- Terminologies
- Indicator of Compromise
- Goal of Incident Response
- Incident Response Lifecycle
- Incident Response Plan
- Incident Response Models
- Incident Response Team
- Incident Response Exercises
- SOAR
Understanding incident response begins with knowing the terms for various cyberattacks.
| Terminology | Description |
|---|---|
| Breach | The loss of control or unauthorized access to personally identifiable information. (NIST SP 800-53 Rev. 5) |
| Event | Any observable occurrence in a network or system. (NIST SP 800-61 Rev. 2) |
| Exploit | A specific attack that targets a system vulnerability. |
| Incident | An unplanned event impacting the confidentiality, integrity, or availability of information, requiring a response. |
| Intrusion | An event where an intruder gains or attempts to gain unauthorized system access. (IETF RFC 4949 Ver. 2) |
| Threat | A circumstance or event with the potential to harm organizational operations, assets, or individuals through unauthorized access or data destruction. (NIST SP 800-30 Rev. 1) |
| Vulnerability | A weakness in a system or security process that could be exploited by a threat source. (NIST SP 800-30 Rev. 1) |
| Attacks | Deliberate actions or activities carried out by threat actors with the intent to exploit vulnerabilities. |
| Zero Day | An unknown system vulnerability that could be exploited without typical detection or prevention. |
| Impact | The expected harm from unauthorized data disclosure, modification, or loss. |
Indicators of Compromise (IOCs) are evidence or clues that suggest a computer system or network has been breached or compromised by malicious actors. These indicators can take various forms and are used by cybersecurity professionals to detect, investigate, and respond to security incidents.
- Malware Signatures
- Anomalous Network Traffic
- Unauthorized Access Attempts
- Unusual File or System Modifications
- Abnormal User Behavior
- Phishing or Social Engineering Indicators
- Security Alerts or Warnings
- Unusual System Performance
- Suspicious File Attachments or Downloads
- IoT Device Anomalies
To learn more, see Indicators of Compromise.
The objectives of Incident Response:
- Organizations must prepare for incidents despite preventive measures.
- Incident response prioritizes safety and aims to minimize impact.
- Crisis management is sometimes used interchangeably with incident management.
- Events disrupting the business mission are termed incidents.
- An incident response plan ensures business viability.
- The incident response process aims to minimize impact and resume operations swiftly.
- It's a subset of the broader business continuity management (BCM).
The incident response policy aligns with the plan, outlining procedures and standards. Shaped by the organization's vision, the process defines technical processes and tools used in incident response.
The phases of incident response:
Preparation involves strengthening systems and networks to resist attacks.
- All about getting ready for future incidents.
- Develop a management-approved policy and communication plan,
- Identify roles and responsibilities.
- Identify critical data, systems, and single points of failure.
- Implement an incident response team.
- Train and test your personnel with simulated incidents.
The detection phase identifies the security incidents.
- Monitor all potential attack vectors.
- Analyze incidents using known data and threat intelligence.
- Categorize, assess, and prioritize incident response efforts.
- Standardize incident documentation.
Analysis involves a thorough examination and evaluation of the incident.
- Involves meticulous data collection and handling.
- Understand the scope and impact of an incident.
- In addition, provide insight and potential consequences.
- Ensure the admissibility of evidence in court.
- Notify the relevant stakeholders.
Digital forensics
Digital forensics plays a critical role in the analysis phase of incident response, where investigators examine collected evidence to determine what happened during a security incident and how to respond.
To learn more, please see Digital forensics.
After informing the relevant stakeholders, containment begins, and initial response actions are taken.
- Limits the scope and magnitude of incident.
- Taking immediate actions to isolate and contain the incident.
- Gather evidence.
- Choose an appropriate containment strategy.
- Disconnecting infected clients from the network, etc.
Eradication begins once the incident is contained. It is focused on removing the malicious activity from a system.
- After isolating the infected resource, remove the malware.
- Reinstall a known good image to the client.
Recover is focused on restoring affected systems to their normal state after the incident.
- Identify evidence that may need to be retained.
- Restore the resource from a known good backup.
- Install security patches.
- Implement configuration updates.
- Business resumes regular activities with increased resilience.
Recovery is all about ensuring that any exploited vulnerabilities before the incident have been fully and appropriately remediated.
This is the last phase and only happens after containment, eradication, and a full system recovery.
-
Root Cause Analysis (RCA)
- Main purpose is not to assign blame.
- Instead, figure out what caused the incident.
- Process: a. Define/scope the incident. b. Determine causal relationship that led to the incident. c. Identify an effective solution. d. Implement and track solutions
-
Lessons Learned
- Document experiences during the incident.
- Identifying areas for improvement.
- What went right, what went wrong, and what can we do better.
-
After-action Report
- Collect formalized information about what occured.
- Report contains RCA and recommendations for improvement.
- Outsourcing incident response capabilities to external experts.
- Leverages third-party services or partnerships for specialized support.
- Allows organizations to benefit from external expertise and resources.
- Establishes an in-house incident response team.
- Team members are dedicated solely to handling and mitigating incidents.
- Enables a rapid and focused response to security events.
- Combines internal and external resources for incident response.
- Utilizes both in-house teams and external support as needed.
- Offers flexibility and scalability in managing incidents effectively.
Establishing a Security Operations Center (SOC) necessitates the creation of an efficient incident response team.
The roles:
-
First Responder Role
- IT professionals often serve as the first responders.
- They distinguish security incidents from routine IT problems.
-
Training Requirement
- Specific trainingis essential to identify and report security incidents.
-
Team Composition
-
An incident response team is typically comprised by cross-functional members representing various areas impacted by security incidents.
- Leader/Management
- Subject Matter Experts
- IT Support Staff
- Legal Counsel
- Public Relations
- Human Resource
-
-
Training Requirement
- Team members should undergo training on the orrganization's incident response plan.
-
Investigation and Assessment
- Assist in investigating the incident.
- Assess the extent of the damage.
-
Evidence Collection and Reporting
- Collect evidence related to the incident.
- Report the incident to relevant stakeholders.
-
Recovery Procedures:
- Initiate and participate in recovery procedures.
-
Remediation and Analysis
- Participate in remediation efforts.
- Contribute to the lessons learned stage.
- Assist with root cause analysis.
Dedicated Incident Response Teams (CIRTs/CSIRTs):
- Primary Responsibilities:
- Determine the extent and scope of damage.
- Assess the compromise of confidential information.
- Implement recovery procedures.
- Supervise additional security measures for prevention.
Incident response drills and exercises are conducted to simulate real-world scenarios and test the organization's incident response capabilities.
- Vulnerabilities and weaknesses in the security posture can be identified and addressed.
- The organization can then improve its overall resilience against potential cyber threats.
Training ensures staff grasp processes and priorities for incident response.
- Integrate past lessons-learned into training.
- Tailored training for diverse employee needs.
- As an example, a first responder and a manager may have different training requirements.
Varying Training per roles
-
First responders
- Procedures
- Machine re-image
- Removing malware
- Change configuration settings
-
Managers
- Risk vs. Rewards
- Decision-making and Communication
- Law enforcement and media
-
End Users
- Report suspected incident occuring
- Remedial Training
This is the practical exercise of incident response procedures.
- Training teaches what to do, testing make sure you know how to do it.
- Simulating an incident, can cost time and money
To learn more, please see Security Awareness.
SOAR stands for Security Orchestration, Automation, and Response. It refers to a set of practices, processes, and technologies used by cybersecurity teams to streamline and enhance their incident response capabilities.
- Typically integrate with a variety of security tools and technologies, such as SIEM
- Provide centralized dashboards and workflows for managing security incidents
- Built-in capabilities for automation and orchestration
Here's a breakdown of each component:
-
Security Orchestration
- Coordinating and managing security processes and tools.
- Defining workflows and assigning tasks across teams.
-
Automation
- Using technology to automate repetitive tasks.
- Improving response times and reducing human error.
- Use playbooks to automate:
- Firewall rules, content filters
- Application Allow/Deny Lists
- Revoke certificates
-
Response
- Taking actions to investigate, contain, and mitigate security incidents.
- Blocking malicious activities and implementing remediation measures.