"IR planning is the key element in taking the necessary actions when an incident is triggered by a security breach. It enables faster remediation and recovery from a security threat."
Incident Response Cycle
Preparation
Policy Creation
- Policy should contain statements that provide authority for incident response, assign responsibility to the IR team, and describe the role of individual users and state organizational priorities.
Building PPP (Plan/Process/Procedures)
- The plan is needed to organize things, meet requirements and improve coordination.
- The process streamlines incident handling and escalation to the correct team/department.
- Develop procedures (playbooks) that describe the steps individuals will follow in the event of a specific type of cybersecurity incident.
Communication
- List of the correct individuals to reach out to during the incident (can also be tiered by severity)
- Internal: within the organization
- External:
  - Customers
  - Public Relations/Media
  - ISP/Vendors
  - Law Enforcement/Regulatory requirements
Technical
- Building strong cybersecurity defenses to reduce the likelihood and impact of future incidents.
- Backups running
- Network equipment (FW)
- AV installed
- Logs collection/retention
- Packet capture
- Permissions
- NTP
- SIEM
Testing/Training
- Security awareness and security programs for non-technical staff
- Technical certifications/courses/learning provided to IT professionals.
- Practice makes perfect (testing). Simulate live conditions.
Documentation
- Everything needs to be recorded so that it can be referenced.
Detection & Analysis
24x7 Monitoring and Alerting
- SIEM - Logs (Physical & Cloud)
- Network Traffic (IDS/IPS)
- Antivirus
Vulnerabilities
- Internal/External Scans
People
- Insider Threat
Incident Investigation
“Analysis is often more art than science and is very difficult work.”
- Finding odd behaviour/anomalies and documenting all the related information.
- Reverse Engineering
- Note all the actions taken on the incident findings.
- Determine Severity Level Classification.
- Next steps based on the incident severity/impact and investigation outcomes.
- Notification (As per preparation phase - communication)
Containment, Eradication, & Recovery
Isolation/Segmentation
- Shut down a system, disconnect it from a network, disable certain functions.
- Isolation/containment is recommended, to learn the behaviour while keeping the evidence intact.
- Sinkhole and redirect malicious network traffic to a sandbox segment.
Removal
- Scan for/manually delete malware, verify complete removal, disable affected accounts
Sanitization/Reconstruction/Backup
- Rebuild to a known-good state
- Patching
- Permission reviews
- Restoration of services and verification of logging
Documentation
- Confirmation that all infected hosts are in a known-good state
Post-Incident Activity
Lessons Learned
- Recommendations
- Improving security measures/incident handling process
- Using Collected Incident Data
- Risk Assessment
- Controls/implementations
- Actual Root Cause
- Rewrite policies and procedures
- Damage
Evidence Retention/Incident Data
- See NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, for additional information on preserving evidence.
Checklist
- List for verification/review/confirmation (table format)
Report
- Summary Report
Information Sharing
- Coordination/level of information shared (technical/non-technical)
References
[1] CompTIA CySA+ Study Guide (CS0-002)
[2] NIST - Computer Security Incident Handling Guide - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf