Session Outline
⬡ Brief Re-cap
⬡ IR Importance
⬡ What Is Incident Response?
⬡ Types Of Security Incidents
⬡ Incident Response Plan
⬡ Incident Response – SANS & NIST
  Stage 1: Preparation
  Stage 2: Identification
  Stage 3: Containment
  Stage 4: Investigation
  Stage 5: Eradication
  Stage 6: Recovery
  Stage 7: Follow-Up
⬡ IR Plan Management
⬡ IRP Usually Includes…
University of Guyana
Jerome Allicock
Brief Re-cap
Incident Management & Response
Learning Objectives
⬡ Become aware of the need for an effective plan for incident management and response
What Is Incident Response?
⬡ Incident response (IR) is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident)
  The goal is to handle the situation in a way that limits damage and reduces recovery time and costs
⬡ IR activities are conducted by an organization's computer security incident response team (CSIRT)
  Group that has been previously selected to include information security and general IT staff as well as executive-level members and representatives from the legal, human resources and public relations departments
  The IR team follows the organization's incident response plan (IRP)
  A set of written instructions that outline the organization's response to network events, security incidents and confirmed breaches
⬡ Rather than being an IT-centric process, it is an overall business function that helps ensure an organization can make quick decisions with reliable information
IR Importance
⬡ Incidents left unchecked can escalate into a bigger problem that can ultimately lead to a damaging data breach, large expense or system collapse; as such, responding to an incident quickly will help an organization minimize losses, mitigate exploited vulnerabilities, restore services and processes, and reduce the risks that future incidents pose
⬡ Enables an organization to be prepared for both the known and the unknown and is a reliable method for identifying a security incident immediately when it occurs; it also allows an organization to establish a series of best practices to stop an intrusion before it causes damage
⬡ Crucial component of running a business, as most organizations rely on sensitive information that would be detrimental if compromised and would impact the success of the entire organization
⬡ Incidents can be expensive, as businesses could face regulatory fines, legal fees and data recovery costs
  They also affect future profits, as untreated incidents are correlated with lower brand reputation, customer loyalty and customer satisfaction
Incident Response – SANS & NIST
Stage 3: Containment
⬡ The key here is to limit the scope and magnitude of the incident
  Protecting and keeping available critical computing resources where possible
  Determining the operational status of the infected computer, system or network, with three options:
    Disconnect the system from the network and allow it to continue stand-alone operations
    Shut down everything immediately
    Continue to allow the system to run on the network and monitor the activities
Stage 4: Investigation
⬡ Determining what actually happened to your system, computer or network… What data was accessed? Who did it? What do the log reviews reveal?
⬡ Systematic review of:
  Bit-stream copies of the drives
  External storage
  Real-time memory
  Network device logs
  System logs
  Application logs
  And other supporting data
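The bit-stream copy in the systematic review only has evidentiary value if the image can be shown to match the source byte for byte. The following added example (not code from the slides) images a source file in fixed blocks, hashes the bytes as they are read, then re-reads the written image and compares hashes, producing the kind of record kept for chain of custody. The sample "drive" content, file names and the dict layout are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks, like a dd-style imager

# Constructed sample "drive" content (not from the slides); its hash is
# computed up front so the acquisition record can be checked against it.
SAMPLE_DATA = bytes(range(256)) * 10
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_DATA).hexdigest()

def bitstream_copy(source_path, image_path):
    """Copy every byte of source_path into image_path, hashing it in flight.
    Returns (bytes_copied, sha256 of the source as it was read)."""
    digest = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)      # hash the bytes exactly as read
            dst.write(block)          # never modify them
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())        # make sure the image really is on disk
    return copied, digest.hexdigest()

def sha256_file(path):
    """Independent hash of a file, used to re-verify the written image."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def acquire_and_verify(source_path, image_path):
    """Image the source, re-read the image from disk and compare hashes.
    The dict is the kind of record kept for chain of custody; 'verified'
    is False if the image on disk differs from what was read."""
    copied, source_hash = bitstream_copy(source_path, image_path)
    return {"source": source_path, "image": image_path, "bytes": copied,
            "sha256": source_hash,
            "verified": source_hash == sha256_file(image_path)}

def demo_acquisition():
    """Round-trip the constructed sample through a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = os.path.join(tmp, "evidence.bin")
        with open(drive, "wb") as fh:
            fh.write(SAMPLE_DATA)
        return acquire_and_verify(drive, os.path.join(tmp, "evidence.dd"))
```

Calling demo_acquisition() returns the record for the constructed sample, with verified set to True and sha256 equal to SAMPLE_SHA256; a real acquisition would point source_path at a block device opened read-only.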
Stage 5: Eradication
⬡ … the process of actually getting rid of the issue on your computer, system or network
⬡ This step should only take place after all external and internal actions are completed
⬡ There are two important aspects of eradication:
  The first is cleanup
  The second is notification
Stage 6: Recovery
⬡ This is when your company or organization returns to normalcy
  Service restoration, which is based on implementing corporate contingency plans
  System and/or network validation, testing, and certifying the system as operational
⬡ Any component that was compromised must become re-certified as both operational and secure…
Stage 7: Follow-Up
⬡ A few follow-up questions that should be answered to ensure the process is sufficient and effective:
  Was there sufficient prep?
  Did detection occur in a timely manner?
  Were communications conducted clearly?
  What was the cost of the incident?
  Did you have a Business Continuity Plan in place?
  How can we prevent it from happening again?
⬡ Once these questions are answered and improvements are made where necessary, the company and incident response team should be ready to repeat the process
IR Plan Management
⬡ Requires thoughtful planning, ongoing oversight and clear metrics so that efforts can be properly measured
⬡ Ongoing management initiatives include setting and overseeing incident response goals, periodically testing the IRP to ensure its effectiveness and training all the necessary parties on applicable IR procedures
⬡ Specific metrics used for effectiveness of incident response initiatives might include:
  # of incidents detected, # of incidents missed, # of incidents requiring action, # of repeat incidents, remediation timeframe, # of incidents that led to breaches
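The metrics above are only useful if each incident record carries the fields needed to derive them. The following added example (not from the slides) computes every metric in that list from a small constructed incident log; the record layout, the rule that an externally reported incident counts as "missed", and the rule that a repeat is a category seen before are all assumptions made for illustration.

```python
from datetime import datetime

# Constructed incident records for illustration (not from the slides).
# detected_by: "internal" = found by the CSIRT/monitoring, "external" =
# reported by a third party (counted here as a missed detection).
# remediated: None while the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "category": "phishing", "detected_by": "internal",
     "opened": "2024-03-01T09:00:00", "remediated": "2024-03-01T15:00:00",
     "action_required": True, "breach": False},
    {"id": "INC-2", "category": "malware", "detected_by": "internal",
     "opened": "2024-03-03T10:00:00", "remediated": "2024-03-04T10:00:00",
     "action_required": True, "breach": False},
    {"id": "INC-3", "category": "phishing", "detected_by": "external",
     "opened": "2024-03-05T08:00:00", "remediated": "2024-03-05T20:00:00",
     "action_required": True, "breach": True},
    {"id": "INC-4", "category": "port scan", "detected_by": "internal",
     "opened": "2024-03-06T11:00:00", "remediated": "2024-03-06T11:30:00",
     "action_required": False, "breach": False},
    {"id": "INC-5", "category": "malware", "detected_by": "external",
     "opened": "2024-03-08T09:00:00", "remediated": None,
     "action_required": True, "breach": True},
]

def _ts(value):
    return datetime.fromisoformat(value)

def ir_metrics(incidents):
    """Derive the slide's effectiveness metrics from a list of incident records."""
    by_time = sorted(incidents, key=lambda i: _ts(i["opened"]))
    seen, repeats = set(), 0
    for inc in by_time:
        # A repeat is an incident whose category already occurred earlier;
        # a real IRP would key this on root cause rather than category.
        if inc["category"] in seen:
            repeats += 1
        seen.add(inc["category"])
    # Remediation timeframe: mean hours from opening to remediation, closed incidents only.
    hours = [(_ts(i["remediated"]) - _ts(i["opened"])).total_seconds() / 3600
             for i in incidents if i["remediated"]]
    return {
        "detected": sum(i["detected_by"] == "internal" for i in incidents),
        "missed": sum(i["detected_by"] == "external" for i in incidents),
        "requiring_action": sum(i["action_required"] for i in incidents),
        "repeat": repeats,
        "led_to_breach": sum(i["breach"] for i in incidents),
        "still_open": sum(i["remediated"] is None for i in incidents),
        "mean_remediation_hours": sum(hours) / len(hours) if hours else None,
    }
```

ir_metrics(INCIDENTS) reports 3 detected, 2 missed, 4 requiring action, 2 repeats, 2 breaches, 1 still open and a mean remediation time of 10.625 hours; still-open incidents are excluded from the mean so an unresolved case cannot make the timeframe look better.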
Thanks!
Any questions?