By: Adnan Khan
November 27, 2020
Incident Response Lifecycle
Incident Response is a process of responding to cyber-attacks and threats to IT infrastructure. It establishes a framework to minimize service downtime and accelerate the recovery process. This course focuses on collaboration and efficient communication between the stakeholders. It explains the technical preparation processes to detect, respond, and recover from a cyber incident.
Practicality for this course:
This fascinating course provides a good understanding of the Incident Response (IR) processes. It will enable enthusiastic Cyber Security professionals to progress through their careers. This course gives
This course appeals to (but is not limited to):
- Incident Responder
- Anyone who is not a security practitioner
- Cyber Security enthusiasts and beginners
- SOC Analyst Level 1
- Legal or HR professionals
2.1 Why Organizations should have an IR plan and questions executives can ask during an incident
When briefing senior leadership about a cybersecurity incident, be prepared to answer questions such as what the attacker stole, how they got in, and what could have prevented the breach.
2.2 The Typical Parts of an Enterprise IR Plan
This section discusses maturity roadmaps for the IR team as a strategic part of an IR plan. It also gives recommendations on defining a cyber "incident" and on differentiating the different activities within IR. Additionally, it highlights the key strategic and tactical components of an IR plan, common IR frameworks, and how to write an IR plan.
2.3 Stakeholders Governance and Executive Buy-in
The importance of executive-level sponsorship and strong policy & executive engagement for the IR team is discussed in this section.
2.4 Regulatory and Legal Considerations
This part explains that the Chief Executive, in consultation with Legal, should decide whether to contact law enforcement during a cyber incident. It covers the options when deciding whether to disconnect or to "watch and learn" during an incident, and the considerations to weigh before contacting law enforcement. Common regulatory and legal considerations for IR and the importance of chain of custody in investigations are also discussed here.
2.5 Building the IR Team and Options for Team Composition
- CIRT – on-premises or virtual; it may be a joint effort between the SOC and IR teams, staffed with in-house resources and contracts (for example, a Managed Security Service Provider).
- Typical skill sets and positions on an IR team: digital forensics, malware reverse engineering, threat intelligence, network forensics, threat hunting, and coding.
- RACI (Responsible, Accountable, Consulted, Informed) is introduced as a concept that works well for IR.
2.6 Working with MSSPs
This section covers the different operating models available to an IR team, including:
- Hybrid CIRT, driven by the increasing complexity of cyber incidents
- IR retainer with an outside company
- Cyber insurance, which is becoming popular
- Managed Security Service Providers (MSSP), which may be contracted for digital forensics; the IR manager should use RACI to define responsibilities in MSSP contracts
3.1 Enterprise Risk Management (ERM) and Business Decisions that Organizations Must Make
The executive leadership team and board of directors decide the appropriate level of risk for an organization. This section emphasizes:
- How the CIRT affects risk tolerance
- Spending less on defenses leaves the organization with more risk; lowering risk costs more
- IR aligns and interconnects with the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
- Recovery Time Objective (RTO) and Recovery Point Objectives (RPO)
3.2 We cannot protect what we do not know about
This part reviews identifying High-Value Assets (HVA) to better handle vulnerability management, risk assessments, and incident response activities. It also stresses the importance of adding intelligence into the decision making process.
3.3 Risk Assessments and Commercial Threat Intelligence
An organization’s risk appetite and how IT security fits into the overall risk picture is covered. This section also discusses the risk assessment process and how IR teams can leverage threat intelligence.
3.4 Supply Chain Risk Management (SCRM) Consideration
Discusses how to identify threats, risks, and vulnerabilities associated with the supply chain. Insertion of malware and counterfeit devices are two of the threats associated with SCRM.
3.5 Incidents Involving Insider Threats
Negligent insiders are the most prevalent insider threat. Section 3.5 gives installing unauthorized software and excessive uploads/downloads as examples of insider threat activity.
4.1 Before the incidents: Good Cyber Hygiene and Vulnerability Management
Threats, vulnerabilities, and exposures together make up cyber risk when considering vulnerability management.
Effective cyber defense requires an organization to maintain, and back up, the following:
- An up-to-date network diagram
- Ports and protocols documentation
- Baseline/gold images
- Configuration files
Risk-Based Approach to Vulnerability Management
- Risk is assessed from the combination of threat, vulnerability, and exposure
4.2 Resources to Protect an Organization
This portion mentions the NIST SP 800-53 controls, targeted at the U.S. Federal Government, and how they are used during security assessments and implementations.
4.3 Relationship between IT and Security
4.4 Service Level Agreements and Metrics to Monitor Protection Abilities
4.5 Zero Trust Network (ZTN), Edge Computing and Other Considerations
5.1 Prevention is Ideal, but Detection is a Must
5.2 SIEM, SOAR and Security Analytics
5.3 IR Taxonomy and Triage
5.4 Information Security Continuous Monitoring (ISCM)
5.5 Incident Response Metrics
- Detection metrics: mean time to detection, false positive rate, ratio of events to alerts, vulnerability scanning coverage, average time to triage, cost per alert, malware detection rate
- The difference between "above the line" and "below the line" metrics, and incident detection metrics. These metrics can be used to measure the health and effectiveness of an IR team.
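The detection metrics listed above are easy to name and easy to get subtly wrong (for example, measuring time to detection from the first alert rather than from the earliest attacker activity the investigation established). The script below is an added example, not part of the course material; it computes mean time to detection, false positive rate, events-to-alerts ratio and average time to triage over a constructed alert and incident export. The record layout (field names such as raised_at, triaged_at, compromised_at) is an assumption; a real SIEM export has its own schema.

```python
"""Incident-detection metrics over a constructed SIEM export (added example)."""
from datetime import datetime, timedelta

# Constructed sample: alerts the SIEM raised in one week.
# 'true_positive' False means the analyst closed the alert as a false positive;
# 'triaged_at' is when an analyst first picked the alert up.
ALERTS = [
    {"id": "A1", "raised_at": "2020-11-02T08:05:00", "triaged_at": "2020-11-02T08:20:00", "true_positive": True},
    {"id": "A2", "raised_at": "2020-11-02T09:00:00", "triaged_at": "2020-11-02T09:45:00", "true_positive": False},
    {"id": "A3", "raised_at": "2020-11-03T14:10:00", "triaged_at": "2020-11-03T14:25:00", "true_positive": True},
    {"id": "A4", "raised_at": "2020-11-04T22:00:00", "triaged_at": "2020-11-05T07:00:00", "true_positive": False},
]

# Constructed sample: confirmed incidents. 'compromised_at' is the earliest
# attacker activity the investigation established (not the first alert),
# 'detected_at' is when the alert that opened the incident fired.
INCIDENTS = [
    {"id": "I1", "compromised_at": "2020-10-30T03:00:00", "detected_at": "2020-11-02T08:05:00"},
    {"id": "I2", "compromised_at": "2020-11-03T13:00:00", "detected_at": "2020-11-03T14:10:00"},
]

# Constructed sample: raw events ingested by the SIEM in the same week.
EVENT_COUNT = 2_400_000


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def _mean_delta(seconds: list) -> timedelta:
    if not seconds:
        raise ValueError("no records to average")
    return timedelta(seconds=sum(seconds) / len(seconds))


def mean_time_to_detect(incidents: list) -> timedelta:
    """MTTD: compromise-to-detection, averaged over confirmed incidents."""
    return _mean_delta([(_ts(i["detected_at"]) - _ts(i["compromised_at"])).total_seconds()
                        for i in incidents])


def false_positive_rate(alerts: list) -> float:
    """Share of alerts closed as false positives."""
    if not alerts:
        raise ValueError("no alerts")
    return sum(1 for a in alerts if not a["true_positive"]) / len(alerts)


def events_to_alerts_ratio(event_count: int, alerts: list) -> float:
    """How many raw events the pipeline reduces to one alert."""
    if not alerts:
        raise ValueError("no alerts")
    return event_count / len(alerts)


def average_time_to_triage(alerts: list) -> timedelta:
    """Mean delay from alert raised to an analyst picking it up."""
    return _mean_delta([(_ts(a["triaged_at"]) - _ts(a["raised_at"])).total_seconds()
                        for a in alerts])


def detection_report(alerts: list, incidents: list, event_count: int) -> dict:
    """All metrics in one dict, the shape a weekly IR dashboard would consume."""
    return {
        "mean_time_to_detect": mean_time_to_detect(incidents),
        "false_positive_rate": false_positive_rate(alerts),
        "events_to_alerts_ratio": events_to_alerts_ratio(event_count, alerts),
        "average_time_to_triage": average_time_to_triage(alerts),
    }


if __name__ == "__main__":
    for name, value in detection_report(ALERTS, INCIDENTS, EVENT_COUNT).items():
        print(f"{name}: {value}")
```

Note that a single overnight alert (A4) drags the average time to triage from 15 minutes to over two and a half hours; when reporting to executives, pair the mean with the maximum or a percentile so that the out-of-hours gap is visible rather than averaged away.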
6.1 Responding to a Cyber Incident
- Exercise your plan: train by practicing regularly so that when an incident occurs the team can respond. Practice together as a team, making the scenario as realistic as possible.
- The OODA Loop – Observe, Orient, Decide, Act - is a great framework to use.
- Checklist for different team roles- IT team lead, Communications, Offsite response, CIRT manager, IT (sysadmins)
- Order of volatility: collect the most volatile data first (memory, then system information, network data, and processes and drivers)
- Determining Scope
- Response Steps to Consider
- Staffing considerations for each role
- Summary of the different IR frameworks available
- Who decides about notifications - Law enforcement, CIO, CISO, General Counsel, Off-duty CIRT members
- Declare an incident and make notifications (e.g., if an insider threat is involved, report it to the CISO rather than to the newspaper)
- Developing and Deploying IOCs
- IOC types: IP addresses, domain names, process names
- Sources of IOCs: threat intelligence, SIEM, compromised hosts, packet captures, the threat hunting team
- Alternate communications: if your network is compromised, do not rely on it; decide in advance on an out-of-band channel such as text messages
- Strategic Communications to Users (Homepage of intranet page, Service Desk greetings, Emails, Posting messages in Common areas)
- Questions Executives Ask During an Incident (“Now what? What are we required to disclose, How much it will cost, What did the attacker take?, How did they get in?”)
- Have a Plan to Deal with the Media (when was the attack discovered, who was responsible)
- Containment Strategy (the potential for additional damage or exfiltration of data, the need to preserve data)
- Decision matrix
- Network Isolation (it may be as simple as removing a single host from a network or as complex as disconnecting the entire enterprise from the internet)
- Maintaining evidence and chain of custody
- Notifying Law Enforcement (LE)
- Know who to call before there is an actual incident, and there may be legal or regulatory requirements for notifications
- Recovering from a Cyber Incident
- Attempt to Determine the Entry Point
- Restoring Systems
- Conducting the Debriefing/ Lesson learned
- After action report (AAR)- Opportunity for improvement
- Communication with the Board and Executives (be cautious about what is written down, anticipate questions, focus on the future, not the past, be careful with the number of technical details included)
- Plan of Action and Milestones (POA&M)
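Two of the steps above lend themselves to a concrete tool: deploying IOCs (IP addresses, domain names, process names) across logs from the SIEM and compromised hosts, and maintaining chain of custody over what the sweep collected. The script below is an added example, not course material or any vendor's tooling. The IOC values, the log line format and the evidence description are all constructed for illustration; the matching rules (exact IP, domain or any subdomain of it, process basename compared case-insensitively) are design choices explained in the comments.

```python
"""IOC sweep over constructed log lines plus a hashed chain-of-custody record (added example)."""
import hashlib
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed IOC set, as it might arrive from threat intel or be pulled from
# a compromised host. IPs are from the TEST-NET documentation ranges.
IOCS = {
    "ips": {"203.0.113.45", "198.51.100.7"},
    "domains": {"update-cdn.example", "files.example.net"},
    "processes": {"svchost32.exe", "winupd.exe"},
}

# Constructed sample log lines: firewall, DNS and endpoint process events.
LOG_LINES = [
    "2020-11-20T10:01:02Z fw src=10.0.4.12 dst=203.0.113.45 dport=443 action=allow",
    "2020-11-20T10:01:05Z dns client=10.0.4.12 query=login.update-cdn.example type=A",
    "2020-11-20T10:02:10Z edr host=WS-0412 user=jdoe process=C:\\Users\\jdoe\\AppData\\Roaming\\SvcHost32.EXE parent=explorer.exe",
    "2020-11-20T10:03:00Z fw src=10.0.4.19 dst=192.0.2.80 dport=443 action=allow",
    "2020-11-20T10:03:30Z dns client=10.0.4.19 query=example.net type=A",
]

# Loose shape of a hostname; used only to decide whether a token is worth
# comparing against the domain IOCs.
DOMAIN_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")


def sweep(lines: list, iocs: dict) -> list:
    """Return (line_no, ioc_type, matched_ioc) for every hit, in log order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for tok in line.split():
            val = tok.split("=", 1)[-1].strip(",;\"'")   # drop key= prefixes
            # IP: validate first so fragments like '10.0.4' never match
            try:
                ip = str(ipaddress.ip_address(val))
            except ValueError:
                ip = None
            if ip in iocs["ips"]:
                hits.append((n, "ip", ip))
                continue
            low = val.lower()
            # Domain: the IOC itself or any subdomain of it. A parent domain of
            # the IOC (example.net vs files.example.net) deliberately does not match.
            if DOMAIN_RE.fullmatch(low):
                for d in iocs["domains"]:
                    if low == d or low.endswith("." + d):
                        hits.append((n, "domain", d))
                        break
            # Process: compare the basename only, case-insensitively, so the
            # same binary dropped under a different path or casing still matches.
            base = re.split(r"[\\/]", low)[-1]
            if base in iocs["processes"]:
                hits.append((n, "process", base))
    return hits


def evidence_record(data: bytes, description: str, collector: str) -> dict:
    """Chain-of-custody entry: what was collected, by whom, when, and its hash."""
    return {
        "description": description,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def verify_evidence(data: bytes, record: dict) -> bool:
    """True only if the artefact still matches the hash recorded at collection."""
    return (hashlib.sha256(data).hexdigest() == record["sha256"]
            and len(data) == record["size"])


if __name__ == "__main__":
    hits = sweep(LOG_LINES, IOCS)
    for hit in hits:
        print("line %d: %s IOC %s" % hit)
    # Serialize the sweep output and record it so that a later reviewer can
    # prove the result set was not altered after collection.
    payload = json.dumps(hits, indent=1).encode()
    record = evidence_record(payload, "IOC sweep over constructed logs", "analyst-1")
    print(json.dumps(record, indent=1))
    print("verifies:", verify_evidence(payload, record))
```

The record holds the hash, size, collector and timestamp; in practice the record itself should be stored separately from the evidence (and signed or stored on write-once media) so that a tampered artefact and its manifest cannot be altered together.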
This course shines a light on the complete life cycle of an incident, from response to recovery, and discusses how to write a detailed Incident Response plan for an organization. The knowledge gained from this course could assist an organization and its employees in overcoming challenges after a security breach. The requirement for people, processes, and technology to detect, deter, respond, and recover from Cyberattacks has been discussed. The course also helps the viewer understand the significance of collaborative communication between internal and external stakeholders.