We may earn an affiliate commission when you visit our partners.
(ISC)² Education & Training
Course 7: Incident Detection and Response
Read more
Course 7: Incident Detection and Response
Read more
Course 7: Incident Detection and Response
Welcome to course seven, Incident Detection and Response. Having an intruder inside your systems for months unnoticed by your systems, administrators, security specialists, and end-users is tantamount to giving the intruder, the keys to your business or organization. In many cases, organizations discover that they have been subjected to a data breach when they are told by others that their private data has been offered for sale on the dark web. Many leading voices within the security profession state that we all must do better to detect the intruders in our myths. Many people even say that detecting intruders should be the priority for security professionals. Ransomware attacks have become a big business involving not only large scale extortion attacks, but also the sell of ransomware attack tools and services, as well as the exploitation of any data ex-filtrated during the breach. Government officials and industry professionals worldwide have been raising their voices about this new and very troubling variant in the business model of advanced persistent threat or APT attackers. In this chapter, we'll focus on intrusion and incident detection. Many of the tools, techniques, technologies, and ideas, you'll see here have already been examined in previous chapters. This course brings them together and begins by discussing the central theme of detecting the intruder. Model one uses the concepts of precursors and indicators, the signals that give us advanced warning and a genuine alert about a risk event and the indicators of compromise concept which are those signals that we're certain can only mean a hostile agent has gained access. Module two will extend these ideas and concepts around the idea of what to do after you've discovered a possible intrusion, expanding your understanding of incident response. Module three continues with a deeper look at supporting forensic investigations. Forensics is an evidence-based process of logically and dispassionately reasoning about a situation or an event. It's your inner child, looking at something and asking questions. Then following each of those questions with more questions, letting the facts that you find frame and shape your growing understanding of what happened, how why and where, who did it and what impacts it may have. With these questions answered you can circle back to reviewing risk mitigation controls to see which if any, need to be modified, replaced or augmented.
Course 7 Learning Objectives
After completing this course, the participant will be able to:
L7.1 - Review the steps for monitoring, incident detection and data loss prevention using all-source intelligence.
L7.2 - Identify the elements of an incident response policy and members of the incident response team (IRT).
L7.3 - Classify the security professional’s role in supporting forensic investigations.
Course Agenda
Module 1: Operate All-source Intelligence for Monitoring and Incident Detection (Domain 3 - Risk Identification, Monitoring, and Analysis)
Module 2: Support Incident Lifecycle (Domain 4 - Incident Response and Recovery)
Module 3: Understand and Support Forensic Investigations (Domain 4 - Incident Response and Recovery)
Who Should Take This Course: Beginners
Experience Required: No prior experience required
Register for this course and see more details by visiting:
OpenCourser.com/course/bzo9eh/incident
Three deals to help you save
We found three deals and offers that may be relevant to this course.
Save money when you learn.
All coupon codes, vouchers, and discounts are applied automatically unless otherwise noted.
Valid until December 12
Annual Subscription Savings
Unlock programs from Google, Microsoft, and IBM and join 77% of learners who reported positive career outcomes.
Only $239!
Valid for a limited time only
Future-proof your career
Access O'Reilly books, live events, courses, and more. Save with an annual subscription.
Take
15%
off
What's inside
Syllabus
Module 1: Operate All-source Intelligence for Monitoring and Incident Detection
We saw in Chapter 5 the evolution from simple host-based intrusion detection, through network-based intrusion prevention and on to integrated security information and event management (SIEM) systems. Each step along this path was attempting to bring together every possible signal, from every element of an organization’s IT and OT architectures, and then analyze and exploit those signals to see if any were indicators of a possible attack or intrusion taking place. The goal of such a set of processes, the objective of gathering, collating and assessing all of that information, is to try to answer three questions:
What just happened to us?
What happened to us a while ago, but we didn’t notice it?
Is it too late to do anything about what happened in either case?
Part of that evolution to SIEMs and the next generation of intrusion detection and response systems (and the next generation after that) is the idea of all-source intelligence as the input and the process. This idea of using every possible piece of data from even the most unlikely of channels is nothing new; business forecasting and market analysis does it, national weather services do it and, of course, military and national security organizations have been doing it for years. These professions and many others know that transforming information into actionable intelligence, the kinds of conclusions and assertions on which leaders and managers can base their decision-making, requires as broad a spectrum of analysis approaches and ideas as the spread of the sources it observes.
All-source intelligence as a cybersecurity operation takes in far more than just monitoring. Monitoring in general involves observing the things you already know about: the systems, the endpoints, the people using them and the traffic on the networks. Monitoring is often about comparing observations to clip levels or alarm thresholds. As we’ll see, all-source intelligence as a process goes beyond monitoring; but it plays a vital role in enhancing the monitoring function, which still must be performed well.
No examination of monitoring or incident detection would be complete without looking at the compliance requirements that relate to it, and we’ll use that topic to bring the many threads of this module together.
Read more
Syllabus
Module 1: Operate All-source Intelligence for Monitoring and Incident Detection
We saw in Chapter 5 the evolution from simple host-based intrusion detection, through network-based intrusion prevention and on to integrated security information and event management (SIEM) systems. Each step along this path was attempting to bring together every possible signal, from every element of an organization’s IT and OT architectures, and then analyze and exploit those signals to see if any were indicators of a possible attack or intrusion taking place. The goal of such a set of processes, the objective of gathering, collating and assessing all of that information, is to try to answer three questions:
What just happened to us?
What happened to us a while ago, but we didn’t notice it?
Is it too late to do anything about what happened in either case?
Part of that evolution to SIEMs and the next generation of intrusion detection and response systems (and the next generation after that) is the idea of all-source intelligence as the input and the process. This idea of using every possible piece of data from even the most unlikely of channels is nothing new; business forecasting and market analysis does it, national weather services do it and, of course, military and national security organizations have been doing it for years. These professions and many others know that transforming information into actionable intelligence, the kinds of conclusions and assertions on which leaders and managers can base their decision-making, requires as broad a spectrum of analysis approaches and ideas as the spread of the sources it observes.
All-source intelligence as a cybersecurity operation takes in far more than just monitoring. Monitoring in general involves observing the things you already know about: the systems, the endpoints, the people using them and the traffic on the networks. Monitoring is often about comparing observations to clip levels or alarm thresholds. As we’ll see, all-source intelligence as a process goes beyond monitoring; but it plays a vital role in enhancing the monitoring function, which still must be performed well.
No examination of monitoring or incident detection would be complete without looking at the compliance requirements that relate to it, and we’ll use that topic to bring the many threads of this module together.
Read more
Module 2: Support Incident Lifecycle
An information security incident is a set of one or more events, or changes in the state of an information system, asset or architecture, which needs prompt and immediate security action to assess, contain, respond and recover from. Well-prepared organizations can, with skill and luck, limit the damages to assets and the disruption to business processes that an incident might otherwise cause. Poorly prepared organizations are more likely to make serious mistakes in characterizing and handling an incident and may cause themselves more harm in the process.
Proper handling of information security incidents depends as much upon the day-to-day business processes as it does the specifics of the incident response processes. Incident detection, assessment, escalation, communication, recovery and learning from the event are activities typically integrated into the organization’s incident response process. Clarifying who does what in an incident and under what circumstances will greatly help the organization recover its business functions. The security professional should understand their legal and organizational responsibilities for incident management and be able to evaluate the activities and overall effectiveness of the organization’s incident response practice.
Module 3: Understand and Support Forensic Investigations
Digital forensics investigation as a process and as a field of study is a fascinating and exciting combination of challenges. Those who participate in such investigations find that their creative skills, their attention to detail, and their innate curiosity will be stretched to the limit as they attempt to embrace the human, organizational and technical aspects of an information security incident. Those who support the investigators, either before or during the investigation, are equally challenged but in very different ways. The support team has tasks they must perform as part of providing services to the investigators, to organizational leaders and managers, and to end users in the organization and they must perform these tasks with rock-solid reliability and dependability to the best of their ability. Simply put, they must follow procedures and make sure that all of the required processes are followed, step by step, in detail.
Module 2 stressed the need for solid preparation and planning before the first incident occurs, and for a flexible, responsive and agile mindset to adjust those plans when that first incident does happen and shows the plans need to be changed. Preparing for incident investigation is a major part of what the security operations team needs to accomplish.
To put that preparation into perspective, this module will look in more detail at the investigative process itself. Along the way, we’ll highlight opportunities for the forward-thinking security professional to get the organization, its users, its IT and OT staff and its managers and leaders prepared to support different types of forensic investigations when and as they become necessary.
Module 3 will introduce some of the techniques of a digital forensics investigation. You may find them useful, and called for, as you’re troubleshooting an incident involving older technology systems (such as in OT architectures), or smaller, locally hosted SOHO or SMB environments. The same basic concepts still apply in the cloud and in the world of big data but scaling to that level requires a very different approach and mindset to thinking about forensics. Let’s take a closer look.
Module 4: Chapter 7 Review
This chapter has shown how the focus, perspective and emphasis on incident detection and response have all shifted, and shifted dramatically, over the last decade or so. Previously, security professionals focused substantial efforts on identifying, enumerating and securing assets; they focused on hardening systems and networks. These were necessary efforts, but they sometimes meant that detecting a breach or intrusion was a lower-priority effort. Many of the headline-making cyber breaches and ransom attacks of the last few years show that attackers have taken advantage of the six to eight months it takes the average enterprise to notice that they’ve had (past tense) an intruder in their systems. This must change.
All-source intelligence as a means of identifying and characterizing possible intrusions is proving to be a powerful way to gain insight about your systems and about detecting intrusions (or attempts to intrude into them). Combined with analytics for security, it’s also turning around a time-tested practice of being very selective in what events generate log signals, which signals get logged (and how often) and how log files are managed, collated and analyzed. Today’s security professional needs to be a bit more of a data scientist than they were in the past and perhaps more of an intelligence data analyst as well.
We also looked at digital forensics, largely from the perspective of small systems rather than cloud-hosted, large, enterprise environments. Either way, in most cases, the investigation itself and the analysis of evidence is best left to the certified, trained, expert computer systems examiners to do; but as an on-scene security professional, having some background in what digital evidence might be, how it might be analyzed and what might be learned from it can help you better prepare the organization for when it has to call in the investigators.
Good to know
Good to know
Know what's good ,
what to watch for , and
possible dealbreakers
Provides a solid knowledge base for those who want to become cybersecurity practitioners or network security professionals
Emphasizes tool and technology agnostic approaches to developing core security skills
Includes tools, techniques, and technologies used in the real world by security professionals
Designed for experienced professionals, particularly those interested in managerial positions
Save this course
Save Incident Detection and Response to your list so you can find it easily later:
Save
Save
Activities
Be better prepared
before
your course. Deepen your understanding
during
and
after
it. Supplement your coursework and achieve mastery of the topics covered
in Incident Detection and Response with these
activities:
Security Awareness Training
Show steps
Reviewing the basics of security awareness will help you stay vigilant and protect yourself and your organization from common threats.
Browse courses on
Security Awareness
Show steps
-
Review security awareness materials and best practices.
-
Identify areas where you can improve your security awareness.
-
Implement new security measures in your daily routine.
Review intrusion detection fundamentals
Show steps
Brush up on the basics of intrusion detection to refresh your knowledge and ensure a solid foundation for this course.
Browse courses on
Intrusion Detection
Show steps
-
Review concepts such as signatures, anomalies, and heuristics.
-
Go through examples of common intrusion detection techniques.
-
Practice identifying and classifying different types of intrusion attempts.
Participate in peer-to-peer learning discussions
Show steps
Engage with fellow learners in online forums or discussion groups to exchange insights, ask questions, and reinforce your understanding.
Show steps
-
Join an online forum or discussion group related to the course topic.
-
Actively participate in discussions, sharing your thoughts and perspectives.
-
Ask questions to clarify concepts and seek different viewpoints.
-
Provide constructive feedback to other participants.
Eight other activities
Expand to see all activities and additional details
Show all 11 activities
Security Tools and Resources
Show steps
Create a comprehensive list of security tools and resources that you can use to enhance your security posture and stay up-to-date with the latest threats.
Browse courses on
Security Tools
Show steps
-
Research and identify relevant security tools and resources.
-
Categorize and organize them based on their functionality and purpose.
-
Share the compilation with your team or other stakeholders.
Participate in Industry Meetups
Show steps
Networking can provide insights into how others are approaching your challenges and helps you to get help and resources from your peers.
Show steps
-
Identify relevant events and meetups in your area.
-
Attend events and engage with attendees.
-
Follow up and connect with people you meet for future reference.
Incident Response Discussion Group
Show steps
Engaging in discussions with peers will allow you to share knowledge, learn from others' experiences, and stay informed about best practices in incident response.
Browse courses on
Incident Response
Show steps
-
Identify and join a relevant discussion group or forum.
-
Actively participate in discussions, ask questions, and share your insights.
-
Take notes and summarize key takeaways for future reference.
Explore advanced incident response techniques
Show steps
Enhance your incident response skills by following guided tutorials that cover advanced techniques and methodologies.
Browse courses on
Incident Response
Show steps
-
Learn about threat hunting and proactive threat detection.
-
Practice conducting digital forensic investigations.
-
Develop a plan for incident recovery and business continuity.
-
Simulate and test your incident response capabilities.
Contribute to Open Source Security Projects
Show steps
Participating in open source security projects will not only enhance your technical skills but also provide valuable insights into real-world security challenges and solutions.
Browse courses on
Open Source Security
Show steps
-
Identify open source security projects that align with your interests.
-
Review the project's documentation and contribute to discussions.
-
Submit bug reports, feature requests, or code contributions.
Security Operations Testing
Show steps
Follow vendor provided walkthroughs on how to assess your situation. This will help you identify potential gaps or weaknesses in your security posture.
Browse courses on
Security Operations
Show steps
-
Review vendor documentation for your tools and platforms.
-
Identify use cases that align with your needs.
-
Follow walkthroughs and identify any discrepancies or gaps.
Security Log Review
Show steps
Practice analyzing security logs to identify potential threats and incidents. This activity will improve your ability to detect and respond to security breaches in a timely manner.
Browse courses on
Security Monitoring
Show steps
-
Gather sample security logs from various sources.
-
Use log analysis tools and techniques to review and identify suspicious patterns.
-
Document and escalate any potential threats or incidents.
Incident Response Plan
Show steps
Creating a comprehensive plan will make sure that you're prepared for different incidents and scenarios, and that you are able to respond quickly and efficiently.
Browse courses on
Incident Response
Show steps
-
Review existing incident response frameworks and templates.
-
Customize the plan to fit your organization's specific needs and environment.
-
Share the plan with your team and stakeholders for feedback.
Security Awareness Training
Show steps
Reviewing the basics of security awareness will help you stay vigilant and protect yourself and your organization from common threats.
Browse courses on
Security Awareness
Show steps
Show steps
Show steps
- Review security awareness materials and best practices.
- Identify areas where you can improve your security awareness.
- Implement new security measures in your daily routine.
Review intrusion detection fundamentals
Show steps
Brush up on the basics of intrusion detection to refresh your knowledge and ensure a solid foundation for this course.
Browse courses on
Intrusion Detection
Show steps
Show steps
Show steps
- Review concepts such as signatures, anomalies, and heuristics.
- Go through examples of common intrusion detection techniques.
- Practice identifying and classifying different types of intrusion attempts.
Participate in peer-to-peer learning discussions
Show steps
Engage with fellow learners in online forums or discussion groups to exchange insights, ask questions, and reinforce your understanding.
Show steps
Show steps
Show steps
- Join an online forum or discussion group related to the course topic.
- Actively participate in discussions, sharing your thoughts and perspectives.
- Ask questions to clarify concepts and seek different viewpoints.
- Provide constructive feedback to other participants.
Eight other activities
Expand to see all activities and additional details
Show all 11 activities
Security Tools and Resources
Show steps
Create a comprehensive list of security tools and resources that you can use to enhance your security posture and stay up-to-date with the latest threats.
Browse courses on
Security Tools
Show steps
Show steps
Show steps
- Research and identify relevant security tools and resources.
- Categorize and organize them based on their functionality and purpose.
- Share the compilation with your team or other stakeholders.
Participate in Industry Meetups
Show steps
Networking can provide insights into how others are approaching your challenges and helps you to get help and resources from your peers.
Show steps
Show steps
Show steps
- Identify relevant events and meetups in your area.
- Attend events and engage with attendees.
- Follow up and connect with people you meet for future reference.
Incident Response Discussion Group
Show steps
Engaging in discussions with peers will allow you to share knowledge, learn from others' experiences, and stay informed about best practices in incident response.
Browse courses on
Incident Response
Show steps
Show steps
Show steps
- Identify and join a relevant discussion group or forum.
- Actively participate in discussions, ask questions, and share your insights.
- Take notes and summarize key takeaways for future reference.
Explore advanced incident response techniques
Show steps
Enhance your incident response skills by following guided tutorials that cover advanced techniques and methodologies.
Browse courses on
Incident Response
Show steps
Show steps
Show steps
- Learn about threat hunting and proactive threat detection.
- Practice conducting digital forensic investigations.
- Develop a plan for incident recovery and business continuity.
- Simulate and test your incident response capabilities.
Contribute to Open Source Security Projects
Show steps
Participating in open source security projects will not only enhance your technical skills but also provide valuable insights into real-world security challenges and solutions.
Browse courses on
Open Source Security
Show steps
Show steps
Show steps
- Identify open source security projects that align with your interests.
- Review the project's documentation and contribute to discussions.
- Submit bug reports, feature requests, or code contributions.
Security Operations Testing
Show steps
Follow vendor provided walkthroughs on how to assess your situation. This will help you identify potential gaps or weaknesses in your security posture.
Browse courses on
Security Operations
Show steps
Show steps
Show steps
- Review vendor documentation for your tools and platforms.
- Identify use cases that align with your needs.
- Follow walkthroughs and identify any discrepancies or gaps.
Security Log Review
Show steps
Practice analyzing security logs to identify potential threats and incidents. This activity will improve your ability to detect and respond to security breaches in a timely manner.
Browse courses on
Security Monitoring
Show steps
Show steps
Show steps
- Gather sample security logs from various sources.
- Use log analysis tools and techniques to review and identify suspicious patterns.
- Document and escalate any potential threats or incidents.
Incident Response Plan
Show steps
Creating a comprehensive plan will make sure that you're prepared for different incidents and scenarios, and that you are able to respond quickly and efficiently.
Browse courses on
Incident Response
Show steps
Show steps
Show steps
- Review existing incident response frameworks and templates.
- Customize the plan to fit your organization's specific needs and environment.
- Share the plan with your team and stakeholders for feedback.
Career center
Learners who complete Incident Detection and Response will develop knowledge and skills
that may be useful to these careers:
Incident Responder
Incident Responder
Incident Responders investigate and resolve computer security incidents, such as data breaches and malware attacks.
Digital Forensic Analyst
Digital Forensic Analyst
Digital Forensic Analysts investigate computer crimes by analyzing digital evidence, such as computer hard drives and mobile devices.
Cybersecurity Analyst
Cybersecurity Analyst
Cybersecurity Analysts protect computer networks and systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Security Analyst
Security Analyst
Security Analysts collect and analyze information to identify security risks and vulnerabilities in computer systems and networks.
Information Security Manager
Information Security Manager
Information Security Managers plan and carry out security measures to protect an organization’s computer networks and systems.
Information Security Analyst
Information Security Analyst
Information Security Analysts operate complex systems to detect and trace systems intrusions, prevent hacks while safeguarding software and data. This course gives you a head start with that by giving you a comprehensive outline of the field, such as the steps to monitor, incident detection, and data loss prevention using all-source intelligence. With this background, you are well-prepared to start developing your knowledge toward this career with this course.
Systems Engineer
Systems Engineer
Systems Engineers analyze, design, and implement computer systems.
Network Administrator
Network Administrator
Network Administrators plan, implement, and maintain computer networks.
Computer Systems Analyst
Computer Systems Analyst
Computer Systems Analysts study an organization’s current computer systems and procedures, and design, implement, and maintain new or upgraded systems.
Computer Network Architect
Computer Network Architect
Computer Network Architects design, build, and maintain data communication networks, such as local area networks (LANs), and wide area networks (WANs). They also develop security measures to protect network systems.
Database Administrator
Database Administrator
Database Administrators are responsible for the performance, availability, and security of an organization’s databases.
Technical Support Specialist
Technical Support Specialist
Technical Support Specialists provide technical assistance to computer users, such as troubleshooting and resolving their issues with hardware and software.
Computer Hardware Engineer
Computer Hardware Engineer
Computer Hardware Engineers research, design, develop, and test computer systems and components such as processors, circuit boards, memory devices, and power supplies.
Software Developer
Software Developer
Software Developers design, develop, and test software applications.
Web Developer
Web Developer
Web Developers design and develop websites.
For more career information including salaries, visit:
OpenCourser.com/course/bzo9eh/incident
Reading list
We've selected eight books
that we think will supplement your
learning. Use these to
develop background knowledge, enrich your coursework, and gain a
deeper understanding of the topics covered in
Incident Detection and Response.
Covers the entire spectrum of computer forensics, from collecting evidence to preparing a report. It valuable resource for both beginners and experienced professionals.
Provides a comprehensive overview of security engineering. It good choice for professionals who want to learn more about this topic.
Provides a comprehensive overview of malware analysis. It good choice for professionals who want to learn more about this topic.
Save
Provides a comprehensive overview of reverse engineering. It good choice for professionals who want to learn more about this topic.
Provides a detailed overview of memory forensics. It good choice for professionals who want to learn more about this topic.
Provides a comprehensive overview of hacking techniques. It good choice for professionals who want to learn more about this topic.
Provides a comprehensive overview of digital forensics with a focus on open source tools. It good choice for professionals who want to learn more about digital forensics.
Provides a comprehensive overview of incident response and computer forensics. It good choice for beginners who want to learn more about these topics.
For more information about how these books relate to this course, visit:
OpenCourser.com/course/bzo9eh/incident
Share
Similar courses
Here are nine courses similar to
Incident Detection and Response.
Sound the Alarm: Detection and Response
OpenCourser.com/course/yi17v4/sound
Sound the Alarm: Detection and Response
Most relevant
Incident Response: Detection and Analysis
OpenCourser.com/course/qcfqtm/incident
Incident Response: Detection and Analysis
Most relevant
Incident Response: Containment, Eradication and Recovery
OpenCourser.com/course/pmf1wn/incident
Incident Response: Containment, Eradication and Recovery
Most relevant
Penetration Testing and Incident Response
OpenCourser.com/course/9x9b52/penetration
Penetration Testing and Incident Response
Most relevant
AWS: Threat Detection, Logging and Monitoring
OpenCourser.com/course/rmh33r/aws
AWS: Threat Detection, Logging and Monitoring
Most relevant
Penetration Testing, Incident Response and Forensics
OpenCourser.com/course/7k7q4v/penetration
Penetration Testing, Incident Response and Forensics
Most relevant
Monitoring, Logging and Responding to Incidents
OpenCourser.com/course/580lhu/monitoring
Monitoring, Logging and Responding to Incidents
Most relevant
Incident Response and Recovery for SSCP®
OpenCourser.com/course/6bzumc/incident
Incident Response and Recovery for SSCP®
Most relevant
Introduction to SIEM (Splunk)
OpenCourser.com/course/fksbo6/introduction
Introduction to SIEM (Splunk)
Most relevant
Level
Introductory
Via
Coursera
Institution
ISC2
Instructor
(ISC)² Education & Training
Language
English
Transcripts
Español
Français
Português
Deutsch
Italiano
中文
العربية
한국어
日本語
हिंदी
Nederlands
Svenska
Pусский
Türkçe
Polski
Ελληνικά
українська мова
Bahasa Indonesia
ไทย
қазақша
This course belongs to a
collection
called
(ISC)² Systems Security Certified Practitioner (SSCP) . It's comprised of seven courses:
Good to know
Provides a solid knowledge base for those who want to become cybersecurity practitioners or network security professionals
Emphasizes tool and technology agnostic approaches to developing core security skills
Includes tools, techniques, and technologies used in the real world by security professionals
Designed for experienced professionals, particularly those interested in managerial positions
Our mission
OpenCourser helps millions of learners each year. People visit us to learn workspace skills, ace their exams, and nurture their curiosity.
Our extensive catalog contains over 50,000 courses and twice as many books. Browse by search, by topic, or even by career interests. We'll match you to the right resources quickly.
Find this site helpful? Tell a friend about us.
Affiliate disclosure
We're supported by our community of learners. When you purchase or subscribe to courses and programs or purchase books, we may earn a commission from our partners.
Your purchases help us maintain our catalog and keep our servers humming without ads.
Thank you for supporting OpenCourser.
© 2016 - 2024 OpenCourser