INCIDENTRESPONSE.

COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
  

Automate Response Did you know?

Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook
guide. This guide has been created especially for you for use in within your security response team. We In 2014, incidents increased by
hope you find it valuable and ask that you share it with the rest of your organization so you can collectively 78% since 2013.1
be successful in managing incidents and reducing risk throughout the business.

1,023,108,627 records were

breached in 2014.1
Your playbook overview - “Unauthorized Access”
54% of the breaches consisted
of Identity Theft.1

Prepare Detect Analyze Contain Eradicate Recover Post-Incident

$3.5 million is the average
cost of a breach for a
company.2
Incident Response: A Top Priority in Security Management Programs
Companies experience an
In the April 2014, U.S. Government Accountability Office reported (GAO-14-354) it’s noted that “major average of 10 unauthorized
federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents (a access incidents per month.2
security breach of a computerized system and information).” The GAO projects that these agencies did not
Malicious insiders and
completely document actions taken in response to detected incidents. While the agencies identified the
criminal attacks are the top
scope of an incident, they frequently did not demonstrate that they had determined the impact of an
causes for breaches.2
incident, nor did they consistently demonstrate how they had handled other key activities, such as whether
preventive actions to prevent the reoccurrence of an incident were taken. The GAO notes, “without com-
plete policies, plans, and procedures, along with appropriate oversight of response activities, agencies
1. Source: Gemalto - Breach Level Index
face reduced assurance that they can effectively respond to cyber incidents.” 3 2. Source: Ponemon 2014 Cost of a Data Breach
3. Source: GAO-14-354, p.2

-1-

PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
  

What is an incident response playbook? According to NIST Special Publication 800-61, an incident response process contains four main phases: preparation,
detection and analysis, containment/eradication/reocvery, and post-incident activity. Descriptions for each are included below:

Prepare Detect & Analyze Contain, Eradicate Post-Incident Handling

The initial phase where organizations
will perform preparatory measures to
ensure that they can responsd
effectively to incidents if and when
they are uncovered.
The second phased where
organizations should strive to detect
and validate incidents
rapidly because infections can
spread through an organization
within a matter of minutes. Early
detection can help an organization
minimize the number of infected
systems, which will lessen the
magnitude of the recovery effort and
the amount of damage the
organization sustains as a result of
the incident.
& Recover
Because the handling of malware
The third phase, containment, has incidents can be extremely
two major components: stopping the expensive, it is particularly important
spread of the attack and preventing for organizations to conduct a robust
further damage to systems. It is assessment of lessons learned after
important for an organization to major malware incidents to prevent
decide which methods of similar incidents from occurring.
containment to employ early in the
response. Organizations should have
strategies and procedures in place
for making containment-related
decisions that reflect the level of risk
acceptable to the organization.

Unauthorized Access
You’ve selected the “Unauthorized Access” playbook. On the pages that follow, you will find your incident
response playbook details broken down by the NIST incident handling categories.

To view your playbook online, visit https://incidentresponse.com/playbooks/unauthorized-access

-2-

PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
P R E PA R E - U N A U T H O R I Z E D A C C E S S

Determine
Core Ops Team Vulnerability Threat Risk
Manager Manager Manager
& Define Roles

Review &
Maintain
Timeline

Physical Key
Interviews User Manager
Security Stakeholders

Document Internal Path External Path Document

Next
Step

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
DETECT - UNAUTHORIZED ACCESS

Access to systems
outside of normal Multiple login failures Increased logins to a
computer system Prev
business hours to a computer system
Step

Logins to multiple Access to a computer

system through Exfiltration of data off of
systems with same a computer system
abnormal ports or
user credentials protocols

Unexplained browsing
Define Custom Indicators Custom Indicators
User is unable to log
into account to unauthorized web Standard Threat Indicators
sites

Unexplained use of Unexplained escalation Two-factor or

Unexplained system
disabled or dormant of privileges of user
failures or restarts
multi-factor
user accounts accounts)

Unexplained Unexplained Categorize

Unexplained emails
modifications to system modifications or
from user accounts Incident
settings destruction of user files

Notification from
Unauthorized creation Alerting from Firewall outside organizations
and Intrusion Detection Request Packet Capture
of new user accounts (ISP, business partners,
systems 3rd Party)

Conduct Scans

Next
Step

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
A N A LY Z E - U N A U T H O R I Z E D A C C E S S

Prev
Step

Public or personnel Products/goods

Customers are affected
safety affected /services are affected by
by this incident
this attack

Ability to control/
record/measure/track
This act is being
any significant amounts
of inventory/products/
launched by known Standard Define Risk Custom Indicators Custom Factors
entities
cash/revenue has been Factors
lost

There is internal There is external Worst-case business

knowledge of this knowledge of this impact if unable to
incident incident mitigate this attack
Determine Patch
Methods

Identify vulnerable
systems with critical Identify business
information that may be Identify business
operations that will be Log Collection
targeted and prioritize implications
affected
by level of severity

Identify additional Identify what system/

business risk due to the accounts can be Evidence Collection
Identify additional restricted or taken off
severity of the technical risks
Unauthorized Access -line to protect critical
information

Data Capture

Analysis

Next
Step

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
C O N TA I N - U N A U T H O R I Z E D A C C E S S

Prev Identify the system(s) LDAP

Step that have been affected Servers
Servers Desktop Laptop Mobile VM RADIUS
Directory

Identify user credentials

compromised
or at risk

Identify the IT services

being impacted

Identify critical &

additional system(s)
that are at risk of being
compromised

Identify types of
network protocols being
utilized

Incident Threat
Identify unauthorized Database Database
tools utilized to gain
access to systems or
user accounts

Identify any source Vulnerability System

Select Database Query Database Generate Report
attribution collected Logs Logs

identify lateral
movement of
compromised users View Report View Record Details Select Records Copy Record Details
throughout enterprise

Identify the tools used Access Control

to detect the attack SIEM IDS Firewall Scanners Antivirus Systems

Next
Step

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
E R A D I C AT E - U N A U T H O R I Z E D A C C E S S

Prev
Step

Triage & Confirm Request

Test Code Contain malicious
System Patch
Incident Report Code Sample

Direct Conference
Phone Call Call

In-Person Intranet
Meeting Meeting
Communications

Mobile Internet
Messaging Meeting

Deploy network
Add/Change/
Eradicate Malware Remove Affected Perform data
forensics
collection sensors to
capture traffic for
System/Site/Network
further analysis

Next
Step

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
RECOVER - UNAUTHORIZED ACCESS

Prev
Step

IDS/IPS & Identify ways

Recover Systems Reimage
Firewall Updates to mitigate further
movement

Incident Wipe & Baseline

Scan host with Scan File Share Remove
Vulnerabilities &
Update access
control system
updated with updated
Remediation System
Signature Signature Update Routers policies

Next
Step

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
POST-INCIDENT - UNAUTHORIZED ACCESS

Prev
Step

Electronic Personal Sensitive Government

Incident Review Health Information
(ePHI) Compromised?
Information
Compromised?

Discovery Policy Updates Process Updates Configuration

Lessons Uncovered Meeting Defined Defined Updates Defined

Policies Process Changes Configurations

Lessons Applied Implemented Implemented Applied

Response Workflow
Updated

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
  

Proactive Response Security Management Benefits

An automated playbook helps security teams optimize for efficiency and productivity. Your security team has the
• Be prepared to handle any incident your
ability to analyze, detect and prioritize when all pertinent data and multiple security tools are integrated into one
team faces
system. With one-screen visibility you can identify anomalies, assign tasks, access reporting and communicate
• Control the situation, minimizing the
across multiple departments effectively for quick responses.
impact to the business
• Efficiently manage your response across
Quick Containment multiple departments
Time and speed are crucial in assessing the environment and risk in the context of your business. Playbooks give a
complete view of the necessary tasks to capture the data needed to support proper recovery and forensics. The
Useful Links:
efficiency a playbook brings to a security team allows for quick responses to finding the source of the attack,
NIST Incident Handling Guide
following lateral movement across the organization and taking the proper steps mitigate damage.
SANS Incident Handler’s Handbook

Effective Remediation
Organization and automation are key benefits that result in effective remediation. Automated playbooks help to Risk Management Benefits
organize security processes, mitigation plans and smooth communication between multiple departments. By • Communicate effectively to ensure risk
optimizing data collection, analysis, and communications you improve the odds for effective eradication, recovery mitigation methods are applied
with integrity and forensic-quality reporting. • Prioritize resources and activities where
they matter most
• Report and tune based on response
Action Plan learning, reducing risk moving forward

Having a view into what is possible is the first step in taking action. The next step is to bring your team together to
drive it toward reality. Email this guide to your peers and managers to begin sharing your playbook with them. Useful Links:
NIST Risk Management Framework Guide
With this playbook, you will be better prepared to handle the response. To help with the management and automation
Sample Policies and Plans
of this incident response playbook, consider working with CyberSponse and their partners. Come take a look at what
they do.

For additional incident response workflow examples, visit https://www.incidentresponse.com/playbooks

- 10 -

PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com