Incident management and the CISSP exam: What you need to know

In the IT industry, incident management is the management of activities to detect, analyze, respond to and correct an organization's security situation. The operational security measures that the CISSP certification exam establishes decrease the possibility of a security incident occurring. Sadly, these events are still inevitable, regardless of the organization's precautions. Because of the inevitability of incidents, the CISSP addressed the need to use regimented and carefully organized methodologies to identify and respond to breaches and other security issues. 

Incident response and handling refer to how an organization reacts to security incidents. Ensuring you report these incidents accurately can be stressful. Not surprisingly, in these types of situations, the documentation often gets overlooked because responders are hyper-focused on resolving the issue. Respondents may even wonder whether the incident will result in a court case or other forms of litigation. 

For more CISSP exam prep, get our free CISSP exam tips ebook, or watch our free one-hour CISSP exam prep course with an instructor whose students have a 95% pass rate. 

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Get Pricing

Incident response methodology 

Different organizations use different terms and phases when describing incident response processes. The NIST Computer Security Incident Handling Guide divides the incident response lifecycle into the following four steps: 

1. Preparation 
2. Detection and Analysis 
3. Containment, Eradication and Recovery 
4. Post-incident Activity 

The CISSP breaks down the process even further. The following seven steps are essentially more detailed subdivisions of NIST's four points: 

1. Detection 
2. Response 
3. Mitigation 
4. Reporting 
5. Recovery 
6. Remediation 
7. Lessons learned 

Detection

This is the primary and the most important step in the incident response process. Detection, sometimes also called the identification phase, is the phase in which events are analyzed to determine whether a compromise or a security incident has occurred. The organization will not be in a great position to respond promptly to a security incident without a proper and effective detection and analyzing mechanism. This mechanism should include an automated and regimented operation for pulling system event logs. It's also necessary to contextualize incident details by identifying how they impact the organization. Context is an important element of analysis because it may prevent overlooking an event that might be important but not immediately apparent. The goal of this phase is to deal with the situation quickly and decisively, whether the incident is currently occurring or has occurred in the past. 

Response 

The response phase is also called the containment phase. As the name suggests, this phase deals with actual interactions of the response team with the affected system. The intent is to try to prevent further damage from occurring and affecting more systems. Responses depend upon the scenario, but general responses might include taking a system off the network, powering off the system, isolating traffic and other related tasks. This phase typically starts with forensically backing up the system involved in the incident. Volatile memory capturing and dumping are also performed in this step before the system is powered off. 

Bringing your systems down can hurt the organization, so it's important to receive permission from management before shutting down any systems. Also, as the incident progresses, you need to update them on the evolving severity of the situation continually. In the short term, stopping an incident from spreading takes priority — even over addressing the root cause. 

Mitigation 

Mitigation is also sometimes referred to as eradication. It involves analyzing the incident, which includes understanding its cause. This understanding can then help clean the systems and implement security measures to protect against future incidents. 

Once the team has identified the cause, they can return the system to a stable state, preferably without risking a reoccurrence. It should be noted at this stage that merely removing malware is insufficient. The goal is to understand what led to the situation in the first place. 

Once your team has identified the cause, you can return the system to a functioning state. This restoration process should involve rebuilding the system from scratch, if necessary. However, the restoration process is sometimes faster and easier because you have access to a backup. 

Because the root-cause analysis process involves identifying when each element of the event occurred, it can also help locate a trustworthy backup image — one created before the incident began. 

The final facet of the mitigation phase involves preventing similar incidents from occurring in the future. This may involve applying patches and using stronger firewall configurations. 

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Get Pricing

Reporting 

The reporting phase extends through the entire incident life cycle, from beginning to end. 

Reporting must begin immediately after detecting the incident. This phase can be divided into two categories: 

• Technical 
• Non-technical 

The incident response team is responsible for reporting the technical details of the incident. They must also update management throughout, especially when dealing with serious incidents. Non-technical stakeholders should also be updated as the incident-handling process progresses. This is an important step that shouldn't be ignored. 

Preparing a formal report for all stakeholders starts as the process reaches its recovery phase. The incident handling team will then send the formal report to technical and non-technical management staff after they recover the systems and put them back into production. 

Recovery 

As the name indicates, the recovery phase involves restoring the system to its operational state. As a normal procedure, the business unit responsible for the system will decide when the system will go back online. It's important to be cautious because the infection or the attack may have persisted — even through the mitigation phase. 

The best time for restoring operations is during non-peak production hours because this makes it easier to evaluate its state as time passes after the incident. Once the system is back up and running, it's important to monitor it closely for further issues. 

Remediation 

Remediation steps are taken during the mitigation phase, where the team mitigates the vulnerabilities they found during their root-cause analysis. Remediation starts directly after mitigation. 

Root-cause analysis also plays a role in the remediation process because it helps determine the vulnerabilities that lead to the incident. Without root-cause analysis, the recovered system could still have a weakness that could impact other systems — or even cause the initial incident to occur again. 

For example, if the team chooses a previous backup that wasn't compiled far enough back in the past, the restored version could have the same vulnerability that caused the problem in the first place. 

Lessons learned 

"Lessons Learned" is the post-incident phase and, unfortunately, is often ignored. However, the lessons learned phase can have a significant positive impact — if done right. It serves as a vehicle for introducing changes to the organization's overall security. 

This phase aims to prepare a final report on the incident and deliver it to management, along with the suggested improvements for avoiding similar situations in the future. 

In the lessons learned phase, the team may describe ways of identifying the issue sooner or responding faster. The report may also outline organizational shortcomings that might have contributed to the incident and how the team can improve the system. 

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Get Pricing

Conclusion

The importance of incident management in creating an actionable framework cannot be overstated. It might be tempting to rush at the problem head-on in an attempt to simply "put out the fire," but choosing speed over process can leave you open to further vulnerabilities. Worse yet, you may find yourself putting out the same fires repeatedly without learning how to prevent them in the future. 

To learn more about what's on the CISSP — and how to pass the exam — check out our CISSP exam tips and tricks ebook. And to launch your CISSP preparation program, you can start with our CISSP training hub. And if you're looking for the fastest, most immersive prep experience, you can attend a CISSP Boot Camp, which gets you ready to pass the exam in only a few days.