
Dr. G. NIRMALA

UNIT-7

Incident Preparation:
Incidents move fast, so a comprehensive preparation phase is critical. Preparation, as
defined by NIST, involves implementing the right tools and setting up the right processes
ahead of an incident occurring. Important steps in this phase include identifying your
“crown jewels” (the assets that must be protected at all costs) and analyzing data from
previous incidents to guide your planning.
D3 comes equipped with industry-standard playbooks, so you can be sure that your
procedures are set up for a strong response. Our dynamic playbook editor enables you to use
experience from previous incidents to tailor the playbooks to your exact needs. Setting up
communications plans is another important part of preparation, which D3 supports with
automated notifications, scheduled reporting, and an internal communications platform.

Incident Detection and Analysis:


In order to stop an incident from causing damage, you first need to spot the irregular
activity and figure out exactly what is happening. This phase begins with taking in data from
sources such as SIEM, IDPS, network device logs, people in your organization, and more, in
order to identify incidents based on indicators. Once incidents have been detected, you
need to determine false positives, classify the attack vector, understand the scope of the
event, and identify the vulnerabilities being exploited. Following the analysis, you should
document the incident and prioritize response actions.
D3 integrates with all the major SIEMs to support detection. With a couple of clicks, analysts
can escalate SIEM events to D3, bringing all of its associated data with it. D3’s automation
features gather additional important contextual data like IP and file reputation from external
sources. Our threat intelligence integrations also provide information for analysis and
assessment of genuine threats. With all this information at your fingertips, it becomes quick
and easy to conduct analysis. If further insight is required, D3 also provides tools like false
positive scoring and link analysis.

Containment, Eradication, and Recovery:


In this phase, having gathered the information and gained an understanding of the incident,
your IR team will begin to combat the threat. This includes taking actions to prevent further
damage, such as closing ports or blocking IPs. Depending on the incident, you
might gather and preserve evidence for future legal or regulatory cases. Once the threat is
resolved, recovery will involve restoring systems to normal functionality, through actions
like tightening network security, rebuilding systems, and replacing compromised files.
D3 can automate simple containment and eradication tasks to accelerate your processes and
stop as much damage as possible. D3 acts as a centralized hub for coordinating incident
response across the entire organization, with orchestration tools for automated task
assignments, notifications, approval requests, and other communications—even going
beyond the incident response team to bring in other departments like Legal or HR. D3’s case
management module also shines in this phase, giving you the ability to group together related
incidents for deeper investigations, as well as a forensics system for managing evidence.

Proactive Cyber Services:


A proactive defence posture is intelligence-led, depending on comprehensive cyber security
assessments. It uses cyber threat intelligence feeds working with real-time network
monitoring to develop a detailed picture of the whole security landscape and how threats can
be manifested and exploited. Taking into account the nature and needs of the core business
under threat, the resulting in-depth analysis can help identify and remediate weak spots before
exploits are available, as well as identify areas for targeted investment to improve the total
security of the system. Active intrusion prevention, data protection, data loss prevention and
encryption or dynamic distribution technologies can protect data at rest, in motion and in use.

In this model, information and assets are assessed for confidentiality, integrity and
availability needs. Defences are tuned to provide the level of protection appropriate to the
value of the information and the risk appetite of the company.

The basis is the strategic military principle of taking the fight to the enemy. Honeypots and
(digital) tar traps can be set up to attract, slow down, or funnel attackers to certain parts of a
defended but valueless network. This can help identify and act against zero-day exploits, by
hindering the attacker, and then assist in identifying the attack vector so it can be addressed.

Proactive intelligence will strengthen defences and increase resilience against the effects of
Advanced Persistent Threats (APT) and ensure the smallest possible attack surface for zero-
day attacks. The latter allows faster detection of attacks and identification of remediation
activities. Enhanced and detailed information can then be extracted and passed to the
relevant authorities.

Clearly, staying one step ahead in potential attack vectors can make the defining difference.
Thus, research and development is at the heart of this dynamic approach. But proactive cyber
security posture does not render current firewall and safeguard infrastructure pointless.

The proactive posture is most productively implemented in conjunction with the ‘traditional’
defences. It builds on them to move the enterprise from a perimeter and defence-in-depth
approach to one that combines data centricity with intelligence. This in turn allows firms to
predict adverse security events before they occur and take proactive defence measures.

To work effectively, this strategy demands long-term commitment. This is a challenge, given
limited resources and a shortage of appropriately skilled workers (although, over time, these
obstacles will likely reduce). But for big institutions safeguarding substantial, valuable and
continuously growing data sets, the prospect of proactive, and much more effective, cyber
security is increasingly attractive.

CIA-Triangle:
A simple but widely applicable security model is the CIA triad, which stands for:
- Confidentiality
- Integrity
- Availability
These are the three key principles which should be guaranteed in any kind of secure
system.
This principle is applicable across the whole subject of security analysis, from access
to a user’s internet history to the security of encrypted data across the internet.

CONFIDENTIALITY:
Confidentiality is the security principle that controls access to information. It is designed to
ensure the wrong people cannot gain access to sensitive information while ensuring the right
people can access it.

Access to information must be restricted only to those who are authorized to view the
required data. Data can be categorized according to the type and severity of damage that
could happen to it should it fall into unauthorized hands. According to these categories, strict
measures can then be implemented.

Protecting confidentiality may also include special training for those who share sensitive
data, including familiarizing authorized users with security risk factors and teaching them
how to guard vulnerable data assets.

In addition to training, strong passwords and password-related best practices must be used,
and users must be informed about social engineering attacks so that they are not tricked into
unwittingly bypassing proper data-handling rules, with potentially disastrous results.

An example of a method used to ensure confidentiality is the use of data encryption. Two-
factor authentication is now becoming the norm for authenticating users to access sensitive
data, while user IDs and passwords should be considered standard practice.
Other methods include biometric verification, security tokens, and digital certificates. Users
should also be cautious to reduce the number of places where the information appears and
where sensitive data is transmitted in order to complete a transaction.

INTEGRITY:

The second component of the triad, integrity, assures that sensitive data is trustworthy and
accurate. Consistency, accuracy, and trustworthiness of data should be maintained over its
life cycle. Sensitive data should not be altered in transit, and security measures, such as file
permissions and user access controls, should be taken to make sure that it cannot be modified
by unauthorized users.

In addition, version control should be used so that unintentional changes and deletions by
authorized users do not become a problem. Other measures should also be taken to
detect data changes that might occur due to a non-human-caused event, such as a server crash
or an environmental failure. Sensitive data should also carry cryptographic checksums for
verification of integrity. In addition, backups or redundancy plans should be planned and
implemented so that affected data can be restored to its correct state in case of an integrity
failure or security breach.
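An added example of the checksum point above (not from the original notes): an unkeyed SHA-256 checksum catches the accidental corruption of a crash or disk fault, but an attacker who can rewrite the data can rewrite an unkeyed checksum too, so a keyed HMAC is what detects deliberate tampering. The record, the key and the tamper scenario are constructed for this example.

```python
import hashlib
import hmac

# Constructed record standing in for the contents of a sensitive file.
RECORD = b"account=4471;balance=1250.00;owner=jdoe\n"
# Constructed key: in practice it is held in a KMS/HSM, never stored beside the data.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"

def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption (disk error, crash)."""
    return hashlib.sha256(data).hexdigest()

def verify_checksum(data: bytes, expected: str) -> bool:
    """Constant-time comparison avoids leaking how many leading characters matched."""
    return hmac.compare_digest(checksum(data), expected)

def tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: a keyed digest that nobody without the key can recompute."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_tag(data: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(data, key), expected)

def simulate_bit_flip(data: bytes) -> bytes:
    """Flip a single bit, as a storage or transmission fault might."""
    b = bytearray(data)
    b[10] ^= 0x01
    return bytes(b)

def simulate_tampering(data: bytes) -> tuple:
    """An intruder rewrites the balance and recomputes the unkeyed checksum to match."""
    forged = data.replace(b"1250.00", b"9999.99")
    return forged, checksum(forged)
```

Both digests reject the bit flip, but only the HMAC rejects the forged record whose checksum was recomputed, which is why the stored verifier must be something an attacker cannot regenerate.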

AVAILABILITY:

Availability is the guarantee of reliable and constant access to your sensitive data by
authorized people. It is best guaranteed by properly maintaining all hardware and software
necessary to ensure the availability of sensitive data. It’s also important to keep up with
system upgrades. Providing adequate communication throughput and preventing bottlenecks
helps as well. Redundancy, failover, RAID, and clustering are important measures that should
be considered to avoid serious availability problems.

A quick, adaptive disaster recovery plan is crucial for the worst-case scenarios, in which
recovery will depend on the successful execution of a full disaster recovery plan.

Safeguards against interruptions in connections and data loss should consider unpredictable
events such as a fire or a natural disaster. To prevent data loss, backup should be located in a
geographically separate location, and in a fireproof, waterproof vault.

To prevent downtime due to malicious attacks such as denial-of-service (DoS) attacks and
network intrusions, extra software and security equipment should be used as well.
