#spoiler - this refers to a sample test question in the CC training#
The incident response video question suggests that when the incident response team establishes that the user is known and that the activity discovered is benign, then the incident response should stop. However, I think this is inaccurate, as I would expect (and the previous training slides suggest) the responders to carry out a brief retrospective of the incident. I would also like to see if the responders could suggest ways in which such 'false positives' could be removed from the alerting process, thus making the team more efficient overall. So in my mind the answer is that the response continues to a conclusion and hence does not stop...
Welcome any thoughts on that.
NOTE: it's only a guide question - not an exam - so it's not vital...
Possibly. It depends how you scope RS.IM. A reduction in false positives could be seen as an improvement, but equally it could be done as part of an improvement in detection.
Technically, the security event shouldn't have been declared an incident. So, the incident process should be immediately stopped and moved to post-incident activities for process improvement, aka adjust tooling to fix false positives. The test won't get this detailed though.
@tmekelburg1 Great diagram but is this really a concept that we would expect someone with little to no experience to understand????
If you take a simple ISO 27035 perspective, there are a great many security events, which get filtered down into the few that are actual incidents. So if something has been incorrectly called an incident, it should be possible to close it later due to the mistake.
So on that (really good) diagram should there be a section prior to 'declare incident' that says 'initial triage of security event' to determine whether it is really an incident at all???
@RichA69 Yeah, you could. This diagram is just showing the IR phases and what feeds into it.
@dcontesti No, but it was easier for me to describe and show in the diagram how it's all connected. The main thing for the OP to know, related to the test, is to stop the IR process if it's not an incident.
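The ISO 27035 style funnel and the 'initial triage of security event' step discussed above, plus the feedback loop into detection tuning that @tmekelburg1 mentions, shown as an added Python example. This is not code from the CC training, from any poster, or from any product; the event fields, the known-user and benign-process lists, the rule IDs and the sample events are all constructed for illustration, and the suppression key (rule, user, process) is an assumed design choice.

```python
"""Triage of security events ahead of 'declare incident', with a
false-positive feedback loop into detection tuning.

Added example for this thread, not from the CC training or any post.
All names, fields, rule IDs and sample events below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

Suppression = Tuple[str, str, str]  # (rule, user, process), assumed key


@dataclass(frozen=True)
class SecurityEvent:
    event_id: str
    rule: str      # detection rule that fired
    user: str
    process: str
    host: str


@dataclass
class TriageResult:
    event_id: str
    disposition: str                     # "incident", "false_positive", "needs_review"
    reason: str
    tuning: Optional[Suppression] = None  # suppression proposed for RS.IM / DE tuning


# Assumed reference data a responder checks during triage (constructed).
KNOWN_USERS = {"alice", "bob"}
BENIGN_PROCESSES = {"backup.exe", "patch-agent.exe"}


def triage(event, suppressions, known_users=KNOWN_USERS, benign=BENIGN_PROCESSES):
    """Decide whether a security event is an incident.

    Events already covered by a suppression return None: after tuning they
    should never have reached the responder in the first place."""
    if (event.rule, event.user, event.process) in suppressions:
        return None
    if event.user not in known_users:
        return TriageResult(event.event_id, "incident", "user not known")
    if event.process in benign:
        # Known user, benign activity: close it, but record what to tune so
        # the same event stops being raised. Keyed per user to stay conservative.
        return TriageResult(event.event_id, "false_positive",
                            "known user, benign activity",
                            tuning=(event.rule, event.user, event.process))
    return TriageResult(event.event_id, "needs_review",
                        "known user, activity not on benign list")


def run_funnel(events, suppressions):
    """Many events in, few incidents out. Returns all triaged results, the
    declared incidents, and the set of suppressions proposed for tuning."""
    results = [r for r in (triage(e, suppressions) for e in events) if r is not None]
    incidents = [r for r in results if r.disposition == "incident"]
    proposed = {r.tuning for r in results if r.tuning is not None}
    return results, incidents, proposed


def apply_tuning(suppressions, proposed):
    """Post-incident improvement: fold proposed suppressions into the
    detection layer so the false positive does not fire again."""
    return frozenset(suppressions) | frozenset(proposed)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    SecurityEvent("ev-1", "R100", "alice", "backup.exe", "ws-01"),
    SecurityEvent("ev-2", "R100", "bob", "outlook.exe", "ws-02"),
    SecurityEvent("ev-3", "R200", "mallory", "psexec.exe", "srv-01"),
    SecurityEvent("ev-4", "R300", "alice", "powershell.exe", "ws-01"),
]


if __name__ == "__main__":
    results, incidents, proposed = run_funnel(SAMPLE_EVENTS, frozenset())
    for r in results:
        print(r.event_id, r.disposition, r.reason)
    print("incidents:", [r.event_id for r in incidents])
    print("proposed suppressions:", proposed)
    # Second pass after tuning: the known false positive no longer reaches triage.
    tuned = apply_tuning(frozenset(), proposed)
    results2, _, proposed2 = run_funnel(SAMPLE_EVENTS, tuned)
    print("events reaching triage after tuning:", len(results2), "new proposals:", proposed2)
```

The point of the second pass is the part the thread disagrees about: closing the event as a false positive is where the incident process stops, but the tuning record it leaves behind is what makes the closure an improvement rather than just an early exit.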
@liudvikas https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_...