Module 1: Incident Response Overview

What Is a Cyber Incident?

Characteristics of a Cyber Incident

The whos and hows to cyber incidents.

Risk = Threat * Vulnerability * Impact

The Cyber Kill Chain

Cybersecurity Within an IT Incident

Incident Management in the ITIL Framework

ITIL conists of five key stages:

Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement

The Incident Management Process in ITILv3

The Incident Management process starts whenever:

A user, customer, or supplier reports an issue
Technical staff notice a system failure
An event monitoring system raises an alert

Common Types of Incidents

The European Union Incident Classification Taxonomy

Classification

Examples

Abusive Content

Spam, harmful speech, pornography

Malicious code

Viruses, worms, trojans, spyware, rootkits

Information Gathering

Scanning, sniffing social engineering

Intrusion Attempts

Exploit and login attempts

Intrusions

Account and application compromise, bots

Availability

DDoS, sabotage

Information security

Unauthorized data access or modification

Fraud

Unauthorized use, phishing, copyright

Understand the Open Threat Taxonomy

Enclave Cybersecurity Threats

Code

Description

TEC003

System fingerprinting via scanning

TEC004

System fingerprinting via sniffing

TEC006

Credential discovery via scanning

The MITRE ATT&CK Threat Taxonomy

MITRE ATT&CK Tactics and Techniques Example

Tactic

Example Techniques

Reconnaissance

Active Scanning, Search open sources

Resource Development

Acquire infrastructure, Develop capabilities

Initial Access

Drive-by access, Phishing

Execution

Serverless execution, deploy container

Persistence

Account manipulation, implant internal image

Privilege Escalation

Abuse elevated control mechanism, process injection

Defense Evasion

Access token manipulation, Hide artifacts

Credential Access

Adversary-in-the-middle, Brute force

Discovery

Account discovery, Network sniffing

Lateral Movement

Exploitation of remote services, Internal spearphishing

Collection

Archive collected data, Clipboard data

Command and Control

Application layer protocol, Protocol tunneling

Exfiltration

Automated exfiltration, Exfiltration over physical medium

Impact

Data encrypted, System shutdown

Case Studies

The Colonial Pipeline Ransomware Attack

Good password hygiene is important, and sharing password management improvements is a key part of the post-mortem stage of incident response.

The Peloton Data Breach

Check your API perms.

PreviousIR-200 NextModule 2: Fundamentals of Incident Response

Last updated 1 year ago

hashtagWhat Is a Cyber Incident?

hashtagCharacteristics of a Cyber Incident

hashtagThe Cyber Kill Chain

hashtagCybersecurity Within an IT Incident

hashtagIncident Management in the ITIL Framework

hashtagThe Incident Management Process in ITILv3

hashtagCommon Types of Incidents

hashtagThe European Union Incident Classification Taxonomy

hashtagUnderstand the Open Threat Taxonomy

hashtagThe MITRE ATT&CK Threat Taxonomy

hashtagCase Studies

hashtagThe Colonial Pipeline Ransomware Attack

hashtagThe Peloton Data Breach