Incident Response, Procedures, Forensics (Hands-on training)

An introduction to incident response procedures and forensics

Digital forensics and incident response play a vital role in business policy and law enforcement operations to remediate attacks and reduce risk.

Summary: Enterprises depend on incident response and digital forensics to ensure that their mission-critical technology is sufficiently secure. These processes often incorporate red and blue teaming to test an organization’s existing capabilities while also conducting forensic analysis of past incidents to ensure they do not happen again.

Any robust cybersecurity strategy is founded on the belief that it is only a matter of time before an incident occurs. No matter how well-protected an organization might be, the rapidly evolving nature of the cyberthreat landscape means that there will never be such a thing as a perfectly protected environment.

The performance of a security operations center (SOC) is not judged by the number of attacks against it or the severity of those attacks. Instead, SOC effectiveness is primarily judged by its abilities to identify, mitigate, and report on incidents in progress. Incident response and digital forensics are an essential part of that broader process.

Understanding the goals of incident response

When building an incident response program, security professionals need to align operations with legitimate business concerns, such as protecting customer data and intellectual property. This coordinated approach prevents a disjointed response and minimizes the harm caused by an incident when it is detected. Here are some of the main goals of such a program:

• Confirm whether or not an incident occurred
• Gather accurate information about the incident
• Establish controls for the handling of evidence
• Contain and report on incidents in progress
• Conduct forensic analysis to learn what happened
• Recover any operations and data affected
• Release a full report of the incident and recovery

Incident response procedures and forensics broadly follow six steps that align with the above goals. While there are countless variables at play and many possible methods for taking these steps, below is a relatively simple picture of what incident response professionals do in their day-to-day operations.

Step #1: Building the team and preparing policies

This initial planning stage incorporates creating a formal incident response policy based on the specific environment and the risks against it. Risks must be quantified and qualified to prioritize remediation and recovery and assign the right people to the right roles. SOCs include incident responders and security analysts, investigators, engineers, and architects. Many security operations also incorporate red-teaming, in which security professionals such as ethical hackers and penetration testers take an adversarial stance to test the organization’s defenses.

Step #2: Identifying potential security incidents

Every SOC depends on its ability to detect potential security incidents. Detection is one of the most important aspects since analysts cannot respond to incidents they do not know about. There are countless ways to detect incidents, all of which should align with the company’s policies. For example, an end-user may report some incidents manually, while others might be detected automatically by intrusion detection and prevention (IDS/IPS) systems.

Step #3: Containing incidents in progress

The first stage of any investigation is collecting enough information to determine an appropriate response. This stage requires qualifying and quantifying the threat level, which, in turn, will be based on the importance of the systems and the sensitivity of the data affected. For example, severe incidents may require immediate containment by isolating the affected systems from the rest of the network. However, the SOC team must verify that the incident actually happened and that it does indeed present a threat to avoid any unnecessary downtime.

Step #4: Remediating with forensic analysis

Once initial containment has been taken care of, the next step is taking corrective action. At this point, SOC teams will conduct a forensic analysis to identify what went wrong and which data and systems, if any, were compromised. For example, a DDoS attack might be remediated by reconfiguring network routers to minimize flooding, while an unauthorized access attempt may warrant the implementation of additional access controls. Detailed forensic analysis helps identify the most appropriate long-term corrective action to ensure the same incident does not happen again.

Step #5: Recovering operations and data

Effective incident responders will focus on recovering operations and data once they have resolved the incident. Putting affected systems back into operation prematurely can make the problem much worse. Avoiding premature deployment is especially important during advanced persistent threat (APT) attacks due to their sustained and sophisticated nature. In such situations, SOC teams often need to take certain operations offline until they can be sure it is safe to resume them. This will inevitably disrupt the business, hence the need for an optimal balance in such situations. The danger of disruption is precisely why there must be alignment between security and business.

Step #6: Reporting on the investigation

Finally, the SOC team must compile a comprehensive report once an incident has been identified, contained, remediated, and recovered. Reporting is also one of the key responsibilities of penetration testers and ethical hackers, who create detailed reports for communicating their findings with stakeholders and end-users. Reports must accurately describe the details of the incident and which systems or data were affected. In the case of real-world attacks, as opposed to those carried out by penetration testers, these reports also need to hold up to legal scrutiny and assist in further developing the organization’s security operations.

Cybrary for Teams is an all-in-one workforce development platform that helps organizations develop stronger cybersecurity skills, prepare for new certifications, and track team progress.