RichA69
Viewer

CC question in selfpaced training is confusing.

#spoiler - this refers to a sample test question in the CC training#

 

The incident response video question suggests that when the incident response team establishes that the user is known and that the activity discovered is benign, the incident response should stop. However, I think this is inaccurate, as I would expect (and the previous training slides suggest) the responders to carry out a brief retrospective of the incident. I would also like to see if the responders could suggest ways in which such 'false positives' could be removed from the alerting process, thus making the team more efficient overall. So in my mind the answer is that the response continues to a conclusion and hence does not stop...

 

Welcome any thoughts on that.

 

NOTE: it's only a guide question - not an exam - so it's not vital...

7 Replies
Steve-Wilme
Advocate II

Possibly. It depends on how you scope RS.IM. A reduction in false positives could be seen as an improvement, but equally it could be done as part of an improvement in detection.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
tmekelburg1
Community Champion

Technically, the security event shouldn't have been declared an incident. So, the incident process should be immediately stopped and moved to post-incident activities for process improvement, aka adjust tooling to fix false positives. The test won't get this detailed though.

 

 

[attached diagram: tmekelburg1_0-1668521199085.png]

 

dcontesti
Community Champion

@tmekelburg1 Great diagram, but is this really a concept that we would expect someone with little to no experience to understand????

Steve-Wilme
Advocate II

If you take a simple ISO 27035 perspective, there are a great many security events, which get filtered down into the few that are actual incidents. So if something has been incorrectly called as an incident, it should be possible to close it later due to the mistake.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
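As an added illustration of the two points above (stop the incident process once the activity is confirmed benign, but keep the retrospective and feed the false positive back into detection tuning), here is a small triage model in Python. This is not code from the thread or from any of the posters; the rule names, users, approved activities and events are constructed sample data, and the "suppression" feedback is one assumed way of representing the detection improvement.

```python
"""Event-to-incident triage with a false-positive feedback loop.

Added illustration, not from the thread. Rule names, users and events are
constructed sample data; the suppression table is an assumed representation
of "adjust tooling to fix false positives".
"""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    EVENT = "event"                       # detected, not yet assessed
    INCIDENT = "incident"                 # declared; response in progress
    CLOSED_FALSE_POSITIVE = "closed_fp"   # benign: response stopped, fed to tuning
    CLOSED_RESOLVED = "closed_resolved"   # real incident worked to conclusion


@dataclass
class SecurityEvent:
    event_id: str
    rule: str          # detection rule that fired
    user: str          # principal the activity is attributed to
    action: str        # what was observed
    status: Status = Status.EVENT
    history: list = field(default_factory=list)


@dataclass
class TriageContext:
    known_users: set
    approved_activity: set        # (user, action) pairs authorised by change control
    suppressions: dict = field(default_factory=dict)  # rule -> {(user, action)}


def is_benign(event: SecurityEvent, ctx: TriageContext) -> bool:
    """Known user performing an activity that change control already approved."""
    return event.user in ctx.known_users and (event.user, event.action) in ctx.approved_activity


def is_suppressed(event: SecurityEvent, ctx: TriageContext) -> bool:
    return (event.user, event.action) in ctx.suppressions.get(event.rule, set())


def close_false_positive(event: SecurityEvent, ctx: TriageContext, reason: str) -> None:
    """Stop the response at whatever stage it reached, but keep the retrospective:
    record why it was benign and suppress the exact (rule, user, action) tuple so
    the same benign activity does not page the team again."""
    event.history.append(f"closed as false positive at stage '{event.status.value}': {reason}")
    event.status = Status.CLOSED_FALSE_POSITIVE
    ctx.suppressions.setdefault(event.rule, set()).add((event.user, event.action))


def triage(event: SecurityEvent, ctx: TriageContext) -> Status:
    """ISO 27035-style filter: most events never become incidents."""
    if is_suppressed(event, ctx):
        event.history.append("auto-closed: matches a previously tuned suppression")
        event.status = Status.CLOSED_FALSE_POSITIVE
    elif is_benign(event, ctx):
        close_false_positive(event, ctx, "known user, approved activity")
    else:
        event.history.append("declared incident")
        event.status = Status.INCIDENT
    return event.status


def run_demo():
    """Walk constructed events through triage and return (events, ctx, counts)."""
    ctx = TriageContext(
        known_users={"alice", "bob"},
        approved_activity={("bob", "disable_av")},   # bob has a change ticket for this
    )
    events = [
        SecurityEvent("E1", "av_disabled", "bob", "disable_av"),       # approved -> FP
        SecurityEvent("E2", "av_disabled", "bob", "disable_av"),       # same again -> auto-closed
        SecurityEvent("E3", "av_disabled", "mallory", "disable_av"),   # unknown user -> incident
        SecurityEvent("E4", "new_admin", "alice", "create_admin"),     # not approved -> incident
    ]
    for ev in events:
        triage(ev, ctx)

    # E4 was declared an incident; investigation later finds alice's change ticket
    # was filed late. The thread's case: close the incident, keep the retrospective.
    close_false_positive(events[3], ctx, "change ticket located after declaration")

    counts = Counter(ev.status.value for ev in events)
    return events, ctx, counts


if __name__ == "__main__":
    evs, context, summary = run_demo()
    for ev in evs:
        print(ev.event_id, ev.status.value, "|", "; ".join(ev.history))
    print(dict(summary))
    print("suppressions:", context.suppressions)
```

The transition from `INCIDENT` straight to `CLOSED_FALSE_POSITIVE` is deliberate: the response work stops, but the closure reason and the suppression entry are the retrospective output, which is what makes the false positive an improvement to detection rather than a silently dropped ticket.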
RichA69
Viewer

So on that (really good) diagram, should there be a section prior to 'declare incident' that says 'initial triage of security event' to determine whether it is really an incident at all???

liudvikas
Viewer III

Hey, what's the source of your diagram? Thanks
tmekelburg1
Community Champion

@RichA69 Yeah, you could. This diagram is just showing the IR phases and what feeds into it.

 

@dcontesti No, but it was easier for me to describe and show in the diagram how it's all connected. The main thing for the OP to know, related to the test, is to stop the IR process if it's not an incident.

 

@liudvikas https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_...