Systems and Security: Operations and Incident Response
1.4 Given an incident, apply mitigation techniques or controls to secure an environment
Reconfigure endpoint security solutions
-Application approved list
-Application blocklist/deny list
-Quarantine
Reconfiguring endpoint security solutions is an important part of incident response and mitigation. An application approved list allows only known and trusted applications to run on an endpoint. An application blocklist (deny list) prevents specific applications from running. Quarantine isolates infected systems so that they cannot spread malware or carry out other malicious activity. Updating endpoint security solutions to the latest versions also helps protect against the latest threats. These controls should be part of a comprehensive security plan, and should be tested and reviewed regularly to confirm that they are effective in protecting the environment.
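The two list types differ most on software nobody has reviewed: an approved list blocks it, while a deny list lets it run. The following is an added example, not part of the original notes; identifying applications by SHA-256 hash, the file names and contents, and the rule that a deny-listed binary marks the host for quarantine are all assumptions made for illustration.

```python
import hashlib

def digest(data: bytes) -> str:
    """SHA-256 of a file's bytes, used here as the application's identity."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executable contents; the names are hypothetical.
FILES = {
    "backup-agent": b"constructed sample: reviewed backup agent",
    "banned-tool": b"constructed sample: tool identified during the incident",
    "unreviewed-app": b"constructed sample: binary nobody has assessed",
}
APPROVED = {digest(FILES["backup-agent"])}
DENIED = {digest(FILES["banned-tool"])}

def may_run(data: bytes, mode: str) -> bool:
    """Decide whether one binary may execute under the given policy mode."""
    h = digest(data)
    if mode == "approved":   # approved list: default deny, only listed hashes run
        return h in APPROVED
    if mode == "deny":       # deny list: default allow, only listed hashes stop
        return h not in DENIED
    raise ValueError(f"unknown mode: {mode!r}")

def triage_host(found: list, mode: str) -> dict:
    """Apply the policy to the executables found on one endpoint."""
    blocked = [name for name in found if not may_run(FILES[name], mode)]
    # Assumption: any deny-listed binary on the host marks it for quarantine.
    quarantine = any(digest(FILES[name]) in DENIED for name in found)
    return {"blocked": blocked, "quarantine_host": quarantine}

if __name__ == "__main__":
    host = ["backup-agent", "banned-tool", "unreviewed-app"]
    for mode in ("approved", "deny"):
        print(mode, triage_host(host, mode))
```

Because identity is the file hash in this sketch, a modified copy of an approved binary no longer matches the approved list, but it also slips past a hash-based deny list.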
Configuration changes
-Firewall rules
-MDM
-DLP
-Content filter/URL filter
-Update or revoke certificates
Making configuration changes is another important step in incident response and mitigation. Updating firewall rules can help prevent unauthorized access to sensitive systems and data. Mobile device management (MDM) can be used to secure mobile devices and limit access to sensitive data. Data loss prevention (DLP) solutions can be configured to identify sensitive data and prevent it from being leaked. Content filters and URL filters can be used to block access to malicious websites and the download of malicious software. Updating or revoking certificates can help prevent unauthorized access and encrypted communication with malicious actors. These configuration changes should be made with caution, because they can affect the normal functioning of the network. Test and validate them thoroughly before implementing them in a production environment.