Microsoft Word - MSc in Cybersecurity.docx MSc in Cybersecurity (MSCCYB1-JAN21I) Incident Response and Analytics (H9IRSAN) - CA (40%) Semester3 – XXXXXXXXXX Date CA Released to Students: 12th July at...

Question 1
After each of the incident clear needs some substantial effort for the documentation and instigation about whatever happened in the incident get the feedback for the earlier incidents and also enable better preparation for detection and the analysis for the future incidents which can take place. It also has the feedback loop collected from the eradication and containment step to the analysis and detection. There are many parts of the attack which are not explained completely at the detection stage, and they are revealed only when the incident responders are entering into it. There are few steps which can be followed for documenting the incident response. This tips on preparation, detection and analysis, containment, recovery and eradication and at last post incident activity.
· Preparation
when we are preparing for the incidents then it is important that we are compiling with the list of IT assets like servers, endpoints and the network and also identified their importance and understand which elements are critical or holding sensitive data. We can set up the monitoring so that we have the baseline of normal activity. We need to determine the type of the security events which can be investigated and then create details steps for similar types of incidents.
· Detection and Analysis
The detection step involves collection of the data from system publicly available information, security tools and the people which are internally or externally related with the organization and then try to identify precursors and the indicators. The precursors are the science that the incident can happen in the future and indicators are used as the data to show that attack has already taken place, or it is going to happen now. The analysis is done to find out the baseline or the normal activity on the affected systems and correlate all the related evidence and events. This activity is done to check how they are deviating from normal behaviour.
· Containment, Eradication and Recovery
The major goal of containment is to stop the attacks before it is able to damage the resources or create any issue. The containment strategy is completely dependent over the level of damage which can be done, the requirement of keeping critical service available for the customers and the employees and at last the duration of the whole solution and the temporary solution can be either for few hours, days or the week or this can be the permanent solution.
When we are doing containment, it is important to find out the attacking host and also validate IP address. This will allow the user to block any type of communication from the attacker and also helps in finding out threat actor. With the help of this information, we can easily understand the mode of operation, search and then block other types of communication channels which can be used by the attacker.
If we talk about the eradication and recovery stage, then we need to perform some tasks and remove all the elements of the incident from working environment. It can also include the identification of all the affected hosts, close passwords, remove malware or reset them for the user account who was breached. Once we are able to eradicate the threat, restore system and recover the normal operations as quickly as possible then we can take steps to make sure that same assets will not be attacked again in future.
· Post-Incident Activity
The most important part of the president response methodology is to from all the previous incidents so that we can improve the process. We need to ask, investigate and document the answers for few required questions. We can check for the whatever incident took place and how many times. We can find the answer for how well the team was able to deal with the...