VII
see attached
VII.docx
Project 3 includes two labs: Lab 5 and Lab 6.
Lab 5 Assignment: Conducting Forensic Investigations on Windows Systems.
Locate and complete Lab 5: Conducting Forensic Investigations on Windows Systems. Upon completion of Section 2 of the lab, you are required to provide the deliverables listed below.
Note: You do not have to complete Section 3 of the lab.
1. Include the Lab Report file with the following screen captures:
· properties window for the process you selected,
· Listening Ports list,
· information about the C: drive,
· information about the vWorkstation's usn journal,
· file path for the yourname.txt file,
· vWorkstation Windows installation timestamp in a human-friendly format,
· key values for the vWorkstation's default network interface,
· Winlogon key values,
· ShellBags key value,
· RecentDocs key values,
· the Sorted Files,
· contents of the 777.jpg file in the Document View,
· 777.lnk file contents including the path to the file in the system,
· installation files for suspicious apps in the Downloads category,
· VPN application (Speedify) in the Uninstall folder,
· users list,
· contents of the Beverly Gates / Run folder,
· at least one suspicious browsing record found in the History sub-node, and
· at least one suspicious search found in the Keywords sub-node.
When you have completed the lab, click the "Download Lab Report as PDF" icon, located in the top right corner of the lab (as shown below):
2. Save the following file downloaded from the virtual environment:
· yourname_lab5_windows_forensics.pdf
3. Upload the PDF Lab Worksheet in the Blackboard course.
Lab 6 Assignment: Conducting Forensic Investigations on Linux Systems.
Locate and complete Lab 6: Conducting Forensic Investigations on Linux Systems. Upon completion of Section 2 of the lab, you are required to provide the deliverables listed below.
Note: You do not have to complete Section 3 of the lab.
1. Include the Lab Report file with the following screen captures:
· contents of the /bin directory,
· contents of the /etc directory,
· contents of the /var directory,
· contents of the /proc directory,
· results of the dmesg command,
· results of the fsck command,
· results of the history command,
· running processes,
· results of the file command,
· records in the kern.log file, and
· records in the auth.log file.
When you have completed the lab, click the "Download Lab Report as PDF" icon, located in the top right corner of the lab (as shown below):
2. Save the following file downloaded from the virtual environment:
· yourname_lab6_linux_forensics.pdf
3. Upload the PDF Lab Worksheet in the Blackboard course.
4. Then, write one page that discusses the elements listed below.
· Identify terms associated with incident response.
· Describe procedures for information systems control governance and policy enforcement.
· Describe system security related incidents.
Remember to include an introduction for the written portion of the paper. APA formatting is required, and citations and references for any paraphrased material should be present. A minimum of one reference is required for your assignment (it can be the textbook).
TEXTBOOK
Easttom, C. (2022). Digital forensics, investigation, and response (4th ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284226065
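The Lab 6 deliverables above are, in effect, a live-response collection of a Linux host. The POSIX shell script below is an added example (not part of the lab, the course materials, or the textbook) that gathers those same artifacts into an evidence directory and writes a SHA-256 manifest so that each captured output can be integrity-checked later, which is what a chain of custody for the collected data requires. It assumes a Debian/Ubuntu-style log layout (/var/log/kern.log and /var/log/auth.log), that sha256sum and file(1) are installed, and that dmesg or the log files may be unreadable without root; anything that fails is recorded in collection.log instead of aborting the collection. The output directory name is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example, not from the lab or course materials: collect the Lab 6
# artifacts from a live Linux host into an evidence directory and hash them.
# Assumes: POSIX sh, GNU coreutils (sha256sum, date), Debian/Ubuntu log paths.

# run_step NAME COMMAND... : run one collection command, store its stdout and
# stderr in $EVIDENCE_DIR/NAME.txt, and log the exit status. A command that is
# missing or unprivileged is recorded, never allowed to abort the collection.
run_step() {
    name=$1; shift
    out="$EVIDENCE_DIR/$name.txt"
    if "$@" >"$out" 2>&1; then
        status=ok
    else
        status="exit=$?"
    fi
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$status" \
        >>"$EVIDENCE_DIR/collection.log"
}

# collect_linux_artifacts DIR : gather the Lab 6 items, most volatile first
# (process table and kernel ring buffer), static listings and logs last,
# then write MANIFEST.sha256 covering every captured file.
collect_linux_artifacts() {
    EVIDENCE_DIR=$1
    mkdir -p "$EVIDENCE_DIR" || return 1
    : >"$EVIDENCE_DIR/collection.log"

    run_step processes     ps -eo pid,ppid,user,args       # running processes
    run_step dmesg         dmesg                            # kernel ring buffer (may need root)
    run_step proc_dir      ls -la /proc
    run_step bin_dir       ls -la /bin
    run_step etc_dir       ls -la /etc
    run_step var_dir       ls -la /var
    run_step file_types    sh -c 'file /bin/* 2>/dev/null'  # file(1) over the binaries
    run_step fsck_dryrun   fsck -N                          # -N: report only, writes nothing to disk
    run_step kern_log      cat /var/log/kern.log
    run_step auth_log      cat /var/log/auth.log
    # the lab's `history` is an interactive builtin; read the file it persists to
    run_step shell_history cat "${HOME:-/root}/.bash_history"

    (cd "$EVIDENCE_DIR" && sha256sum ./*.txt collection.log >MANIFEST.sha256)
}

# verify_evidence DIR : re-hash the captured files against the manifest;
# returns non-zero if any file changed after collection.
verify_evidence() {
    (cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null)
}

# Stand-alone use: sh collect.sh /mnt/evidence/vworkstation
if [ -n "${1:-}" ]; then
    collect_linux_artifacts "$1" && verify_evidence "$1" \
        && echo "evidence collected and verified in $1"
fi
```

The only step that touches a filesystem checker is `fsck -N`, which prints what would be checked and changes nothing; the lab's actual fsck run belongs on an unmounted volume or a disk image, never on the live root filesystem you are examining. Keep MANIFEST.sha256 with the evidence and re-run `verify_evidence` whenever the files change hands.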
UnitVII.pdf
FRN 4301, Principles of Digital Forensics
Course Learning Outcomes for Unit VII
Upon completion of this unit, students should be able to:
1. Analyze forensic procedures for investigation.
1.11 Identify terms involved with incident response.
1.12 Describe procedures for information systems control governance and policy enforcement.
2. Perform data reconnaissance activities.
2.4 Describe incidents related to system security.
2.5 Manage an organization's computer incident response and computer forensics investigation processes.
Required Unit Resources
Chapter 7: Incident Response
Unit Lesson
Introduction
In Unit VI, you learned about the different tools and certifications related to digital forensics. In this unit, you will be introduced to the importance of having strong incident response, disaster recovery, and business continuity plans in place. Preparation is the key to a successful recovery from a network security breach. In this lesson, you will learn why digital forensics is a valuable asset to have on the team when attempting to contain a security breach.
Incident Response
Incident response is a systematic way to address and deal with the repercussions of a security breach or cyberattack. A security breach is also known as an information technology (IT) incident, computer incident, or security incident. The purpose of incident response is to deal with the incident, mitigate the harm, and reduce recovery time and cost. In preparation for cyber intrusions and attacks, incident response exercises should be conducted by the organization's Computer Security Incident Response Team (CSIRT). The CSIRT incorporates security and IT personnel and delegates from the human resources (HR) and public relations departments. The CSIRT's reaction adheres to the organization's incident response plan (IRP), a set of guidelines that lay out the team's preparation, response, and after-action activities for a cyberattack (Irei & Shea, 2023). An IRP outlines the steps that will allow the IT staff to recognize, react to, and recover from a system security incident. The plan should address issues such as cybercrime, data loss, and periods of operational disruption that compromise everyday work. An adequate incident response plan provides a plan for different types of critical incidents. These incidents can lead to enormous system or data breaches that can affect an organization for a considerable length of time (Cisco, n.d.). When an incident occurs, the organization should begin an incident response that allows the CSIRT to stop, contain, and control the event as quickly as humanly possible. For natural catastrophic events, such as flooding, earthquakes, and events deemed acts of God, the organization should have a business continuity plan in place (Cisco, n.d.).
UNIT VII STUDY GUIDE
Incident Response
Disaster Recovery and Business Continuity Planning
A disaster recovery plan and business continuity plan (DRP/BCP) work as the organization's last line of defense; when every other control has failed, the DRP/BCP is the last control an organization can implement to ensure that business continues as usual (Citu, 2012). Disaster recovery includes different strategies, methodologies, and tools to enable the recovery of business essentials, the organization's technology, and systems following a human-made or natural disaster. Disaster recovery focuses on the IT and technology frameworks that support day-to-day business functions rather than on the broader business continuity effort. Disaster recovery planning is part of a BCP and needs to have controls in place for the resumption of applications, information, hardware (e.g., networking), and other IT frameworks. After the controls have been put into place, they should be examined and tested regularly. To be viable, every DRP and BCP needs to be thoroughly evaluated (Weinberg, 2021). A BCP incorporates planning for a catastrophic, non-IT-related event such as a major flood or fire. Key personnel would need to know where to go and whom to contact if such an event occurs. A few controls that can help mitigate the impact of a catastrophic event are listed below:
• preventive measures used for keeping an incident from happening;
• identification of events that may occur based on historical facts, such as flooding or earthquakes; and
• corrective measures for reestablishing critical IT functions after an incident happens.
The overall objective of a BCP is to guarantee that the business can continue functioning after a catastrophic event has occurred. The purpose of a BCP is to protect the business and guarantee that day-to-day operations are impacted as little as possible. The BCP should include a long-term strategy for ensuring the organization can continue to conduct business without interruption (Citu, 2012).
Business Continuity Plan (BCP) Elements
According to Citu (2012), a BCP consists of four components:
• scope determination,
• business impact assessment,
• identification of preventive controls, and
• implementation.
BCP Scope
The validity of a BCP depends enormously on whether senior management provides the buy-in to legitimize the scope of the plan (Citu, 2012).
Business Impact Assessment (BIA)
The BIA is used to identify the consequences that a catastrophic event would have on the business (Citu, 2012). A solid BIA should contain the information listed below.
• Vulnerability assessment: The purpose of any vulnerability assessment is to identify, quantify, and prioritize the vulnerabilities in the system (Citu, 2012).
• Fundamental assessment: Team members are tasked with quantifying the effect of a catastrophic disruption on day-to-day operations as it relates to their area of expertise.
• Maximum Tolerable Downtime (MTD): This is also called the Maximum Tolerable Period of Disruption (MTPD) for a particular IT resource. MTD is the longest period that a critical business function can be out of commission before the organization starts to suffer serious, long-lasting harm (Citu, 2012).
• Recovery targets: These targets refer to the timeframe from the beginning of a disaster until basic procedures have resumed working. Two essential recovery targets are established for every business process, and these are listed below.
o Recovery Time Objective (RTO): RTO is the longest timeframe in which business functions must be reestablished after a disaster. The RTO is also called the system recovery time.
o Recovery Point Objective (RPO): RPO is the longest timeframe over which information may be lost if a disaster strikes. The RPO represents the amount of information or work lost for a specific process because of a catastrophic event.
• Resource requirements: This is a listing of critical resources required for the organization to maintain basic business operations.
A BCP is a large plan consisting of many plans embedded within it. In addition to the DRP, other plans within the BCP are listed below:
• Continuity of Operations Plan (COOP),
• business resumption/recovery plan (BRP),
• continuity of support plan,
• cyber incident response plan,
• Occupant Emergency Plan (OEP), and
• crisis management plan (CMP).
Phases of an Incident Response Plan
An incident response plan instructs the IT staff on how best to detect, respond to, and recover from a network breach (Ellis, n.d.). An incident response plan should consist of the stages listed below.
1. Preparation: Preparation is the most crucial stage of any incident response plan. This stage outlines how the incident response team will respond using well-defined guidelines. An incident response team is only as good as the plan that supports it. A well-written plan needs to provide the following elements (Ellis, n.d.):
• proactive and ongoing training for all incident response team members to ensure that every member understands their role in the event of a security incident;
• policies, procedures, and guidelines that outline the steps for maintaining an incident response team;
• incident response drill scenarios and simulated data breaches to assess the preparedness of the incident response team members; and
• current risk detection capabilities to ensure risk assessments are up to date.
The incident response plan should be well documented and clearly outline the role and responsibility of each team member. Good preparation will help ensure that all incident response team members are prepared to do their jobs (Ellis, n.d.). The CSIRT needs to perform like a finely tuned machine when the time comes, which takes practice and team member familiarity. Similarly, a corporate security policy is required that covers acceptable use of organizational resources, consequences for security violations, and definitions of what qualifies as a security incident. The policy should define a step-by-step procedure for how the CSIRT should handle any security incident, including documentation of events as well as internal and external communication (Fox, 2022).
2. Identification: Identification defines the criteria that activate the CSIRT. For example, if someone found unidentified USB drives scattered around the building (a "candy drop") or a system alert such as "Brute Force Attack Detected" was triggered, these events would likely initiate an incident response. Likewise, an unusual access alert correlated with an alarm about an unusual transfer to a cloud storage site may be the trigger (Fox, 2022).
3. Containment: Contain the breach so that it does not spread any further. All affected hardware should be disconnected from the internet. If possible, a parallel network should be available to help reestablish business operations. One should update and patch the network, monitor all remote access connections, and require multifactor authentication. Change all user and machine access credentials, and reset all passwords (Ellis, 2017).
4. Eradication: Once the issue has been contained, the root cause of the breach needs to be identified and removed. All network components should be hardened with all available updates. Whether the eradication is done internally or by an outside third party hired by the organization, it should be as exhaustive as operations and resources warrant. Any remaining malware or security issues will increase the risk of recurrence (Ellis, 2017). It is important to establish a procedure to restore as much of the affected network as possible. A good starting point is to reimage all network devices associated with the incident to help prevent the malware from recurring (Ellis, n.d.).
5. Recovery: Recovery is the process of returning the infected network and devices to a safe state of operation. During this time, it is important to get the network and any essential business applications running again (Ellis, n.d.).
6. Lessons learned: When the investigation has concluded, management should conduct an after-action review meeting with all incident response team members to discuss lessons learned from the incident. The after-action review is the time to discuss what worked well in the response plan and where to make improvements. Takeaways gained from both simulated and real incidents will help fortify the network against future attacks (Ellis, n.d.). One should review the documentation of the incident with the CSIRT for training purposes.
Integrating Forensics into an Incident Response Plan
The National Institute of Standards and Technology (NIST) defines forensics as the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Developing or retaining a computer forensics capability is crucial. When contracting with a forensic investigator, any evidence seized needs to be protected as if it had to stand up in court, in case the organization chooses to take legal action against those involved in the data breach. Where perpetrators erase data to remove any evidence of their covert activities, the forensic expert should be able to recover it. The degree and the expertise of the forensic investigation should match the needs of the organization. Minor incidents do not merit a significant number of hours for the four stages of the forensic process, which are data collection, examination, analysis, and reporting (Walls, 2015). Without exception, the forensics group should be part of the CSIRT to determine more accurately "patient zero", or the point of the break-in. The forensics group can also help identify what information was accessed and what information was left untouched. Forensic experts can also give recommendations on how to avoid a recurrence of the event, since they will have inspected the hardware and determined exactly how the break-in occurred (Walls, 2015).
Summary
In this lesson, you learned about the importance of having forensics as part of your incident response team. You also learned that disaster recovery and business continuity differ from each other, and about the importance of good disaster planning. It is never a matter of whether your network will face a serious security breach; it is only a matter of when. Most businesses faced with a serious data breach and the loss of their business-critical data will end up closing their doors for lack of a good DRP and BCP.
References
Cisco. (n.d.). What is an incident response plan for IT? https://www.cisco.com/c/en/us/products/security/incident-response-plan.html
Citu, A. (2012, October 16). (My) CISSP notes – Business continuity and disaster recovery planning. Adrian Citu's Technical Blog. https://adriancitu.com/2012/10/16/my-cissp-notes-business-continuity-and-disaster-recovery-planning/
Ellis, D. (n.d.). 6 phases in the incident response plan. Security Metrics. https://www.securitymetrics.com/blog/6-phases-incident-response-plan
Fox, N. (2022, June 6). What is an incident response plan and how to create one. Varonis. https://www.varonis.com/blog/incident-response-plan
Irei, A., & Shea, S. (2023, March 10). What is incident response? A complete guide. TechTarget. https://www.techtarget.com/searchsecurity/definition/incident-response
Walls, T. (2015, March 24). Computer forensics: The key to effective incident response. International Association of Privacy Professionals. https://iapp.org/news/a/computer-forensics-the-key-to-effective-incident-response/
Weinberg, N. (2021, March 25). Business continuity and disaster recovery planning: The basics. CSO. https://www.csoonline.com/article/515730/business-continuity-and-disaster-recovery-planning-the-basics.html