Incident Response (IR) Guidelines

"IR planning is the key element in taking the necessary actions when an incident is triggered by a security breach. This can assist in faster remediation and recovery from a security threat."

Incident Response Cycle

Preparation

Policy Creation

    • Policy should contain statements that provide authority for incident response, assign responsibility to the IR team, and describe the role of individual users and state organizational priorities.

Building PPP (Plan/Process/Procedures)

    • The Plan is needed to organize things, meet requirements and improve coordination.
    • The Process streamlines incident handling and escalation to the correct team/department.
    • Develop procedures (playbooks) that describe the steps individuals will follow in the event of a specific type of cybersecurity incident.

Communication

    • List of the correct individuals to reach out to during the incident (can also be based on severity)
      • Internal: within the organization
      • External
        • Customers
        • Public Relations/Media
        • ISP/Vendors
        • Law Enforcement/Regulatory requirements

Technical

    • Building strong cybersecurity defenses to reduce the likelihood and impact of future incidents.
      • Backups running
      • Network Equipment (FW)
      • AV installed
      • Log collection/retention
      • Packet capture
      • Permissions
      • NTP
      • SIEM

Testing/Training

    • Security awareness and security programs for non-technical staff
    • Technical certification/courses/learning provided to IT professionals.
    • Practice makes perfect (testing). Simulate live conditions.

Documentation

    • Everything needs to be recorded so that it can be referenced.

Detection & Analysis

24x7 Monitoring and Alerting

    • SIEM - Logs (Physical & Cloud)
    • Network Traffic (IDS/IPS)
    • Antivirus

Vulnerabilities

    • Internal/External Scans

People

    • Insider Threat

Incident Investigation

    “Analysis is often more art than science and is very difficult work.”

    • Finding odd behaviour/anomalies and documenting all the related information.
    • Reverse Engineering
    • Note all the actions taken on the incident findings.
    • Determine the Severity Level Classification.
    • Next steps are based on the incident severity/impact and the investigation outcomes.
    • Notification (as per the communication list from the preparation phase)

Containment, Eradication, & Recovery

Isolation/Segmentation

    • Shut down a system, disconnect it from the network, or disable certain functions.
      • Isolation/containment is recommended, to learn the behaviour and keep the evidence intact.
    • Sinkhole and redirect malicious network traffic to a sandbox segment.

Please note: plan on evidence gathering after isolation/containment; it can be necessary for various purposes depending on impact/severity (for example, snapshots of the system).

Removal

    • Scan for and manually delete malware; completely remove or disable accounts.

Sanitization/Reconstruction/Backup

    • Rebuild to a known-good state
    • Patching
    • Permission reviews
    • Restoration of services and verification of logging

Documentation

    • Confirmation that all the infected hosts are in a known-good state
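The severity decision from Incident Investigation drives both the severity-based contact list from the Communication section and the order of the containment steps above. The following is an added example, not part of the original guideline; its impact scales, score thresholds, contact group names and step names are assumptions made for illustration.

```python
"""Added example (not from the original guideline): severity classification
driving the severity-based contact list and the containment order.
Impact scales, thresholds and contact groups are assumptions."""
from dataclasses import dataclass

# Assumed impact scales, loosely modelled on NIST SP 800-61r2 categories.
FUNCTIONAL = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION = {"none": 0, "integrity_loss": 2, "proprietary_breach": 2, "privacy_breach": 3}
RECOVERABILITY = {"regular": 0, "supplemental": 1, "extended": 2, "not_recoverable": 3}

# Assumed contact groups per severity, mirroring the Internal/External list.
CONTACTS = {
    "low": ["ir_team"],
    "medium": ["ir_team", "it_ops"],
    "high": ["ir_team", "it_ops", "management", "isp_vendors"],
    "critical": ["ir_team", "it_ops", "management", "isp_vendors",
                 "public_relations", "customers", "law_enforcement"],
}

@dataclass(frozen=True)
class Incident:
    functional: str      # key into FUNCTIONAL
    information: str     # key into INFORMATION
    recoverability: str  # key into RECOVERABILITY

def classify(inc: Incident) -> str:
    """Map the three impact ratings to one severity label (assumed thresholds)."""
    # Privacy breach or unrecoverable system: critical whatever the summed score,
    # because regulatory notification and evidence-preservation duties apply.
    if inc.information == "privacy_breach" or inc.recoverability == "not_recoverable":
        return "critical"
    score = (FUNCTIONAL[inc.functional] + INFORMATION[inc.information]
             + RECOVERABILITY[inc.recoverability])
    for label, floor in (("critical", 6), ("high", 4), ("medium", 2)):
        if score >= floor:
            return label
    return "low"

def notify_list(inc: Incident) -> list[str]:
    """Who to reach out to, taken from the severity-based communication plan."""
    return CONTACTS[classify(inc)]

def containment_steps(inc: Incident) -> list[str]:
    """Isolate first (keeps evidence intact), snapshot for evidence on high and
    critical incidents, then sinkhole traffic, remove malware, rebuild known-good."""
    steps = ["isolate_or_segment", "sinkhole_malicious_traffic",
             "remove_malware", "rebuild_known_good_state"]
    if classify(inc) in ("high", "critical"):
        steps.insert(1, "snapshot_system_for_evidence")
    return steps
```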

Post-Incident Activity

Lessons Learned

    • Recommendations
    • Improving security measures/incident handling process
    • Using collected incident data
      • Risk Assessment
      • Controls/implementations
      • Actual Root Cause
    • Rewrite policies and procedures
    • Damage

Evidence Retention/Incident Data

    • See NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, for additional information on preserving evidence.

Checklist

    • List for verification/review/confirmation (table format)

Report

    • Summary Report

Information Sharing

    • Co-ordination/level of information (technical/non-technical)


References

[1] CompTIA CySA+ Study Guide (CS0-002)
[2] NIST SP 800-61r2, Computer Security Incident Handling Guide - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
