Incident Response Process

(OBJ 4.8)

Incident

• An act violating a security policy
• Either explicit or implied
• Example:
  • Stealing your passwords is an incident

Phases of Incident Response

• NIST (National Institute for Standards and Technology) "Computer Security Incident Handling Guide" defines a four-phase incident response process:
  • Preparation
  • Detection and Analysis
  • Containment, Eradication and Recovery
  • Post-Incident Activity
• In the CompTIA model, "Detection and Analysis" is divided into two phases, and "Containment, Eradication, and Recovery" is divided into three, creating a seven-phase model
• Incident Response Procedures
  • Guidelines for handling security incidents
  • Should occur in the event of a security incident
• Incident response and recovery are crucial in organizations due to frequent major data breaches in the news

Seven Phases of Incident Response

• Preparation
  • Gets an organization ready for future incidents
  • Focuses on making systems resilient to attacks by hardening systems and networks
  • Involves creating policies, procedures, and a communication plan
  • You will also conduct training, testing, and exercising of your staff with simulated incidents
• Detection
  • Determines if a security incident has occurred
  • Identifies a security incident
  • Cybersecurity and triage analysts play a vital role in assessing incident severity
• Analysis
  • Thoroughly examines and evaluates the incident
  • Provides insights into the incident's scope and impact
  • Notifies stakeholders and initiates containment
• Containment
  • Limits the incident's scope by securing data and minimizing business impact
  • Prevents the spread of malicious activity
  • Example:
    • Piece of malware detected on a given system in the detection and analysis phase
    • Containment's goal is to prevent that piece of malware from spreading to other systems on our network.
    • In this case we might isolate the affected client from the network and lock out the user from using the workstation until cleaning happens
• Eradication
  • Starts after containment
  • Focuses on removing malicious activity from systems or networks
  • May involve reimaging affected systems
• Recovery
  • Restores affected systems and services to their secure state
  • Includes restoring from backups, patching, and updating configurations
  • Ensures resilience against future threats
  • Recovery procedures can involve monitoring for lingering threats to ensure a smooth return to normal operations
  • Goal: Minimize impact of the incident
• Post-Incident Activity
  • Occurs after containment, eradication, and recovery
  • Identifies the initial incident source and improvements to prevent future
  • Involves
    • Root cause analysis
      • Identifies the incident’s source and how to prevent it in the future
      • Steps
        1. Define/scope the incident
        2. Determine the causal relationships that led to the incident
        3. Identify an effective solution
        4. Implement and track the solutions
    • Lessons learned
      • Documents experiences during incidents in a formalized way
      • Recorded in our internal organization, processes should be improved, so that the same issue does not occur again in our next incident.
      • Example:
        • Maybe our management board was too slow to approve the security fix we needed to implement to fully secure the network
        • One lessons learned that might be captured is the need to decrease the approved times for emergent change requests during an incident.
      • We don't have to redevelop and change processes during the lessons learned, we just need to identify what could be improved.
    • After-action report
      • Collects formalized information about what occurred
      • In this report you should have the Root cause analysis and the recommendations for improvements from your lessons learned
      • Depending on org. the report may be very detailed and technical or it may be written as an executive summary

Incident Response Team

• The core team includes cybersecurity professionals with incident response experience
  • Temporary members may be added as needed (e.g., database administrators)
• Large organizations have full-time incident response teams
  • Smaller organizations form temporary teams for specific incidents
  • Brought together for a specific incident, may include system administrator and data base manager, etc.
• Team Roles
  • Leader
  • Subject Matter Experts
  • IT Support
  • Legal Counsel
  • HR
  • Public Relations
• Leadership and management ensure the incident response team has necessary funding, resources ,and expertise
• Management makes crucial decisions and communicates them during the incident response

Outsourcing Incident Response

• Some organizations outsource incident response to specialized teams
• Effective but expensive; external teams may not be familiar with the organization's network
  • Effective but unfamiliar.