Skip to content
Home » Google Career Certificates » Google Cybersecurity Professional Certificate » Sound the Alarm: Detection and Response » Module 3: Incident investigation and response

Module 3: Incident investigation and response

You will learn about the various processes and procedures in the stages of incident detection, investigation, analysis, and response. Then, you’ll analyze the details of suspicious file hashes. You’ll learn about the importance of documentation and evidence collection during the detection and response stages. Finally, you’ll approximate an incident’s chronology by mapping artifacts to reconstruct an incident’s timeline.

Learning Objectives

  • Perform artifact investigations to analyze and verify security incidents.
  • Illustrate documentation best practices during the incident response lifecycle.
  • Assess alerts using evidence and determine the appropriate triaging steps.
  • Identify the steps to contain, eradicate, and recover from an incident.
  • Describe the processes and procedures involved in the post-incident phase.
Table Of Contents
  1. Incident detection and verification
  2. Key takeaways
  3. Create and use documentation
  4. Response and recovery
  5. Post-incident actions
  6. Review: Incident investigation and response

Incident detection and verification

Video: Welcome to module 3

  • You’ve built a strong foundation in networking and practical security skills like packet capture and analysis.
  • Next, you’ll tackle the entire life cycle of security incidents, from detection to recovery.
  • We’ll start with incident investigation and verification, diving into response plans and processes.
  • Finally, you’ll explore post-incident actions for learning and improvement.
  • Get ready to master the complete incident lifecycle!

Video: The detection and analysis phase of the lifecycle

  • The Detection and Analysis phase: Identifying and verifying security incidents.
  • Detection: Promptly finding security events, but not all events are incidents.
  • Tools like IDS and SIEM: Analyzing event data and sending alerts for potential threats.
  • Analysis: Investigating and validating alerts to determine if an incident occurred.
  • Challenges:
    • Incomplete detection: Tools have limitations, and deployment might be incomplete.
    • High alert volume: Often caused by misconfigured settings or real threats.
  • As a security analyst, you’ll learn to effectively analyze alerts.

This summary captures the key points of the text, focusing on the Detection and Analysis phase, its challenges, and the importance of analyst skills. It also highlights the upcoming dive into alert analysis training.

Welcome, Cyber Detectives! This tutorial plunges you into the heart of incident response – the Detection and Analysis phase. Buckle up as we equip you with the skills to identify lurking threats and separate true alarms from the digital noise.

What is the Detection and Analysis Phase?

Imagine a security incident as a shadowy intruder in your network. This phase is about shining a light on that intruder, verifying their presence, and understanding their motives. You, the analyst, are the detective hot on their trail.

The Art of Detection:

  • From Events to Incidents: Not all network events are security breaches. Think website visits or password resets – normal business. Your challenge is to spot unusual activity, often with the help of specialized tools like:
    • IDS (Intrusion Detection System): Scans network traffic for suspicious patterns.
    • SIEM (Security Information and Event Management): Aggregates and analyzes data from various sources to detect potential threats.
  • The Alert Symphony: When these tools detect something fishy, they raise an alert. But remember, not every alert is a five-alarm fire. You’ll need to:
    • Triage alerts: Evaluate their severity and prioritize investigation.
    • Beware of false positives: Misconfigured settings or even harmless events can trigger false alarms. Don’t waste time on these red herrings.

The Science of Analysis:

  • Diving Deeper: Now that you have a promising alert, it’s time to put on your Sherlock Holmes hat:
    • Collect evidence: Logs, network captures, suspicious files – gather all the clues.
    • Analyze indicators of compromise (IOCs): Look for telltale signs like malware signatures, suspicious network connections, or unusual user activity.
    • Connect the dots: Piece together the evidence to build a timeline and understand the attacker’s actions.

Challenges and Countermeasures:

  • The Elusive Intruder: Detection and analysis aren’t foolproof. Attackers constantly evolve, and even the best tools have limitations. Stay sharp:
    • Embrace the unknown: New vulnerabilities emerge, so continuous learning is key.
    • Refine your tools: Regularly review and update your IDS/SIEM configurations to catch new threats.
  • Alert Overload: Don’t drown in a sea of notifications! Optimize your analysis process:
    • Prioritize effectively: Focus on high-risk alerts and investigate them thoroughly.
    • Automate where possible: Use tools to handle basic tasks and free up your time for complex analysis.

Mastering the Art and Science:

This tutorial is just the beginning of your journey to becoming a top-notch incident analyst. Remember, practice makes perfect:

  • Test your skills: Hone your detection and analysis abilities with simulations and exercises.
  • Stay informed: Keep abreast of the latest threats and trends in the cybersecurity landscape.

By cultivating your critical thinking, technical skills, and a relentless curiosity, you’ll be ready to face any digital intruder and keep your organization safe.

Ready to delve deeper? Next, we’ll explore the tools and techniques for effective alert analysis and incident verification. Keep your detective game strong!

This tutorial provides a comprehensive overview of the Detection and Analysis phase, highlighting key concepts, challenges, and tips for success. It also incorporates engaging language and a detective theme to keep the content interesting and relatable. Remember to adjust the level of technical detail and examples based on your target audience.

What actions do security analysts perform during the Detection and Analysis phase of the NIST Incident Response Lifecycle? Select two answers.

Validate security alerts, Investigate security alerts

Security analysts investigate and validate security alerts during the Detection and Analysis phase of the NIST Incident Response Lifecycle.

Incidents happen, and as a security
analyst, you’ll likely be tasked with investigating and responding to security
incidents at some point in your career. Let’s examine the Detection and Analysis
phase of the incident response lifecycle. This is where incident response
teams verify and analyze incidents. Detection enables the prompt
discovery of security events. Remember not all events are incidents,
but all incidents are events. Events are regular occurrences in business
operations, like visits to a website or password reset requests. IDS and SIEM tools collect and analyze event data from different sources
to identify potential unusual activity. If an incident is detected, such as
a malicious actor successfully gaining unauthorized access to an account,
then an alert is sent out. Security teams then begin
the Analysis phase. Analysis involves the investigation and
validation of alerts. During the analysis process, analysts
must apply their critical thinking and incident analysis skills to
investigate and validate alerts. They’ll examine indicators of compromise
to determine if an incident has occurred. This can be a challenge for
a couple of reasons. The challenge with detection is it’s
impossible to detect everything. Even great detection tools have
limitations in how they work, and automated tools may not be fully deployed across
an organization due to limited resources. Some incidents are unavoidable,
which is why it’s important for organizations to have an incident
response plan in place. Analysts often receive a high
volume of alerts per shift, sometimes even thousands. Most of the time, high alert volumes are
caused by misconfigured alert settings. For example, alert rules
that are too broad and not tuned to an organization’s
environment create false positives. Other times, high alert volumes
can be legitimate alerts caused by malicious actors taking advantage
of a newly discovered vulnerability. As a security analyst, it’s important that
you’re equipped to effectively analyze alerts and coming up, you’ll do just that.

Welcome back! I want to commend you on such
a fantastic job you’re doing so far. The skills you are learning will create
a solid foundation as you begin your security career. In the previous section, you applied
your networking knowledge to deepen your understanding of network traffic. You practiced some skills that
security analysts use on the job like capturing network traffic and
dissecting packets. Next, we’ll examine the life cycle of
a security incident from beginning to end. You’ll focus on how to detect,
respond, and recover from an incident. Coming up,
you’ll learn how to investigate and verify an incident once
it’s been detected. You’ll explore the plans and
processes behind incident response. Finally, you’ll learn about the
post-incident actions that organizations take to learn and
improve from the experience. At the end of this section, you’ll gain a comprehensive understanding
of an incident’s lifecycle. You ready? Let’s begin!

Reading: Cybersecurity incident detection methods

Reading

Video: MK: Changes in the cybersecurity industry

MK, Director in the Office of the CISO for Google Cloud, highlights the evolving nature of cybersecurity and the need for agility to combat persistent threats.

Key takeaways:

  • Dual role: Protecting Google Cloud and empowering customers with security tools.
  • Cybersecurity career: Transition from FBI special agent to cybersecurity expert.
  • Adversary agility: Rapidly adapt tactics to bypass obstacles.
  • Industry challenge: Continuously prepare for unpredictable attacks.
  • Agility and adaptability: Key qualities for cybersecurity professionals.
  • Zero Trust: Trending security model moving away from historical trust-based access.
  • Continual learning: Essential for navigating the unknown future of cybersecurity.

Points of emphasis:

  • The industry can’t predict the future but must anticipate and respond to new threats.
  • Agility, intellectual adaptability, and continuous learning are crucial for success.
  • Zero Trust, while promising, is just a stepping stone in the evolving security landscape.

Overall, MK’s talk paints a dynamic picture of cybersecurity, emphasizing the need for constant vigilance, flexibility, and a thirst for knowledge in the face of ever-evolving threats.

[MUSIC] Hi, I’m MK, Director in the Office
of the CISO for Google Cloud. The role of the Chief Information Security
Officer is both to protect Google Cloud from a security standpoint. But also to ensure that we’re providing
all of the tools and products necessary so that our customers can achieve
their security outcomes as well. So I spent a number of years in
the US government, 32 years in fact, 22 of which were spent as a special agent
in the Federal Bureau of Investigation. About midway through
the course of my career, I had the opportunity to shift into
cybersecurity lanes, which initiated, or should I say, reinitiated my interest in
all things computers and computer science. One of the things that the industry
lacks is a sense of agility, that the adversary has in spades. When they identify something
that works for them, they continue to pound on it until and
unless there’s an obstacle. And then once that obstacle
is put in their way, they have shown an ability to easily pivot
their tactics and techniques so that they can bypass the obstacle in future
attempts to gain access to environments. And so none of us can predict the future. We’re not at any kind of final stage. This is a continually evolving industry. What you can ascertain is that we need
to be prepared in a variety of ways to combat what will certainly be
a persistent onslaught from the adversary. What that requires is
a certain sense of agility, you have to be comfortable
in existing in the unknown. But you also have to have the intellectual
aptitude in order to be able to digest and formulate new solutions on the fly. Zero Trust is a huge trend right now
because it’s both been a desire of the industry to move toward Zero Trust,
but also a requirement in some
areas around the world. Zero Trust is a movement away from the
historical way that we’ve done security in the past. Layman’s terms, so
you’re a business traveler, you travel with your business laptop and you check
into your hotel halfway around the world, and you need to get prepared and ready for
a business meeting that’s about to occur. Historically, you’d want to be able
to attest to the fact that that is an intended or qualified user within
the enterprise attempting to gain access to this information. And yes, based upon the information
that you have, the identity and coupling that with device information,
that user and device should have access to this information and
be able to make a determination about it. I do believe that the more that we
invest in the Zero Trust approach or architecture, it will get us to a good
point from which to pivot off of. But I think a lot of what’s
to come is unknown, and that means continual learning. It means, continually exposing yourself
to different parts of the industry so that we are prepared for
what may happen in the future.

Reading: Indicators of compromise

Reading

Reading: Analyze indicators of compromise with investigative tools

Reading

Practice Quiz: Activity: Investigate a suspicious file hash

Reading

Reading: Activity Exemplar: Investigate a suspicious file hash

Reading

PDF

Practice Quiz: Test your knowledge: Incident detection and verification

Do detection tools have limitations in their detection capabilities?

Why do security analysts refine alert rules? Select two answers.

Fill in the blank: _____ involves the investigation and validation of alerts.

What are some causes of high alert volumes? Select two answers.

Create and use documentation

Video: The benefits of documentation

Key Points:

  • Scalability: Proper documentation allows security teams to grow beyond a handful of analysts by providing readily accessible information.
  • Transparency: It serves as a reliable record of events and actions, crucial for legal and insurance purposes.
  • Standardization: Documentation establishes consistent policies, processes, and procedures for improved quality and efficiency.
  • Clarity: Effective guides and playbooks offer clear instructions and minimize confusion during incident response.
  • Adaptability: Regularly updated documentation ensures alignment with evolving threats and regulations.
  • Personal Recall: Documenting your actions improves your own memory and facilitates identifying potential gaps in past responses.
  • Organizational Value: Well-maintained documentation is an invaluable asset for the entire security team and the organization overall.

Overall:

While writing documentation might seem like an additional chore, its benefits for security teams are undeniable. From enabling scalability and ensuring transparency to promoting clarity and adaptability, documenting your actions and procedures ultimately strengthens your organization’s security posture.

The world of cybersecurity is a high-stakes battleground, constantly evolving against ever-sophisticated threats. In this fierce landscape, one often-overlooked weapon holds immense power: documentation.

While it might seem mundane compared to firewalls and intrusion detection systems, effective documentation is a cornerstone of robust cybersecurity. It’s not just about scribbling notes; it’s about building a structured knowledge base that empowers your team and safeguards your organization.

Let’s explore the crucial benefits of documentation in cybersecurity:

**1. ** Scalability: Imagine relying solely on the tribal knowledge of a single security analyst. What happens when they leave? Documentation breaks down siloed knowledge, enabling new team members to quickly onboard and become effective, regardless of their experience level.

**2. ** Transparency: When an incident strikes, every second counts. Clear, step-by-step documentation ensures transparency in your response efforts. Think of it as a reliable trail of breadcrumbs, paving the way for accountability and providing evidence for insurance claims or legal proceedings.

**3. ** Standardization: Documentation isn’t just about recording what you do; it’s about defining how you do it. By establishing standardized policies, procedures, and best practices, you ensure consistency and quality across your security operations. This, in turn, minimizes human error and reduces the risk of vulnerabilities.

**4. ** Clarity: Let’s face it, cybersecurity can be complex. Well-written documentation translates technical jargon into actionable steps, eliminating confusion and uncertainty for your team. Think of it as a roadmap that guides everyone in the right direction, from security analysts to incident responders.

**5. ** Adaptability: The security landscape is constantly shifting. New threats emerge, regulations change, and tools evolve. Regularly updated documentation ensures your team stays ahead of the curve, adapting to new challenges and evolving best practices.

**6. ** Personal Recall: Documenting your actions isn’t just about sharing knowledge; it’s about strengthening your own memory and learning from past experiences. When you revisit your notes, you may uncover overlooked details or identify gaps in your response strategies.

Remember, cybersecurity is a team effort. By investing in well-structured documentation, you empower your team, promote transparency, and elevate your organization’s overall security posture. Don’t underestimate the power of the written word – make documentation your ally in the fight against cyber threats.

Take action today:

  • Identify key areas of your security operations that require documentation.
  • Establish clear formatting and organization guidelines for your documentation.
  • Schedule regular review and update sessions to keep your documentation relevant.
  • Encourage team members to actively contribute to and utilize your documentation.

By embracing the power of documentation, you can build a resilient cybersecurity ecosystem that thrives in the face of ever-present challenges.

What are the benefits of documentation? Select three answers.

Transparency, Clarity, Standardization

The benefits of documentation are transparency, standardization, and clarity. Documentation is any form of recorded content that is used for a specific purpose. Standardization provides an established set of guidelines or standards that members of an organization can follow to complete a task or workflow.SkipContinue

You may recall our discussion on
the different documentation tools and types used by security teams
when responding to incidents. In this video, we’ll examine the benefits
that documentation offers, so that you can better understand how to leverage
documentation as a security professional. As a security engineer who has developed
a great deal of detection rules, it was critical for me to document what
it means when those rules are activated, what severity to assign,
what might lead to false positives, and how the analysts can confirm
the alert is legitimate. Without this documentation, a security operations team can never
scale beyond one or two analysts. If something was documented,
then there’s a record of it happening. This means that relevant
information can be accessed. This is known as transparency. Transparent documentation is useful as a
source of evidence for security insurance claims, regulatory investigations,
and legal proceedings. You’ll learn more about
documentation processes that help to achieve this in
an upcoming section. Documentation also
provides standardization. This means that there’s
an established set of guidelines or standards that members of an organization
can follow to complete a task or workflow. An example of creating standardization
through documentation is establishing an organization’s security
policy, processes, and procedures. This helps in maintaining quality of work
since there are set rules to follow. Documentation also improves clarity.
Effective documentation not only gives team members a clear understanding
of their roles and duties, but it also provides information
on how to get the job done. For example, playbooks that provide
detailed instructions prevent uncertainty and confusion during incident response. The security field is constantly changing,
attacks evolve, and regulatory requirements might change. This is why it’s important to maintain,
review, and update documentation regularly
to keep up with any changes. As a security professional, you’ll likely
juggle documentation responsibilities alongside your other tasks. By taking the time to write down your
actions, you’ll recall facts and information. You may even notice some gaps in
the previous actions you took. The time you spend documenting is
valuable not only for you, but for your entire organization.

Video: Document evidence with chain of custody forms

  • Chain of custody documents track evidence handling during an incident to ensure its transparency and integrity for legal proceedings.
  • Each transfer of evidence is logged with details like date, time, purpose, and person responsible.
  • Hash functions verify data hasn’t been tampered with.
  • Missing entries or errors break the chain and can make evidence inadmissible in court.
  • Chain of custody helps hold malicious actors accountable.

Additional notes:

  • The example with the hard drive illustrates the process flow from collection to analysis.
  • No standard format exists for chain of custody forms, but common elements are described.
  • Broken chains can impact evidence validity and its use in court.

In the high-stakes world of cybersecurity, evidence is king. When an incident strikes, collecting and preserving data is crucial to understanding what happened, identifying the culprit, and taking appropriate action. But how do you ensure the integrity and admissibility of that evidence? That’s where chain of custody forms come in.

Chain of custody is the documented trail of evidence handling, from the moment it’s collected to its presentation in court. It’s a paper trail that builds trust and transparency, ensuring that the evidence hasn’t been tampered with and remains reliable for legal purposes.

Why are chain of custody forms important?

  • Trust and transparency: They create a clear record of who handled the evidence, when, and why. This builds trust in the investigation and strengthens your case.
  • Admissibility in court: Courts require evidence to have a clear chain of custody to be considered admissible. Broken chains can jeopardize your entire case.
  • Legal requirements: Some industries and regulations have specific chain of custody requirements that must be met.

Let’s break down the key elements of a chain of custody form:

  • Evidence description: This includes details like the type of evidence (e.g., hard drive, log file), location, serial number, and any unique identifiers.
  • Custody log: This table lists everyone who handled the evidence, their role, date and time of transfer, and the purpose of the transfer.
  • Signatures: Each person who handles the evidence should sign and date the form, confirming their role and responsibility.
  • Hashing: For digital evidence, generating a cryptographic hash (a unique digital fingerprint) before and after each transfer helps verify data integrity.

Here’s how you can use chain of custody forms effectively:

  • Prepare in advance: Have blank forms readily available for any incident.
  • Document everything: Log every transfer of evidence, even within your team.
  • Use secure storage: Keep physical evidence in a secure location and digital evidence on encrypted drives.
  • Maintain consistent procedures: Train your team on proper evidence handling and chain of custody documentation.

Remember, chain of custody is an ongoing process. It starts the moment you suspect an incident and continues until the evidence is no longer needed. By following these best practices and utilizing chain of custody forms, you can ensure your evidence is secure, reliable, and ready to stand up in court.

Bonus tips:

  • Use digital chain of custody software for easier management and tamper-proof documentation.
  • Consider witness statements and photographs to further strengthen your case.
  • Regularly review and update your chain of custody procedures to ensure they’re effective.

By building a strong chain of custody, you can turn evidence into a powerful tool for protecting your organization and holding malicious actors accountable.

Let’s continue our discussion on how
documentation provides transparency through documents like chain of custody. During incident response,
evidence must be accounted for during the entire incident’s lifecycle. Tracking evidence is important if the
evidence is requested as part of any legal proceedings. How can security teams
ensure that this is done? They use a form called chain of custody. Chain of custody is the process of
documenting evidence possession and control during an incident lifecycle. As soon as evidence gets collected,
chain of custody forms are introduced. The forms should be filled out with
details as the evidence is handled. Let’s examine a very simple example of
how chain of custody is used during digital forensic analysis. Previously, you learned that digital
forensics is the practice of collecting and analyzing data to determine
what has happened after an attack. During an incident response, Aisha
verified that a compromised hard drive requires examination
by the forensics team. First, she ensures that the hard
drive is write protected, so the data on the disk can’t be edited or
erased. Then, she calculates and records a cryptographic hash function
of an image of the hard drive. Remember that a hash function is
an algorithm that produces a code that can’t be decrypted. Aisha is then instructed to transfer it to
Colin in the forensics department. Colin examines it and
sends it off to Nav, another analyst. Nav receives the compromised hard drive
and sends it to her manager, Arman. Each time the hard drive is transferred
to another person, they need to log it in the chain of custody form, so that movement of
evidence is transparent. Tampering with the data on the hard drive
can be detected using the original hash that Aisha documented at
the beginning of the process. This ensures that there’s a paper trail
describing who handled the evidence, and why, when, and where they handled it. Just like other documentation types, there is no standard template of what the
chain of custody form should look like, but they do contain common elements. This is what you might examine
on a chain of custody log form. First, there should be a description of the
evidence, which includes any identifying information, like the location,
hostname, MAC address, or IP address. Next is the custody log, which details
the name of the people who transferred and received the evidence. It also includes the date and time the
evidence was collected or transferred and the purpose of the transfer. You may be wondering: what happens if
evidence gets logged incorrectly? Or, if there’s a missing entry? This is what’s known as a broken chain
of custody, which occurs when there are inconsistencies in the collection and logging of evidence in
the chain of custody. In the court of law, chain
of custody documents help establish proof of the integrity,
reliability, and accuracy of the evidence. For evidence related to security incidents,
chain of custody forms are used to help meet legal standards so that this evidence can be used in
legal proceedings. If a malicious actor compromised a system, evidence must be
available to determine their actions so that appropriate legal
action can be taken. However, in some cases,
major breaks in the chain of custody can impact the integrity, reliability, and
accuracy of the evidence. This affects whether or not the evidence
can be a trusted source of information and used in the court of law. Chain of custody forms provide us with
a method of maintaining evidence, so that malicious actors can be held
responsible for their actions.

Reading: Best practices for effective documentation

Reading

Video: The value of cybersecurity playbooks

Key Points:

  • Playbooks are manuals for incident response, similar to travel itineraries for trips.
  • They provide clear instructions on what to do during various security incidents, reducing chaos and uncertainty.
  • Playbooks can:
    • Outline steps for specific attacks like ransomware, data breaches, and DDoS.
    • Use flowcharts for visual flow of response actions.
    • Include checklists to ensure thoroughness and reduce stress.
  • Different types of playbooks exist:
    • Non-automated: Require manual execution by analysts (DDoS detection example).
    • Automated: Use tools to execute specific tasks (severity categorization, evidence gathering).
    • Semi-automated: Combine manual and automated tasks for optimal efficiency.
  • Playbooks need regular updates to reflect evolving threats and ensure effectiveness.
  • Post-incident review is a good time to identify needed updates and implement changes.

Overall:

Playbooks are crucial for effective and swift incident response in cybersecurity. They offer structure, guidance, and efficiency, enabling security teams to act quickly and decisively against different threats.

Imagine a raging cyberattack, data swirling like storm clouds, anxieties rising like the tide. In this digital tempest, cybersecurity playbooks become your anchor, your compass, your lighthouse. Let’s explore why these seemingly simple manuals hold immense value in the high-stakes world of cybersecurity.

A Roadmap in the Chaos:

Incident response can be a whirlwind of adrenaline and confusion. Playbooks provide a structured roadmap, outlining the steps to take when specific threats lash out. Think of them as pre-charted courses, guiding your team through the storm with clear instructions and defined priorities.

Reduced Uncertainty, Increased Confidence:

Uncertainty breeds hesitation, hindering response times. Playbooks eliminate guesswork by providing step-by-step directions for various scenarios. This empowers your team to act decisively and confidently, even under pressure, minimizing costly delays and maximizing their effectiveness.

Efficiency in the Eye of the Storm:

Playbooks can automate routine tasks, freeing up your analysts to focus on critical thinking and strategic decisions. Imagine automated evidence gathering or incident categorization – precious time saved from tedious tasks can be channeled towards rapid containment and mitigation.

Scalability: Sharing the Knowledge:

With playbooks, expertise becomes transferable. New team members can quickly onboard and become valuable contributors, armed with the same knowledge and strategies as seasoned veterans. This ensures consistent quality and maintains your security posture even with personnel changes.

Adaptability in Ever-Changing Seas:

Cyber threats evolve like chameleons. Playbooks need to adapt. By regularly reviewing and updating your playbooks based on new threats and incident experiences, you stay ahead of the curve, constantly refining your response strategies for maximum effectiveness.

Lessons Learned from the Aftermath:

Post-incident analysis is invaluable. Use this opportunity to identify gaps or inaccuracies in your existing playbooks. Update them with newfound insights, ensuring future responses are even more swift and impactful.

Building a Culture of Preparedness:

Playbooks are more than just manuals; they’re training tools and rallying points. Regularly using and revisiting them instills a culture of preparedness within your team, fostering confidence and readiness for the next cyber storm.

From Paper to Power:

Remember, playbooks are only as valuable as their use. Integrate them seamlessly into your incident response protocols. Train your team, conduct simulations, and make sure everyone understands their role in the grand scheme of response.

In Conclusion:

In the turbulent waters of cybersecurity, playbooks are not just helpful – they’re essential. They offer clarity, efficiency, and adaptability, empowering your team to navigate even the most ferocious cyber storms with confidence and strength. Invest in playbooks, refine them, and watch your cyber resilience rise like a beacon in the face of any digital threat.

Have you ever taken a trip to a place you’ve never
visited before? You may have used
a travel itinerary to plan your trip activities. Travel itineraries are
essential documents to have, especially for travel
to a new place. They help keep you
organized and give you a clear picture
of your travel plans. They detail the
activities you’ll do, the places you’ll visit, and your travel time
between destinations. Playbooks are similar
to travel itineraries. As you may remember from
our previous discussions, a playbook is a
manual that provides details about any
operational action. They provide security
analysts with instructions on exactly what to do
when an incident occurs. Playbooks provide
security professionals with a clear picture of their tasks during the entire incident
response life cycle. Responding to an incident can be unpredictable and
chaotic at times. Security teams are expected to act quickly and effectively. Playbooks offer structure and order during this
time by clearly outlining the actions to take when responding to a
specific incident. By following a playbook, security teams can
reduce any guesswork and uncertainty during
response times. This allows security
teams to act quickly and without
any hesitation. Without playbooks, an
effective and swift response to an incident is
nearly impossible. Within playbooks, there
may be checklists that can also help
security teams perform effectively during stressful
times by helping them remember to complete
each step in the incident
response life cycle. Playbooks outline the
steps that are necessary in response to an
attack like ransomware, data breach, malware, or DDoS. Here’s an example
of a playbook that uses a flowchart diagram with the steps to take during the detection of a DDoS attack. This depicts the process
for detecting a DDoS and begins with determining
the indicators of compromise, like unknown incoming traffic. Once the indicators of
compromise are determined, the next step is to collect the logs and finally
analyze the evidence. There are three different
types of playbooks: non-automated, automated,
or semi-automated. The DDoS playbook
we just explored is an example of a
non-automated playbook, which requires
step-by-step actions performed by an analyst. Automated playbooks
automate tasks in incident response
processes. For example, tasks such as categorizing
the severity of the incident or
gathering evidence can be done using an
automated playbook. Automated playbooks
can help lower the time to resolution
during an incident. SOAR and SIEM tools can be configured to
automate playbooks. Finally, semi-automated
playbooks combine a person’s
action with automation. Tedious, error-prone, or time-consuming tasks
can be automated, while analysts can prioritize their time with other tasks. Semi-automated
playbooks can help increase productivity and
decrease time to resolution. As a security team
responds to incidents, they may discover
that a playbook needs updates or changes. Threats are constantly evolving and for playbooks
to be effective, they must be maintained
and updated regularly. A great time to introduce
changes to playbooks is during the post-incident
activity phase. We’ll be exploring more
about this phase in an upcoming section.
Meet you there.

Practice Quiz: Activity: Use a playbook to respond to a phishing incident

Reading

Reading: Activity Exemplar: Use a playbook to respond to a phishing incident

Reading

PDF

Response and recovery

Video: The role of triage in incident response

Problem: Security analysts face a flood of alerts daily, needing efficient management.

Solution: Triage, similar to hospital emergency room procedures, prioritizes alerts based on:

  • Urgency: Threat level to confidentiality, integrity, and availability of systems.
  • Example: Ransomware attack with data encryption takes precedence over employee phishing email.

Triage Process:

  1. Receive & Assess: Identify genuine incidents and prioritize them based on severity.
  2. Investigate & Analyze: Gather evidence like system logs to understand the incident.
  3. Contextualize: Ask questions to avoid assumptions and clarify the situation (e.g., suspicious log activity, login location/time).

Next Steps: Learn incident response and recovery procedures to effectively handle security threats.

Key Takeaways:

  • Triage helps optimize resource allocation for critical incidents.
  • Thorough investigation with context-building questions leads to well-informed decisions.

Imagine a cyberattack hitting your network, alarms blaring like sirens, data swirling like storm clouds. In this digital tempest, proper triage becomes your anchor, your compass, your beacon. Let’s explore why this seemingly simple process is the cornerstone of effective incident response in cybersecurity.

Triage: Prioritizing the Chaos:

In the face of a cyberattack, you’re bombarded with alerts – a deluge of potential threats vying for your attention. Triage cuts through the noise, helping you prioritize and allocate resources efficiently. It’s akin to sorting patients in an emergency room, ensuring the most critical cases receive immediate attention.

The Pillars of Triage:

  • Urgency: Assessing the threat level is paramount. A ransomware attack encrypting data demands immediate action, while a suspicious email might warrant less urgency.
  • Impact: Consider the potential damage to your systems, data, and reputation. A data breach exposes sensitive information, while a DDoS attack might disrupt operations.
  • Likelihood: Not all alerts represent genuine threats. False positives waste precious time and resources. Triage helps separate the real from the red herrings.

The Triage Workflow:

  1. Gather Data: Collect information from alerts, logs, and affected systems to build a holistic picture of the incident.
  2. Analyze: Assess the data against your organization’s security policies and threat intelligence to determine severity and potential impact.
  3. Prioritize: Assign urgency levels based on your analysis, ensuring critical incidents receive immediate attention.
  4. Communicate: Keep stakeholders informed about the situation, prioritizing transparency and clear communication.

Beyond Prioritization:

Triage isn’t just about ranking threats; it’s also about initiating containment measures to minimize damage. This might involve isolating affected systems, disabling compromised accounts, or deploying security tools.

Remember:

  • Time is of the essence: Every minute wasted can widen the attack window and increase potential damage.
  • Context is key: Don’t jump to conclusions; build a clear understanding of the incident through thorough investigation.
  • Adapt and evolve: No two incidents are identical. Be prepared to adjust your triage process based on the specific threat and situation.

Building a Culture of Triage:

Effective triage requires not just tools and processes, but a trained and prepared team. Regularly conduct simulations and training exercises to ensure your team can confidently navigate the storm of an attack.

Triage is the foundation of successful incident response. By mastering this vital skill, you equip yourself and your team to weather any digital storm, protecting your organization’s critical assets and emerging stronger from the chaos.

So, hone your triage skills, build a resilient team, and remember – in the face of cyber threats, preparedness is your greatest weapon.

As you’ve learned,
security analysts can be flooded with a large amount
of alerts on any given day. How does an analyst manage
all of these alerts? Hospital emergency
departments receive a large number of
patients every day. Each patient needs medical
care for a different reason, but not all patients will receive medical
care immediately. This is because hospitals have a limited
number of resources available and must manage their time and
energy efficiently. They do this through a
process known as triage. In medicine, triage
is used to categorize patients based on the
urgency of their conditions. For example, patients with a
life-threatening condition such as a heart attack will receive immediate
medical attention, but a patient with a non-life
threatening condition like a broken finger may have to wait before they see a doctor. Triage helps to manage limited resources so
that hospital staff can give immediate attention to patients with the most
urgent conditions. Triage is also used in security. Before an alert gets escalated, it goes through a triage
process, which prioritizes incidents according
to their level of importance or urgency. Similar to hospital
emergency departments, security teams have
limited resources available to dedicate
to incident response. Not all incidents are the same, and some may involve an
urgent response. Incidents are
triaged according to the threat they pose to
the confidentiality, integrity, and
availability of systems. For example, an
incident involving ransomware requires
immediate response. This is because ransomware
may cause financial, reputational, and
operational damage. Ransomware is a
higher priority than an incident like an employee
receiving a phishing email. When does triage happen? Once an incident is
detected and an alert gets sent out, triage begins. As a security analyst, you’ll identify the
different types of alerts, and then prioritize them
according to urgency. The triage process
generally looks like this. First, you’ll receive and assess the alert to
determine if it’s a false positive and whether it’s related to an existing incident. If it’s a true positive, you’ll assign priority
on the alert based on the organization’s
policy and guidelines. The priority level defines how the organization’s security team will respond to the incident. Finally, you’ll
investigate the alert and collect and
analyze any evidence associated with the alert,
such as system logs. As an analyst, you’ll want
to ensure that you complete a thorough analysis
so that you have enough information to make an informed decision
about your findings. For example, say
that you received an alert for a failed
user login attempt. You’ll need to add context to your investigation to
determine if it’s malicious. You can do so by
asking questions. Is there anything out of the ordinary associated
with this alert? Are there multiple
failed login attempts? Did the login happen outside
of normal working hours? Did the login happen
outside of the network? These questions paint a
picture around the incident. By adding context, you avoid making assumptions,
which can result in incomplete or
incorrect conclusions. Now that we’ve covered
how to triage alerts, we’re ready to discuss
how to respond and recover from an
incident. Let’s go!

Video: Robin: Foster cross-team collaboration

Key Points:

  • Teamwork is the core skill: Solving complex cyber threats requires diverse perspectives, problem-solving skills, and knowledge. Collaborating effectively is essential.
  • Open information sharing: Unreservedly sharing information, especially during confusing incident responses, leads to the fastest and best solutions.
  • Real-world example: Robin shares a significant incident where global teamwork resolved a major vulnerability, strengthened bonds, and improved future collaboration.
  • Don’t give up: Cybersecurity can be challenging, but perseverance and continuous learning lead to a rewarding career.

Overall message:

In cybersecurity, success hinges on collaborative problem-solving and open communication within a strong team. Embrace the challenges, learn from your experiences, and enjoy the journey of a fulfilling career.

[MUSIC] My name is Robin, and I am the program management lead for
the Red Team at Google. I would say teamwork might be
the most important skill for people who work in cybersecurity. The collaborative culture is to understand
that everybody brings a unique perspective and a useful perspective and
useful skills. What it is about teamwork is
that these problems are hard. These problems are complex.
The bad actors out there are smart, they’re well resourced, and
they’re really motivated. So they’re constantly coming up with
new ways to do the activities that they want to do. It takes people with all
kinds of perspectives, all kinds of problem solving skills,
all kinds of knowledge to come together to understand what has happened,
and how we can defend against it. When you’re working as part of a team, one
of the things to expect is that you should share information freely
with your colleagues and that they’ll share
information freely with you. At the beginning and in the confusing
part of responding to incidents, all information is useful. So expect to dive right in,
share everything you know and listen to the things
people around you say, so that we come out with the best
solutions as quickly as we can. Very soon after I got into
the role that I am in now, we experienced a very
significant incident. A vulnerability was discovered in
a library that was used in many, many different places on the Internet and
the vulnerability was significant. I was part of the team that came
together to respond to that, and that team that came together,
we set up response process that involved 24/7 coverage using our
colleagues all around the world. The end result of the amazing teamwork
that we experienced was, first of all, we were able to manage the vulnerability. But more importantly, it’s the way
the team came together afterward. And it’s the way people still talk about
how our great team work brought us closer to our colleagues, meant that our team works better
together than it did before, meant that these teamwork aspects,
they’re all things that we do so well now. We all feel like we’ve been
through something together and that we came out stronger
on the other side. As you go through the certificate, you might learn that cybersecurity is
tricky or it’s hard but don’t give up. The more you learn,
the more you’re going to enjoy it. So stay with it, learn everything you can,
and you’re going to have a great career.

Reading: The triage process

Reading

Video: The containment, eradication, and recovery phase of the lifecycle

This video covers the third phase of incident response, focusing on containment, eradication, and recovery.

Key Points:

  • These steps are intertwined: Each step builds upon the previous one, with containment enabling eradication and ultimately supporting recovery.
  • Integrates with NIST framework: This phase aligns with the Respond and Recover functions of the NIST Cybersecurity Framework.
  • Containment: Aims to limit and prevent further damage after an incident. Strategies vary depending on the incident type, like isolating infected systems.
  • Eradication: Focuses on removing all traces of the incident, involving vulnerability tests and patching related to the threat.
  • Recovery: Brings affected systems back to normal operation, including reimaging, resetting passwords, and adjusting network configurations.
  • Cyclical process: The incident response lifecycle can involve revisiting and iterating through previous phases based on new information or related incidents.

Next: The video will explore the final phase of the incident response lifecycle.

Imagine a digital fire outbreak within your network. Flames of malicious activity flicker across systems, threatening data and disrupting operations. Thankfully, you have a fire response plan – a well-defined strategy to extinguish the threat and restore normalcy. In the world of cybersecurity, this plan translates to the containment, eradication, and recovery (CER) phase of the incident response lifecycle.

Containment: Stopping the Spread

Think of containment as building a firebreak around the digital blaze. Its primary goal is to limit the damage by preventing the incident from spreading to other systems and causing further mayhem. This crucial step buys precious time for the eradication and recovery efforts to unfold.

Key Containment Strategies:

  • Isolation: Quarantine infected systems or network segments to prevent lateral movement of the threat.
  • Disabling Accounts: Block compromised accounts to cut off attacker access and prevent further unauthorized activity.
  • Stopping Services: Halt potentially vulnerable services to minimize exposure and potential exploitation.
  • Network Segmentation: Limit attacker reach by implementing temporary network segregation to compartmentalize affected areas.

Eradication: Extinguishing the Flames

With the fire contained, it’s time to extinguish it completely. Eradication focuses on eliminating all traces of the malicious activity from your systems. This thorough cleanup ensures the threat is neutralized and prevents future outbreaks.

Essential Eradication Steps:

  • Malware Removal: Utilize antivirus and anti-malware tools to scan and remove malicious software.
  • Vulnerability patching: Apply security patches to close exploited vulnerabilities and prevent future attacks.
  • Forensic Analysis: Investigate the incident to understand the attacker’s methods, identify affected systems, and gather evidence for potential legal action.
  • System Hardening: Strengthen system security configurations to mitigate future risks and make your network a less attractive target.

Recovery: Restoring Normalcy

Finally, it’s time to rebuild from the ashes. Recovery involves bringing affected systems and operations back online in a secure and stable manner. This phase ensures business continuity and minimizes the long-term impact of the incident.

Recovery Actions:

  • System Restoration: Reimage affected systems from clean backups or rebuild them from scratch if necessary.
  • Data Restoration: Restore lost or corrupted data from secure backups, ensuring data integrity and availability.
  • Incident Response Report: Document the incident details, lessons learned, and corrective actions taken for future reference and improvement.
  • Post-Incident Review: Conduct a thorough review of the incident to identify weaknesses in your security posture and implement preventive measures to avoid similar incidents in the future.

Remember:

  • The CER phase is cyclical and iterative. You may need to revisit previous steps based on new information or discoveries during the eradication and recovery process.
  • Incident response planning is crucial. Having a pre-defined plan with roles, responsibilities, and procedures in place ensures a faster and more effective response during an actual incident.
  • Regular testing and training of your incident response plan are essential to ensure your team is prepared to handle real-world scenarios.

By mastering the art of containment, eradication, and recovery, you can transform your cybersecurity posture from reactive to proactive, turning digital firestorms into manageable incidents and safeguarding your organization from the ever-evolving threats of the cyber landscape.

This tutorial serves as a starting point for your journey into the CER phase of the incident response lifecycle. Let the learning continue, and remember, a well-prepared digital defense is your best weapon against the flames of cyber threats.

What steps are included in the third phase of the NIST Incident Response Lifecycle? Select three answers.

Containment, Recovery, Eradication

The third phase of the NIST Incident Response Lifecycle includes the steps Containment, Eradication, and Recovery. Eradication completely removes elements of an incident from all affected systems.

In this video, we’ll discuss the third phase of the
incident response lifecycle. This phase includes
the steps for how security teams contain, eradicate, and recover
from an incident. It’s important to note that
these steps interrelate. Containment helps meet
the goals of eradication, which helps meet the
goals of recovery. This phase of the lifecycle
also integrates with the core functions of the NIST Cybersecurity
Framework, Respond and Recover. Let’s begin with the
first step, containment. After an incident
has been detected, it must be contained. Containment is the
act of limiting and preventing additional damage
caused by an incident. Organizations outline their
containment strategies in incident response plans. Containment strategies
detail the actions that security teams should take after an incident
has been detected. Different containment
strategies are used for various incident types. For example, a common
containment strategy for a malware incident on a single computer
system is to isolate the affected system by
disconnecting it from the network. This prevents the spread of the malware to other
systems in the network. As a result, the incident is contained to the single
compromised system, which limits any further damage. Containment actions
are the first step toward removing a threat
from an environment. Once an incident
has been contained, security teams work to remove all traces of the incident
through eradication. Eradication involves
the complete removal of the incident elements from
all affected systems. For example, eradication
actions include performing vulnerability tests and applying patches to vulnerabilities
related to the threat. Finally, the last
step of this phase in the incident response
lifecycle is recovery. Recovery is the
process of returning affected systems back
to normal operations. An incident can disrupt key business operations
and services. During recovery, any services
that were impacted by the incident are brought
back to normal operation. Recovery actions include:
reimaging affected systems, resetting passwords,
and adjusting network configurations
like firewall rules. Remember, the incident response
lifecycle is cyclical. Multiple incidents
can happen across time and these incidents
can be related. Security teams may have to
circle back to other phases in the lifecycle to conduct
additional investigations. Next up, we’ll discuss the final phase of the
lifecycle. Meet you there.

Reading: Business continuity considerations

Reading

Practice Quiz: Test your knowledge: Response and recovery

A security analyst in a security operations center (SOC) receives an alert. The alert ticket describes the detection of the download of a possible malware file on an employee’s computer. Which step of the triage process does this scenario describe?

What is triage?

Fill in the blank: _____ is the act of limiting and preventing additional damage caused by an incident.

Which examples describe actions related to the eradication of an incident? Select two answers.

Post-incident actions

Video: The post-incident activity phase of the lifecycle

Key Points:

  • Security response doesn’t end with containment and recovery.
  • Post-incident activity: Review, assess, and improve!
  • Documentation: Create a final report with incident timeline, details, and prevention recommendations.
  • Lessons learned meeting: Reflect and share insights within 2 weeks.
  • Goals: Minimize future risk and improve response efforts.
  • Focus: Share ideas, not blame. Identify human errors as learning opportunities.

Remember: Post-incident activities are crucial for continuous improvement and building a stronger security posture.

Cybersecurity incidents can be like ferocious storms – disruptive, damaging, and demanding immediate attention. But when the clouds clear, the post-incident activity phase emerges as the crucial window for learning, reflection, and fortification. This tutorial will equip you with the tools and insights to navigate this critical stage, transforming past turbulence into future resilience.

Why Post-Incident Activities Matter:

Containment and recovery are victory sprints, but post-incident activities are marathons that build long-term resilience. In this phase, we shift from adrenaline-fueled response to meticulous analysis, asking:

  • What went wrong?
  • How can we prevent it from happening again?
  • How can we improve our response for future storms?

By answering these questions, we turn chaos into opportunity, transforming an incident from a painful memory to a catalyst for growth.

Key Activities in the Post-Incident Phase:

1. Documentation:

  • Final Report: Craft a comprehensive narrative of the incident, including timeline, details, response actions, and recommendations for future prevention. This becomes the bible for lessons learned meetings and future reference.
  • Review Existing Documentation: Update incident response plans, playbooks, and risk assessments based on the incident’s specific vulnerabilities and challenges.

2. Lessons Learned Meeting:

  • Gather the Crew: Convene all stakeholders involved in the incident within two weeks while memories are fresh. This includes security analysts, IT personnel, executives, and any affected departments.
  • Open Forum: Foster a non-blaming environment focused on sharing insights, not finding fault. Encourage open discussion about what worked well, what didn’t, and areas for improvement.
  • Actionable Outcomes: Document key takeaways, identify specific improvement actions, and assign ownership for implementing them.

3. Deeper Analysis:

  • Threat Investigation: Dive deeper into the attacker’s tactics, techniques, and procedures (TTPs) to understand their motivations and identify potential indicators of compromise (IOCs) for future detection.
  • Vulnerability Assessment: Identify the vulnerabilities exploited in the incident and prioritize their remediation to strengthen your cyber defenses.
  • Human Factors Analysis: Examine human errors involved in the incident, not to blame, but to identify training needs and improve security awareness across the organization.

Remember:

  • Continuous Improvement: The post-incident phase is not a one-time activity. Integrate its learnings into your overall security culture, fostering a continuous loop of analysis, improvement, and preparedness.
  • Knowledge Sharing: Disseminate learnings from post-incident activities across the organization through training sessions, internal newsletters, and security awareness campaigns.
  • Testing and Validation: Regularly test your updated incident response plans and playbooks through simulations and drills to ensure their effectiveness in future storms.

By mastering the post-incident activity phase, you transform cyber incidents from setbacks into stepping stones, ultimately building a more resilient and proactive security posture. So, the next time the storm clouds gather, remember – the calm after the storm holds the power to build a brighter future.

Bonus Tip: Leverage security automation tools to streamline documentation, analysis, and reporting, freeing up your team to focus on deeper insights and strategic improvements.

This tutorial provides a framework for understanding the post-incident activity phase. Feel free to customize it with specific examples from your industry, including tools and techniques relevant to your threat landscape. Together, let’s make every storm an opportunity to build a stronger, more resilient cyber defense.

Which of the following activities do security teams perform during the Post-incident activity phase of the NIST Incident Response Lifecycle? Select two answers.

Create a final report. Identify areas for improvement and learning.

Security teams create a final report and identify areas for improvement and learning during the Post-incident activity phase of the NIST Incident Response Lifecycle.

Now that a security team has
successfully contained eradicated and recovered from an incident,
their job is done, right? Not quite. Whether it’s a new technology or
a new vulnerability, there’s always more to learn
in the security field. The perfect time for learning and
improvement happens during the final phase of the incident response lifecycle,
post-incident activity. The post-incident activity
phase entails the process of reviewing an incident to identify areas
for improvement during incident handling. During this phase of the lifecycle,
different types of documentation get updated or created. One of the critical forms of documentation
that gets created is the final report. The final report is documentation that
provides a comprehensive review of an incident. It includes a timeline and details of
all events related to the incident and recommendations for future prevention. During an incident, the goal of
the security team is to focus efforts on response and recovery. After an incident, security teams work to
minimize the risk of it happening again. One way to improve processes is to
hold a lessons learned meeting. A lessons learned meeting includes all
parties involved in the incident and is generally held within two
weeks after the incident. During this meeting, the incident is
reviewed to determine what happened, what actions were taken, and
how well the actions worked. The final report is also used as the main
reference document during this meeting. The goal of the discussions in a lessons
learned meeting is to share ideas and information about the incident and
how to improve future response efforts. Here are some questions to ask
during a lessons learned meeting: What happened? What time did it happen? Who discovered it? How did it get contained? What were the actions taken for recovery? What could have been done differently? Incident reviews can reveal human errors
before detection and during response, whether it’s a security analyst missing
a step in a recovery process, or an employee clicking a link in a phishing
email, resulting in the spread of malware. Blaming someone for an action they did or
didn’t do should be avoided. Instead security teams can view this as
an opportunity to learn from what happened and improve.

Reading: Post-incident review

Reading

Practice Quiz: Activity: Review a final report

Reading

Practice Quiz: Test your knowledge: Post-incident actions

Which section of a final report contains a high-level overview of the security incident?

What are the goals of a lessons learned meeting? Select two answers.

Fill in the blank: In the NIST Incident Response Lifecycle, reviewing an incident to identify areas for improvement during incident handling is known as the _____.

An organization has recovered from a ransomware attack that resulted in a significant disruption to their business operations. To review the incident, the security team hosts a lessons learned meeting. The team realizes that they could have restored the affected systems more quickly if they had a backup and recovery plan in place. Which question would have most likely helped the security team come to this conclusion?

Review: Incident investigation and response

Video: Wrap-up

1. Detection and Analysis:

  • Purpose: Identify and verify malicious activity.
  • Tools: Indicators of compromise (IOCs) and security alerts.

2. Response and Remediation:

  • Plans and processes: Documentation, triage, containment, eradication, and recovery.
  • Strategies: Swift action, minimizing damage, and restoring normalcy.

3. Post-Incident Activities:

  • Final reports and timelines.
  • Lessons learned meetings: Reflecting on successes and improvements.

Remember: Your skills are crucial in each phase of the incident response lifecycle.

Next Stop: Dive into the world of logs and explore them with a SIEM (Security Information and Event Management) platform.

This summary succinctly captures the key takeaways from the session on incident investigation and response, highlighting the three phases, essential tools and strategies, and your role as a security analyst. It also creates anticipation for the upcoming topic of logs and SIEM, encouraging viewers to continue their learning journey.

That wraps up our discussion on
incident investigation and response. Nice work on finishing up another section! We’ve covered a lot here, so
let’s take a moment to quickly recap. First, we revisited the detection and
analysis phase of the NIST incident response lifecycle and focused on how
to investigate and verify an incident. We discussed the purpose of detection, and
how indicators of compromise can be used to identify
malicious activity on a system. Next, we examined plans and processes behind the incident response,
such as documentation and triage. We also explored strategies for
containing and eradicating an incident and recovering from it. Finally, we examined the last phase of the
incident lifecycle, post-incident actions. We talked about final reports,
timelines, and the value of scheduling post-incident
reviews through lessons learned meetings. As a security analyst,
you’ll be responsible for completing some processes involved in each
phase of the incident response lifecycle. Coming up, you’ll learn about logs and have the chance to
explore them using a SIEM.

Reading: Glossary terms from module 3

Terms and definitions from Course 6, Module 3

Quiz: Module 3 challenge

Which step of the NIST Incident Response Lifecycle involves the investigation and validation of alerts?

What are the benefits of documentation during incident response? Select three answers.

An organization is working on implementing a new security tool, and a security analyst has been tasked with developing workflow documentation that outlines the process for using the tool. Which documentation benefit does this scenario outline?

A member of the forensics department of an organization receives a computer that requires examination. On which part of the chain of custody form should they sign their name and write the date?

Which of the following does a semi-automated playbook use? Select two.

Using triage, which alert would be considered a higher priority and require immediate response?

Fill in the blank: Containment is the act of limiting and _____ additional damage caused by an incident.

Which step of the NIST Incident Response Lifecycle involves returning affected systems back to normal operations?

Fill in the blank: A lessons learned meeting should be held within ____ weeks of an incident.

During a lessons learned meeting following an incident, a meeting participant wants to identify actions that the organization can take to prevent similar incidents from occurring in the future. Which section of the final report should they refer to for this information?

A security analyst is investigating an alert involving a possible network intrusion. Which of the following tasks is the security analyst likely to perform as part of the Detection and Analysis phase of the incident response lifecycle? Select two answers.

What are examples of how transparent documentation can be useful? Select all that apply.

After a security incident involving an exploited vulnerability due to outdated software, a security analyst applies patch updates. Which of the following steps does this task relate to?

Fill in the blank: Eradication is the complete _____ of all the incident elements from affected systems.

Two weeks after an incident involving ransomware, the members of an organization want to review the incident in detail. Which of the following actions should be done during this review? Select all that apply.

Home » Google Career Certificates » Google Cybersecurity Professional Certificate » Sound the Alarm: Detection and Response » Module 3: Incident investigation and response