Professional Documents
Culture Documents
Response Capabilities
Events and incidents
• Online
• Phone
• Face to face
• Any other means
Countermeasures
Preparation
Goal:
The goal of the preparation phase is to get the team
ready to handle incidents. It covers:
§ Establishing an incident response team
§ Incident handler communications and facilities
§ Incident analysis software and hardware
Preparation cont…
• Establishing an incident response team
§ Team models
o Central incident response team
A single incident response team handles incidents throughout the
organization
o Distributed incident response team
The organization has multiple incident response teams, each
responsible for a particular logical or physical segment of the
organization
o Coordinating team
An incident response team provides advice to other teams without
having authority over them (e.g. Sri Lanka CERT|CC, and FinCSIRT,
formerly Bank CSIRT)
Preparation cont…
§ Team model selection
o The need for 24/7 availability
o Full-time vs part-time team members
o Employee morale
o Cost
o Staff expertise
Detection and Analysis
Goal:
The goal of this phase is to analyze the event and
decide whether it is an incident or not.
Detection and Analysis cont…
• Signs of an incident
§ Web server log entries that show the usage of a
vulnerability scanner
§ A threat from a group stating that the group will attack the
organization
§ Antivirus software alerts when it detects that a host is
infected with malware
§ A system administrator sees a filename with unusual
characters
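The first sign in the list above, vulnerability-scanner activity visible in web server logs, is the one a handler can turn into a repeatable check. The following is an added example and not part of the original slides or any product: it parses Apache/nginx combined-format lines, flags clients whose User-Agent names a known scanner, and, because that string is trivially changed, also flags the behaviour itself (many distinct paths in a short window, most of them answered 404). The log lines are constructed sample data; the scanner marker list and the thresholds are illustrative choices, not values the slides give.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6)"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that common scanners put in their User-Agent. Illustrative list, not exhaustive,
# and trivially changed by an attacker, so this is only the cheap first check.
SCANNER_UA_MARKERS = ("nikto", "sqlmap", "nessus", "nmap", "masscan", "zgrab", "acunetix", "owasp zap")


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def burst_stats(events, window_s):
    """Busiest sliding window of window_s seconds: (requests, distinct paths, share of 404s).
    events must be sorted by timestamp."""
    best = (0, 0, 0.0)
    for i, start in enumerate(events):
        win = [e for e in events[i:] if (e["ts"] - start["ts"]).total_seconds() <= window_s]
        n = len(win)
        if n > best[0]:
            paths = len({e["path"] for e in win})
            ratio = sum(1 for e in win if e["status"] == 404) / n
            best = (n, paths, ratio)
    return best


def detect_scanner_activity(lines, window_s=60, min_requests=10, min_distinct_paths=8, min_404_ratio=0.5):
    """Return {client_ip: [reasons]} for clients whose traffic looks like a vulnerability scan."""
    by_ip = defaultdict(list)
    for e in map(parse_line, lines):
        if e:
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        reasons = []
        markers = sorted({m for e in evs for m in SCANNER_UA_MARKERS if m in e["ua"].lower()})
        if markers:
            reasons.append("scanner User-Agent: " + ", ".join(markers))
        evs.sort(key=lambda e: e["ts"])
        n, paths, ratio = burst_stats(evs, window_s)
        if n >= min_requests and paths >= min_distinct_paths and ratio >= min_404_ratio:
            reasons.append(f"{n} requests to {paths} distinct paths within {window_s}s, {ratio:.0%} returned 404")
        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, second, path, status, ua):
    """Build one constructed combined-format line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 196 "-" "{ua}"')


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:118.0) Gecko/20100101 Firefox/118.0"
FORCED_PATHS = ["index.html", "login", "admin", "backup", "phpmyadmin", "wp-admin", ".git", ".env",
                "console", "manager", "api", "old", "test", "dev", "tmp"]
SAMPLE_LOG = (
    # 203.0.113.7: Nikto names itself in the User-Agent and probes 12 paths in 12 s, 11 of them 404.
    [_line("203.0.113.7", s, f"/cgi-bin/test{s}.cgi", 200 if s == 3 else 404, "Mozilla/5.00 (Nikto/2.1.6)")
     for s in range(12)]
    # 198.51.100.9: browser-like User-Agent, but forced browsing: 15 distinct paths in 15 s, 13 of them 404.
    + [_line("198.51.100.9", 20 + s, f"/{name}", 200 if s < 2 else 404, BROWSER_UA)
       for s, name in enumerate(FORCED_PATHS)]
    # 192.0.2.44: an ordinary visitor loading three pages.
    + [_line("192.0.2.44", 40 + s, p, 200, BROWSER_UA) for s, p in enumerate(["/", "/about", "/contact"])]
)

if __name__ == "__main__":
    for ip, reasons in detect_scanner_activity(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On the sample data the Nikto client is reported for both its User-Agent and its burst, the forced-browsing client only for its burst, and the ordinary visitor not at all. Thresholds must be tuned per site (a large site legitimately produces far more 404s than a small one), and a scanner hitting a web application firewall or a load balancer will appear in those logs, not the origin server's, which is one reason the recommendations later in this deck ask for a logging baseline on all systems.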
Containment
Goal:
The goal of the containment phase is to prevent the
attacker from getting any deeper into the impacted
system or spreading to other systems.
Eradication
Goal:
The goal of the eradication phase is to remove the
attacker’s artifacts from the affected systems.
It may include:
§ Restoring systems from clean backups
§ Rebuilding systems from scratch
§ Replacing infected files with clean versions
§ Installing patches
§ Changing passwords
§ Strengthening network perimeter security
Post-incident activity
• Lessons learned
Goal:
The goal of the lessons learned phase is to
document what happened and improve the
incident handling capabilities.
Post-incident activity cont…
• Lessons learned
§ One of the most important yet most often omitted parts of
incident response is learning and improving
§ This includes holding a “lessons learned” meeting with all
involved parties after an incident
§ This could be extremely helpful in improving security
measures and incident handling process
Post-incident activity cont…
• The meeting should be held within several days of the
end of the incident. Questions to be answered in the
meeting include:
§ Exactly what happened, and at what times?
§ How well did staff and management perform in dealing
with the incident? Were the documented procedures
followed? Were they adequate?
§ What information was needed sooner?
§ Were any steps or actions taken that might have inhibited
the recovery?
Post-incident activity cont…
§ What would the staff and management do differently the
next time a similar incident occurs?
§ How could information sharing with other organizations
have been improved?
§ What corrective actions can prevent similar incidents in the
future?
§ What precursors or indicators should be watched for in the
future to detect similar incidents?
§ What additional tools or resources are needed to detect,
analyze, and mitigate future incidents?
Recommendations
§ Acquire tools and resources that may be of value during
incident handling
§ Prevent incidents from occurring by ensuring that
networks, systems, and applications are sufficiently secure
§ Identify precursors and indicators through alerts generated
by several types of security software
§ Establish mechanisms for outside parties to report
incidents
§ Require a baseline level of logging and auditing on all
systems, and a higher baseline level on all critical systems
§ Profile networks and systems
§ Understand the normal behaviors of networks, systems,
and applications
Recommendations cont…
§ Create a log retention policy
§ Perform event correlation
§ Keep all host clocks synchronized
§ Maintain and use a knowledge base of information
§ Start recording all information as soon as the team
suspects that an incident has occurred
§ Safeguard incident data
§ Prioritize handling of the incidents based on the relevant
factors
§ Include provisions regarding incident reporting in the
organization’s incident response policy
§ Establish strategies and procedures for containing incidents
§ Follow established procedures for evidence gathering and
handling
Recommendations cont…
§ Capture volatile data from systems as evidence
§ Obtain system snapshots through full forensic disk images,
not file system backups
§ Hold lessons learned meetings after major incidents
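The evidence-handling recommendations above (follow established procedures for evidence gathering, safeguard incident data, take full forensic disk images rather than file system backups) all rest on being able to show later that what is analysed is exactly what was collected. The following is an added example, not code from the slides or any forensic product: it hashes each collected artifact in chunks (so a multi-gigabyte image never has to fit in memory), records collector, UTC collection time, size and SHA-256 in a manifest, and re-verifies the artifacts against that manifest so that any later change is detected. The "disk image" and "memory dump" are constructed stand-in files, and the collector name and case reference are placeholders; acquiring the image itself (a bit-for-bit copy of the device, which is what captures unallocated space and slack that a file backup skips) is outside this snippet.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images do not need to fit in memory


def sha256_file(path):
    """SHA-256 hex digest of a file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector, note=""):
    """Record who collected which artifacts, when (UTC), and their size and SHA-256 digest."""
    return {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        "note": note,
        "items": [{"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
                  for p in paths],
    }


def verify_manifest(manifest):
    """Return {path: bool}; True only when the file still exists with the recorded size and digest."""
    results = {}
    for item in manifest["items"]:
        p = item["path"]
        results[p] = (os.path.exists(p)
                      and os.path.getsize(p) == item["size"]
                      and sha256_file(p) == item["sha256"])
    return results


def demo():
    """Constructed scenario: manifest a stand-in disk image and memory dump, then detect tampering.
    Returns (all_ok_before, image_ok_after, memdump_ok_after)."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "web01-sda.dd")      # stand-in for a raw disk image
        memdump = os.path.join(d, "web01-mem.raw")   # stand-in for a memory capture
        with open(image, "wb") as f:
            f.write(os.urandom(4096) * 8)
        with open(memdump, "wb") as f:
            f.write(b"\x00" * 8192)

        # Placeholder collector and case reference; a real manifest would also carry the
        # acquisition tool and version, the source device, and the signature of the handler.
        manifest = build_manifest([image, memdump], collector="handler-1", note="IR-2023-0042")
        manifest_path = os.path.join(d, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2)

        # Verification must work from the stored manifest, not from values still in memory.
        with open(manifest_path) as f:
            stored = json.load(f)
        before = all(verify_manifest(stored).values())

        with open(image, "ab") as f:  # simulate tampering: a single byte appended to the image
            f.write(b"\x01")
        after = verify_manifest(stored)
        return before, after[image], after[memdump]


if __name__ == "__main__":
    print(demo())
```

The manifest itself is the weak point: it has to be stored somewhere the subject systems and their possible intruder cannot reach (write-once media, a separate evidence store), and the digest written on the evidence label should be copied from it by hand so that the paper record and the file can be checked against each other. Work from a verified copy of the image, never the original, and re-run the verification whenever custody changes hands.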
Thank You!