
Student Lab Manual

Lab #10: Assessment Worksheet

Part A – Create a CIRT Response Plan for a Typical IT Infrastructure

Overview
The following are the steps required to perform Lab #10 – Create a CIRT Response Plan for a Typical IT
Infrastructure:
1. Refer to Figure 6 – “Mock” IT Infrastructure for Lab #10. Your CIRT response plan must address
one of the following:
• Internet ingress/egress
• Headquarters departmental VLANs on LAN Switch 1 and 2 with clear-text privacy data
• Remote branch office locations connected through the WAN
• Data center/server farm

Figure 6 – “Mock” IT Infrastructure for Lab #10

2. For one of the above CIRT response plan items, build a CIRT response plan approach according to
the defined 6-step methodology unique to the risks associated with the item:

Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company Current Version Date: 05/30/2011 www.jblearning.com
All Rights Reserved.
-1-

• Step 1 – Preparation – what tools, applications, laptops, and communication devices are
needed to address computer/security incident response for this specific breach? Document
this for this lab.

• Step 2 – Identification – when an incident is reported it must be identified, classified, and
documented. During this step, the following information is needed:
i. Validating the incident
ii. Identifying its nature, if an incident has occurred
iii. Identifying and protecting the evidence
iv. Logging and reporting the event or incident

• Step 3 – Containment – the immediate objective is to limit the scope and magnitude of the
computer/security-related incident as quickly as possible, rather than to allow the incident to
continue in order to gain evidence for identifying and/or prosecuting the perpetrator. For the
lab explain how you will solve this challenge.

• Step 4 – Eradication – the next priority is to remove the computer/security related incident
or breach’s effects. Explain what you would do for this lab.
• Step 5 – Recovery – recovery is specific to bringing back into production those IT systems,
applications, and assets that were affected by the security-related incident. Define what your
RTO would be for this lab and explain your reasoning.

• Step 6 – Post-Mortem Review – following up on an incident after the recovery tasks and
services are completed is a critical last step in the overall methodology. A post-mortem report
should include a complete explanation of the incident and the resolution and applicable
configuration management, security countermeasures, and implementation recommendations to
prevent the security incident or breach from occurring again. Explain what you would do
post-mortem for an incident that occurs within your portion of the network.
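The six steps above are a fixed sequence with two record-keeping requirements inside them: Step 2 asks for evidence to be protected and logged, and Step 5 asks for an RTO. The following is an added example, not part of the lab manual, of a small incident record that enforces that order, hashes each evidence item at collection so later tampering is detectable, and checks the elapsed time from identification to restored service against the RTO. The step names are the lab's; the incident id, segment, timestamps, evidence bytes and all function names are constructed for illustration.

```python
"""Added example, not from the lab manual: an incident record that enforces the
six-step CIRT methodology in order, keeps a hashed evidence log for Step 2
(identify and protect evidence, log and report), and checks the Recovery Time
Objective chosen in Step 5. Step names come from the lab; every other name and
sample value here is constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

STEPS = ["Preparation", "Identification", "Containment",
         "Eradication", "Recovery", "Post-Mortem Review"]

# Constructed sample evidence (stands in for a memory image or log export).
SAMPLE_IMAGE = b"constructed memory image bytes"


@dataclass
class EvidenceItem:
    description: str
    sha256: str            # digest taken at collection; any later change breaks it
    collected_by: str
    collected_at: datetime


@dataclass
class Incident:
    incident_id: str
    segment: str           # which part of the mock infrastructure is affected
    rto: timedelta         # Recovery Time Objective defined for that segment
    completed: List[str] = field(default_factory=list)
    evidence: List[EvidenceItem] = field(default_factory=list)
    log: List[str] = field(default_factory=list)
    detected_at: Optional[datetime] = None
    restored_at: Optional[datetime] = None

    def next_step(self) -> Optional[str]:
        """The step the plan expects next, or None once all six are done."""
        return STEPS[len(self.completed)] if len(self.completed) < len(STEPS) else None

    def complete_step(self, step: str, note: str, when: datetime) -> None:
        """Record a step; a step is valid only when every earlier step is done."""
        expected = self.next_step()
        if step != expected:
            raise ValueError(f"out of order: expected {expected!r}, got {step!r}")
        if step == "Identification":
            self.detected_at = when        # the RTO clock starts here
        elif step == "Recovery":
            self.restored_at = when
        self.completed.append(step)
        self.log.append(f"{when.isoformat()} {step}: {note}")

    def add_evidence(self, description: str, data: bytes,
                     collected_by: str, when: datetime) -> EvidenceItem:
        """Step 2 (iii)/(iv): hash the evidence at collection and log who took it."""
        if "Identification" not in self.completed or "Post-Mortem Review" in self.completed:
            raise ValueError("evidence is collected after identification, before closure")
        item = EvidenceItem(description, hashlib.sha256(data).hexdigest(), collected_by, when)
        self.evidence.append(item)
        self.log.append(f"{when.isoformat()} evidence: {description} sha256={item.sha256}")
        return item

    @staticmethod
    def verify_evidence(item: EvidenceItem, data: bytes) -> bool:
        """True if the bytes still match the digest recorded at collection."""
        return hashlib.sha256(data).hexdigest() == item.sha256

    def recovery_within_rto(self) -> bool:
        """Step 5 check: identification-to-restored-service time versus the RTO."""
        if self.detected_at is None or self.restored_at is None:
            raise ValueError("recovery has not been completed")
        return self.restored_at - self.detected_at <= self.rto


def run_example() -> Incident:
    """Walk a constructed data-center incident through all six steps."""
    t0 = datetime(2024, 1, 1, 8, 0)     # constructed timestamps
    inc = Incident("INC-0001", "Data center/server farm", rto=timedelta(hours=4))
    inc.complete_step("Preparation", "forensic laptop, write blocker, IDS console ready", t0)
    inc.complete_step("Identification", "IDS alert validated on a web server",
                      t0 + timedelta(minutes=30))
    inc.add_evidence("web server memory image", SAMPLE_IMAGE, "analyst1",
                     t0 + timedelta(minutes=45))
    inc.complete_step("Containment", "server port isolated on LAN Switch 1",
                      t0 + timedelta(hours=1))
    inc.complete_step("Eradication", "server rebuilt from a known-good image",
                      t0 + timedelta(hours=3))
    inc.complete_step("Recovery", "server returned to production after validation",
                      t0 + timedelta(hours=3, minutes=30))
    inc.complete_step("Post-Mortem Review", "report and recommendations delivered",
                      t0 + timedelta(days=2))
    return inc


def skipping_a_step_is_rejected() -> bool:
    """Jumping straight to Containment must fail; returns True if it does."""
    inc = Incident("INC-0002", "Remote branch office", rto=timedelta(hours=8))
    try:
        inc.complete_step("Containment", "skipped ahead", datetime(2024, 1, 1))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    incident = run_example()
    print("\n".join(incident.log))
    print("within RTO:", incident.recovery_within_rto())
```

In the sample run the service is restored three hours after identification against a four-hour RTO, so `recovery_within_rto()` is true; changing the RTO to two hours makes the same timeline fail the check, which is the kind of reasoning the lab asks you to document for Step 5.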


Lab #10: Assessment Worksheet

Create a CIRT Response Plan for a Typical IT Infrastructure

Course Name: IAA202

Student Name: Nguyễn Lê Hoàng Thông

Instructor Name: Mai Hoàng Đỉnh

Lab Due Date: __________________________________________________________________

Overview
The best risk mitigation strategy requires building and implementing a CIRT response plan. This means
you are preparing for potential computer/security incidents and practicing how to handle these incidents.
Like any kind of remediation, the more you can plan, prepare, and practice, the more prepared you are to
handle any risk situation. This lab presented how to apply the computer/security incident response
methodology to handling incidents specific to a portion of the network infrastructure.

Lab Assessment Questions


1. What risk mitigation security controls or security countermeasures do you recommend for the portion
of the network for which you built a CIRT response plan? Explain your answer.
Implementing firewalls, intrusion detection/prevention systems (IDS/IPS), and encryption for
sensitive data in transit can be crucial. These controls protect data and help prevent unauthorized access,
reducing the risk of data breaches in this network segment. Additionally, access control lists (ACLs) and
network segmentation can limit lateral movement within the network.
2. How does a CIRT plan help an organization mitigate risk?
A CIRT plan provides a structured approach to responding to security incidents, ensuring that the team is
prepared to handle incidents quickly and efficiently. This minimizes damage, limits data loss, and reduces
downtime by allowing the organization to contain and eradicate threats in a timely manner.
3. How does a CIRT response plan help mitigate risk?
The response plan outlines specific steps for containment, eradication, and recovery, helping to manage
security incidents without causing further disruptions. This structured response can reduce the overall
impact on the organization and prevent the incident from escalating.

4. How does the CIRT post-mortem review help mitigate risk?


The post-mortem review provides insights into what went wrong and identifies areas for improvement.
By analyzing the incident thoroughly, the organization can implement corrective actions and update
policies or security measures to prevent similar incidents from occurring.

5. Why is it a good idea to have a protocol analyzer as one of your incident response tools when
examining IP LAN network performance or connectivity issues?
A protocol analyzer helps detect network anomalies and identify malicious traffic patterns, making it
easier to diagnose connectivity issues and monitor performance. This tool is essential for detecting
suspicious behavior in real-time, helping to prevent potential security incidents.
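A protocol analyzer earns its place in the toolkit because it decodes the headers of every packet on the wire, which lets the responder both troubleshoot connectivity and spot traffic that should not be there. The following is an added example, not part of the lab manual, of the core of that work in Python: it decodes constructed IPv4/TCP packets with `struct`, then flags clear-text protocols (Telnet, FTP, HTTP) originating from the departmental VLAN that the lab describes as carrying clear-text privacy data, and tallies the busiest senders. The VLAN address range, packet contents and function names are constructed assumptions.

```python
"""Added example, not from the lab manual: a minimal protocol-analyzer pass over
constructed IPv4/TCP packets. Decodes headers, flags clear-text protocols leaving
a privacy-data VLAN, and counts top talkers. Addresses and packets are constructed."""
import ipaddress
import struct
from collections import Counter
from typing import Dict, List

# Protocols that carry credentials and data without encryption.
CLEAR_TEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

# Constructed address range standing in for a departmental VLAN on LAN Switch 1.
PRIVACY_VLAN = "10.10.20.0/24"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 + TCP packet (checksums left zero) as sample input."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    # data offset 5 words, flags PSH|ACK, window 65535
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(raw: bytes) -> Dict:
    """Decode the IPv4 header and, for TCP, the TCP header and payload."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {"src": str(ipaddress.IPv4Address(src)),
           "dst": str(ipaddress.IPv4Address(dst)),
           "ttl": ttl, "proto": proto}
    if proto == 6:
        if len(raw) < ihl + 20:
            raise ValueError("truncated TCP header")
        sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
        data_off = (off >> 4) * 4
        pkt.update(sport=sport, dport=dport, flags=flags,
                   payload=raw[ihl + data_off:total_len])
    return pkt


def analyze(packets: List[bytes], privacy_vlan: str) -> Dict:
    """Return clear-text sessions leaving the privacy VLAN and the busiest senders."""
    net = ipaddress.ip_network(privacy_vlan)
    clear_text = []
    talkers: Counter = Counter()
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        talkers[p["src"]] += 1
        if (p["proto"] == 6 and p["dport"] in CLEAR_TEXT_PORTS
                and ipaddress.ip_address(p["src"]) in net):
            clear_text.append((p["src"], p["dst"], CLEAR_TEXT_PORTS[p["dport"]]))
    return {"clear_text": clear_text, "top_talkers": talkers.most_common(3)}


# Constructed capture: one Telnet login from the privacy VLAN, one HTTPS session,
# and one HTTP request from a host outside the privacy VLAN.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.10.20.5", "10.10.20.9", 50123, 23, b"login: "),
    build_ipv4_tcp("10.10.20.5", "172.16.0.10", 50124, 443),
    build_ipv4_tcp("10.10.30.7", "10.10.20.9", 50125, 80, b"GET / HTTP/1.1\r\n"),
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_PACKETS, PRIVACY_VLAN)["clear_text"]:
        print("clear-text session:", finding)
```

Only the Telnet session is reported: the HTTPS session is encrypted, and the HTTP request originates outside the privacy VLAN. The same decoder output feeds the performance questions (TTL, flags and per-host packet counts), which is why one tool serves both the connectivity-troubleshooting and the incident-detection use the question describes.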
6. Put the following in the proper sequence:
Identification : 2nd
Containment : 3rd
Post-Mortem Review : 6th
Eradication : 4th
Preparation : 1st
Recovery : 5th
7. Which step in the CIRT response methodology relates back to RTO for critical IT systems?
Recovery. This step focuses on bringing affected systems back to operational status within the
defined Recovery Time Objective (RTO).
8. Which step in the CIRT response methodology requires proper handling of digital evidence?
Identification. Proper evidence handling is essential at this stage to ensure that digital evidence is
preserved and protected for potential legal or forensic purposes.
9. Which step in the CIRT response methodology requires review with executive management?
Post-Mortem Review. This step includes a thorough assessment of the incident and outcomes, which is
shared with executive management for transparency and to ensure organizational alignment on
improvements.
10. Which step in the CIRT response methodology requires security applications and tools readiness?
Preparation. This step involves ensuring that all necessary security tools and applications are available,
configured, and ready for immediate use in the event of an incident.
