Pertemuan 8

Incident Response & Forensik

The core duty of Cyber Security is to
identify, mitigate and manage cyber-risk to
an organization’s digital assets.
ATTRIBUTES OF RISK
HIGH LEVEL OF RISK MANAGEMENT PROCESS

Source: ISO 31000:2009

INPUTS FOR BUILDING RISK SCENARIOS

Source: COBIT 5 for Risk

 EVALUATING SECURITY CONTROLS

§ Once risk is identified and prioritized, existing controls should be

analyzed to determine their effectiveness in mitigating the risk.

§ This analysis will result in a final risk ranking based on risk that has
adequate controls, inadequate controls and no controls.

§ A very important criterion in control selection and evaluation is that

the cost of the control (including its operation) should not exceed
value of the asset it is protecting.
RISK RESPONSE

Source: COBIT 5 for Risk

RISK RESPONSE

Source: COBIT 5 for Risk

COUNTING A RISK
 EVENT V.S. INCIDENT

§ The National Institute of Standards and Technology (NIST) defines an

event as “any observable occurrence in a system or network.”

§ NIST defines an incident as “a violation or imminent threat of

violation of computer security policies, acceptable use policies, or
standard security practices.”
 WHY INCIDENT RESPONSE?

§ Ensure that incidents occur or not

§ Collecting accurate information
§ Taking and handling incident evidence
§ Keep activities within the legal framework (i.e., privacy)
§ Minimize disruption to business and network operations
§ Make accurate reports and recommendations
 TYPE OF INCIDENT

§ A cybersecurity incident is an adverse event that negatively impacts

the confidentiality, integrity and availability of data.
§ Cybersecurity incidents may be unintentional, such as someone
forgetting to activate an access list in a router, or intentional, such as
a targeted attack by a hacker.
§ There are many types of cybersecurity-related incidents, and new
types of incidents emerge frequently. US-CERT provides categories of
security incidents and reporting time frames used by federal agencies,
shown in exhibit 5.1
SECURITY INCIDENTS AND REPORTING TIME FRAMES

Source: Cyber Security Nexus Fundamental

INCIDENT RESPONSE LIFECYCLE

Source: NIST SP 800-61r2

 INCIDENT RESPONSE LIFECYCLE

1.Preparation to establish roles, responsibilities and plans for

how an incident will be handled
2.Detection and Analysis capabilities to identify incidents as
early as possible and effectively assess the nature of the
incident
3.Investigation capability if identifying an adversary is required
4.Mitigation and Recovery procedures to contain the incident,
reduce losses and return operations to normal
5.Post-Incident Analysis to determine corrective actions to
prevent similar incidents in the future
 INCIDENT RESPONSE LIFECYCLE – PREPARATION

§ Preparation—This phase prepares an organization to

develop an incident response plan prior to an incident.
Sufficient preparation facilitates smooth execution. Activities
in this phase include:
§ Establishing an approach to handle incidents
§ Establishing policy and warning banners in information systems to
deter intruders and allow information collection
§ Establishing a communication plan to stakeholders
§ Developing criteria on when to report an incident to authorities
§ Developing a process to activate the incident management team
§ Establishing a secure location to execute the incident response plan
§ Ensuring equipment needed is available
 INCIDENT RESPONSE LIFECYCLE – DETECTION & ANALYSIS

§ Identification—This phase aims to verify if an incident has

happened and find out more details about the incident.

§ Reports on possible incidents may come from information

systems, end users or other organizations. Not all reports are
valid incidents, as they may be false alarms or may not qualify as
an incident.

§ Activities in this phase include:

§ Assigning ownership of an incident or potential incident to an incident
handler
§ Verifying that reports or events qualify as an incident
§ Establishing chain of custody during identification when handling
potential evidence
§ Determining the severity of an incident and escalating it as necessary
 INCIDENT RESPONSE LIFECYCLE – CONTAINMENT

§ Containment—After an incident has been identified and confirmed,

the team will conduct a detailed assessment and contact the system
owner or business manager of the affected information systems/assets
to coordinate further action.

§ The action taken in this phase is to limit the exposure. Activities in this
phase include:
§ Activating the incident management/response team to contain the incident
§ Notifying appropriate stakeholders affected by the incident
§ Obtaining agreement on actions taken that may affect availability of a service or
risk of the containment process
§ Getting the IT representative and relevant virtual team members involved to
implement containment procedures
§ Obtaining and preserving evidence
§ Documenting and taking backups of actions from this phase onward
§ Controlling and managing communication to the public by the public relations
team
 INCIDENT RESPONSE LIFECYCLE – ERADICATION

§ Eradication—When containment measures have been

deployed, it is time to determine the root cause of the
incident and eradicate it.

§ Eradication can be done in a number of ways: restoring

backups to achieve a clean state of the system, removing the
root cause, improving defenses and performing vulnerability
analysis to find further potential damage from the same root
cause.
 INCIDENT RESPONSE LIFECYCLE – RECOVERY

§ Recovery—This phase ensures that affected systems or

services are restored to a condition specified in the service
delivery objectives (SDO) or business continuity plan (BCP).

§ The time constraint up to this phase is documented in the

RTO. Activities in this phase include:
§ Restoring operations to normal
§ Validating that actions taken on restored systems were successful
§ Getting involvement of system owners to test the system
§ Facilitating system owners to declare normal operation
 INCIDENT RESPONSE LIFECYCLE – POST-INCIDENT

§ Lessons learned—At the end of the incident response process, a

report should always be developed to share what occurred, what
measures were taken and the results after the plan was executed.

§ Part of the report should contain lessons learned that provide the
valuable learning points of what could have been done better.

§ These lessons should be developed into a plan to enhance the

incident management capability and the documentation of the
incident response plan. Activities in this phase include:
§ Writing the incident report
§ Analyzing issues encountered during incident response efforts
§ Proposing improvement based on issues encountered
§ Presenting the report to relevant stakeholders
 ALL WRAPPED UP!

• Preparation (Before Incident)

ü Establishing policy and warning banners
ü Identify which business are important
ü Backup Server
ü Security awareness to all parties in Organization
ü Rules fine tuning
ü Up to date
ü Using strong passphrase
ü P&P (Patch & Pray)
ü …
 ALL WRAPPED UP!

• Incident / Disaster Strikes

ü Isolation
ü Using 2nd server with the most recent version of backups
ü Monitor all activities
ü Block all incoming suspicious requests
ü …
 ALL WRAPPED UP!

• Post Incident
ü Lesson learned
ü Restoring operations to normal
ü Better wipe out all files, change with a new fresh apps
ü Ensuring that no vulnerabilities remain
ü Improving defences
ü Performing vulnerability analysis
ü Standardized
ü …
 COMPUTER FORENSIC

• Computer Forensic
o https://lms.onnocenter.or.id/wiki/index.php/Forensik