as possible. Preserving forensic evidence is equally important, since it may be needed to bring the perpetrators to justice; containment actions should therefore be chosen so that they do not destroy volatile evidence (for example, isolating a host at the network rather than powering it off) before that evidence has been collected. Below are some containment techniques that are covered in the CySA+ exam.
Segmentation is the act of separating groups of systems, applications and networks from one another so that a compromise in one segment cannot spread freely to the others. If you have a breach on one part of the network, network segmentation lets you contain that breach within its segment and keep it from affecting the rest of the network: a compromised host can only reach what the segment boundary (firewall rules or access control lists) explicitly permits, which limits the intruder's lateral movement into the segmented parts of the network.
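The following is an added example, not code from the original article, that models segmentation as a first-match access control list and shows what containment looks like in that model: a compromised workstation can reach everything on a flat network, only what the rules permit on a segmented one, and nothing at all once its segment is quarantined, while a single forensics collector is still allowed in so evidence can be gathered. The segment names, addresses, and the `Policy`/`Rule` classes are constructed for this illustration and do not correspond to any specific firewall product.

```python
"""Segmentation as a containment control, modelled as a first-match ACL.

Added illustration, not code from the original article. Hosts are grouped
into segments and a small first-match rule table decides whether a flow
between two hosts is allowed. Containing a breach means inserting quarantine
rules for the compromised segment while still letting a forensics collector
reach it, so evidence can be gathered. Segment names and addresses below
are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional

ANY = ip_network("0.0.0.0/0")

# Constructed sample segments (assumed addressing, not from the article).
USERS = ip_network("10.10.0.0/24")
SERVERS = ip_network("10.20.0.0/24")
FORENSICS = ip_network("10.99.0.0/24")
COLLECTOR = "10.99.0.5"   # the one host allowed into a quarantined segment


@dataclass
class Rule:
    action: str                              # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[FrozenSet[int]] = None   # None matches any port


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    default: str = "deny"                    # applied when no rule matches

    def decide(self, src_ip: str, dst_ip: str, port: int) -> str:
        """First matching rule wins; otherwise the default action applies.
        Only the initiating direction of a flow is evaluated (reply traffic
        is assumed to be handled by state tracking on a real firewall)."""
        s, d = ip_address(src_ip), ip_address(dst_ip)
        for r in self.rules:
            if s in r.src and d in r.dst and (r.ports is None or port in r.ports):
                return r.action
        return self.default

    def quarantine(self, segment: IPv4Network, collector: str) -> None:
        """Cut the compromised segment off in both directions, except for the
        forensics collector. Rules are prepended so they win under first-match."""
        collector_net = ip_network(f"{collector}/32")
        self.rules[:0] = [
            Rule("allow", collector_net, segment),   # evidence collection stays possible
            Rule("deny", segment, ANY),              # no lateral movement out
            Rule("deny", ANY, segment),              # nothing else gets in
        ]


def flat_policy() -> Policy:
    """A flat network: everything can talk to everything."""
    return Policy(default="allow")


def segmented_policy() -> Policy:
    """Users may reach servers on HTTPS only; forensics may reach anything."""
    return Policy(rules=[
        Rule("allow", USERS, SERVERS, frozenset({443})),
        Rule("allow", FORENSICS, ANY),
    ], default="deny")


def reachable(policy: Policy, src_ip: str, targets, port: int) -> List[str]:
    """Targets a (possibly compromised) host can initiate a connection to."""
    return [t for t in targets if policy.decide(src_ip, t, port) == "allow"]


if __name__ == "__main__":
    compromised = "10.10.0.23"            # a user workstation, constructed
    targets = ["10.10.0.40", "10.20.0.7", "10.99.0.5"]
    print("flat, SMB:     ", reachable(flat_policy(), compromised, targets, 445))
    seg = segmented_policy()
    print("segmented, SMB:", reachable(seg, compromised, targets, 445))
    print("segmented, 443:", reachable(seg, compromised, targets, 443))
    seg.quarantine(USERS, COLLECTOR)
    print("quarantined:   ", reachable(seg, compromised, targets, 443))
    print("collector in:  ", seg.decide(COLLECTOR, compromised, 22))
```

The quarantine step is deliberately inserted at the top of the rule list rather than appended: on a first-match firewall, a broad deny placed after an existing allow would never be reached, which is a common mistake when containment rules are added in a hurry. The collector exception is what keeps the evidence-preservation requirement above satisfied while the rest of the network is cut off.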
Network segments are often …
This is a Security Bloggers Network syndicated post from Infosec Resources, authored by Fakhar Imam. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/JIXpTOBvB5o/