Understand Incident Response

Breach - The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for other than an authorized purpose.

Event - Any observable occurrence in a network or system.

Exploit - A particular attack. It is named this way because these attacks exploit system vulnerabilities.

Incident - An event that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits.

Intrusion - A security event, or combination of events, that constitutes a deliberate security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization

Threat - Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.

Vulnerability - Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.

Zero Day - A previously unknown system vulnerability with the potential of exploitation without risk of detection or prevention because it does not, in general, fit recognized patterns, signatures or methods.

The priority of any incident response is to protect life, health and safety.

The primary goal of incident management is to be prepared

The incident response process is aimed at reducing the impact of an incident

Preparation requires:

1. having a policy

2. having a a response plan

An event is any measurable occurrence but If the event has the potential to disrupt the business’s mission, then it is called an incident.

The organization’s vision, strategy and mission should shape the incident response process. 

Preparation

• Develop a policy approved by management.

• Identify critical data and systems, single points of failure.

• Train staff on incident response.

• Implement an incident response team.

• Practice Incident Identification. (First Response)

• Identify Roles and Responsibilities.

• Plan the coordination of communication between stakeholders.

  • Consider the possibility that a primary method of communication may not be available.

Detection and Analysis

• Monitor all possible attack vectors.

• Analyze incident using known data and threat intelligence.

• Prioritize incident response.

• Standardize incident documentation.

Containment

• Gather evidence.

• Choose an appropriate containment strategy.

• Identify the attacker.

• Isolate the attack.

Post-Incident Activity

• Identify evidence that may need to be retained.

• Document lessons learned.

Retrospective

• Preparation

• Detection and Analysis

• Containment, Eradication and Recovery

• Post-incident Activity

When an incident occurs, the CSIRT response team has four primary responsibilities:

• Determine the amount and scope of damage caused by the incident.

• Determine whether any confidential information was compromised during the incident.

• Implement any necessary recovery procedures to restore security and recover from incident-related damage.

• Supervise the implementation of any additional security measures necessary to improve security and prevent recurrence of the incident.