Triage and Incident Response Concepts


Triage Event

Triage is determining the scope of a security incident.

  • triage staff should have specialized training and experience in:
    • live system and digital forensics
    • memory and malware analysis
  • often performed
    • on endpoints
    • within executable and binary files
    • and using enterprise security infrastructure tools such as SIEM
  • focused on determining a timeline of what, where, how, and when events occurred

Playbook

A playbook is a checklist of actions to perform to detect and respond to a specific type of incident.

  • define the steps the IR team needs to take to respond to a security incident
    • e.g., the specific roles, processes, and procedures that security staff must follow
  • guide communication with stakeholders and the public
  • guide how to gather evidence and determine the incident’s root cause
  • keeping a physical (printed) copy ensures its availability during a wide-scale incident
  • should:
    • be tailored to an organization’s specific security needs
    • provide detailed guidance on responding to various security incidents
  • ensure they have the right level of detail and that all necessary stakeholders are involved
  • update playbooks as new threats and technologies emerge

Communication Plan

  • need a secure method of communication between IR team members
  • may require out-of-band channels that cannot be intercepted
  • messaging system should support:
    • end-to-end encryption
    • digital signatures
    • encryption keys supplied by a system independent of the IAM systems
  • have a set process for escalating communication
  • have a single point of contact to handle requests and questions from stakeholders outside the incident response team
    • including internal executives and external contacts
  • take steps to prevent the inadvertent release of information beyond the team authorized to handle the incident
    • status and event details should be circulated on a need-to-know basis and only to trusted parties identified on a call list
    • not all IR team members may need to know all details
  • imperative that adversaries not be alerted to detection and remediation measures
  • harmful to publicize an incident in the press or through social media outside of planned communications
    • ensure parties with privileged information do not release it to untrusted parties