
Prepare for Battle:

Let’s Build an Incident Response Plan

Eric Sun, CISSP


Sr. Solutions Mgr, Detection & Response
@exalted
Today’s Topics

1. Draft the Plan
2. Review the Plan
3. Test the Plan

Let’s start with two poll questions…


Poll Question #1
Does your organization have an incident response plan in place today?
• Yes, it is in a good state.
• Yes, but it needs heavy updates.
• No plan in place.

Poll Question #2
When was the last time you put your IR plan to the test?
• Within the last 6 months
• Within the last 12 months
• We have not tested the plan
• No IR plan in place today
Why are we here?

Am I Vulnerable? Am I Compromised? Am I Optimized?

Measure & Manage Organizational Risk

• Metasploit Framework Project & Community: the most used penetration testing tool
• Heisenberg Project: global honeypot network
• Project Sonar: internet-wide scans
• Vulnerability Disclosure, Threat Intel, & Attacker Modeling: team of security researchers
Drafting the Plan
Get in the IR Plan Mindset
1. Get the right people involved.
2. Assess current state & current visibility.
3. Be realistic about talent & the expected range of attacks.
Incident Response Plan Flow
Key Items in an Incident Response Plan
1. Key Contacts (+ external)
2. Roles & Responsibilities
3. Incident & Event Response Flows
• Plan from Alert -> Response
• Remember After Action Review!
4. Communications Plan
5. Legal, Compliance, Chain of Custody Considerations
Reviewing the Plan
Review: Things to Consider
1. Evaluate your tech stack and what is being monitored today.

(Figure: visibility sources to evaluate: existing security solutions, alerts, and events; network events; remote endpoints; applications; enterprise cloud apps)
Steps in an Internal Attack Chain

Infiltration and Persistence -> Explore Network -> Lateral Movement -> Mission Target -> Maintain Presence
Review: Things to Consider
1. Evaluate your tech stack and what is being monitored today.
2. How does this translate to detection across an attack chain?
3. What are the three main ways attackers breach companies?
Testing the Plan
Ways to Test Your Plan
1. Tabletop Exercises
2. Penetration Tests
3. Purple Team Exercises
What kind of Pen Tests?
68% of the time, pen testers remained undetected.

Purple Team

Under Fire: Escalated Incident
Breathe. Deep Breaths.
• Do not wait to call.
• Careful touching things!
• Provide ALL the details.
• Follow your IR Plan.
• Follow chain of custody.
• Set proper expectations.
• Lawyers are important.
Correlating it together.
1. Build an IR plan for the threats you face, with the people you trust.
2. If you have a plan, test it!
3. Foundation of reliable detection = Data Collection
4. One alert ≠ the full story. Context is everything!
Questions?

Eric Sun, eric_sun@rapid7.com, @exalted


www.rapid7.com/solutions/incident-detection
@rapid7
Thanks!