Incident Response Process

What is Information Security?

Jason Andress, in The Basics of Information Security (Second Edition), 2014

Incident response

In the event that our risk management efforts fail, incident response exists to react to such events. Incident response should be primarily oriented toward the items that we feel are likely to cause us pain as an organization, which we should now know based on our risk management efforts. Reaction to such incidents should be based, as much as is possible or practical, on documented incident response plans that are regularly reviewed, tested, and rehearsed by those who will be expected to enact them in the case of an actual incident. The actual occurrence of such an emergency is not the time to attempt to follow documentation that has been languishing on a shelf, is outdated, and refers to processes or systems that have changed heavily or no longer exist.

The incident response process, at a high level, consists of:

Preparation

Detection and analysis

Containment

Eradication

Recovery

Post incident activity

Preparation

The preparation phase of incident response consists of all of the activities that we can perform, in advance of the incident itself, in order to better enable us to handle it. This typically involves having the policies and procedures that govern incident response and handling in place, conducting training and education for both incident handlers and those who are expected to report incidents, conducting incident response exercises, developing and maintaining documentation, and numerous other such activities.

The importance of this phase of incident response should not be underestimated. Without adequate preparation, it is extremely unlikely that response to an incident will go well and/or in the direction that we expect it to go. The time to determine what needs to be done, who needs to do it, and how to do it is not when we are faced with a burning emergency.

Detection and analysis

The detection and analysis phase is where the action begins to happen in our incident response process. In this phase, we will detect the occurrence of an issue and decide whether or not it is actually an incident, so that we can respond to it appropriately.

The detection portion of this phase will often be the result of monitoring of, or alerting based on, the output of a security tool or service. This may be output from an Intrusion Detection System (IDS), Anti-Virus (AV) software, firewall logs, proxy logs, alerting from a Security Information and Event Management (SIEM) tool if the program is internal or from a Managed Security Service Provider (MSSP) if the program is external, or any of a number of similar sources.

The analysis portion of this phase is often a combination of automation from a tool or service, commonly a SIEM, and human judgment. While we can often use some sort of thresholding to say that X number of events in a given amount of time is normal, or that a certain combination of events is not normal (two failed logins followed by a success, followed by a password change, followed by the creation of a new account, for instance), we will frequently want human intervention at a certain point when discussing incident response. Such human intervention will often involve review of logs output by various security, network, and infrastructure devices, contact with the party that reported the incident, and general evaluation of the situation. This can be expensive if you are running a team of analysts 24×7, so automation of as many functions as possible is key.

When the incident handler evaluates the situation, they will make a determination regarding whether the issue constitutes an incident or not, an initial evaluation as to the criticality of the incident (if any), and contact any additional resources needed to proceed to the next phase.
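The two kinds of automated analysis described above, a rate threshold and a "this combination of events is not normal" sequence, are easy to get subtly wrong (the sequence has to be tracked per principal, bounded by a time window, and tolerate repeated steps such as several failed logins). The following is an added example written for this page, not code from Andress's book or from any SIEM product. The log format, field names, event names, thresholds and the sample lines themselves are constructed for the illustration; a real rule would be written against whatever fields the actual log source emits.

```python
"""Small correlation engine: a rate threshold and an ordered-sequence rule
applied to constructed authentication events. Added example, not from the book."""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input (not real logs). One event per line; format is assumed.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.5 user=alice event=login_failed
2024-05-01T10:00:04Z src=10.0.0.5 user=alice event=login_failed
2024-05-01T10:00:09Z src=10.0.0.5 user=alice event=login_success
2024-05-01T10:01:30Z src=10.0.0.5 user=alice event=password_change
2024-05-01T10:02:10Z src=10.0.0.5 user=alice event=account_create target=svc_backup
2024-05-01T11:00:00Z src=10.0.0.9 user=bob event=login_failed
2024-05-01T11:30:00Z src=10.0.0.9 user=bob event=login_success
2024-05-01T12:00:00Z src=198.51.100.7 user=root event=login_failed
2024-05-01T12:00:01Z src=198.51.100.7 user=root event=login_failed
2024-05-01T12:00:02Z src=198.51.100.7 user=root event=login_failed
2024-05-01T12:00:03Z src=198.51.100.7 user=root event=login_failed
2024-05-01T12:00:04Z src=198.51.100.7 user=root event=login_failed
2024-05-01T12:00:05Z src=198.51.100.7 user=root event=login_failed
"""


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    event: str


def parse(log: str) -> list[Event]:
    """Parse the constructed key=value format into time-ordered events."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts_text, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, kv["src"], kv["user"], kv["event"]))
    return sorted(events, key=lambda e: e.ts)


def threshold_alerts(events, event_name="login_failed", limit=5, window=timedelta(seconds=60)):
    """Rule 1: more than `limit` occurrences of `event_name` from one (src, user) within `window`.
    A sliding deque per key keeps only the timestamps still inside the window."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for e in events:
        if e.event != event_name:
            continue
        key = (e.src, e.user)
        q = recent[key]
        q.append(e.ts)
        while q and e.ts - q[0] > window:
            q.popleft()
        if len(q) > limit and key not in fired:  # alert once per key, not once per extra event
            fired.add(key)
            alerts.append({"rule": "threshold", "src": e.src, "user": e.user, "count": len(q), "at": e.ts})
    return alerts


SEQUENCE = ("login_failed", "login_success", "password_change", "account_create")


def sequence_alerts(events, pattern=SEQUENCE, window=timedelta(minutes=10)):
    """Rule 2: the steps of `pattern` seen in order for one (src, user), all within `window`
    of the first step. A repeat of the step just matched (e.g. a second failed login) is
    ignored rather than breaking the match; an out-of-window event resets the state."""
    alerts, progress = [], {}  # progress: key -> (index of next expected step, start time)
    for e in events:
        key = (e.src, e.user)
        idx, start = progress.get(key, (0, None))
        if start is not None and e.ts - start > window:
            idx, start = 0, None  # too slow: start over from this event
        if e.event == pattern[idx]:
            if idx == 0:
                start = e.ts
            idx += 1
            if idx == len(pattern):
                alerts.append({"rule": "sequence", "src": e.src, "user": e.user, "start": start, "end": e.ts})
                idx, start = 0, None
        progress[key] = (idx, start)
    return alerts


def analyze(log: str) -> list[dict]:
    """Run both rules over a log text; this is what an analyst would then triage by hand."""
    events = parse(log)
    return threshold_alerts(events) + sequence_alerts(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample input, alice's five events trip the sequence rule, the six rapid failures against root trip the threshold rule, and bob's single failure followed half an hour later by a success trips neither, which is the point of bounding the sequence by a window rather than matching it over the whole day.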

Containment, eradication, and recovery

The containment, eradication, and recovery phase is where the majority of the work takes place to actually solve the incident, at least in the short term.

Containment involves taking steps to ensure that the situation does not cause any more damage than it already has, or at least to lessen any ongoing harm. If the problem involves a malware-infected server actively being controlled by a remote attacker, this might mean disconnecting the server from the network, putting firewall rules in place to block the attacker, and updating signatures or rules on an Intrusion Prevention System (IPS) in order to halt the traffic from the malware.

During eradication, we will attempt to remove the effects of the issue from our environment. In the case of our malware-infected server, we have already isolated the system and cut it off from its command and control network. Now we will need to remove the malware from the server and ensure that it does not exist elsewhere in our environment. This might involve additional scanning of other hosts in the environment to ensure that the malware is not present, and examination of logs on the server and of activity from the attacking devices on the network in order to determine what other systems the infected server had been in communication with. With malware, particularly very new malware or variants, it can be a tricky task to ensure that we have properly completed this. The adversary is constantly developing countermeasures to the most current security tools and methodologies. Whenever doubt exists as to whether malware or attackers have been truly evicted from our environment, we should err on the side of caution while balancing the impact to operations. Each outcome requires a risk assessment.
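Working out "what other systems the infected server had been in communication with" is where eradication most often goes wrong: the obvious move is to grep the flow logs for the server's address, but that misses hosts reached second-hand and includes contacts that predate the compromise. The following added example (written for this page, not code from the book) scopes the eradication from connection records by walking them forward in time from the known-infected server and its command-and-control address. Every host a suspect host connected to after becoming suspect is itself made suspect, so the walk is transitive, while connections before the compromise time are ignored. The flow-log format, the addresses, the ports, the internal address range and the compromise timestamp are all constructed assumptions for the illustration.

```python
"""Scoping an eradication from flow logs: time-ordered, transitive taint from a
known-infected host and its C2 address. Added example, not from the book."""
from __future__ import annotations
from datetime import datetime
import ipaddress

# Constructed flow records (not real data): timestamp source destination dport.
SAMPLE_FLOWS = """\
2024-05-01T09:30:00Z 10.0.1.20 10.0.1.50 445
2024-05-01T09:58:00Z 10.0.1.20 203.0.113.50 443
2024-05-01T10:00:00Z 10.0.1.20 203.0.113.50 443
2024-05-01T10:05:00Z 10.0.1.20 10.0.1.31 445
2024-05-01T10:06:00Z 10.0.1.31 203.0.113.50 443
2024-05-01T10:07:00Z 10.0.1.31 10.0.1.32 445
2024-05-01T10:10:00Z 10.0.1.40 10.0.1.20 3389
2024-05-01T10:20:00Z 10.0.2.7 203.0.113.50 443
2024-05-01T10:30:00Z 10.0.1.60 10.0.1.31 22
"""

PRIORITY = {"high": 3, "medium": 2, "low": 1}


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_flows(log: str):
    flows = []
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((parse_ts(ts), src, dst, int(dport)))
    return sorted(flows)  # forward-in-time processing depends on this ordering


def scope_eradication(log: str, c2_addrs, internal_net="10.0.0.0/8", known_infected=None):
    """Return {host: {"priority", "since", "reason"}} for every internal host to check.

    high   : talked to a C2 address, or is the host we already isolated
    medium : received a connection from a suspect host after it became suspect
    low    : connected *to* a suspect host afterwards (worth a look, but does not spread taint)
    """
    net = ipaddress.ip_network(internal_net)
    c2 = set(c2_addrs)
    triage: dict[str, dict] = {}
    suspect_since: dict[str, datetime] = {}  # hosts whose later outbound traffic spreads suspicion

    def internal(ip: str) -> bool:
        return ipaddress.ip_address(ip) in net

    def mark(host: str, priority: str, ts: datetime, reason: str) -> None:
        cur = triage.get(host)
        if cur is None or PRIORITY[priority] > PRIORITY[cur["priority"]]:
            triage[host] = {"priority": priority, "since": ts, "reason": reason}
        if priority != "low":  # only medium/high hosts propagate taint, from their earliest mark
            suspect_since[host] = min(suspect_since.get(host, ts), ts)

    for host, ts_text in (known_infected or {}).items():
        mark(host, "high", parse_ts(ts_text), "known infected (isolated)")

    for ts, src, dst, dport in parse_flows(log):
        # Evaluate all three rules against the state before this flow, then apply them.
        c2_hit = dst in c2 and internal(src)
        from_suspect = src in suspect_since and ts >= suspect_since[src] and internal(dst)
        to_suspect = dst in suspect_since and ts >= suspect_since[dst] and internal(src)
        if c2_hit:
            mark(src, "high", ts, f"contacted C2 {dst}:{dport}")
        if from_suspect:
            mark(dst, "medium", ts, f"received connection from suspect {src} on {dport}")
        if to_suspect:
            mark(src, "low", ts, f"connected to suspect {dst} on {dport}")
    return triage


def triage_order(triage: dict) -> list[str]:
    """Hosts to scan first: highest priority, then earliest time of suspicion."""
    return sorted(triage, key=lambda h: (-PRIORITY[triage[h]["priority"]], triage[h]["since"]))


def run_sample() -> dict:
    # Assumed facts from the containment step: the isolated server and its first beacon time.
    return scope_eradication(SAMPLE_FLOWS, {"203.0.113.50"},
                             known_infected={"10.0.1.20": "2024-05-01T09:58:00Z"})


if __name__ == "__main__":
    result = run_sample()
    for host in triage_order(result):
        print(host, result[host])
```

The sample is arranged to show the cases that matter: 10.0.1.31 is reached laterally and then beacons on its own, so it is escalated to high; 10.0.1.32 is only reachable through 10.0.1.31 and a plain grep for the isolated server would never list it; 10.0.1.50 was contacted before the first beacon and is correctly left out; and 10.0.2.7 never touched the isolated server at all but talks to the same C2, which is exactly the "ensure it does not exist elsewhere" check the paragraph calls for.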

Lastly, we need to recover to a better state than the one we were in prior to the incident, or perhaps prior to the issue starting if we did not detect the problem immediately. This would potentially involve restoring devices or data from backup media, rebuilding systems, reloading applications, or any of a number of similar activities. Additionally, we need to mitigate the attack vector that was used. Again, this can be a more painful task than it initially sounds, based on potentially incomplete or unclear knowledge of the circumstances surrounding the incident and what exactly did take place. We may find that we are unable to verify that backup media is actually clean and free of infection, backup media may be bad entirely, application install bits may be missing, configuration files may not be available, and any of a number of similar issues.

Post incident activity

Post incident activity, as with preparation, is a phase we can easily overlook, but we should ensure that we do not. In the post incident activity phase, often referred to as a postmortem (Latin for after death), we attempt to determine specifically what happened, why it happened, and what we can do to keep it from happening again. This is not only a technical review, as policies or infrastructure may need to be changed. The purpose of this phase is not to point fingers or place blame (although this does sometimes happen), but to ultimately prevent or lessen the impact of future such incidents.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780128007440000014

Security component fundamentals for assessment

Leighton Johnson, in Security Controls Evaluation, Testing, and Assessment Handbook (Second Edition), 2020

Incident handling

"The incident response process has several phases. The initial phase involves establishing and training an incident response team, and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments. However, residual risk will inevitably persist after controls are implemented. Detection of security breaches is thus necessary to alert the organization whenever incidents occur. In keeping with the severity of the incident, the organization can mitigate the impact of the incident by containing it and ultimately recovering from it. During this phase, activity often cycles back to detection and analysis—for example, to see if additional hosts are infected by malware while eradicating a malware incident. After the incident is adequately handled, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to prevent future incidents." 13

Preparation

Incident response methodologies typically emphasize preparation—not only establishing an incident response capability so that the organization is ready to respond to incidents but also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure. Although the incident response team is not typically responsible for incident prevention, it is fundamental to the success of incident response programs.

As an assessor of incident response capabilities and incident handling activities, it is important to understand that the process itself is often cluttered and can appear haphazard while the response is active. One of the critical areas to focus on during the review is the documented and defined training for the responders, as well as the organizational policies and procedures for incident response. Each of these areas helps determine the success or failure of the response team, their interactions with the rest of the organization, and ultimately the minimization of the impact of the incident on the organization, its people, and its mission.

Detection and analysis

"For many organizations, the most challenging part of the incident response process is accurately detecting and assessing possible incidents—determining whether an incident has occurred and, if so, the type, extent, and magnitude of the problem. What makes this so challenging is a combination of three factors:

Incidents may be detected through many different means, with varying levels of detail and fidelity. Automated detection capabilities include network-based and host-based IDPSs, antivirus software, and log analyzers. Incidents may also be detected through manual means, such as problems reported by users. Some incidents have overt signs that can be easily detected, whereas others are almost impossible to detect.

The volume of potential signs of incidents is typically high—for example, it is not uncommon for an organization to receive thousands or even millions of intrusion detection sensor alerts per day.

Deep, specialized technical knowledge and extensive experience are necessary for proper and efficient analysis of incident-related data.

Signs of an incident fall into one of two categories: precursors and indicators. A precursor is a sign that an incident may occur in the future. An indicator is a sign that an incident may have occurred or may be occurring now.

Incident detection and analysis would be easy if every precursor or indicator were guaranteed to be accurate; unfortunately, this is not the case. For example, user-provided indicators such as a complaint of a server being unavailable are often incorrect. Intrusion detection systems may produce false positives—incorrect indicators. These examples demonstrate what makes incident detection and analysis so difficult: each indicator ideally should be evaluated to determine if it is legitimate. Making matters worse, the total number of indicators may be thousands or millions a day. Finding the real security incidents that occurred out of all the indicators can be a daunting task.

Even if an indicator is accurate, it does not necessarily mean that an incident has occurred. Some indicators, such as a server crash or modification of critical files, could happen for several reasons other than a security incident, including human error. Given the occurrence of indicators, however, it is reasonable to suspect that an incident might be occurring and to act appropriately. Determining whether a particular event is actually an incident is sometimes a matter of judgment. It may be necessary to collaborate with other technical and information security personnel to make a decision. In many instances, a situation should be handled the same way regardless of whether it is security related. For example, if an organization is losing Internet connectivity every 12 hours and no one knows the cause, the staff would want to resolve the problem just as quickly and would use the same resources to diagnose the problem, regardless of its cause." 14

Containment, eradication, and recovery

"Containment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making (e.g., shut down a system, disconnect it from a network, or disable certain functions). Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident. Organizations should define acceptable risks in dealing with incidents and develop strategies accordingly.

Containment strategies vary based on the type of incident. For example, the strategy for containing an email-borne malware infection is quite different from that of a network-based DDoS attack. Organizations should create separate containment strategies for each major incident type, with criteria documented clearly to facilitate decision-making." 15

"After an incident has been contained, eradication may be necessary to eliminate components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited. During eradication, it is important to identify all affected hosts within the organization so that they can be remediated. For some incidents, eradication is either not necessary or is performed during recovery.

In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents. Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security (e.g., firewall rulesets, boundary router access control lists). Higher levels of system logging or network monitoring are often part of the recovery process. Once a resource is successfully attacked, it is often attacked again, or other resources within the organization are attacked in a similar manner.

Eradication and recovery should be done in a phased approach so that remediation steps are prioritized. For large-scale incidents, recovery may take months; the intent of the early phases should be to increase the overall security with relatively quick (days to weeks) high-value changes to prevent future incidents. The later phases should focus on longer-term changes (e.g., infrastructure changes) and ongoing work to keep the enterprise as secure as possible." 16

Postincident activity

"One of the most important parts of incident response is also the most often omitted: learning and improving. Each incident response team should evolve to reflect new threats, improved technology, and lessons learned. Holding a "lessons learned" meeting with all involved parties after a major incident, and optionally periodically after lesser incidents as resources permit, can be extremely helpful in improving security measures and the incident handling process itself. Multiple incidents can be covered in a single lessons learned meeting. This meeting provides a chance to achieve closure with respect to an incident by reviewing what occurred, what was done to intervene, and how well intervention worked.

Small incidents need limited post-incident analysis, with the exception of incidents performed through new attack methods that are of widespread concern and interest. After serious attacks have occurred, it is usually worthwhile to hold post-mortem meetings that cross team and organizational boundaries to provide a mechanism for information sharing. The primary consideration in holding such meetings is ensuring that the right people are involved. Not only is it important to invite people who have been involved in the incident that is being analyzed, but also it is wise to consider who should be invited for the purpose of facilitating future cooperation." 17

As an incident response assessor and evaluator, you will be looking for the required training and exercise documentation for each responder on the team. The policies for incident response, handling, notification, and board review all need to be identified, reviewed, and assessed. The supporting procedures for handling and response efforts all need review and correlation to the policies, the security controls for IR from SP 800-53, and the actual Incident Response Plan for each system as it is reviewed and assessed.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780128184271000112

Response

Edward G. Amoroso, in Cyber Attacks, 2011

Pre- Versus Post-Attack Response

The most critical differentiating factor between incident response processes involves the two primary types of triggers that initiate response. The first type involves tangible, visible effects of a malicious attack or incident. These effects are usually noticed by end users in the form of slow application performance, clogged gateway performance, inability to get e-mail, slow or unavailable Internet access, and so on. Incident response in this case is usually urgent and is driven by the often vocal complaints of the user base. The second type of trigger involves early warning and indications information, usually embedded in some system or network management information. These triggers are usually not visible to end users but are prone to high levels of false positive responses, where the warning really does not connect to a malicious action.

Early warning triggers are generally not visible to end users and are prone to high levels of false positives.

Incident response processes can thus be categorized into two specific approaches, based on the degree to which these triggers are addressed:

Front-loaded prevention—This includes incident response processes that are designed specifically to collect indications and warning information for the purpose of early prevention of security attacks. The advantage is that some attacks might be thwarted by the early focus, but the disadvantage is that the high rate of false positive responses can raise the costs of incident response dramatically.

Back-loaded recovery—This includes incident response processes that are designed to collect data from various sources that can supply tangible, visible information about attacks that might be under way or completed. This approach reduces the false positive rates but is not effective in stopping attacks based on early warning information.

Hybrid incident response processes that attempt to do both front-end and back-end processing of available information are certainly possible, but the real decision point is whether to invest the time, resources, and money necessary for front-loaded prevention. These two types of processes can be illustrated on the time line of information that becomes available to the security team as an attack proceeds. For front-loaded prevention, the associated response costs and false positive rates are high, but the associated risk of missing data that could indicate an attack is lower; for a back-loaded response, these respective values are the opposite (see Figure 11.2).

Figure 11.2. Comparison of front-loaded and back-loaded response processes.

Combining front-loaded prevention with back-loaded recovery creates a comprehensive response picture; still, an emphasis on front-loaded prevention may be worth the increased cost.

Back-loaded incident response might be adequate for smaller, less-critical infrastructure components, but for the protection of essential national services from cyber attack the only reasonable option is to focus on front-end prevention of issues. By definition, national infrastructure supports essential services; hence, any process that is designed specifically to accept degradation of these services before responding misses their essential nature. The first implication is that costs associated with incident response for national infrastructure prevention will tend to be higher than for typical enterprise situations. The second implication is that the familiar false positive metric, found so often in enterprise settings as a cost-cutting measure, must be removed from the vocabulary of national infrastructure protection managers.

It is worth suffering through a higher number of false positives to ensure protection of essential national assets.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780123849175000111

Incident Response Basics

Jaron Bradley, in OS X Incident Response, 2016

Introduction

Scripting is a critical part of the incident response (IR) process. In this chapter we will touch on the different elements required to start an IR collection script as well as its analysis counterpart. When starting off there are a number of decisions that need to be made, such as picking which language to use, what tools need to be carried over to the victim system, and what tools need to be ready on our analysis system to start diving into collected artifacts. The collection process is critical to the investigation and, depending on the size of your environment, you may only get one convenient shot to collect that data. Therefore, you want to be as thorough as possible. To state the obvious, you can't analyze data that you didn't collect in the first place. The good news is that there is a massive number of tools already built into OS X. This book aims to use those tools to the best of their abilities so that fewer tools need to be carried over to the victim system.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780128044568000029

Domain 7: Security Operations (e.g., Foundational Concepts, Investigations, Incident Management, Disaster Recovery)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Detection

One of the most important steps in the incident response process is the detection phase. Detection (also called identification) is the phase in which events are analyzed in order to determine whether these events might comprise a security incident. Without strong detective capabilities built into the information systems, the organization has little hope of being able to effectively respond to information security incidents in a timely manner. Organizations should have a regimented and, preferably, automated way of pulling events from systems and bringing those events into the wider organizational context. Often when events on a particular system are analyzed independently and out of context, an actual incident might easily be overlooked. However, with the benefit of seeing those same system logs in the context of the larger organization, patterns indicative of an incident might be noticed. An important aspect of this phase of incident response is that during the detection phase it is determined whether an incident is actually occurring or has occurred. It is a rather common occurrence for potential incidents to be deemed strange, but innocuous, after further review.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780128024379000084

Domain 7

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP® (Third Edition), 2017

Methodology

Different books and organizations may use different terms and phases associated with the incident response process; this section will mirror the terms associated with the exam. Many incident-handling methodologies treat containment, eradication, and recovery as three distinct steps, as we will in this book. Other names for each step are sometimes used; the current exam lists a seven-step lifecycle but curiously omits the first step in most incident handling methodologies: preparation. Perhaps preparation is implied, like the identification portion of AAA systems. We will therefore cover eight steps, mapped to the current exam:

1. Preparation

2. Detection (identification)

3. Response (containment)

4. Mitigation (eradication)

5. Reporting

6. Recovery

7. Remediation

8. Lessons learned (postincident activity, postmortem, or reporting)

Preparation

The preparation phase includes steps taken before an incident occurs. These include training, writing incident response policies and procedures, and providing tools such as laptops with sniffing software, crossover cables, original OS media, removable drives, etc. Preparation should include anything that may be required to handle an incident or that will make incident response faster and more effective. One preparation step is preparing an incident handling checklist. Fig. 7.1 is an incident handling checklist from NIST Special Publication 800-61r2.

Fig. 7.1. Incident handling checklist. 1

Detection (identification)

One of the most important steps in the incident response process is the detection phase. Detection, also called identification, is the phase in which events are analyzed in order to determine whether these events might comprise a security incident. Without strong detective capabilities built into the information systems, the organization has little hope of being able to effectively respond to information security incidents in a timely manner.

Response (containment)

The response phase, or containment, of incident response is the point at which the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident. Responses might include taking a system off the network, isolating traffic, powering off the system, or other actions to control both the scope and severity of the incident. This phase is also typically where a binary (bit-by-bit) forensic backup is made of systems involved in the incident. An important trend to understand is that most organizations will now capture volatile data (running processes, network connections, memory contents) before pulling the power plug on a system, since that evidence is lost once power is removed.

Mitigation (eradication)

The mitigation phase, or eradication, involves the process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase. In order for an organization to recover from an incident, the cause of the incident must be determined. The cause must be known so that the systems in question can be returned to a known good state without significant risk of the compromise persisting or reoccurring. A common occurrence is for organizations to remove the most obvious piece of malware affecting a system and think that is sufficient, when in reality the obvious malware may only be a symptom and the cause may still be undiscovered.

Once the cause and symptoms are determined, the system needs to be restored to a good state and should not be vulnerable to further impact. This will typically involve either rebuilding the system from scratch or restoring from a known good backup.

Reporting

The reporting phase of incident handling occurs throughout the process, beginning with detection. Reporting must begin immediately upon detection of malicious activity. Reporting contains two primary areas of focus: technical and nontechnical reporting. The incident handling teams must report the technical details of the incident as they begin the incident handling process, while maintaining sufficient bandwidth to also notify management of serious incidents. A common error is forgoing the latter while focusing on the technical details of the incident itself, but this is a mistake. Nontechnical stakeholders including business and mission owners must be notified immediately of any serious incident and kept up to date as the incident-handling process progresses.

Recovery

The recovery phase involves cautiously restoring the system or systems to operational status. Typically, the business unit responsible for the system will dictate when the system will go back online. Remember to be cognizant of the possibility that the infection, attacker, or other threat agent might have persisted through the eradication phase. For this reason, close monitoring of the system after it returns to production is necessary. Further, to make the security monitoring of this system easier, strong preference is given to restoring operations during off-peak production hours.

Remediation

Remediation steps occur during the mitigation phase, where vulnerabilities within the impacted system or systems are mitigated. Remediation continues after that phase and becomes broader. For example, if the root-cause analysis determines that a password was stolen and reused, local mitigation steps could include changing the compromised password and placing the system back online. Broader remediation steps could include requiring dual-factor authentication for all systems accessing sensitive data. We will discuss root-cause analysis shortly.

Lessons learned

The goal of this phase is to provide a final report on the incident, which will be delivered to management. Important considerations for this phase should include detailing ways in which the compromise could have been identified sooner, how the response could have been quicker or more effective, which organizational shortcomings might have contributed to the incident, and what other elements might have room for improvement. Feedback from this phase feeds directly into continued preparation, where the lessons learned are applied to improving preparation for the handling of future incidents.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780128112489000073

Preparing the System Security Programme

Laura P. Taylor, in FISMA Compliance Handbook, 2013

Incident response procedures

Your Incident Response Plan should serve as an in-depth description of your incident response process. Don't recreate that plan in the System Security Plan. However, you should provide a brief summary of the Incident Response Plan and be sure to indicate that a detailed Incident Response Plan is available, stating the formal document name, date, and version number. The Incident Response Plan is a type of operational control, which is why you need to mention it in the System Security Plan.

In addition to noting the existence of the plan and where to find it, the SSP should indicate who is responsible for maintaining the plan, the frequency with which it must be reviewed and updated, whether key personnel with duties in implementing the plan are trained on the plan, and what type of incident response testing has been conducted.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780124058712000166

Cyber Forensics and Incidence Response

Cem Gurkok, in Computer and Information Security Handbook (Third Edition), 2017

10 Summary

In this chapter we have seen the importance of having a well-documented incident response plan and process, and of having an incident response team that is experienced in cyber forensics analysis. Besides having these important components, an organization needs to have strong policies and procedures that back them. Incident response is not only about countering the incident, but also about learning from it and improving on the weaknesses exposed. We should always keep in mind that preparedness is paramount, since it is a matter of when rather than if an incident will strike.

Looking into the near future, the amount of data that needs to be gathered and analyzed is increasing rapidly, and as a result we are seeing the emergence of big-data analytics tools that can process disparate data sources to deal with big cases. Tomorrow's incident response teams will need to be skilled in statistical analysis as well as forensics to be able to navigate this increasingly hostile and expanding internet. As you can see, incident response and cyber forensics need to be a step ahead of the potential causes of threats, risks, and exploits.

Finally, let's move on to the real interactive part of this chapter: review questions/exercises, hands-on projects, case projects, and an optional team case project. The answers and/or solutions by chapter can be found in Appendix K.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780128038437000417