Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

8.8. Reflection Checkpoint

Key Takeaways

  • IR lifecycle: Preparation → Detection & Analysis → Containment/Eradication/Recovery → Post-Incident. Sequence matters. Contain before eradicate. Preserve evidence before remediate.
  • Dwell time (time from compromise to detection) is the most impactful IR metric — it determines how much damage is done before response.
  • Forensics: collect most volatile evidence first (RAM before disk). Work on forensic copies, never originals. Hash before and after imaging. Chain of custody for admissibility.
  • Threat intelligence levels: strategic (executives), operational (managers), tactical (analysts). IOCs are short-lived; TTPs are durable. MITRE ATT&CK provides the common language.
  • UEBA detects behavioral anomalies that static threshold rules miss — but requires a training period and generates false positives during legitimate behavior changes.
  • Configuration management continuously compares live systems against approved baselines. Drift detection is the operational reality; change management governs authorized modifications.
  • Patch management lifecycle: identify → evaluate → test → deploy → verify → document. Emergency patches bypass normal CAB but still require ECAB authorization and retrospective documentation.
  • Change categories: standard (pre-approved), normal (CAB review), emergency (ECAB expedited). An unauthorized change is a security finding regardless of outcome.
  • Incident classification (P1–P4) determines response urgency, team activation, and notification requirements. GDPR 72-hour notification clock starts at awareness, not investigation completion.
  • IDS monitors and alerts; IPS blocks inline. False-positive risk profiles differ dramatically — IPS false positives cause outages.
  • NGFWs inspect application-layer content and decrypt TLS; WAFs protect web applications at Layer 7 with virtual patching capability.
  • Honeypots provide near-zero false-positive detection because no legitimate user should touch them. Canary tokens extend deception into documents, credentials, and DNS.
  • EDR provides behavioral telemetry beyond signature-based AV — detects fileless attacks, enables remote containment, supports post-compromise investigation.
  • BCP answers "how do we keep running?" DR answers "how do we restore IT?" Both are needed.
  • MTD > RTO — MTD is the business ceiling; RTO must be below it. RPO drives backup frequency. RTO + WRT ≤ MTD.
  • 3-2-1 backup rule (3 copies, 2 media types, 1 offsite). For ransomware: 3-2-1-1 adds immutable/air-gapped copy.
  • Recovery sites: hot (minutes, expensive), warm (hours, moderate), cold (days, cheap), cloud DR (flexible).
  • RAID is availability, not backup. RAID does not protect against ransomware, corruption, or site loss.
  • BCP/DR testing progression: checklist → tabletop → parallel → full interruption. Untested plans are assumptions.
  • Physical security rings: deterrence → detection → delay → response. Tailgating bypasses electronic controls; countering it requires both mantraps and security culture.
  • Insider threat controls: separation of duties, dual control, mandatory vacation, job rotation. Mandatory vacation and job rotation are detective controls, not preventive.
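As an added illustration of the UEBA takeaway above (example code written for this checkpoint, not part of the original page), this Python snippet scores each user's daily download volume against that user's own baseline and contrasts it with a fixed threshold rule; the users, volumes, thresholds and training window are constructed assumptions.

```python
import statistics

STATIC_THRESHOLD_MB = 500.0   # fixed rule: alert if any user downloads > 500 MB/day
MIN_TRAINING_DAYS = 7         # UEBA needs a baseline before it can score anyone
Z_THRESHOLD = 3.0             # standard deviations above normal that count as anomalous

# Constructed sample telemetry (MB downloaded per day); not real logs.
HISTORY = {
    "alice": [18, 22, 20, 19, 21, 20, 23],          # light user, stable pattern
    "bob":   [380, 420, 400, 410, 390, 430, 405],   # data engineer, legitimately heavy
    "dave":  [25, 30, 28],                          # new hire: only 3 days of history
}
TODAY = {"alice": 180.0, "bob": 450.0, "dave": 600.0}

def baseline(history):
    """Per-user (mean, spread); returns None until the training window is full."""
    if len(history) < MIN_TRAINING_DAYS:
        return None
    mean = statistics.mean(history)
    # Floor the spread so a perfectly flat history cannot yield an infinite z-score.
    spread = max(statistics.stdev(history), 1.0)
    return mean, spread

def static_alert(value):
    """The threshold rule: same bar for every user, no notion of 'normal for them'."""
    return value > STATIC_THRESHOLD_MB

def ueba_score(value, history):
    """z-score of today's value against the user's own baseline, or None if untrained."""
    b = baseline(history)
    if b is None:
        return None
    mean, spread = b
    return (value - mean) / spread

def evaluate(history_by_user, today_by_user):
    """Run both detectors over today's values; 'ueba' is None for untrained users."""
    results = {}
    for user, value in today_by_user.items():
        z = ueba_score(value, history_by_user.get(user, []))
        results[user] = {
            "static": static_alert(value),
            "ueba": None if z is None else z > Z_THRESHOLD,
            "z": z,
        }
    return results

if __name__ == "__main__":
    for user, r in evaluate(HISTORY, TODAY).items():
        print(user, r)
```

Alice's 180 MB day is nine times her normal volume yet sits far under the static threshold, so only the baseline rule fires; Bob's 450 MB is within three standard deviations of his own history, so neither rule fires on a legitimately heavy user. Dave is not scored by UEBA until he has seven days of history, which is the training-period gap the takeaway describes, and the static rule still covers him meanwhile.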

Connecting Forward

Phase 9 (Domain 8 — Software Development Security) closes the CISSP content by addressing the root cause of most vulnerabilities: insecure software. The secure SDLC, secure coding practices, and software assessment methods from Domain 8 connect directly back to the assessment methodologies from Domain 6 and the vulnerability management operations from Domain 7. Software security is where prevention begins.

Self-Check Questions

  • A ransomware incident is discovered at 6 PM on a Friday. The affected systems hold the company's ERP database. The IR team lead wants to immediately restore from backup to minimize business disruption. The forensic analyst wants to preserve the disk images first. Who is correct, why, and how should the IR team balance speed of recovery with forensic preservation requirements?
  • Your organization's DR plan was written three years ago and has never been tested. The BIA shows the critical order management system has an MTD of 4 hours. The IT team believes recovery would take about 8 hours based on the documented procedures. Identify all the problems with this situation and describe a realistic testing plan to address them.
Written by Alvin Varughese, Founder, 15 professional certifications