# Module 27: Digital Forensics and Incident Analysis and Response
:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards.
:::
### **27.1 Evidence Handling and Attack Attribution**
---
#### **27.1.1 Digital Forensics**
Digital forensics involves the recovery and investigation of information on digital devices for criminal activity.
- **Indicators of Compromise**: Data or traces left from incidents such as logs, pcaps, memory, or storage devices.
- **Internal Threats**: Conducted by users within the organization. Could involve policy violations or criminal activities.
- **External Threats**: Attacks originating outside the organization. Evidence determines the scope and regulatory actions.
**Example**: Under HIPAA, a breach involving 500+ individuals requires media notification.
---
#### **27.1.2 The Digital Forensics Process**
| **Step** | **Description** |
|----------------|-------------------------------------------------------------------------------------------------------|
| **Collection** | Identify and acquire forensic data sources. Handle and store the data carefully to avoid damage. |
| **Examination**| Extract relevant data. Involves decompression, decryption, and removing irrelevant data. |
| **Analysis** | Correlate and document conclusions from data: people, places, events, and times. |
| **Reporting** | Prepare impartial reports including findings, limitations, and suggestions for further investigation.|
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/question/which-technique-includes-preparation-and-presentation-of-the-information-which-resulted-from-the-analysis).
:::
---
#### **27.1.4 Types of Evidence**
| **Type of Evidence** | **Description** |
|---------------------------|------------------------------------------------------------------------------------------------------|
| **Best Evidence** | Original, unaltered evidence (e.g., storage devices, original files). |
| **Corroborating Evidence** | Supports an assertion based on best evidence. |
| **Indirect Evidence** | Circumstantial evidence; establishes a hypothesis by linking facts (e.g., past behavior patterns). |
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/28-1-5-check-your-understanding-identify-the-type-of-evidence-answers.html).
:::
---
#### **27.1.6 Evidence Collection Order**
**Volatility of Evidence**: Most volatile data must be collected first.

1. **Memory Registers, Caches**
2. **Routing Table, ARP Cache, Process Table, Kernel Statistics, RAM**
3. **Temporary File Systems**
4. **Non-volatile Media (Fixed/Removable Disks)**
5. **Remote Logging/Monitoring Data**
6. **Physical Topologies**
7. **Archival Media (Tapes/Backups)**
---
#### **27.1.7 Chain of Custody**
The **Chain of Custody** ensures evidence integrity and admissibility in court. Detailed records must include:
1. **Who discovered/collected the evidence?**
2. **Details of handling**: Times, locations, personnel involved.
3. **Custody assignments**: Who was responsible for evidence and when it changed hands?
4. **Access details**: Who had physical access during storage?
---
#### **27.1.8 Data Integrity and Preservation**
- **Preserve Original State**: Timestamping and bit-level copies are critical.
- **Avoid Analysis on Originals**: Use copies to prevent unintentional tampering.
- **Volatile Memory**: Use special tools to capture volatile data before shutdown.
- **Process Documentation**: Ensure collection, copying, and verification methods are recorded.
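The two sections above (chain of custody and data integrity) are easiest to see with a small script. The following Python is an added example, not code from the course or from any forensic toolkit: it hashes a bit-level copy against the original so tampering is detectable, and keeps an append-only custody log recording who handled the evidence, when, and where. The "disk image" bytes, the evidence ID `EV-001`, and the analyst names are constructed values; in practice the original would be acquired through a write blocker and the hash recorded before the copy leaves the scene.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample data: a tiny "disk image" and a bit-level copy of it.
ORIGINAL_IMAGE = bytes(range(256)) * 4           # stands in for the seized media
FORENSIC_COPY = bytes(ORIGINAL_IMAGE)            # bit-level copy (assumed made via a write blocker)
TAMPERED_COPY = FORENSIC_COPY[:-1] + b"\x00"     # one byte changed; must fail verification


def sha256_hex(data: bytes) -> str:
    """Fingerprint the evidence so that any later change to it is detectable."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(original: bytes, copy: bytes) -> bool:
    """Analysis is done on copies only; a copy is usable only if it hashes identically."""
    return sha256_hex(original) == sha256_hex(copy)


class CustodyLog:
    """Append-only record of every handover: who, what action, when, where, and the hash."""

    def __init__(self, evidence_id: str, digest: str):
        self.evidence_id = evidence_id
        self.digest = digest
        self.entries: List[dict] = []

    def record(self, action: str, person: str, location: str,
               when: Optional[datetime] = None) -> dict:
        # Timestamps are taken in UTC so entries from different sites are comparable.
        when = when or datetime.now(timezone.utc)
        entry = {
            "evidence_id": self.evidence_id,
            "action": action,
            "person": person,
            "location": location,
            "timestamp": when.isoformat(),
            "sha256": self.digest,   # the hash travels with every entry
        }
        self.entries.append(entry)
        return entry

    def handlers(self) -> List[str]:
        """Everyone who has had custody, in order; gaps here are what a court will ask about."""
        return [e["person"] for e in self.entries]

    def export(self) -> str:
        return json.dumps(self.entries, indent=2)


def build_sample_log() -> CustodyLog:
    """Walk through collection, transfer and storage of the constructed image."""
    log = CustodyLog("EV-001", sha256_hex(ORIGINAL_IMAGE))
    log.record("collected", "analyst-a", "server room B2")
    log.record("transferred", "analyst-b", "evidence locker")
    log.record("copied for analysis", "analyst-b", "forensics lab")
    return log


if __name__ == "__main__":
    print("copy verified:", verify_copy(ORIGINAL_IMAGE, FORENSIC_COPY))
    print("tampered copy verified:", verify_copy(ORIGINAL_IMAGE, TAMPERED_COPY))
    print(build_sample_log().export())
```

Re-hashing at each handover (and again before analysis) is what turns the custody log from a list of names into evidence that the data did not change in anyone's hands.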
---
#### **27.1.9 Attack Attribution**
**Threat Attribution** identifies the individual, group, or nation responsible for the attack.
- **Key Methods**:
  - Correlate **Tactics, Techniques, and Procedures (TTPs)** with known threats.
  - Use threat intelligence sources to map attacks to previously observed patterns.
- **Evidence Types**:
  - **IP Addresses, MAC Addresses, DHCP logs**: Trace internal attacks.
  - **Code features, tools, domains**: Identify external attackers.
- **Bias Avoidance**: Avoid speculating on motivations without evidence.
---
#### **27.1.10 The MITRE ATT&CK Framework**
The **MITRE ATT&CK** Framework maps threat actor behavior into a matrix of tactics, techniques, and procedures (TTPs).
- **Tactics**: Technical goals (e.g., persistence, lateral movement).
- **Techniques**: Methods to accomplish goals.
- **Procedures**: Specific actions real-world threat actors use.
**Purpose**:
- Describes threat actor behavior for defense and attribution.
- Enables automated threat intelligence sharing.
>[!Warning]Recap
>Digital forensics is the recovery and investigation of information found on digital devices as it relates to criminal activity. Indicators of compromise are the evidence that a cybersecurity incident has occurred. These must be preserved for future analysis and attack attribution. An organization must develop well-documented processes and procedures for digital forensic analysis. NIST Special Publication 800-86 Guide to Integrating Forensic Techniques into Incident Response is a valuable resource. The forensic process includes four steps: collection, examination, analysis, and reporting. IETF RFC 3227 describes an order for the collection of digital evidence based on the volatility of the data. Chain of custody involves the collection, handling, and secure storage of evidence.
>
>Identifying responsible threat actors (called threat attribution) should occur through the principled and systematic investigation of the evidence. In an evidence-based investigation, the incident response team correlates Tactics, Techniques, and Procedures (TTP) that were used in the incident with other known exploits. Threat intelligence sources can help to map the TTP identified by an investigation to known sources of similar attacks. For internal threats, uncovering the devices from which an attack was launched can lead directly to the threat actor. One way to attribute an attack is to model threat actor behavior. The MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) Framework enables cybersecurity technicians to detect attacker tactics, techniques, and procedures (TTP) as part of threat defense and attack attribution.
### **27.2 The Cyber Kill Chain**
---
The Cyber Kill Chain specifies what an attacker must complete to accomplish their goal. If the attacker is stopped at any stage, the chain of attack is broken. Breaking the chain means the defender successfully thwarted the threat actor’s intrusion. Threat actors are successful only if they complete Step 7.
| **Step** | **Adversary Tactics** | **SOC Defense** |
|-------------------------|-----------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
| **1. Reconnaissance** | - Plan and conduct research<br>- Harvest email addresses<br>- Identify employees on social media<br>- Collect PR info<br>- Discover internet-facing servers<br>- Conduct network scans to identify IPs and ports | - Discover adversary’s intent:<br>- Web log alerts and historical search data<br>- Data mine browser analytics<br>- Build playbooks for recon activity detection<br>- Prioritize defense around targeted technologies/people |
| **2. Weaponization** | - Obtain automated tools for malware payload delivery<br>- Select or create a document for the victim<br>- Set up a backdoor and command/control infrastructure | - Detect and collect weaponization artifacts:<br>- Ensure IDS rules/signatures are updated<br>- Conduct full malware analysis<br>- Build detections for known weaponizers<br>- Identify tailored vs “off-the-shelf” malware<br>- Collect files/metadata for analysis<br>- Map artifacts to campaigns |
| **3. Delivery** | - Launch malware directly at targets (e.g., web servers)<br>- Indirect delivery through malicious email, USBs, social media, or compromised websites | - Block delivery of malware:<br>- Analyze infrastructure delivery paths<br>- Understand targeted servers/people/data<br>- Infer adversary’s intent<br>- Collect email/web logs for forensic reconstruction |
| **4. Exploitation** | - Exploit vulnerabilities to gain access:<br>- Use software, hardware, or human vulnerabilities<br>- Acquire or develop the exploit<br>- Use adversary- or victim-triggered exploits | - Train employees, secure code, and harden devices:<br>- Security awareness training/email testing<br>- Developer training for secure coding<br>- Regular vulnerability scanning<br>- Endpoint hardening and auditing |
| **5. Installation** | - Install a persistent backdoor:<br>- Webshell for persistent access<br>- Add services, AutoRun keys<br>- Modify malware timestamp to blend with OS | - Detect, log, and analyze installation activity:<br>- Use HIPS to alert/block installation paths<br>- Detect elevated vs user-level privileges<br>- Endpoint audits for abnormal file creation<br>- Identify known/new malware variants |
| **6. Command & Control**| - Open CnC communications channel:<br>- Use web, DNS, or email protocols<br>- CnC infrastructure may be adversary-owned or another victim network | - Last chance to block operations:<br>- Research and discover new CnC infrastructures<br>- Isolate DNS traffic to suspect servers<br>- Block CnC channels to prevent impact<br>- Consolidate internet points of presence<br>- Customize proxy rules for CnC protocol blocking |
| **7. Actions on Objectives** | - Reap attack rewards:<br>- Collect credentials<br>- Privilege escalation<br>- Perform reconnaissance/lateral movement<br>- Exfiltrate, destroy, modify, or corrupt data | - Detect using forensic evidence:<br>- Establish incident response playbooks<br>- Detect exfiltration, lateral movement, and credential usage<br>- Rapid analyst response to alerts<br>- Conduct endpoint forensic analysis<br>- Recreate network activity via packet captures<br>- Assess damage caused by the attack |
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/28-2-9-check-your-understanding-identify-the-kill-chain-step-answers.html).
:::
>[!Warning]Recap
>There are seven steps to the Cyber Kill Chain. These steps help analysts understand the techniques, tools, and procedures of threat actors. When responding to a security incident, the objective is to detect and stop the attack as early as possible in the kill chain progression.
>
>The steps in the Cyber Kill Chain are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Reconnaissance is when the threat actor performs research, gathers intelligence, and selects targets. Weaponization is using the information from reconnaissance to develop a weapon against specific targeted systems or individuals in the organization. During Delivery, the weapon is transmitted to the target using a delivery vector. After the weapon has been delivered, the threat actor Exploits it to gain control of the target. Installation is when the threat actor establishes a back door into the system to allow for continued access to the target. To preserve this backdoor, it is important that remote access does not alert cybersecurity analysts or users. Command and Control, or CnC, establishes the threat actor's control over the target system. CnC channels are used by the threat actor to issue commands to the software that they installed on the target. Actions on Objectives describes the threat actor achieving their original objective. This may be data theft, performing a DDoS attack, or using the compromised network to create and send spam or mine Bitcoin.
### **27.3 The Diamond Model of Intrusion Analysis**
---
The **Diamond Model** represents a security incident as an event where an adversary uses a capability over infrastructure to attack a victim. This model connects the four **core features** of an intrusion event and expands further with **meta-features**.
#### **27.3.1 Diamond Model Overview**
The **Diamond Model** consists of the following core features:

- **Adversary**
  The party responsible for the intrusion.
  *Example*: Hackers, nation-state actors, or criminal organizations.
- **Capability**
  The tools or techniques used by the adversary to carry out the attack.
  *Example*: Malware, phishing emails, or ransomware.
- **Infrastructure**
  The network paths or systems used to establish control and execute the attack.
  *Example*: CnC servers, malicious domains, or IP addresses.
- **Victim**
  The target of the attack. The victim can later be used as infrastructure for further attacks.
  *Example*: A compromised endpoint, server, or user account.
The **Meta-Features** provide additional dimensions to an intrusion event:
- **Timestamp**: Tracks the start and end times of the event.
- **Phase**: Aligns with the Cyber Kill Chain steps.
- **Result**: Defines what the adversary achieved (e.g., confidentiality, integrity, or availability compromise).
- **Direction**: Identifies the flow of the attack (e.g., Adversary-to-Infrastructure or Infrastructure-to-Victim).
- **Methodology**: Classifies the type of attack (e.g., phishing, port scanning, or DDoS).
- **Resources**: Lists external tools, software, knowledge, or credentials used in the attack.
---
#### **27.3.2 Pivoting Across the Diamond Model**
The Diamond Model is ideal for tracking **pivoting**, where adversaries progress between events to extend their attacks.
**Example Process**:

1. A user reports abnormal computer behavior (**Victim**).
2. A scan detects malware on the system (**Capability**).
3. Analysis of the malware uncovers **Command-and-Control (CnC)** domains (**Infrastructure**).
4. The CnC domains resolve to specific IP addresses.
5. The IP address logs reveal the **Adversary** controlling the infrastructure.
Each step demonstrates the progression across the model, moving between victims, infrastructure, and the adversary to analyze the full attack chain.
---
#### **27.3.3 The Diamond Model and the Cyber Kill Chain**
The **Diamond Model** aligns with the **Cyber Kill Chain**, threading multiple events together to map the full lifecycle of an attack.
**Example Scenario**:

1. **Reconnaissance**: Adversary gathers public information about a target company (e.g., domains, employees).
2. **Weaponization**: Adversary creates a phishing payload (e.g., Trojan horse malware).
3. **Delivery**: Phishing emails are sent to network administrators.
4. **Exploitation**: An administrator opens the attachment, triggering malware execution.
5. **Installation**: The malware establishes a backdoor and connects to a CnC server.
6. **Command and Control (C2)**: The adversary issues commands to the compromised host.
7. **Actions on Objectives**: The adversary uses the compromised host to pivot to other systems, exfiltrate data, or launch further attacks.
The Diamond Model maps each stage of the attack, illustrating the relationships between **adversary**, **capability**, **infrastructure**, and **victim**. This enables cybersecurity analysts to identify attack paths, pivot points, and connections to broader adversarial activity.
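Pivoting (27.3.2) and threading events along the kill chain (27.3.3) can both be modelled with a few lines of code. The Python below is an added example, not part of the course material: each intrusion event carries the four core features plus the Phase meta-feature, `pivot()` walks from one event to every other event that shares a capability or infrastructure, and `thread_by_phase()` orders the linked events along the Cyber Kill Chain. All hostnames, domains, hash labels and the adversary name are constructed placeholders, not real indicators.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Set

# Kill chain phases in order, used as the Phase meta-feature.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]


@dataclass(frozen=True)
class Event:
    """One Diamond Model event: four core features plus the Phase meta-feature."""
    event_id: str
    adversary: Optional[str]   # often unknown when the event is first recorded
    capability: str
    infrastructure: str
    victim: str
    phase: str                 # one of KILL_CHAIN


# Constructed events (placeholder names; none are real IoCs).
EVENTS = [
    Event("e1", None, "dropper@hash-aaaa", "mail-relay.example", "admin-ws-01", "delivery"),
    Event("e2", None, "dropper@hash-aaaa", "cnc.example-bad.test", "admin-ws-01", "installation"),
    Event("e3", None, "beacon@hash-bbbb", "cnc.example-bad.test", "admin-ws-01", "command_and_control"),
    Event("e4", "actor-x", "beacon@hash-bbbb", "cnc.example-bad.test", "fileserver-02", "actions_on_objectives"),
    Event("e5", None, "scanner@hash-cccc", "203.0.113.9", "web-01", "reconnaissance"),
]


def pivot(events: List[Event], start_id: str) -> List[str]:
    """Breadth-first walk: from an event, follow shared capability or infrastructure
    to every other event they connect to. Returns the linked event IDs, sorted."""
    by_id = {e.event_id: e for e in events}
    seen: Set[str] = {start_id}
    queue = deque([start_id])
    while queue:
        current = by_id[queue.popleft()]
        for other in events:
            if other.event_id in seen:
                continue
            if (other.capability == current.capability
                    or other.infrastructure == current.infrastructure):
                seen.add(other.event_id)
                queue.append(other.event_id)
    return sorted(seen)


def attribute(events: List[Event], linked_ids: List[str]) -> Set[str]:
    """Any adversary named on one event in the thread is a candidate for the whole thread."""
    return {e.adversary for e in events if e.event_id in linked_ids and e.adversary}


def thread_by_phase(events: List[Event], linked_ids: List[str]) -> List[str]:
    """Order the linked events along the Cyber Kill Chain using the Phase meta-feature."""
    linked = [e for e in events if e.event_id in linked_ids]
    return [e.event_id for e in sorted(linked, key=lambda e: KILL_CHAIN.index(e.phase))]


if __name__ == "__main__":
    # Start from the user's report about admin-ws-01 (victim) and pivot outwards.
    linked = pivot(EVENTS, "e1")
    print("linked events:", linked)
    print("kill chain thread:", thread_by_phase(EVENTS, linked))
    print("attributed to:", attribute(EVENTS, linked))
```

Starting from the first delivery event, the walk reaches the installation and CnC events through the shared dropper hash and CnC domain, and from there the later event on a second victim where the adversary was identified; the isolated scan against `web-01` stays outside the thread because it shares neither capability nor infrastructure.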
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/28-3-4-check-your-understanding-identify-the-diamond-model-features-answers.html).
:::
>[!Warning]Recap
>The Diamond Model of Intrusion Analysis represents a security incident or event. An event is a time-bound activity that is restricted to a specific step in which an adversary uses a capability over infrastructure to attack a victim to achieve a specific result. The four core components of an intrusion event are the adversary, the capability, the infrastructure, and the victim. Meta-features, which expand the model slightly, include Timestamp, Phase, Result, Direction, Methodology, and Resources.
>
>As a cybersecurity analyst, you may be called on to use the Diamond Model of Intrusion Analysis to diagram a series of intrusion events. Adversaries do not operate in just a single event. Instead, events are threaded together in a chain in which each event must be successfully completed before the next event. This thread of events can be mapped to the Cyber Kill Chain.
### **27.4 Incident Response**
Incident response involves policies, procedures, and strategies to manage cyberattacks effectively. The goal is to **limit damage**, **analyze impact**, and **implement recovery plans**.
---
#### **27.4.1 Establishing an Incident Response Capability**
Organizations establish a **computer security incident response capability** (CSIRC) to manage and handle security incidents effectively.
**NIST Special Publication 800-61r2** provides a framework for incident response:
- **Policy Elements**:
  - Statement of management commitment
  - Purpose, scope, and objectives
  - Roles, responsibilities, and authority levels
  - Prioritization of incidents and performance measures
- **Plan Elements**:
  - Mission, goals, and strategies
  - Communication strategy within and outside the organization
  - Metrics for incident handling effectiveness
- **Procedure Elements**:
  - Technical processes, SOPs, checklists
  - Detailed steps to minimize errors during high-pressure incidents
---
#### **27.4.3 Incident Response Stakeholders**
Key stakeholders collaborate with the CSIRT during incidents:
- **Management**: Oversees policies, coordinates with teams, and minimizes damage.
- **Information Assurance**: Adjusts firewall rules and implements changes during containment or recovery.
- **IT Support**: Handles systems, preserving evidence and minimizing impact.
- **Legal Department**: Ensures policies comply with laws and manages legal aspects.
- **Public Affairs**: Communicates with the public or media for incidents like data breaches.
- **Human Resources**: Takes action if employees cause incidents.
- **Business Continuity Planners**: Adjust plans to account for disruptions.
- **Physical Security**: Secures facilities and evidence during physical breaches.
---
#### **27.4.4 NIST Incident Response Life Cycle**
NIST outlines four phases in the **Incident Response Life Cycle**:

1. **Preparation**
   - Train the CSIRT and acquire incident response tools.
   - Create processes for communication and risk mitigation.
   - Maintain jump kits with forensic software, backups, and critical resources.
2. **Detection and Analysis**
   - **Attack Vectors**: Web attacks, email, theft, impersonation, attrition, media.
   - **Indicators**:
     - *Precursor*: Signs an incident *might* occur (e.g., port scan logs).
     - *Indicator*: Signs an incident *has* occurred (e.g., IDS alerts, malware).
   - **Scoping**: Assess affected systems, origin, and scope of the incident.
   - **Notification**: Inform stakeholders like CIO, legal, or law enforcement.
3. **Containment, Eradication, and Recovery**
   - **Containment**: Stop the incident, preserving evidence for analysis.
   - **Evidence Handling**: Maintain proper chain of custody.
   - **Eradication and Recovery**: Eliminate threats, restore hosts using clean backups, and patch vulnerabilities.
4. **Post-Incident Activities**
   - Conduct a **lessons-learned meeting** to assess and refine incident response:
     - What happened, and what went well or poorly?
     - Were procedures followed, and how can detection improve?
     - What tools or processes need enhancements?
---
#### **27.4.5 Preparation**
The preparation phase ensures the CSIRT is ready for incidents. Key actions include:
- Training team members and establishing communication processes.
- Deploying tools (e.g., packet sniffers, forensic software).
- Developing **security awareness training** for users.
- Maintaining **jump kits** for rapid deployment during incidents.
---
#### **27.4.6 Detection and Analysis**
This phase focuses on identifying incidents through **automated tools** and manual detection.
- **Attack Vectors**:
  - Web, email, theft/loss, impersonation, attrition, and external media.
- **Incident Indicators**:
  - *Precursor*: Signs of a potential attack (e.g., port scans).
  - *Indicator*: Signs an attack is happening or has occurred (e.g., malware alerts).
- **Scoping**: Determine affected systems, attack origin, and extent.
- **Notification**: Inform internal and external stakeholders for coordinated response.
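The precursor/indicator distinction and initial scoping described in 27.4.4 and 27.4.6 are concrete enough to run over log data. The Python below is an added example, not course code: it parses a handful of constructed firewall, IDS and antivirus log lines, treats a single source hitting many distinct ports on one host as a *precursor* (a port scan), treats IDS alerts and malware quarantines as *indicators*, and then lists the internal hosts that need to be scoped. The log format, the signature name, the threshold of five ports and all addresses (documentation ranges) are assumptions for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log lines (documentation-range addresses, made-up hostnames).
SAMPLE_LOGS = """\
2024-05-01T08:00:01 fw01 DROP src=203.0.113.5 dst=10.0.0.7 dport=21
2024-05-01T08:00:01 fw01 DROP src=203.0.113.5 dst=10.0.0.7 dport=22
2024-05-01T08:00:02 fw01 DROP src=203.0.113.5 dst=10.0.0.7 dport=23
2024-05-01T08:00:02 fw01 DROP src=203.0.113.5 dst=10.0.0.7 dport=80
2024-05-01T08:00:03 fw01 DROP src=203.0.113.5 dst=10.0.0.7 dport=443
2024-05-01T08:00:03 fw01 DROP src=203.0.113.5 dst=10.0.0.7 dport=445
2024-05-01T08:05:10 ids01 ALERT sig="EXAMPLE Beacon Checkin" src=10.0.0.12 dst=198.51.100.3
2024-05-01T08:06:44 av01 MALWARE host=10.0.0.12 file=update.exe action=quarantine
2024-05-01T08:07:00 fw01 ACCEPT src=10.0.0.15 dst=10.0.0.7 dport=443
"""

# Assumed log formats for the three constructed sources.
FW_RE = re.compile(r"^(\S+) (\S+) (DROP|ACCEPT) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r'^(\S+) (\S+) ALERT sig="([^"]+)" src=(\S+) dst=(\S+)$')
AV_RE = re.compile(r"^(\S+) (\S+) MALWARE host=(\S+) file=(\S+) action=(\S+)$")

PORT_SCAN_THRESHOLD = 5   # distinct ports from one source to one host; assumed value


def classify(lines: List[str]) -> Tuple[List[dict], List[dict]]:
    """Split events into precursors (an incident might occur) and indicators (it has)."""
    precursors: List[dict] = []
    indicators: List[dict] = []
    dropped_ports: Dict[Tuple[str, str], set] = defaultdict(set)

    for line in lines:
        m = FW_RE.match(line)
        if m:
            _ts, _host, verdict, src, dst, port = m.groups()
            if verdict == "DROP":                      # blocked probes build the scan picture
                dropped_ports[(src, dst)].add(int(port))
            continue
        m = IDS_RE.match(line)
        if m:
            _ts, _host, sig, src, dst = m.groups()
            indicators.append({"type": "ids_alert", "signature": sig, "host": src, "remote": dst})
            continue
        m = AV_RE.match(line)
        if m:
            _ts, _host, victim, filename, action = m.groups()
            indicators.append({"type": "malware", "host": victim, "file": filename, "action": action})

    # Many distinct ports from one source to one target is a scan: a precursor, not yet an incident.
    for (src, dst), ports in dropped_ports.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            precursors.append({"type": "port_scan", "source": src, "target": dst, "ports": sorted(ports)})
    return precursors, indicators


def scope(indicators: List[dict]) -> List[str]:
    """Initial scoping: the internal hosts that show signs of compromise."""
    return sorted({i["host"] for i in indicators})


if __name__ == "__main__":
    pre, ind = classify(SAMPLE_LOGS.splitlines())
    print("precursors:", pre)
    print("indicators:", ind)
    print("hosts to scope:", scope(ind))
```

The scan against `10.0.0.7` is worth watching but is not an incident on its own, whereas the IDS alert and the quarantine on `10.0.0.12` are evidence that something already happened, so that host is what the scoping step starts with.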
---
#### **27.4.7 Containment, Eradication, and Recovery**
1. **Containment**
   - Implement predefined strategies to prevent further damage.
   - Preserve evidence and redirect attackers if possible (e.g., sandboxing).
2. **Eradication**
   - Identify and remediate all affected hosts.
   - Eliminate vulnerabilities, malware, and compromised accounts.
3. **Recovery**
   - Restore systems using clean backups or rebuild systems if needed.
   - Update software, patch systems, and enhance security.
---
#### **27.4.8 Post-Incident Activities**
Post-incident activities focus on reviewing processes and identifying improvements.
- **Lessons-Learned Meeting**:
  - Assess what happened, response effectiveness, and gaps.
  - Identify corrective measures and tools needed to prevent similar incidents.
- **Hardening Systems**: Improve existing security measures and processes.
---
#### **27.4.9 Incident Data Collection and Retention**
Data collected during incidents can inform **budgeting**, **incident trends**, and **process improvements**.
- **Objective Assessment**:
  - Review logs, analyze causes, and evaluate impact.
  - Determine weaknesses in detection or response.
- **Retention Factors**:
  - **Prosecution**: Keep evidence for legal proceedings.
  - **Data Type**: Retain critical incident data as per policy.
  - **Cost**: Manage costs for long-term data storage and maintenance.
---
#### **27.4.10 Reporting Requirements and Information Sharing**
Organizations must comply with **legal reporting requirements** and share information responsibly:
- Plan incident coordination before incidents occur.
- Automate information sharing where possible.
- Balance sharing benefits with protecting sensitive data.
- Share incidents with organizations like the VERIS community to strengthen collective defenses.
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/28-4-11-check-your-understanding-identify-the-incident-handling-term-answers.html).
:::
>[!Warning]Recap
>Incident Response involves the methods, policies, and procedures that are used by an organization to respond to a cyberattack. The goals of incident response are to limit the impact of the attack, assess the damage caused, and implement recovery procedures. It is essential that organizations create and maintain detailed incident response plans and designate personnel who are responsible for executing all aspects of that plan. NIST recommendations for incident response are detailed in their Special Publication 800-61, revision 2 entitled “Computer Security Incident Handling Guide”.
>
>The first step for an organization is to establish a computer security incident response capability (CSIRC). NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. Some of the CSIRC stakeholders include Management, Information Assurance, IT Support, the Legal Department, Public Affairs and Media Relations, Human Resources, Business Continuity Planners, Physical Security and Facilities Management. Governmental regulations should be consulted by the legal team to determine the organization’s responsibility for reporting the incident. Beyond the legal requirements and stakeholder considerations, NIST recommends that an organization coordinate with other organizations to share details of the incident. There should be a policy in place in each organization that outlines how long evidence of an incident is retained.
>
>The CMMC framework was created to assess the ability of organizations that perform functions for the U.S. DoD to protect the military supply chain from disruptions or losses due to cybersecurity incidents. The CMMC specifies 17 domains, each of which has a varying number of capabilities that are associated with it. The organization is rated by the maturity level that has been achieved for each of the domains. The CMMC certifies organizations by level.
>
>NIST defines four steps in the incident response process life cycle: 1. Preparation, 2. Detection and Analysis, 3. Containment, Eradication, and Recovery, and 4. Post-Incident Activities. The preparation phase is when the CSIRT is created and trained. This phase is also when the tools and assets that will be needed by the team to investigate incidents are acquired and deployed. Incidents are detected in many different ways, and not all of them provide the same level of detail or clarity. There are two categories for the signs of an incident: Precursor and Indicator. The use of complex algorithms and machine learning often helps to determine the validity of security incidents. One method that can be used is network and system profiling.
>
>When the CSIRT believes that an incident has occurred, it should immediately perform an initial analysis to determine the incident’s scope, such as which networks, systems, or applications are affected, who or what originated the incident, and how the incident is occurring. When an incident is analyzed and prioritized, the incident response team needs to notify the appropriate stakeholders and outside parties so that all who need to be involved will play their roles. Clear and concise documentation surrounding the preservation of evidence is critical. Identifying attackers is secondary to containing, eradicating, and recovering hosts and services. After containment, the first step to eradication is identifying all of the hosts that need remediation. All of the effects of the security incident and all of the vulnerabilities that were exploited by the attacker must also be corrected or patched so that the incident does not occur again. Following an incident, the organization should debrief to review the effectiveness of the incident handling process and identify necessary hardening needed for existing security controls and practices.
### **27.5 Disaster Recovery**
Disaster recovery ensures that organizations continue operating during and after a disaster by implementing effective plans and controls to mitigate risks and restore operations.
---
#### **27.5.2 Types of Disasters**
Disasters are categorized into **natural** and **human-caused**:
- **Natural Disasters**:
  - **Geological**: Earthquakes, landslides, volcanoes, tsunamis.
  - **Meteorological**: Hurricanes, tornadoes, lightning, hail.
  - **Health**: Pandemics, widespread illnesses, quarantines.
  - **Miscellaneous**: Fires, floods, solar storms, avalanches.
- **Human-Caused Disasters**:
  - **Labor Events**: Strikes, walkouts, slowdowns.
  - **Sociopolitical**: Vandalism, sabotage, terrorism, protests, war.
  - **Materials**: Hazardous spills, fires.
  - **Utility Disruptions**: Power failures, outages, fuel shortages, radioactive fallout.
---
#### **27.5.3 Disaster Recovery Plan**
The **Disaster Recovery Plan (DRP)** outlines steps to assess, salvage, repair, and restore systems during a disaster.
To create a DRP, answer the following:
- **Who**: Who is responsible?
- **What**: What resources are needed?
- **Where**: Where does the process occur?
- **What (Process)**: What steps are involved?
- **Why**: Why is the process critical?
---
#### **27.5.4 Avatar**
Prioritizing **mission-critical systems** ensures that recovery efforts focus on processes essential for business survival.
---
#### **27.5.5 Implementing Disaster Recovery Controls**
Disaster recovery controls minimize disaster impact and facilitate recovery:
1. **Preventive Controls**:
   - Measures to identify and mitigate risks to prevent disasters.
2. **Detective Controls**:
   - Tools and processes to detect threats and uncover new risks.
3. **Corrective Controls**:
   - Measures to restore systems and recover from disasters.
---
#### **27.5.6 Avatar**
Organizations cannot prepare for every scenario, making a **Business Continuity Plan (BCP)** essential for sustaining operations.
---
#### **27.5.7 Business Continuity Planning**
The **BCP** ensures critical systems and business processes operate from alternate locations if the primary site is damaged.
The BCP begins with a **Business Impact Analysis (BIA)** to identify key processes, resources, and system interdependencies.
- **Recovery Time Objectives (RTO)**: Maximum tolerable downtime for a system after failure.
- **Recovery Point Objectives (RPO)**: The maximum tolerable loss of data.
- **Mean Time to Repair (MTTR)**: Average time required to repair a failed component.
- **Mean Time Between Failures (MTBF)**: Average time between system failures.
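The four BIA metrics above become actionable when they are checked against what a system actually does. The Python below is an added example, not part of the course: it computes steady-state availability from MTBF and MTTR using the standard formula A = MTBF / (MTBF + MTTR), estimates expected annual downtime, and flags systems whose backup interval exceeds the RPO or whose measured restore time (or observed MTTR) exceeds the RTO. The two system profiles, their numbers, and the `backup_interval_hours` and `restore_time_hours` fields are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List

HOURS_PER_YEAR = 8760.0


@dataclass
class SystemProfile:
    """BIA record for one system: targets (RTO/RPO) and observed behaviour (MTBF/MTTR)."""
    name: str
    rto_hours: float               # maximum tolerable downtime
    rpo_hours: float               # maximum tolerable data loss, expressed as time
    mtbf_hours: float              # observed mean time between failures
    mttr_hours: float              # observed mean time to repair
    backup_interval_hours: float   # how often data is backed up (assumed field)
    restore_time_hours: float      # measured time to restore from backup (assumed field)


# Constructed sample inventory.
SAMPLE_PROFILES = [
    SystemProfile("order-db", rto_hours=2, rpo_hours=0.25, mtbf_hours=2000, mttr_hours=1,
                  backup_interval_hours=1, restore_time_hours=3),
    SystemProfile("intranet-wiki", rto_hours=48, rpo_hours=24, mtbf_hours=1000, mttr_hours=4,
                  backup_interval_hours=24, restore_time_hours=6),
]


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability: fraction of time the system is up."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def expected_annual_downtime_hours(mtbf_hours: float, mttr_hours: float) -> float:
    """Failures per year (one per MTBF+MTTR cycle) times repair time per failure."""
    failures_per_year = HOURS_PER_YEAR / (mtbf_hours + mttr_hours)
    return failures_per_year * mttr_hours


def assess(profiles: List[SystemProfile]) -> List[dict]:
    """Compare each system's observed numbers against its RTO and RPO targets."""
    findings = []
    for p in profiles:
        issues = []
        if p.backup_interval_hours > p.rpo_hours:
            issues.append("backup interval exceeds RPO")      # would lose more data than tolerated
        if p.restore_time_hours > p.rto_hours:
            issues.append("restore time exceeds RTO")         # recovery runbook is too slow
        if p.mttr_hours > p.rto_hours:
            issues.append("observed MTTR exceeds RTO")        # routine repairs already breach the target
        findings.append({
            "name": p.name,
            "availability": round(availability(p.mtbf_hours, p.mttr_hours), 5),
            "annual_downtime_hours": round(expected_annual_downtime_hours(p.mtbf_hours, p.mttr_hours), 2),
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_PROFILES):
        print(finding)
```

The order database in the constructed data has good availability on paper, yet fails both targets: hourly backups cannot satisfy a 15-minute RPO, and a three-hour restore cannot meet a two-hour RTO. That is exactly the kind of gap a BIA is meant to surface before a disaster does.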
---
#### **27.5.8 Business Continuity Considerations**
Effective business continuity requires:
- Correct personnel placement.
- Documenting configurations and processes.
- Establishing alternate communication channels.
- Ensuring power availability.
- Identifying application/process dependencies.
- Developing manual processes for automated tasks.
---
#### **27.5.9 Business Continuity Best Practices**
NIST provides best practices for developing a BCP:
1. **Develop the Policy Statement**: Assign roles and responsibilities.
2. **Conduct the BIA**: Identify and prioritize critical systems.
3. **Calculate Risk**: Analyze threats, vulnerabilities, and risks.
4. **Identify Preventive Controls**: Implement measures to reduce risk.
5. **Develop Recovery Strategies**: Plan methods for quick recovery.
6. **Develop the Contingency Plan**: Write detailed procedures for continuity.
7. **Test the Plan**: Verify the plan’s effectiveness through exercises.
8. **Maintain the Plan**: Update and refine regularly.
---
#### **27.5.10 Exercising Your Disaster Recovery Plan**
Organizations test DRPs through the following methods:
1. **Tabletop Exercises**:
   - Teams discuss scenarios and examine processes without actual execution.
2. **Functional Tests**:
   - Specific parts of the plan are tested for effectiveness.
3. **Operational Exercises**:
   - Full-scale simulations where services are intentionally disrupted to test the DRP under real conditions.
>[!Warning]Recap
>Natural disasters differ depending on location and are sometimes difficult to predict. Human-caused disasters involve people or organizations. An organization’s DRP includes the activities the organization takes to assess, salvage, repair and restore damaged facilities or assets. Preventive measures include controls that prevent a disaster from occurring. Detective measures include controls that discover new potential threats. Corrective measures include controls that restore the system after a disaster or an event.
>
>Business continuity controls are more than just backing up data and providing redundant hardware. Creating a business continuity plan starts with carrying out a business impact analysis (BIA) to identify critical business processes, resources, and relationships between systems. The BIA focuses on the consequences of the interruption to critical business functions and examines the key considerations listed here: RTOs, RPOs, MTTR, and MTBF. The National Institute of Standards and Technology (NIST) developed best practices in relation to business continuity.
>
>Training for the disaster recovery plan can use several methods. Consider a tabletop exercise in which participants sit around a table with a facilitator who supplies information related to a scenario incident and processes that are being examined. No actual processes or procedures are invoked; they are just discussed. Another type of exercise is a functional test where certain aspects of a plan are tested to see how well they work (and how well prepared personnel are). At the most extreme are full operational exercises, or simulations. These are designed to interrupt services to verify that all aspects of a plan are in place and sufficient to respond to the type of incident that is being simulated.