adam's notes

CompTIA Incident Response Lifecycle

CompTIA’s incident response lifecycle is the procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents.

  1. Preparation
  2. Detection
  3. Analysis
  4. Containment
  5. Eradication
  6. Recovery
  7. Lessons Learned

Preparation

The preparation phase consists of all the activities you can perform ahead of time to better handle an incident.

  • makes the system resilient to attack in the first place
  • involves:
    • hardening systems
    • creating policies and procedures that govern incident response and handling
    • creating a response team
    • conducting training and education for both incident handlers and those expected to report incidents
    • developing and maintaining documentation
    • creating confidential lines of communication
      • prevent the unintentional release of information beyond the team authorized to handle the incident
      • adversaries must not be alerted to containment and remediation measures
      • Status and event details should be circulated on a need-to-know basis identified on a call list
        • A document listing authorized contacts for notification and collaboration during a security incident
      • requires an out-of-band communication method
  • outcome of preparation is incident response plan (IRP)
    • lists the procedures, contacts, and resources available to responders for various incident categories

Cybersecurity Infrastructure

Cybersecurity infrastructure is hardware and software tools that facilitate incident detection, digital forensics, and case management:

  • Incident detection tools
    • provide visibility into the environment by automating the collection and analysis of network traffic, system state monitoring, and log data
  • Digital forensics tools
    • facilitate acquiring and validating data from system memory and file systems
    • can be performed to:
      • assist incident response
      • or prosecute a threat actor
  • Case management tools
    • provide a database for
      • logging incident details
      • and coordinating response activities across a team of responders
  • often implemented in a single product suite
    • security information and event management (SIEM)
    • & security orchestration automation and response (SOAR)
    • provision alerting and monitoring dashboards to fully manage the steps in incident response

Cyber Incident Response Team

  • can be called:
    • computer incident response team (CIRT)
    • computer security incident response team (CSIRT)
    • computer emergency response team (CERT)
  • may involve or be located wholly in a security operations center (SOC)
  • team must be led by a senior executive decision-maker
    • can authorize actions following the most serious incidents
  • Managers
    • ensure the day-to-day operation
    • coordinate response activity with other business departments
  • Analysts and technicians
    • prioritize cases
    • mitigate minor incidents on their own initiative
  • leverages cross-functional collaboration:
    • legal
    • human resources (HR)
    • Public relations
  • can outsource CIRT to third-party agencies
    • more effective at dealing with insider threat

Detection

Detection correlates event data to determine indicators of threat actor activity, or indicators of compromise (IoC).

  • will usually detect an issue with a security tool or service:
    • intrusion detection system (IDS)
    • antivirus (AV) software
    • firewall logs
    • proxy logs
    • alerts from security information and event monitoring (SIEM) tool
    • alerts from a managed security service provider (MSSP)
    • deviations from baseline system metrics
  • can be manually detected by:
    • threat hunting operations
    • reported by employees, customers, or law enforcement
    • public reporting of new vulnerabilities
  • alert CIRT when a suspicious event is detected

Analysis

During analysis indicators are assessed to determine validity, impact, and category.

  • decide whether an issue actually an incident
  • is often a combination of automation from a tool (SIEM) and human judgement
  • Often use thresholding that outlines:
    • whether a certain number of events in a given amount of time is normal
    • whether a certain sequence of events is normal

Impact

  • factors of impact:
    • data integrity
      • value of data that is at risk
    • downtime
      • degree to which an incident disrupts business processes
      • can either
        • degrade (reduce performance)
        • or interrupt (completely stop) availability
    • economic/publicity
    • scope
      • broadly the number of systems affected
    • detection time
    • recovery time

Category

  • have a shared understanding of terms, concepts, and descriptions
  • Effective incident analysis depends on threat intelligence
    • provides insight into adversary tactics, techniques, and procedures (TTPs)
    • used to develop specific tools and playbooks to deal with event scenarios
  • A key tool for threat research is the framework used to describe the stages of an attack

Playbook

playbook is a data-driven standard operating procedure (SOP) to assist analysts in detecting and responding to specific cyber threat incidents.

  • CIRT should develop profiles or scenarios of typical incidents
    • guides investigators in determining priorities and remediation plans
  • how it works
    • starts with a report from an alert dashboard
    • then leads the analyst through the analysis, containment, eradication, recovery, and lessons learned steps to take

Containment

Containment involves limiting the scope and magnitude of an incident to prevent further harm.

  • principle aim of IR:
    • secure data while limiting the immediate impact on customers and business partners
  • typically 2 phases:
    • short-term containment: immediate action to prevent further damage
    • long-term containment: more thorough measures to ensure that the threat has been completely eradicated
  • necessary to notify stakeholders and identify other reporting requirements
  • 2 containment techniques:
    • isolation-based containment
      • involves removing an affected component from the environment
      • removes any interface between the affected system and the production network or Internet
      • e.g.,
        • disabling user account or application service
        • removing a server from the network
        • disabling a router interface
    • segmentation-based containment
      • isolation of a host or group of hosts using network technologies and architecture
      • uses VLANs, routing/subnets, and firewall ACLs
      • As opposed to completely isolating the hosts,
        • might configure the protected segment as a sinkhole or honeynet and allow the attacker to continue to receive filtered output
        • to deceive them into thinking the attack is progressing successfully
      •  facilitates analysis of the threat actor’s TTPs
  • chosen isolation method can potentially violate established policies or SLAs
    • Selecting the right approach to containment depends upon balancing these requirements with the risks associated with inaction
    • carefully document and timestamp all actions to support post-incident investigations
  • Containment action depends on several factors:
    • Ensure the safety and security of all personnel
    • Prevent further damage
    • Identify whether the intrusion is a primary or a secondary attack
    • Avoid alerting the attacker that they have been discovered
    • Preserve forensic evidence of the intrusion

Eradication

Eradication applies mitigation techniques and controls to remove the intrusion tools and unauthorized configuration changes from systems.

  • restoring the system to a secure state by:
    • apply secure configuration settings
    • installing patches
  • steps:
    1. reconstitution of affected system
      • removing the malicious files or tools
      • restoring the systems from secure backups/images
    2. Re-audit security controls
      • ensure they are not vulnerable to another attack
    3. Notify affected parties and provide means to remediate systems

Recovery

Recovery reintegrates the system into the business process it supports with a secure baseline configuration.

  • involves:
    • restoring devices or data from backup media
    • rebuilding systems
    • reloading applications
    • monitoring systems for reoccurrence of attack
  • essential part of recovery is ensuring that the system cannot be compromised through the same attack vector
  • may need multiple iterations of identificationrecovery

Lessons Learned

Lessons learned analyzes the incident and responses to identify whether procedures or systems could be improved.

  • also called post-mortem (after death)
  • attempt to determine specifically what happened, why it happened, and what you can do to keep it from happening again
  • imperative to document the incident
  • update risk management and incident response plans
  • updates preparation phase
  • conduct a lessons learned report (LLR) or after action report (AAR)
    • invoke a root cause analysis
    • use Five Whys model
      • but can branch into different directions of inquiry
    • who, what, where, when, why, how
  • conduct testing
    • tabletop exercise
      • facilitator presents a scenario
      • team explain and discuss actions
      • does not use computer systems
    • walkthroughs
      • aka read-throughs
      • facilitator presents a scenario
      • team demonstrates response actions
      • use computers
    • simulations
      • team-based exercise with red team, blue team, and white team
      • simulate responding to a real life scenario

Graph View

Backlinks