
Introduction

Security breaches and cyberattacks against organizations must be identified and resolved through computer incident investigations. These investigations must be conducted properly to be lawful, ethical, and effective. To ensure that an inquiry is legal and does not violate privacy rights, relevant laws and professional procedures must be followed. A successful investigation also requires an understanding of the methods, personnel, and tools of a planned and structured major incident investigation. Analyzing how evidence is contained, analyzed, processed, and deployed in a major cyber-related investigation is crucial to ensuring admissibility in court. This paper discusses computer incident investigations, including the people, structures, processes, and tools used in incident response, the roles within a Computer Emergency Response Team (CERT), and the standards, protocols, and concepts underlying business continuity, disaster recovery, and crisis management. The study also addresses how applicable laws and professional standards are applied to computer incident investigations and the methods, people, and technologies employed in a planned and structured major incident investigation. This paper's findings are relevant to incident response, forensic investigation, and law enforcement.

Task 1

Explain the People, Structures, Processes, and Tools Involved in Computer Incident Responses

Security analysts, incident response teams, forensic investigators, IT personnel, legal counsel, and management may all play a role in the incident response process. When an incident occurs, everyone involved must fulfill a defined function (Boeke, 2018). Network and system monitoring may fall under the purview of security analysts, while forensic investigators may be tasked with examining incidents in depth to determine their root cause.

Because of the complexity of responding to an incident, having clear structures in place is crucial. Plans, rules, procedures, and guidelines may all be part of a formalized approach to handling incidents. In the case of a security breach, the incident response plan details the actions to be taken. The incident response plan lays out who is responsible for what, how they'll do it, what resources they'll have access to, and how they'll get the word out.

Incident response processes are crucial because they offer a methodical way to detect, investigate, and fix security breaches. Steps like "prepare," "identify," "contain," "investigate," and "recover" are common in incident response protocols. Several actions are taken at each stage to help pinpoint the problem and lessen its impact. The goal of the containment step, for example, is to stop the incident from spreading to other systems.

Tools play a crucial role in incident response because they support both detection and containment. Network scanners, intrusion detection systems, forensic analysis programs, and malware analysis utilities all fall into this category. With the help of network monitoring technologies, security analysts can keep tabs on network activity and quickly spot signs of malicious intent. Systems and applications may be scanned for security flaws using vulnerability scanners, and intrusions can be detected with intrusion detection systems. Malware analysis tools evaluate the behavior of malicious software, whereas forensic analysis tools gather and examine data from affected systems to pinpoint the origin of the incident.

Discuss the Different Roles Within a Computer Emergency Response Team and Their Importance.

Some of the most important roles in a CERT, and why they matter, are as follows:

  1. The Incident Manager is the person in charge of directing the team's reaction to an event, as well as dealing with any complications that arise and keeping everyone informed. They watch over the incident response process to make sure everything goes according to plan and that no time is wasted.
  2. The role of the Investigator is to perform a technical investigation into the occurrence, determine the cause of the incident, and assess the damage (Tanczer et al., 2018). They investigate the event by gathering information from impacted systems and analyzing it using forensic analysis tools.
  3. The Analyst's job is to look at all the information gathered throughout the inquiry and figure out what it all means. They collaborate with the investigator to control the situation and lessen its consequences.
  4. The Communications Specialist's primary function is to effectively convey information to internal and external parties, such as management and customers. They update those involved in the event on its progress and provide advice on how to proceed.
  5. The Technical Specialist's job is to aid in the incident response process, particularly in the implementation of security measures meant to lessen the impact of the occurrence. They make sure the vulnerable software is fixed and protected against subsequent attacks.

The success of a CERT's reaction to security issues depends on the contributions of every member of the team. By working together to swiftly detect and address incidents, the CERT can reduce their effect on the business.

Task 2

Explain the Terms BC, DR, and CM.

BC: The goal of business continuity (BC) planning is to keep critical company processes running smoothly in the face of an interruption. It entails making preparations for the continuity of essential business activities and putting those preparations into action.

DR: Restoring information technology (IT) systems and infrastructure to working order after a disaster is known as disaster recovery (DR). Data, programs, and infrastructure that have been lost or compromised as a result of a catastrophe or other occurrence must be recovered.

CM: Managing a crisis such that it has little effect on an organization is the goal of Crisis Management (CM). Organizational crisis management is the process of creating and enforcing strategies and protocols for dealing with unexpected events.

Analyse the Standards, Protocols, and Concepts Underpinning BC, DR, and CM and Their Application within Organizations.

Business continuity (BC), disaster recovery (DR), and crisis management (CM) are all essential parts of a comprehensive approach to mitigating risk. An organization's ability to execute BC, DR, and CM strategies depends on its familiarity with the underlying standards, protocols, and concepts.

ISO 22301

Requirements for a business continuity management system (BCMS) are outlined in ISO 22301, a standard that has gained widespread recognition (Arianto & Anggraini, 2019). To ensure that a company can effectively plan for, react to, and recover from disruptive situations, the standard sets out best practices for creating, implementing, maintaining, and improving a BCMS (Nyre-Yu et al., 2019). Organizations that follow it can ensure that their BC strategies are thorough, robust, and efficient.

NIST SP 800-34

NIST SP 800-34 is another well-known standard that offers guidance on creating BC and DR strategies for IT. Key steps in developing a contingency plan are outlined in this standard, including determining the scope of the plan, conducting a business impact analysis (BIA), determining recovery measures, and performing frequent tests and updates.

COBIT 5

COBIT 5 is a framework for corporate IT governance that supports business continuity, disaster recovery, and configuration management. The framework highlights the necessity for continuous improvement and the importance of aligning these plans with the overarching aims of the company.

Incident Response Plan (IRP)

Another essential part of a business's BC, DR, and CM policies is the Incident Response Plan (IRP). The IRP details the actions to be done in the case of a security incident, such as the composition of the incident response team, the methods to be used, and the channels via which information will be disseminated. With a solid IRP in place, businesses can swiftly recover from security breaches with little disruption.

Business Impact Analysis (BIA)

A BIA is a crucial part of any business continuity (BC) or disaster recovery (DR) strategy. It helps businesses determine which operations are critical and how much harm an interruption to each would cause. By assessing their unique vulnerabilities and threats, businesses are better able to use their limited resources effectively.

Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

Two crucial metrics used in DR planning are the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). The RTO measures how long it may take to get IT back up and running after an interruption, whereas the RPO measures how much data may be lost. Organizations use these metrics to set recovery targets and devise plans to mitigate the effects of disruptions.
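The relationship between the BIA and the two metrics can be made concrete with a small gap analysis. The following added example (not code from the paper or from any of the standards it cites) assigns RTO/RPO targets to constructed BIA tiers, compares them with what a system's current backup interval and measured restore time can actually deliver, and computes the data actually at risk for a specific incident. The tier names, the minute values and the sample systems are assumptions made for the example; the simplification that restore time alone determines the achievable RTO is noted in the code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed BIA tiers: each tier carries the RTO and RPO targets (in minutes)
# that the business impact analysis assigned to it. Names and numbers are
# assumptions for this example, not figures from the text.
BIA_TIERS = {
    "tier-1": {"rto": 60, "rpo": 15},      # revenue-critical, e.g. order processing
    "tier-2": {"rto": 240, "rpo": 60},     # important, tolerates a few hours of outage
    "tier-3": {"rto": 1440, "rpo": 1440},  # back-office, a daily copy is acceptable
}


@dataclass
class SystemPlan:
    """What the DR plan currently provides for one system (constructed values)."""
    name: str
    tier: str
    backup_interval_min: int  # how often a restorable copy is taken
    restore_time_min: int     # measured time to rebuild the system from that copy


def achievable_rpo(plan: SystemPlan) -> int:
    # Worst case: the incident strikes just before the next copy is taken, so
    # everything written since the previous copy is lost.
    return plan.backup_interval_min


def achievable_rto(plan: SystemPlan) -> int:
    # Simplifying assumption: restore time dominates; detection and decision
    # time are not modelled here.
    return plan.restore_time_min


def gap_analysis(plans, tiers=BIA_TIERS):
    """Return (system, metric, achievable, target) for every objective not met."""
    gaps = []
    for p in plans:
        target = tiers[p.tier]
        if achievable_rto(p) > target["rto"]:
            gaps.append((p.name, "RTO", achievable_rto(p), target["rto"]))
        if achievable_rpo(p) > target["rpo"]:
            gaps.append((p.name, "RPO", achievable_rpo(p), target["rpo"]))
    return gaps


def data_loss_window(last_good_backup: datetime, incident_time: datetime) -> timedelta:
    """For a concrete incident, the data actually lost is everything written
    after the last copy that can still be restored."""
    return incident_time - last_good_backup


def sample_incident_loss_minutes() -> float:
    """Worked case: last restorable copy at 02:00, incident at 03:30 the same day."""
    lost = data_loss_window(datetime(2024, 1, 1, 2, 0), datetime(2024, 1, 1, 3, 30))
    return lost.total_seconds() / 60


# Constructed sample inventory: one system per tier.
SAMPLE_PLANS = [
    SystemPlan("orders-db", "tier-1", backup_interval_min=5, restore_time_min=45),
    SystemPlan("crm", "tier-2", backup_interval_min=240, restore_time_min=180),
    SystemPlan("wiki", "tier-3", backup_interval_min=1440, restore_time_min=2880),
]

if __name__ == "__main__":
    for name, metric, have, want in gap_analysis(SAMPLE_PLANS):
        print(f"{name}: {metric} achievable {have} min exceeds target {want} min")
    print(f"data at risk in the sample incident: {sample_incident_loss_minutes():.0f} min")
```

Running it reports that the CRM system misses its RPO (a four-hourly copy cannot satisfy a one-hour objective) and the wiki misses its RTO, while the order database meets both; the gaps are the input to the "determining recovery measures" step that NIST SP 800-34 describes.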

Task 3

Explain the Processes, People, and Tools Used in a Planned and Structured Major Incident Investigation.

In order to detect and respond to a major incident in a timely and efficient way, it is necessary to conduct an investigation that is both planned and structured. Some of the most important parts are as follows:

  1. Incident Response Team (IRT): The IRT is a group of experts whose job it is to determine what caused the incident, keep it under control, and lessen its effect. At most organizations, members of the IT, legal, and management departments all contribute to the IRT.
  2. Incident Response Plan (IRP): The IRT's duties, as well as the steps to take when an incident is detected, dealt with, and reported, are all spelled out in detail in the IRT's incident response plan.
  3. Identification: Identifying the issue, gauging its severity, and setting priorities for the response are all part of this step. It may involve configuring alerts and notifications, examining logs, and running scans.
  4. Containment: Whenever an incident is discovered, the IRT must contain it to stop it from spreading and mitigate its effects on the business as much as possible. System isolation or disconnection from the network may be required.
  5. Investigation: The IRT investigates the situation, determines its scope, and draws conclusions about what has to be done to fix the problem or take legal action, if necessary. Log analysis software, forensics software, and network scanning software might all play a role here.
  6. Remediation: Based on the findings of the investigation, the IRT should create a strategy to remedy the problem and stop it from occurring again. This may include applying fixes to systems, revising processes, and training staff.
  7. Reporting and Dissemination: The IRT must keep meticulous records of its work, from gathering evidence to conducting in-depth analyses. The incident, its effects, and the corrective measures taken must all be documented in order to create a thorough report. Stakeholders include employees, customers, and regulatory authorities, all of whom the IRT should keep informed.
  8. Post-Incident Review: After an incident has been handled, the IRT should undertake a review to assess how well the IRP was implemented and where adjustments need to be made.

The IRT may use a variety of technologies, including intrusion detection systems, antivirus software, and forensic analysis tools, to help with the identification, containment, and investigation of the event. Communication tools may also be used by the IRT to help team members and stakeholders work together.

Analyse How Evidence is Contained, Analyzed, Processed and Deployed in a Major Cyber-related Investigation.

Network traffic logs, system logs, user account information, and network settings are all valid types of evidence in a large cyber-related inquiry. It is crucial to secure and store the evidence so that it may be utilized in court if required without tampering with its integrity.

To guarantee its admissibility in court, the evidence must first be properly identified and collected using forensic techniques (Settanni et al., 2017). This requires the use of specific tools and methods that do not affect the integrity of the original evidence.

As evidence is gathered, it is investigated using methods like digital forensics to determine what caused the event and what signs of the breach were there (Kitchin & Dodge, 2019). This may require evaluating user account information or network traffic records in search of suspicious behavior.

The evidence is then analyzed and compiled into a chronology and a comprehensive picture of the incident's effects. If required, this data will be shared with law enforcement to aid their investigation and cleanup efforts.

At last, the evidence is used to back any disciplinary or legal action taken against individuals at fault. This might include submitting the material to a judge or utilizing it in an internal reprimand.
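Compiling a chronology from the evidence types listed above is rarely a matter of sorting lines, because each source stamps time differently. The added example below (not code from the paper) normalises three constructed log sources for one fictional incident, a syslog file with no year and a local clock, a web access log with an explicit offset, and a CSV export of Windows logon events, into a single UTC timeline. The hostnames, user names, addresses (taken from documentation ranges), the year assumed for the syslog lines and the two timezone offsets are all assumptions made for the example; it goes slightly beyond the text by showing that naive ordering on the raw local timestamps would place the domain-controller event out of sequence.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions for the constructed sources (not facts from the text):
# - the syslog host records local time in UTC+1 and omits the year;
# - the web server writes a Common Log Format line with an explicit offset;
# - the Windows domain controller exports events in local time, UTC+2.
SYSLOG_TZ = timezone(timedelta(hours=1))
SYSLOG_YEAR = 2024
WINDOWS_TZ = timezone(timedelta(hours=2))

# Constructed sample records for one fictional incident. Hosts, users and
# addresses are invented (addresses come from the documentation ranges).
SYSLOG = [
    "Mar 14 09:02:11 web01 sshd[2231]: Accepted password for deploy from 203.0.113.45 port 51022 ssh2",
    "Mar 14 09:05:40 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/tar czf /tmp/export.tgz /srv/customer-data",
]
ACCESS_LOG = [
    '203.0.113.45 - - [14/Mar/2024:09:01:58 +0100] "GET /admin/login HTTP/1.1" 200 512',
]
WINDOWS_CSV = [
    "2024-03-14 10:04:00,DC01,4624,deploy,Logon Type 3",
]


def parse_syslog(line):
    # Classic syslog: "Mon DD HH:MM:SS host message", year and zone implied.
    m = re.match(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", line)
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR, tzinfo=SYSLOG_TZ)
    return ts.astimezone(timezone.utc), "syslog/" + m.group(2), m.group(3)


def parse_access(line):
    # Common Log Format; the bracketed timestamp carries its own UTC offset.
    m = re.match(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})', line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return ts.astimezone(timezone.utc), "access/web01", f'{m.group(1)} "{m.group(3)}" {m.group(4)}'


def parse_windows(line):
    # Constructed CSV export: local time, host, event id, user, free text.
    ts_s, host, event_id, user, detail = line.split(",", 4)
    ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=WINDOWS_TZ)
    return ts.astimezone(timezone.utc), "winevt/" + host, f"EventID {event_id} user={user} {detail}"


def build_timeline(syslog=SYSLOG, access=ACCESS_LOG, windows=WINDOWS_CSV):
    """Normalise every record to UTC and return (utc_time, source, detail) in order."""
    events = [parse_syslog(l) for l in syslog]
    events += [parse_access(l) for l in access]
    events += [parse_windows(l) for l in windows]
    return sorted(events, key=lambda e: e[0])


def render(timeline):
    """One line per event, UTC first, so the chronology reads the same for everyone."""
    return [f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')}  {src:14}  {detail}" for t, src, detail in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

In the sample the domain-controller logon, stamped 10:04 local time, actually falls between the SSH login and the sudo command once all clocks are in UTC; an analyst sorting on the raw strings would have placed it last and misread the sequence. Recording the assumed offsets and the year alongside the timeline is part of the documentation a report needs.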

Task 4

Examine How Relevant Laws and Professional Practice are Applied to Computer Incident Investigations.

To guarantee that a computer incident investigation is handled lawfully, ethically, and successfully, it is crucial to follow applicable laws and professional standards. The following are some examples of legislation and professional standards that are relevant to computer incident investigations:

  1. Data Protection Laws: Data protection regulations oblige businesses to take precautions to ensure the safety of their customers' private information. Examples of such laws are the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) (Boeke, 2018). To guarantee compliance with these regulations, investigators conducting a computer incident investigation must restrict the acquisition, processing, and storage of personal data to just what is required to complete the investigation.
  2. Computer Misuse and Cybercrime Laws: Hacking, cyberbullying, and cyberstalking are all illegal under the many computer misuse and cybercrime laws that have been enacted (Nyre-Yu et al., 2019). It is the responsibility of the investigator to ensure that the investigation is conducted in accordance with these laws.
  3. Professional Standards: Guidelines for conducting professional, ethical, and effective computer incident investigations, such as those established by the International Association of Computer Investigative Specialists (IACIS), are examples of professional standards. Evidence collection, documentation, and reporting are all areas addressed by these norms.
  4. Chain of Custody: The chain of custody is a procedure that tracks digital evidence from the moment it is gathered until it is presented in court to guarantee its authenticity. If investigators want their findings to hold up in court, they need to follow the chain of custody protocol.
  5. Forensic Tools and Procedures: The collection and analysis of digital evidence require the use of forensic tools and procedures, which investigators must apply. These tools should be trustworthy, well-verified, and able to produce credible, defensible findings.
  6. Court Procedures: To present evidence in court, investigators need to follow the rules set out by the law (Arianto & Anggraini, 2019). The investigation must be documented, pertinent evidence must be gathered, and the results must be presented clearly and succinctly.
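The chain of custody in item 4 and the integrity requirement from Task 3 (collect evidence without affecting the original) both come down to being able to prove, later, that an item is unchanged and that every hand-over was recorded. The added example below (not code from the paper or from any forensic product) implements a minimal chain-of-custody ledger: the SHA-256 of the evidence is fixed at collection, and each ledger entry embeds the hash of the previous entry, so an edited, removed or reordered entry is detectable. Item ids, actor names, timestamps and the evidence bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only chain-of-custody record for one evidence item.

    Two integrity checks are combined: the SHA-256 of the evidence taken at
    collection proves the item itself is unchanged, and each ledger entry
    carries the hash of the entry before it, so an entry cannot be edited,
    removed or reordered without breaking the chain. Actor names, item ids
    and timestamps used below are constructed for the example."""

    GENESIS = "0" * 64

    def __init__(self, item_id, evidence: bytes, collected_by, note, when=None):
        self.item_id = item_id
        self.evidence_hash = sha256_hex(evidence)
        self.entries = []
        self._append("collected", collected_by, note, when)

    def _append(self, action, actor, note, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "item_id": self.item_id,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action,
            "actor": actor,
            "note": note,
            "evidence_hash": self.evidence_hash,
            "prev_hash": prev,
        }
        # The entry hash covers every field above, so any later edit is visible.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, from_actor, to_actor, note, when=None):
        return self._append("transfer", f"{from_actor}->{to_actor}", note, when)

    def access(self, actor, note, when=None):
        """Record an examination (e.g. analysis performed on a working copy)."""
        return self._append("accessed", actor, note, when)

    def verify(self, evidence: bytes):
        """Return a list of problems; an empty list means evidence and ledger are intact."""
        problems = []
        if sha256_hex(evidence) != self.evidence_hash:
            problems.append("evidence hash mismatch: item altered since collection")
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence gap (entry missing or reordered)")
            if e["prev_hash"] != prev:
                problems.append(f"entry {i}: link to previous entry broken")
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {i}: contents altered after recording")
            prev = e["entry_hash"]
        return problems


def demo():
    """Worked run on constructed data; returns (clean, tampered) verification results."""
    image = b"constructed placeholder for a forensic disk image"
    t0 = datetime(2024, 3, 14, 9, 30, tzinfo=timezone.utc)
    ledger = CustodyLedger("EV-2024-001", image, "analyst.a", "imaged laptop in server room", t0)
    ledger.transfer("analyst.a", "lab.b", "sealed bag #12 handed to lab", t0.replace(hour=11))
    ledger.access("lab.b", "hash verified before analysis of working copy", t0.replace(hour=13))
    clean = ledger.verify(image)
    ledger.entries[1]["note"] = "handed to lab"  # simulate an after-the-fact edit
    tampered = ledger.verify(image)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("intact ledger:", clean or "no problems")
    print("after editing entry 1:", tampered)
```

The ledger is only as trustworthy as where it is kept: in practice it is stored away from the analysis host and on append-only media, the original is hashed once and never worked on directly, and every working copy is hashed and recorded through the same `access` entry so the report can show that analysis never touched the original.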

In conclusion, for a computer incident investigation to be lawful, ethical, and productive, investigators must follow applicable laws and professional standards. Data protection regulations, computer misuse and cybercrime legislation, professional standards, chain of custody processes, the use of forensic tools, and judicial procedures must all be followed.

Summary

This paper delves into the many facets of computer incident investigations, which are crucial to finding and fixing security breaches and cyberattacks inside a business. Business continuity, disaster recovery, and crisis management are all discussed in depth, as are the people, structures, procedures, and technologies involved in incident response, as well as the various roles within a Computer Emergency Response Team (CERT). The paper also looks at how applicable legislation and professional standards are applied to computer incident investigations, as well as the procedures, personnel, and technologies employed in a planned and structured major incident investigation.

The study concludes by stressing the need for incident response teams to conduct investigations in accordance with applicable laws and professional norms, to guarantee that they are doing so in a way that is legal, ethical, and productive. The report stresses the need to preserve the chain of custody, use reliable forensic tools, and adhere to established protocols when presenting evidence in court. The information in this paper is relevant to businesses and individuals engaged in incident response, forensic investigation, and law enforcement who must perform computer incident investigations promptly and successfully.

References

Boeke, S., 2018. National cyber crisis management: Different European approaches. Governance, 31(3), pp.449-464.

Tanczer, L.M., Brass, I. and Carr, M., 2018. CSIRTs and global cybersecurity: How technical experts support science diplomacy. Global Policy, 9, pp.60-66.

Arianto, A.R. and Anggraini, G., 2019. Building Indonesia's national cyber defense and security to face the global cyber threats through Indonesia Security Incident Response Team on Internet Infrastructure (ID-SIRTII). Jurnal Pertahanan & Bela Negara, 9(1).

Nyre-Yu, M., Gutzwiller, R.S. and Caldwell, B.S., 2019. Observing cyber security incident response: qualitative themes from field research. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 63(1), pp.437-441. Los Angeles, CA: SAGE Publications.

Settanni, G., Shovgenya, Y., Skopik, F., Graf, R., Wurzenberger, M. and Fiedler, R., 2017. Acquiring cyber threat intelligence through security information correlation. In 2017 3rd IEEE International Conference on Cybernetics (CYBCONF), pp.1-7. IEEE.

Kitchin, R. and Dodge, M., 2019. The (in)security of smart cities: Vulnerabilities, risks, mitigation, and prevention. Journal of Urban Technology, 26(2), pp.47-65.
