
University of Guyana
CSE 3100: Information Assurance and Security
Session 11 – November 25, 2022
Lecturer: Jerome Allicock

Session Outline
1. Brief Re-cap
2. Incident Management & Response
3. What Is Incident Response?
4. IR Importance
5. Types Of Security Incidents
6. Incident Response
7. Incident Response – SANS & NIST
   • Stage 1: Preparation
   • Stage 2: Identification
   • Stage 3: Containment
   • Stage 4: Investigation
   • Stage 5: Eradication
   • Stage 6: Recovery
   • Stage 7: Follow-Up
8. Incident Response Plan
9. IRP Usually Includes…
10. IR Plan Management

Brief Re-cap

⬡ What is meant by the term Information Security Policy?
⬡ Give three (3) reasons why organizations create ISPs.
⬡ State two (2) reasons why ISPs are important and two (2) ways an ISP can be made effective.
⬡ With the use of examples, explain the terms standard, procedure, guideline and policy.
⬡ Describe two (2) types of Policy and state the 5 steps of the ISP lifecycle.
⬡ Explain the policy development process and describe the elements of a generic ISP framework.
⬡ What are three (2) best practices for successful ISPs?
⬡ Explain the difference between IS Policy and IS Program.
⬡ State any two (2) drivers of policy development and describe the various trust models.
⬡ What are two (2) key players and two (2) considerations of policy development?
⬡ Describe the Policy Deployment and Evaluation process.
⬡ State three (3) policy requirements.
Incident Management & Response

Learning Objectives
⬡ Become aware of the need for an effective plan for incident management and response

⬡ Have knowledge of the seven stages of incident response

⬡ Know how to prepare an incident plan

What Is Incident Response?

⬡ Incident response (IR) is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident)
   • The goal is to handle the situation in a way that limits damage and reduces recovery time and costs

⬡ IR activities are conducted by an organization's computer security incident response team (CSIRT)
   • Group that has been previously selected to include information security and general IT staff as well as executive level members, representatives from the legal, human resources and public relations departments
   • IR team follows the organization's incident response plan (IRP)
      ◦ A set of written instructions that outline the organization's response to network events, security incidents and confirmed breaches

⬡ Rather than being an IT-centric process, it is an overall business function that helps ensure an organization can make quick decisions with reliable information

IR Importance
⬡ Incidents left unchecked can escalate into a bigger problem that can ultimately lead to a damaging data breach, large expense or system collapse; as such, responding to an incident quickly will help an organization minimize losses, mitigate exploited vulnerabilities, restore services and processes and reduce the risks that future incidents pose

⬡ Enables an organization to be prepared for both the known and the unknown and is a reliable method for identifying a security incident immediately when it occurs; it also allows an organization to establish a series of best practices to stop an intrusion before it causes damage

⬡ Crucial component of running a business, as most organizations rely on sensitive information that would be detrimental if compromised and would impact the success of the entire organization

⬡ Incidents can be expensive, as businesses could face regulatory fines, legal fees and data recovery costs
   • They also affect future profits, as untreated incidents are correlated with lower brand reputation, customer loyalty and customer satisfaction

Types Of Security Incidents

⬡ A few examples of common incidents that can have a negative impact:
   • DDoS attack against critical cloud services
   • Malware or ransomware infection that has encrypted critical business files across the network
   • Successful phishing attempt that has led to the exposure of PII of customers
   • Unencrypted laptop known to have sensitive customer records that has gone missing

Incident Management & Response

⬡ The predefined activities that are played out when a security incident occurs
⬡ Security incident – technical, social or socio-technical
   • Company’s website defaced by a threat agent
   • An employee is suspected of selling trade secrets
   • Suspected corporate espionage
   • A computer virus spreading on the network/email
Incident Response

⬡ Characteristics of good incident response:
   • Cost effective
   • Business-like
   • A business unit in the organization
   • Efficient
   • Repeatable
   • Predictable

⬡ Key Players
   • CSO
   • Legal Counsel (company’s lawyer)
   • Human Resources
   • Physical Security
   • IT Department
   • Public Relations
   • CEO/Board of directors
   • Other business units of the organization (MMG, Online Store, etc…)

⬡ Scenario: It’s 8PM on a Saturday night and your systems have been compromised – how do you respond?

Incident Response – SANS & NIST
Stage 1: Preparation

⬡ “By failing to prepare, you are preparing to fail.” - Benjamin Franklin

⬡ Involves identifying
   • The start of an incident
   • How to recover
   • How to get everything back to normal
   • And creating established security policies, including
      ◦ Established incident notification processes
      ◦ The development of an incident containment policy
      ◦ Creation of incident handling checklists
      ◦ Ensuring the corporate disaster recovery plan is up to date
      ◦ Making sure the security risk assessment process is functioning and active
      ◦ Training and pre-deployed incident handling assets

Stage 2: Identification

⬡ Is the event an unusual activity or more?
⬡ If unusual, then: what to check for?
⬡ 6 levels of incident classification:
   • Level 1 – Unauthorized Access
   • Level 2 – Denial of Services
   • Level 3 – Malicious Code
   • Level 4 – Improper Usage
   • Level 5 – Scans/Probes/Attempted Access
   • Level 6 – Investigation Incident

Stage 3: Containment

⬡ The key here is to limit the scope and magnitude of the incident.
   • Protecting and keeping available critical computing resources where possible
   • Determining the operational status of the infected computer, system or network; the options are to:
      ◦ Disconnect the system from the network and allow it to continue stand-alone operations
      ◦ Shut down everything immediately
      ◦ Continue to allow the system to run on the network and monitor the activities

Stage 4: Investigation

⬡ Determining what actually happened to your system, computer or network… what data was accessed? who did it? and what do the log reviews reveal?
⬡ Systematic review of:
   • Bit-stream copies of the drives
   • External storage
   • Real-time memory
   • Network device logs
   • System logs
   • Application logs
   • And other supporting data

Stage 5: Eradication

⬡ … the process of actually getting rid of the issue on your computer, system or network
⬡ This step should only take place after all external and internal actions are completed
⬡ There are two important aspects of eradication:
   • The first is cleanup
   • The second is notification

Stage 6: Recovery
⬡ This is when your company or organization returns to normalcy
   • Service restoration, which is based on implementing corporate contingency plans
   • System and/or network validation, testing, and certifying the system as operational
⬡ Any component that was compromised must be re-certified as both operational and secure…

Stage 7: Follow-Up

⬡ A few follow-up questions that should be answered to ensure the process is sufficient and effective
   • Was there sufficient prep?
   • Did detection occur in a timely manner?
   • Were communications conducted clearly?
   • What was the cost of the incident?
   • Did you have a Business Continuity Plan in place?
   • How can we prevent it from happening again?
⬡ Once these questions are answered and improvements are made where necessary, the company and incident response team should be ready to repeat the process

Incident Response Plan

⬡ Policy (document) that outlines the essential elements that constitute all that is necessary to meet the requirements of effective incident management and response
⬡ See IRP templates: https://www.cynet.com/incident-response/
IRP Usually Includes…

⬡ The roles and responsibilities of each member of the CSIRT
⬡ The security solutions - software, hardware and other technologies - to be installed across the enterprise
⬡ A BCP outlining procedures for restoring critical affected systems and data as quickly as possible in the event of an outage
⬡ A detailed incident response methodology that lays out the specific steps to be taken at each phase of the incident response process and by whom
⬡ A communications plan for informing company leaders, employees, customers, and even law enforcement about incidents
⬡ Instructions for collecting information and documenting incidents for post-incident review and (if necessary) legal proceedings

⬡ Some IR technologies include: SIEM, SOAR, EDR, XDR, UEBA, ASM
   • Read up on the above
IR Plan Management

⬡ Requires thoughtful planning, ongoing oversight and clear metrics so that efforts can be properly measured
⬡ Ongoing management initiatives include setting and overseeing incident response goals, periodically testing the IRP to ensure its effectiveness and training all the necessary parties on applicable IR procedures
⬡ Specific metrics used for effectiveness of incident response initiatives might include:
   • # of incidents detected, # of incidents missed, # of incidents requiring action, # of repeat incidents, remediation timeframe, # of incidents that led to breaches

⬡ Incident response goals might include areas involving:
   • Reviews and updates to the routine IRP
   • The planning and execution of IR test scenarios
   • Integration issues with related security initiatives, such as security awareness, technical detection systems, employee training and vulnerability and penetration testing
   • Reporting of security events to executive leadership or outside parties
   • Procurement of additional technologies to provide enhanced network visibility and control
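As an added worked example (not part of the slides), the Python below computes the effectiveness metrics listed above from a set of constructed incident records, tagging each record with the Stage 2 classification level. It assumes that a "missed" incident is one first reported by an outside party rather than detected by the organization's own monitoring, and that a "repeat" is a further incident sharing an earlier one's root cause; both are the example's own definitions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

# Incident classification levels as listed on the Stage 2 slide.
LEVELS = {1: "Unauthorized Access", 2: "Denial of Services", 3: "Malicious Code",
          4: "Improper Usage", 5: "Scans/Probes/Attempted Access", 6: "Investigation Incident"}

@dataclass
class Incident:
    ident: str
    level: int                  # 1..6 per the slide's classification
    detected_by: str            # "internal" = own monitoring; "external" = reported by a customer, vendor, etc.
    opened: datetime
    closed: Optional[datetime]  # None while the incident is still open
    action_required: bool       # containment/eradication was needed
    root_cause: str             # a cause seen again marks a repeat incident (assumption)
    led_to_breach: bool

def ir_metrics(incidents):
    """Compute the effectiveness metrics named on the 'IR Plan Management' slide."""
    causes = {}
    for inc in incidents:
        causes[inc.root_cause] = causes.get(inc.root_cause, 0) + 1
    # Remediation timeframe in hours, over closed incidents only.
    hours = [(i.closed - i.opened).total_seconds() / 3600 for i in incidents if i.closed]
    return {
        "detected": sum(1 for i in incidents if i.detected_by == "internal"),
        "missed": sum(1 for i in incidents if i.detected_by == "external"),
        "requiring_action": sum(1 for i in incidents if i.action_required),
        "repeat": sum(n - 1 for n in causes.values() if n > 1),
        "mean_remediation_hours": round(mean(hours), 1) if hours else None,
        "breaches": sum(1 for i in incidents if i.led_to_breach),
        "by_level": {LEVELS[lvl]: sum(1 for i in incidents if i.level == lvl)
                     for lvl in sorted({i.level for i in incidents})},
    }

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def sample_incidents():
    """Constructed sample records for illustration (not real incident data)."""
    return [
        Incident("INC-1", 3, "internal", _ts("2022-11-01 09:00"), _ts("2022-11-01 15:00"), True, "phishing-macro", False),
        Incident("INC-2", 5, "internal", _ts("2022-11-03 10:00"), _ts("2022-11-03 10:30"), False, "external-scan", False),
        Incident("INC-3", 1, "external", _ts("2022-11-10 08:00"), _ts("2022-11-12 08:00"), True, "phishing-macro", True),
        Incident("INC-4", 2, "internal", _ts("2022-11-20 20:00"), None, True, "volumetric-ddos", False),
    ]

if __name__ == "__main__":
    for name, value in ir_metrics(sample_incidents()).items():
        print(f"{name}: {value}")
```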
Thanks!
Any questions?
