From the course: CompTIA Security+ (SY0-601) Cert Prep: 9 Operations and Incident Response

Mitigation

- [Instructor] As the full incident response team assembles, they move from the isolation and quarantine strategy used by first responders into a full incident mitigation mode. The goal of this next step is controlling the damage and loss caused to the organization by performing a full range of incident containment activities. The nature of those activities will vary based upon the severity of the incident.

The National Institute of Standards and Technology suggests six criteria that responders may use when evaluating a potential containment strategy. First, they should look at the potential for damage and theft of resources. Second, they should look at the need for evidence preservation and the effect that the strategy might have on the ability to preserve evidence. Third, they should look at service availability requirements and the impact of a containment strategy on that availability. Fourth, they need to look at the time and resources required to implement the strategy. Fifth, the expected effectiveness of the strategy. Will it fully contain the incident, or is it only a partial fix? And finally, they need to look at the length of time that the solution will remain in place.

Organizations can use these criteria to help choose between different containment options. The goal is to select a containment strategy that balances the business needs of the organization with the security objectives of incident response. This is a tricky balance to strike, and there are no certain answers. Incident responders will always need to use their best judgment and, when possible, seek input from management and other stakeholders.

Once an organization begins implementing containment actions, responders must keep in mind that the attacker will likely detect those actions and know that investigators are on the trail. This may cause the attacker to speed up their activities, destroy evidence, or perform other actions that are detrimental to the incident response or the organization's business.

At the end of the containment process, the organization should be in a semi-stable state. Responders should be confident that the incident is over and that there is no immediate danger to the organization. Business operations should be functioning at least on a limited basis, although they may be using temporary workarounds. Everything is generally okay, and the organization is ready to move on to the next step of the process, recovery and reconstitution.