According to the National Institute of Standards and Technology (NIST) cybersecurity framework, incident handling activities can be divided into phases.
In which incident handling phase do you quarantine a compromised host in order to prevent an adversary from using it as a stepping stone to the next phase of an attack?
- Containment
- Analysis
- Eradication
- Recovery
Answer(s): A
Explanation:
NIST Cybersecurity Framework Overview:
The NIST Cybersecurity Framework provides a structured approach for managing and mitigating cybersecurity risks. Incident handling is divided into several phases to systematically address and resolve incidents.
Incident Handling Phases:
Preparation: Establishing and maintaining an incident response capability. Detection and Analysis: Identifying and investigating suspicious activities to confirm an incident.
Containment, Eradication, and Recovery:
Containment: Limiting the impact of the incident.
Eradication: Removing the root cause of the incident.
Recovery: Restoring systems to normal operation.
Containment Phase:
The primary goal of the containment phase is to prevent the incident from spreading and causing further damage.
Quarantining a Compromised Host:
Quarantining involves isolating the compromised host from the rest of the network to prevent adversaries from moving laterally and causing more harm.
Techniques include network segmentation, disabling network interfaces, and applying access controls.
Reference:
NIST Special Publication 800-61, "Computer Security Incident Handling Guide" NIST Incident Handling
Detailed Process:
Step 1: Detect the compromised host through monitoring and analysis.
Step 2: Assess the impact and scope of the compromise.
Step 3: Quarantine the compromised host to prevent further spread. This can involve disconnecting the host from the network or applying strict network segmentation. Step 4: Document the containment actions and proceed to the eradication phase to remove the threat completely.
Step 5: After eradication, initiate the recovery phase to restore normal operations and ensure that the host is securely reintegrated into the network.
Importance of Containment:
Containment is critical in mitigating the immediate impact of an incident and preventing further damage. It buys time for responders to investigate and remediate the threat effectively.
SANS Institute, "Incident Handler's Handbook" SANS Incident Handling
NIST Special Publication 800-61, "Computer Security Incident Handling Guide" SANS Institute, "Incident Handler's Handbook"
By quarantining a compromised host during the containment phase, organizations can effectively limit the spread of the incident and protect their network from further compromise.
Reveal Solution Next Question