Incident Management Processes

Video Transcription
So we understand the need for incident response. We understand the roles and responsibilities. Now we're gonna go ahead and get into incident management and the way the processes flow. Now, this next section is gonna come to us from CMU and SEI.
And from a document called Defining the Incident Management
This is referenced in the ISACA study guide for CISM, year 2015. It's also referenced in 2016 as well.
And the page number I have matches to the 2015 edition, but the bottom line with incident management, incident response is they're different frameworks. They're different approaches. So this is the first one we're gonna look at,
and so again, with incident management, all those elements that are necessary to properly respond to an incident and minimize the impact on the business.
So based on this strategy, we have five steps: prepare, protect, detect, triage and respond. All right, so if we look at these steps, when we look at preparation, and we know how very important preparation is, this is the coordination of the design that planning in the design phase.
So we start out with planning, just getting a feel for things. What are our requirements and what is the scope of our plan?
We've got to get funding from senior management and develop the implementation plan. Basically, what we're defining is:
What should the plan do? What should the plan be? How are we going to ensure that the plan is gonna work? Right, we're in the planning stage. Senior management has to have the final sign-off because they're ultimately responsible. And here where it says get funding and sponsorship,
again, that has to come from senior management.
All right, now, we're also going to document how we're gonna coordinate implementation of the plan.
So we're gonna have our policies and procedures in place.
We're also going to determine what's the criteria for labeling something an incident? At what point in time do we implement the incident response plan? Or at what point in time do we simply respond with risk mitigation strategies? Right, because an incident really is a step up from just a realized risk,
quite frequently.
Okay. We'll define the criticality. We mentioned a document called the BIA, the business impact assessment,
and the BIA's job is to define elements based on criticality so that we know, when we have to restore processes, we know the order in which to focus our efforts. Right.
What are our lessons learned gonna look at? And we accomplish that, that process of collecting lessons learned, in a post mortem,
making sure that that happens and then ultimately making sure that there's a process and procedure for change management.
Because in the event of an incident
after recovery, we need to make some changes so that we're not compromised again.
Now, from preparation, we go to protection.
Protection is where we're going to secure critical data. So ultimately, the protection piece is Let's be proactive. We're going to secure our information. We're gonna put mechanisms in place. And again, this goes hand in hand with risk management and ultimately, what we're going to do,
Um, we're gonna put deterrent strategies in place like,
well, get banners. We are going to train our employees.
We are going to review what we have in place and consider for improvement on a regular basis. All those things that are necessary, preemptively proactively to protect our environment,
to review and ensure that the mechanisms we put in place last year are still effective today
and, you know, vulnerability assessments, pen tests. We're gonna go back and look at postmortems from other incidents, and we're going to fix the problems that we found.
That is gonna lead into making sure that we're prepared to detect incidents. And like I said, we need clearly defined criteria of what is an incident.
Violation analysis is always an important step where we step back and say, is this really an incident, or was it an accident that isn't nearly as large a scale as we would think it is? Is it malicious? Is it not malicious? Um,
how do I even know if an incident is gonna happen or has happened? Well, we have tools like honeypots, intrusion detection, intrusion prevention systems. We look at network traffic, we look at our logs, and we look at our logs on a regular basis, as opposed to just waiting until an incident has happened.
Right? We want to be proactive with our logs, but we also, in the event of a compromise, want to have reactive mechanisms in place so that we can detect the intrusion. And then we move right into our next step, which is triage. We've detected an incident. Let's get our grip.
Let's get our bearing.
And with triage, we're looking to categorize, correlate, prioritize and assign.
Triage is about prioritization.
If you've ever been to a hospital in the ER, um, the nurse, there's a nurse that comes out, and it's not just first come, first serve. They want to treat the most critically injured patients. So that's triage. So with incident response, we're going to categorize events like,
Is this a denial of service? Is it a malicious user?
Is it some other disruption?
Then we're gonna try to correlate that with other relevant information.
Can we do we have logs that indicate
that perhaps this was a potential event that was coming? Do we have a previous incident response report? Whatever
in the larger picture, what other information supports us in evaluating the situation?
Then, like we said, prioritize. So we direct our efforts to the most critical aspects first,
and then
that gets assigned to individuals on the Incident Response Team. Could be the entire team, could be a specific branch, but the official assignment, and I'm always gonna call it the Incident Response Team. That's how you know I've been trained. That's the term that we've used. You'll see incident management team throughout as well,
and then the last piece. We gotta respond,
right? We got to take those steps to mitigate the incident.
So we have technical responses that we're gonna put in place. We may segment the impacted system,
put patches in place, run anti malware, those things that we do. From a technical perspective,
management has responses and obligations they're gonna bring in their intervention. They're gonna be responsible for how we notify stakeholders. Business and senior managers may be involved from important decision making aspects.
We're also gonna have our legal response because, like we said many times, an incident could compromise our ability to maintain legal compliance. So we're gonna have a legal response. It's gonna help with that. But then they're also gonna be able to advise us if we're gonna move into an investigation to perhaps collect evidence
to report to law enforcement
and then ultimately these stages come together to provide us with a comprehensive plan for mitigating response incidents.
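
The triage step described in the transcript (categorize, correlate, prioritize, assign), sketched as an added example that is not part of the video or the SEI document. The asset names, BIA criticality tiers, keyword rules, log lines and team names are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed BIA output: asset -> criticality tier (1 = restore first).
BIA_CRITICALITY = {"payments-db": 1, "mail-gw": 2, "intranet-wiki": 3}
# Constructed categorization rules: keyword in the summary -> category.
CATEGORY_RULES = [("syn flood", "denial_of_service"), ("privilege", "malicious_user")]
# Constructed assignment table: category -> responder group.
ASSIGNEES = {"denial_of_service": "network-team", "malicious_user": "full-irt"}
# Constructed earlier log entries and prior reports: (asset, text).
HISTORY = [("payments-db", "2 failed admin logins from 10.0.0.7"),
           ("payments-db", "prior incident report on app account"),
           ("mail-gw", "inbound SYN rate alert")]

@dataclass
class Incident:
    asset: str
    summary: str
    category: str = "other_disruption"      # fallback when no rule matches
    related: list = field(default_factory=list)
    priority: int = 99
    assignee: str = "irt-duty-officer"      # fallback owner

def triage(incidents, history):
    """Categorize, correlate, prioritize and assign; return the work queue."""
    worst = max(BIA_CRITICALITY.values()) + 1   # assets missing from the BIA sort last
    for inc in incidents:
        # Categorize: first matching keyword rule wins.
        for keyword, category in CATEGORY_RULES:
            if keyword in inc.summary.lower():
                inc.category = category
                break
        # Correlate: pull earlier logs and reports for the same asset.
        inc.related = [text for asset, text in history if asset == inc.asset]
        # Prioritize: criticality comes from the BIA, not from arrival order.
        inc.priority = BIA_CRITICALITY.get(inc.asset, worst)
        # Assign: route by category.
        inc.assignee = ASSIGNEES.get(inc.category, inc.assignee)
    # Most critical first; more supporting evidence breaks ties.
    return sorted(incidents, key=lambda i: (i.priority, -len(i.related)))

def sample_queue():
    # Constructed reports, listed in arrival order (least critical first).
    arrivals = [Incident("intranet-wiki", "Page defaced"),
                Incident("mail-gw", "SYN flood on port 25"),
                Incident("payments-db", "Unexpected privilege change for app account")]
    return triage(arrivals, HISTORY)
```

The queue comes back in BIA order rather than arrival order, which is the "not first come, first serve" point the hospital analogy makes.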