ONLINE INCIDENT RESPONSE COMMUNITY
PRESENTED BY INCIDENTRESPONSE.COM
To learn more about playbooks and incident response, visit IncidentResponse.com
What is an incident response playbook? According to NIST Special Publication 800-61, an incident response process contains four main phases: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity. Descriptions for each are included below:
Unauthorized Access
You’ve selected the “Unauthorized Access” playbook. On the pages that follow, you will find your incident response playbook details broken down by the NIST incident handling categories.
PREPARE - UNAUTHORIZED ACCESS
Determine & Define Roles:
• Core Ops Team
• Vulnerability Manager
• Threat Manager
• Risk Manager
• Physical Security
• User Manager
• Key Stakeholders
Review & Maintain Timeline
Interviews
DETECT - UNAUTHORIZED ACCESS
Standard Threat Indicators:
• Access to systems outside of normal business hours
• Multiple login failures to a computer system
• Increased logins to a computer system
• Unexplained browsing to unauthorized web sites
• User is unable to log into account
• Unauthorized creation of new user accounts
• Alerting from Firewall and Intrusion Detection systems
• Notification from outside organizations (ISP, business partners, 3rd Party)
Define Custom Indicators -> Custom Indicators
Actions:
• Request Packet Capture
• Conduct Scans
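The standard threat indicators above are the kind of rule a detection engineer would turn into log-based alerting. The following is an added example (not part of the playbook or IncidentResponse.com's material) that runs three of them, multiple login failures, logins outside business hours, and unauthorized account creation, over a constructed authentication log; the log format, event names, business-hours window, failure threshold and approved-creator allow-list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not from the playbook): "date time user host event"
SAMPLE_LOG = """\
2024-03-04 09:12:01 alice srv-files login_success
2024-03-04 09:13:10 bob srv-files login_failure
2024-03-04 09:13:25 bob srv-files login_failure
2024-03-04 09:13:41 bob srv-files login_failure
2024-03-04 09:14:02 bob srv-files login_failure
2024-03-04 09:14:20 bob srv-files login_failure
2024-03-04 23:47:55 carol srv-hr login_success
2024-03-04 23:50:03 carol srv-hr account_created:svc_backup
2024-03-05 10:02:17 dave srv-files login_success
"""

BUSINESS_HOURS = range(8, 18)             # assumption: 08:00-17:59 is normal hours
FAILURE_THRESHOLD = 5                     # assumption: 5 failures count as "multiple"
APPROVED_ACCOUNT_CREATORS = {"it-admin"}  # constructed allow-list of provisioning accounts

def parse_line(line):
    """Split one constructed log line into its fields."""
    date, time, user, host, event = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(f"{date} {time}"),
            "user": user, "host": host, "event": event}

def detect_indicators(log_text):
    """Return (indicator, user, host) tuples in the order they are observed."""
    findings = []
    failures = defaultdict(int)  # (user, host) -> failed-login count
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        key = (rec["user"], rec["host"])
        if rec["event"] == "login_failure":
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:  # fire once per (user, host)
                findings.append(("multiple_login_failures", *key))
        elif rec["event"] == "login_success" and rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("login_outside_business_hours", *key))
        elif rec["event"].startswith("account_created:") and rec["user"] not in APPROVED_ACCOUNT_CREATORS:
            findings.append(("unauthorized_account_creation", *key))
    return findings

if __name__ == "__main__":
    for finding in detect_indicators(SAMPLE_LOG):
        print(*finding)
```

In a real deployment the threshold and hours would be tuned per system, and each finding would be written to the incident database referenced later in this playbook rather than printed.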
ANALYZE - UNAUTHORIZED ACCESS
Standard Factors:
• This act is being launched by known entities
• Ability to control/record/measure/track any significant amounts of inventory/products/cash/revenue has been lost
• Identify vulnerable systems with critical information that may be targeted and prioritize by level of severity
• Identify business operations that will be affected
• Identify business implications
Define Risk Factors -> Custom Indicators / Custom Factors
Actions:
• Log Collection
• Data Capture
• Analysis
CONTAIN - UNAUTHORIZED ACCESS
• Identify types of network protocols being utilized
• Identify unauthorized tools utilized to gain access to systems or user accounts
• Identify lateral movement of compromised users throughout enterprise
Incident Database / Threat Database: View Report, View Record Details, Select Records, Copy Record Details
ERADICATE - UNAUTHORIZED ACCESS
Communications:
• Direct Phone Call
• Conference Call
• In-Person Meeting
• Intranet Meeting
• Mobile Messaging
• Internet Meeting
Actions:
• Eradicate Malware
• Add/Change/Remove Affected System/Site/Network
• Perform data forensics
• Deploy network collection sensors to capture traffic for further analysis
RECOVER - UNAUTHORIZED ACCESS
POST-INCIDENT - UNAUTHORIZED ACCESS
Response Workflow Updated
Effective Remediation
Organization and automation are key benefits that result in effective remediation. Automated playbooks help to organize security processes, mitigation plans and smooth communication between multiple departments. By optimizing data collection, analysis, and communications you improve the odds for effective eradication, recovery with integrity and forensic-quality reporting.

Risk Management Benefits
• Communicate effectively to ensure risk mitigation methods are applied
• Prioritize resources and activities where they matter most
• Report and tune based on response learning, reducing risk moving forward

Action Plan
Having a view into what is possible is the first step in taking action. The next step is to bring your team together to drive it toward reality. Email this guide to your peers and managers to begin sharing your playbook with them.

With this playbook, you will be better prepared to handle the response. To help with the management and automation of this incident response playbook, consider working with CyberSponse and their partners. Come take a look at what they do.

Useful Links:
• NIST Risk Management Framework Guide
• Sample Policies and Plans