Incident Response
NIST - 'An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.'
Cybrary - 'An incident is an unplanned disruption or degradation of a network or system service and needs to be resolved immediately.'
The documentation of a predetermined set of instructions or procedures to to detect, respond to, and limit consequences of a malicious cyber attacks against an organization's information system(s). [NIST]
NIST Computer Security Incident Handling Guide (SP 800-61) provides guidance on exact elements to include:
Mission, strategies, and goals of incident response.
Senior management approval.
Approach to incident response.
Metrics for measuring response capabilities and effectiveness.
Roadmap for maturing response capability.
How the incident response program fits into the organization.
Documented incident types/category definitions.
Natural
Mechanical
Accidental / Human Error
Malicious / Compromise C-I-A
Policy Violation
Roles and responsibilities.
Granting clear authority for actions to be taken during an incident.
Who can/does perform IRP activities:
Incident Alerting
Identification / Triage
Decisions Making - Must be an organizational executive.
Equipment Collection / Confiscation
Forensics - Independence / Segregation of Duties
Repair / Recovery
Reporting
Communicating - Talking outside the organization.
Cyber-incident response teams.
Computer Emergency Response Team (CERT)
Cyber Incident Response Team (CIRT)
Computer Security Incident Response Team (CSIRT)
Formalized, standing, or ad-hoc.
Internal or external.
Central, distributed, or coordinating.
Includes:
Systems, network, database admins.
Legal
HR
Management
Reporting requirements/escalation.
Document.
Included in many help desk systems.
Collecting evidence (physical, virtual, etc.)
Reporting / Disclosing To:
Internal Management (Legal, HR, CEO, CFO)
Legal Authorities / Law Enforcement (Local, FBI)
Affected Organizations / Clients / Customers
CERT (www.cert.org)
Internet Crime Compliance Center (IC3) - www.ic3.org​
Insurance (Cyber)
Also needs to report what outside agencies (if any) should be notified.
Escalation guidelines would indicate under what circumstances you need to ask for additional assistance.
Testing, Exercises, and Training.
Be prepared.
Prepare each role with training.
Practice using real world scenarios.
Test systems and processes to find issues.
Tabletop and functional exercises.
Create an "Incident Response Plan" or IRP.
Hardware/Software/Communications
'Jump Kit'
Testing & Exercises
Creating Checklists
Technical
Procedures
Contacts
Alerting
Logs - IDS, SIEM, AV
Humans
Incident triage / validation.
Determine incident scope.
What and who is affected.
Number of systems affected.
Identification type:
system
data
personnel
etc
Analysis - Impact and Recoverability Effort
Escalation
Documentation & Notification
Ensuring incident doesn't continue or spread.
Securing the scene / limiting access / isolating systems (quarantine)
Physical
Network
Logical
Gathering Evidence
Find and eliminate the root cause.
Removing elements of the incident, such as malware.
Actions:
AV Clean-Up
Patching / Updating Software
Re-Imaging Systems
Restoring from Backup
The process of restoring and returning affected systems and devices back into your business environment.
Repair
Restoring from backup
Patching
Hardening systems (using known baseline)
Access control (network or systems)
Authentication (change passwords)
Procedural Changes
Documentation
Lessons Learned
After-action meeting with all Incident Response Team members.
Capture actions such as the cause, the cost, and recommendations for preventing future incidents.
Discuss what you've learned from the data breach.
Regulatory or legal requirements.
Update IRP
​
​
