Common Incident Response Components

  • IRPs should be tailored to the organization
  • but all IRPs share common components

Incident Response Policies

Incident Response Policies are statements of the organization’s expectations and procedures for responding to security incidents.

  • describe which incident types must be reported
  • should provide detailed descriptions of the:
    • steps to be taken in the event of an incident
    • roles and responsibilities of those involved
    • communication protocols to be followed
  • should develop a timeline for:
    • reporting and responding to incidents
    • determining the cause of the incident
    • recovery process
    • steps to prevent similar incidents in the future

Incident Response Procedures

Incident Response Procedures describe organizations’ actions during incident response.

  • include
    • protocols for how different parts of the organization work together to mitigate incidents
    • procedures for how individuals should respond

Example Playbooks

A ransomware playbook describes the people, processes, and tools to be employed during such an event.

  • should include:
    • considerations for determining which systems were impacted
    • methods by which impacted systems can be immediately isolated
    • identification and engagement with the people needed in the response
  • should include disconnecting and isolating networks as quickly as possible
    • preferable to disconnect systems from the network rather than power them off, in order to:
      • maintain forensic integrity
      • potentially extract cryptographic keys from system memory, which can be used for remediation

A data exfiltration playbook is used in response to an adversary that has targeted, copied, and transferred sensitive data.

  • include the tasks needed in response to data exfiltration, such as:
    • notification requirements
    • system and network forensic analysis to determine exactly what was accessed

A social engineering playbook often involves responses to an identified phishing email.

  • As soon as a suspicious email is identified, official notice should be broadcast to:
    • advise of the attack
    • encourage others who may have responded to the email to step forward
  • the phishing email should be searched for within the entire email system to identify any other instances
  • any elements within the email should be analyzed within a sandbox to fully understand what the message is designed to do
    • Information extracted from sandbox analysis can be used to feed security infrastructure
      • e.g., blocking access to IP addresses and URLs, updating rules in IDS, AV, etc.
  • impacted individuals should have their passwords reset
    • and possibly their desktop systems replaced
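The sweep, sandbox-to-blocklist and password-reset steps above, as an added example that is not part of the original notes: it extracts indicators (sender, URL hosts, attachment hashes) from a reported phishing email, searches a mailbox corpus for other copies, lists the mailboxes that need a password reset, and emits block-list entries. The mailboxes and messages are constructed samples, and the `block-*` entry format is an assumption rather than any product's rule syntax.

```python
"""Phishing playbook helper: indicator extraction, mailbox sweep, blocklist.

Added example, not from the original notes. Sample messages are constructed;
the blocklist line format is an assumption, not a real product's syntax.
"""
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed reported message (multipart, with a base64 attachment).
REPORTED_EMAIL = """From: IT Support <it-support@examp1e.test>
Subject: Urgent: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset here: http://examp1e.test/reset?u=alice
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Constructed mailbox corpus: owner -> raw message text.
MAILBOXES = {
    "alice@example.test": REPORTED_EMAIL,
    "bob@example.test": """From: it-support@examp1e.test
Subject: Urgent: password expires today
Content-Type: text/plain

Reset here: http://examp1e.test/reset?u=bob
""",
    "carol@example.test": """From: hr@example.test
Subject: Holiday schedule
Content-Type: text/plain

The office closes at noon on Friday; see https://intranet.example.test/hr
""",
}


def extract_indicators(raw: str) -> dict:
    """Pull sender, URL hosts and SHA-256 of each attachment from one message."""
    msg = message_from_string(raw)
    ind = {"sender": parseaddr(msg.get("From", ""))[1].lower(),
           "subject": (msg.get("Subject") or "").strip(),
           "url_hosts": set(), "attachments": {}}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; the leaves carry the content
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename:
            ind["attachments"][filename] = hashlib.sha256(payload).hexdigest()
        else:
            text = payload.decode("utf-8", errors="replace")
            for url in URL_RE.findall(text):
                ind["url_hosts"].add(urlparse(url).netloc.lower())
    return ind


def sweep_mailboxes(ind: dict, mailboxes: dict) -> dict:
    """Return {mailbox: [matching indicator kinds]} for every other copy found.

    Matching on sender, URL host and attachment hash (not the full URL) catches
    per-recipient variants of the same campaign.
    """
    hits = {}
    for owner, raw in mailboxes.items():
        other = extract_indicators(raw)
        reasons = []
        if other["sender"] and other["sender"] == ind["sender"]:
            reasons.append("sender")
        if other["url_hosts"] & ind["url_hosts"]:
            reasons.append("url_host")
        if set(other["attachments"].values()) & set(ind["attachments"].values()):
            reasons.append("attachment_hash")
        if reasons:
            hits[owner] = reasons
    return hits


def blocklist_entries(ind: dict) -> list:
    """Turn the extracted indicators into block-list lines (assumed format)."""
    entries = [f"block-sender {ind['sender']}"]
    entries += [f"block-url-host {h}" for h in sorted(ind["url_hosts"])]
    entries += [f"block-sha256 {h}" for h in sorted(ind["attachments"].values())]
    return entries


def triage(reported_raw: str, mailboxes: dict) -> dict:
    """Run the playbook steps and return what each downstream team needs."""
    ind = extract_indicators(reported_raw)
    hits = sweep_mailboxes(ind, mailboxes)
    return {"indicators": ind, "hits": hits,
            "password_resets": sorted(hits),
            "blocklist": blocklist_entries(ind)}


if __name__ == "__main__":
    result = triage(REPORTED_EMAIL, MAILBOXES)
    print("reset passwords for:", result["password_resets"])
    print("\n".join(result["blocklist"]))
```

Everything the sweep uses comes from `extract_indicators`, so the same function can be pointed at a sandbox report's extracted URLs or hashes when those are richer than what the message itself shows.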

Incident Response Tools and Resources

  • IR requires
    • phone numbers to support teams
    • software to manage incident response process
    • specialized tools for analysis
  • Common tools:
    • SIEM
    • IDS
    • Vulnerability Scanners
    • Netflow Analyzers
      • Provide high-level visibility into the volumes of traffic and protocols in use in the environment
    • Infrastructure Monitoring
      • Tools used to monitor availability, latency, capacity, and other elements
      • Typically associated with engineering teams and used to ensure the health and uptime of infrastructure components
    • Proxies and Gateways
      • Firewalls, routers, and forward proxies (Internet traffic)
      • provide valuable insight into traffic leaving and entering the network
      • can be used to alert on specific traffic, or analyzed to locate historical events
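The netflow visibility described above, and the "what left the network" question from the data exfiltration playbook, as an added example that is not part of the original notes: it rolls constructed flow records up by protocol and port, sums outbound bytes per internal host, and flags hosts whose outbound volume is far above the median. The flow records, the 10.0.0.0/8 internal range and the 5x-median threshold are all assumptions.

```python
"""Netflow-style roll-up: traffic by protocol and outbound volume per host.

Added example, not from the original notes. Flow records are constructed;
the internal range and the outlier factor are assumptions to tune per site.
"""
import csv
import io
import ipaddress
import statistics
from collections import defaultdict

# Constructed flow export with NetFlow-like fields, in CSV for readability.
FLOWS_CSV = """src,dst,proto,dport,bytes
10.0.0.5,93.184.216.34,tcp,443,120000
10.0.0.6,93.184.216.34,tcp,443,98000
10.0.0.7,10.0.0.1,udp,53,4000
10.0.0.5,10.0.0.1,udp,53,3000
10.0.0.9,198.51.100.7,tcp,443,5200000
10.0.0.9,198.51.100.7,tcp,22,1800000
10.0.0.6,10.0.0.8,tcp,445,250000
10.0.0.8,10.0.0.6,tcp,445,240000
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption


def parse_flows(text: str) -> list:
    """Parse the CSV export into dicts with integer byte counts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def summarize_by_protocol(flows: list) -> dict:
    """Bytes per (protocol, destination port): the high-level traffic picture."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["proto"], f["dport"])] += f["bytes"]
    return dict(totals)


def outbound_bytes_per_host(flows: list) -> dict:
    """Bytes sent by each internal host to addresses outside INTERNAL."""
    totals = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def flag_outliers(per_host: dict, factor: float = 5.0) -> list:
    """Hosts whose outbound volume exceeds factor x the median across hosts.

    A single host far above its peers is the kind of signal that turns the
    exfiltration question into a short list of systems to examine.
    """
    if not per_host:
        return []
    median = statistics.median(per_host.values())
    return sorted(((h, b) for h, b in per_host.items() if b > factor * median),
                  key=lambda hb: hb[1], reverse=True)


if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    for key, total in sorted(summarize_by_protocol(flows).items()):
        print(f"{key[0]}/{key[1]}: {total} bytes")
    print("outliers:", flag_outliers(outbound_bytes_per_host(flows)))
```

The protocol summary is the day-to-day visibility the notes describe; the per-host outbound roll-up is the same data reused during an incident, with the threshold set against a baseline window rather than the incident window once real history is available.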

Identification of Potential Threats and Incidents

  • Threat modeling, risk analysis, and other threat identification activities can help organizations identify potential threats and incidents
  • Threat modeling tools can help organizations create threat models and analyze identified threats and incidents comprehensively

Assessment of Potential Impacts

  • use risk analysis and impact assessments to measure the scope and impact of identified incidents on the organization
  • Risk analysis tools include guided questionnaires and templates designed to help individuals collect information and produce detailed reports on their findings

Creation of Response Plans

  • create response plans to handle incidents based on the threats and incidents identified during risk assessment activities
  • response plans should
    • be concise and direct
    • have detailed steps and clear expectations
  • Flowcharts are a popular tool in the incident response arsenal

Testing Response Plans

  • test response procedures to ensure that personnel know how to respond to specific incidents and that the responses are effective
  • Test activities:
    • Tabletop exercise
      • organizations bring together the personnel who would respond to an incident, often in a simulated setting, to test the effectiveness of their communication and response plans
    • Mock incidents
      • Scenario-based simulations that organizations create to test how the incident response plan actually works in practice
      • can include simulations of different types of incidents that might occur
    • Full incident simulations
      • Mock incidents that include the full set of people and organizations involved in responding to an incident, to test the entire response process, including communication protocols and the effectiveness of the different response teams