Nitesh
Newcomer II

Incident Response

Dear Experts

I am new to this community and I am preparing for the CISSP exam.

During my preparation I have come across the question below in one of the practice tests and will require your expert input.

When any intrusion is detected what should be your first step?

a) Eliminate all means of intruder access
b) Contain the intrusion
c) Determine to what extent systems and data are compromised
d) Communicate with relevant parties

According to me, the best answer should be option c), as after incident detection our first step is to respond by analysing and documenting/verifying the impact of the incident, and then we go for mitigation and containment of the incident.

Appreciate your inputs here.

Thanks
Nitesh
3 Replies
rjduin
Viewer III

I'm not an expert either, well a little bit, but I would always take action first to prevent further damage: first stop the bad thing from doing further bad things ASAP. Like hospital triage, you first stop the bleeding, first contain the problem. First containment / isolation of the problem, then you can take your time to watch, think, and analyze as much as you like, until you find out for sure what has exactly happened (what further systems are breached / damaged, etc.) and what you can do to remediate the problem, take mitigation actions to prevent this incident happening again, and try to recover from the situation, back to normal operations.

rslade
Influencer II

> Nitesh (Viewer) posted a new topic in Exam Preparation on 10-25-2020 07:34 PM in the (ISC)² Community :

> Dear Experts

Oh, I should shut up, then ...

>    When any intrusion is detected what should be your first step?

Well, the first step is the most important, so:

> a) Eliminate all means of intruder access

Eliminating all means of intruder access probably means eliminating all means of
access for everyone, which is a good way to DoS yourself, so probably not a good
idea.

> b) Contain the intrusion

My choice. Limit the damage. *Then* take stock.

> c) Determine to what extent systems and data are compromised

Good, but ...

> d) Communicate with relevant parties

Can be left until later, and probably needs to be run by PR and legal beforehand,
anyway.

>   According to me, the best answer should be option c), as after incident
> detection our first step is to respond by analysing and documenting/verifying the
> impact of the incident, and then we go for mitigation and containment of the
> incident.

Yeah, we need to do that analysis, and it is important, but the first thing is to limit
the damage, so, b.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Nitesh
Newcomer II

Thanks for your reply and explanation. Much appreciated.