
INCIDENT RESPONSE

Incident response is a coordinated approach to handling and managing the aftermath of a
security breach or cyberattack (the event itself is also called an IT incident, computer
incident or security incident). The aim is to deal with the situation in a manner that limits
harm and decreases recovery time and costs.

Ideally, incident response operations are handled by the company's Computer Security Incident
Response Team (CSIRT), a group selected in advance that includes information security and
general IT personnel as well as members at the C-suite level. Representatives from the legal,
human resources and public relations divisions can also be included in the team. The incident
response team follows the company's Incident Response Plan (IRP), a set of written guidelines
that detail how the organization responds to network events, security incidents and
confirmed breaches.

Incident response is about making and having a flight plan. Rather than being an IT-centric
process, it is an overall business function that helps ensure an organization can make quick
decisions based on reliable information. It involves not only technical personnel from the IT
and security departments but also representatives from other core parts of the company.

IMPORTANCE OF INCIDENT RESPONSE

Any incident that is not properly contained and handled can, and usually will, escalate into
a greater problem that can ultimately lead to a damaging data breach, large costs or a system
collapse. Responding rapidly to an incident helps an organization minimize losses, mitigate
the vulnerabilities that were exploited, restore services and processes, and reduce the risk
posed by future incidents (techtarget.com).

FIVE STEPS IN INCIDENT RESPONSE

Incident response is a process, not an isolated event. Teams should take a coordinated and
organized approach to any incident for incident response to be successful. In order to
effectively address the wide range of security incidents that a company might experience,
there are five important steps that every response program should cover:

1. Preparation

2. Detection and Reporting

3. Triage and Analysis

4. Containment and Neutralization

5. Post-Incident Activity

1. PREPARATION

The secret to efficient incident response is planning. Without predetermined protocols, even
the best incident management team cannot handle an incident effectively. To support the
team, a strong plan must be in place. An incident response plan should include the following
in order to resolve security incidents successfully:

a. Development of Incident Response Policies and Documentation

Develop protocols, procedures and agreements for incident response management.

b. Definition of Communication Guidelines

Create standards and guidelines for communication to allow for seamless communication
during and after an incident.

c. Incorporation of Threat Intelligence Feeds

Continuously capture, evaluate and synchronize threat intelligence feeds.

d. Conduct of Cyber Hunting Exercises

To identify incidents already occurring within your environment, perform threat hunting
exercises across the organization. This encourages a more proactive response to incidents.

e. Threat Detection Capability Assessment

Review the existing threat detection capability and update risk assessment and
improvement programs accordingly.

2. DETECTION AND REPORTING

The aim of this phase is to monitor security events in order to detect, alert on and report
potential security incidents.

a. Monitor

Monitor security events in your environment using firewalls, intrusion prevention systems
and data loss prevention tools.

b. Detect

Detect potential security incidents by correlating alerts within a SIEM (Security
Information and Event Management) solution.

SIEM is an acronym for Security Information and Event Management. It is software that
gathers log and event data from an organization's applications, security equipment and
host systems and consolidates it into a single unified platform (http://www.fireeye.com/).

The term was coined by Gartner in 2005 to describe software that tracks and helps manage
user and service privileges, directory services and other system configuration changes, as
well as providing log auditing and review and incident response (www.netsurion.com).

c. Alert

Analysts create an incident ticket, record initial findings and assign an initial
classification to the incident.

d. Report

The reporting process should include provisions for regulatory reporting obligations and
escalations.

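
As an added example (not code from the original page), the following Python shows the kind of correlation rule a SIEM applies at the Detect step and the alert record that feeds the Alert step: five or more failed logons from one source within two minutes, followed by a success from that source. The log lines, field names and host names are constructed for illustration, and the threshold and window are assumptions rather than values from the page.

```python
"""Added example (not from the original page): a SIEM-style correlation rule
run over constructed authentication events, emitting an alert record that an
analyst could turn straight into an incident ticket."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like key=value format. Not real logs.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z host=web01 src=203.0.113.7 user=alice action=login result=fail
2024-03-01T10:00:03Z host=web01 src=203.0.113.7 user=bob action=login result=fail
2024-03-01T10:00:04Z host=web01 src=203.0.113.7 user=carol action=login result=fail
2024-03-01T10:00:06Z host=web01 src=203.0.113.7 user=dave action=login result=fail
2024-03-01T10:00:08Z host=web01 src=203.0.113.7 user=eve action=login result=fail
2024-03-01T10:00:09Z host=web01 src=203.0.113.7 user=admin action=login result=success
2024-03-01T10:05:00Z host=web01 src=198.51.100.2 user=frank action=login result=fail
2024-03-01T10:06:00Z host=web01 src=198.51.100.2 user=frank action=login result=success
this line is garbage and must be skipped, not crash the rule
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=login result=(?P<result>fail|success)$"
)


def parse_events(text):
    """Parse matching lines; silently drop anything that does not fit the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Rule (threshold and window are assumptions): at least `threshold` failed
    logons from one source inside a sliding `window`, followed by a success from
    the same source, produce one alert. A lone failure before a success does not."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        recent_fails = []
        for ev in evs:
            # keep only failures still inside the window that ends at this event
            recent_fails = [f for f in recent_fails if ev["ts"] - f["ts"] <= window]
            if ev["result"] == "fail":
                recent_fails.append(ev)
            elif len(recent_fails) >= threshold:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "severity": "high",             # initial classification for the ticket
                    "host": ev["host"],
                    "src": src,
                    "compromised_user": ev["user"],
                    "failed_attempts": len(recent_fails),
                    "usernames_tried": sorted({f["user"] for f in recent_fails}),
                    "first_seen": recent_fails[0]["ts"].isoformat(),
                    "last_seen": ev["ts"].isoformat(),
                })
                recent_fails = []
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce(parse_events(SAMPLE_LOGS)):
        print(alert)
```

The alert carries everything the Alert step needs for the ticket (host, source, the account that finally succeeded, the accounts that were tried, and first/last seen), while the single failure from 198.51.100.2 correctly produces nothing.
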
3. TRIAGE AND ANALYSIS

During this phase, the bulk of the effort goes into correctly scoping and understanding the
security incident. Resources should be used to collect data from tools and systems for
further analysis and to identify indicators of compromise. The individuals involved should
have in-depth expertise and a thorough understanding of live system response, digital
forensics, memory analysis and malware analysis.

Analysts should concentrate on THREE KEY AREAS as information is gathered:

1. Endpoint Analysis

a. Determine what traces the threat actor may have left behind.

b. Gather the appropriate artifacts needed to build a timeline of events.

c. Examine a bit-for-bit copy of the affected systems from a forensic perspective, and
capture RAM so that it can be parsed to identify key artifacts, in order to determine what
happened on each machine.

RAM stands for Random Access Memory (www.backblaze.com). RAM is the short-term data
storage for your system; it holds the data that your computer is currently using so that it
can be accessed quickly. The more programs you run on your machine, the more memory you use
(www.crucial.in). Because RAM is volatile, its contents are lost when the machine is powered
off, which is why it must be captured before any shutdown.

2. Binary Analysis

Examine any malicious binaries or tools leveraged by the attacker and record the
characteristics of those programs. This analysis is performed in two ways:

· Behavioral Analysis: Execute the malicious program in a VM to monitor its behavior.

VM stands for Virtual Machine. It is a software emulation of a physical computer that runs
an operating system and applications as if on real hardware (www.vmware.com). VMs are
primarily intended to run several operating systems on the same piece of hardware at the
same time (www.dnsstuff.com).

· Static Analysis: Reverse engineer the malicious software to understand its full
functionality without executing it.
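
As an added example (not from the original page), here is a first-pass static triage in Python of the kind an analyst runs before any reverse engineering: hash the file, confirm it really is a Windows PE, and pull out printable strings, suspicious API names and network indicators. The sample bytes are constructed to look like a minimal PE and are not real malware; the suspicious API list is an illustrative assumption.

```python
"""Added example (not from the original page): first-pass static triage of a
suspicious file. SAMPLE is constructed to look like a tiny PE file and is not
real malware; the suspicious API list is an illustrative assumption."""
import hashlib
import re
import struct

# Constructed sample: a DOS header whose e_lfanew (offset 0x3C) points at a
# "PE\0\0" signature, followed by NUL-separated strings of the kind an analyst
# would expect to pull out of a dropper.
_buf = bytearray(b"MZ" + b"\x00" * 58)          # 60 bytes -> next write lands at 0x3C
_buf += struct.pack("<I", 0x80)                  # e_lfanew = 0x80
_buf += b"\x00" * (0x80 - len(_buf))
_buf += b"PE\x00\x00" + b"\x00" * 20             # PE signature + padding
_buf += b"\x00".join([
    b"kernel32.dll", b"CreateRemoteThread", b"WinExec",
    b"http://c2.example.invalid/beacon", b"203.0.113.45", b"cmd.exe /c whoami",
]) + b"\x00"
SAMPLE = bytes(_buf)

SUSPICIOUS_APIS = {"CreateRemoteThread", "WinExec", "VirtualAllocEx", "WriteProcessMemory"}
URL_RE = re.compile(r"https?://[\w.\-/]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hashes(data):
    """MD5 is kept only for matching legacy threat-intel lookups; SHA-256 is the
    identifier to record, because MD5 is no longer collision resistant."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def is_pe(data):
    """True if the DOS 'MZ' magic is present and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    """Everything an analyst wants in the first five minutes, in one record."""
    found = strings(data)
    return {
        **hashes(data),
        "is_pe": is_pe(data),
        "suspicious_apis": sorted(s for s in found if s in SUSPICIOUS_APIS),
        "urls": [u for s in found for u in URL_RE.findall(s)],
        "ipv4": [ip for s in found for ip in IPV4_RE.findall(s)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The URL and IP strings pulled out here are exactly the indicators that the later containment and hunting steps consume, and the hashes are what gets looked up against external intelligence.
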

3. Enterprise Hunting

To assess the scope of the compromise, examine existing systems and event log technologies.
Record all compromised accounts, machines and other assets so that effective containment
and neutralization can be carried out.

4. CONTAINMENT AND NEUTRALIZATION

This is one of the most important phases of incident response. The containment and
neutralization strategy is based on the intelligence gathered during the analysis phase and
on the indicators of compromise. Normal operations resume after the systems are restored
and their security has been verified.

• Coordinated Shutdown

Once all systems in the environment that have been compromised by the threat actor have
been identified, and the volatile evidence they hold has been collected, execute a
coordinated shutdown of these devices. To ensure proper timing, a message must be sent to
all IR (Incident Response) team members.

• Wipe and Rebuild

Wipe the infected machines and rebuild the operating system from known-good media. Change
the passwords of all compromised accounts.

• Threat Mitigation Requests

If you have identified domains or IP addresses known to be used for command and control by
the threat actors, issue threat mitigation requests to block communication with these
domains and addresses on all egress channels.

IP stands for Internet Protocol address; it is an identifying number assigned to a machine
on a network. The IP address allows machines to send and receive data while connected to
the internet (www.investopedia.com).
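
As an added example (not from the original page), the following Python turns a list of command-and-control indicators into egress block rules and applies the checks a practitioner wants before a mitigation request goes out: deduplication, reducing URLs to host names, refusing to block the organization's own address space or loopback, and holding back shared infrastructure for human sign-off. The indicators, the internal ranges and the review list are constructed assumptions, and the iptables and RPZ output formats are one choice among many.

```python
"""Added example (not from the original page): turn command-and-control
indicators into egress block rules, with the sanity checks that stop a
containment action from becoming a self-inflicted outage. All indicators,
internal ranges and the review list are constructed assumptions."""
import ipaddress

# Constructed indicators of mixed quality, as a real analysis ticket would hold.
RAW_IOCS = [
    "203.0.113.45", "203.0.113.45",            # duplicate
    " 198.51.100.0/24 ",                       # whitespace, CIDR range
    "c2.example.invalid",
    "HTTP://Beacon.Example.Invalid/gate.php",  # URL: reduce to the host name
    "10.0.5.7",                                # internal address: never block egress to it
    "127.0.0.1",                               # loopback
    "8.8.8.8",                                 # shared resolver: needs sign-off first
    "not an indicator",
]

# Address space the organization itself uses (assumed RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical shared infrastructure that a human must approve before it is blocked.
REVIEW_REQUIRED = {"8.8.8.8", "1.1.1.1"}


def normalize_domain(raw):
    """Lower-case, strip scheme, path and port; return None if it is not a host name."""
    s = raw.strip().lower()
    if "://" in s:
        s = s.split("://", 1)[1]
    s = s.split("/", 1)[0].split(":", 1)[0]
    return s if "." in s and " " not in s else None


def classify(raw):
    """Return (kind, value); kind is ip, domain, skip_internal, review or invalid."""
    s = raw.strip()
    try:
        net = ipaddress.ip_network(s, strict=False)
    except ValueError:
        dom = normalize_domain(s)
        return ("domain", dom) if dom else ("invalid", s)
    value = str(net.network_address) if net.num_addresses == 1 else str(net)
    if net.is_loopback or any(net.subnet_of(i) for i in INTERNAL_NETS if i.version == net.version):
        return ("skip_internal", value)
    if value in REVIEW_REQUIRED:
        return ("review", value)
    return ("ip", value)


def build_blocklist(raw_iocs):
    """Bucket and deduplicate indicators; only 'ip' and 'domain' become rules."""
    buckets = {k: set() for k in ("ip", "domain", "skip_internal", "review", "invalid")}
    for raw in raw_iocs:
        kind, value = classify(raw)
        buckets[kind].add(value)
    return {k: sorted(v) for k, v in buckets.items()}


def render_rules(blocklist):
    """iptables egress drops for addresses; RPZ NXDOMAIN records (name and
    wildcard) for domains, so subdomains of the C2 name are sinkholed too."""
    rules = [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in blocklist["ip"]]
    for d in blocklist["domain"]:
        rules.append(f"{d} CNAME .")
        rules.append(f"*.{d} CNAME .")
    return rules


if __name__ == "__main__":
    bl = build_blocklist(RAW_IOCS)
    print("needs review:", bl["review"], "| skipped internal:", bl["skip_internal"],
          "| invalid:", bl["invalid"])
    print("\n".join(render_rules(bl)))
```

Note that the internal address and loopback are reported rather than silently dropped: an internal IP in a C2 list usually means a pivot host that belongs in the coordinated shutdown, not in the egress block list.
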

5. POST-INCIDENT ACTIVITY

After the incident is resolved, there is more work to be done. Make sure that any details
that can be used to prevent similar incidents from recurring are properly recorded.

a. Complete an Incident Report

Documenting the incident helps strengthen the incident response plan and improve additional
security measures to deter future incidents of this nature.

b. Monitor Post-Incident

Monitor closely after the incident, since threat actors can reappear. We suggest having an
analyst watch SIEM data for any indicators that were associated with the prior incident.

c. Update Threat Intelligence

Update the organization's threat intelligence feeds.

d. Identify Preventive Measures

Establish new technical controls to prevent similar incidents in the future.

e. Gain Cross-functional Buy-in

Communicating across the organization is important for the proper implementation of new
security policies.

CRITERIA FOR AN APPROPRIATE INCIDENT RESPONSE PLAN

1. BE SIMPLE BUT ACCURATE

The IR plan should be straightforward and direct so that the incident response team can
rapidly and thoroughly determine who, what, how, when and why. The plan should also provide
detailed instructions so that the organization can identify the systems and data under attack
and take steps to protect vital assets.

a. HAVE COMPREHENSIVE ROLES AND RESPONSIBILITIES

The functions and duties of all stakeholders should be clearly set out. The business, and each
individual employee in particular, must have a clear understanding of the tasks to be
performed in the event of an incident, and adequate steps must be taken to minimize the
impact and prevent the loss of confidential data.

b. BRING TECHNICAL AND NON-TECHNICAL STAFF TOGETHER

The IR plan should not be confined to the IT or security department. The IR plan is only
successful if both technical and non-technical teams, such as Legal, Compliance, Human
Resources and Public Relations, are committed to and participate in its implementation. Take
the time to establish relationships with internal and external staff.

c. PROVIDE AN INCIDENT CLASSIFICATION SYSTEM

Establish a system for incident classification so that you can prioritize incident response
tasks properly. For future remediation purposes, classification will also help you extract
meaningful metrics such as incident type, severity, attack vector, impact and root cause.

2. UNDERSTAND THE PRIORITIES OF THE ORGANIZATION

Finally, the IR plan should be aligned with the organization's goals. Identify what matters
most to the organization and weave those priorities into the IR activities. For instance, if
critical medical devices are under attack, ensuring patient safety is your first priority. If
you are a manufacturer and your production line is interrupted, then resuming operations is
your top priority.

THE DO'S AND DON'TS OF INCIDENT RESPONSE

5 Things Not to Do During an Incident

When there is an incident in your organization, it is easy to get stressed, and this can lead
to rash decisions made in haste. This is the worst thing you can do during a security
incident.

Many times, individuals make these rash decisions and do not realize their adverse effect
until the issue they were initially trying to control gets worse.

Here are the things NOT to do during an incident:

1. Do Not Panic

This is the hardest thing to do during an incident. You want to stay calm, and having an IR
plan will help you do just that. An IR plan gives you pre-planned direction that explains the
best course of action to take during an incident. It is extremely important to establish a
strong plan before an incident occurs, so that the protocols are thorough and specific.

2. Do Not Shut Down the Infected Systems

By shutting a system down you could lose volatile data (memory contents, running processes,
network connections) that holds significant forensic information. This information can be
vital in establishing the timeline of what occurred, and that timeline in turn tells you what
data was actually taken, so that you can choose the best way to handle the stolen data.

3. Unless Otherwise Instructed, Do Not Discuss the Incident With Anyone

Being selective about whom you talk to about an incident that has only just begun to unfold
is critical. It is best to share information about the breach only with those who really need
to know; otherwise the situation could get worse.

4. Do Not Use Domain Administrative Credentials When Accessing a Compromised Environment

Threat actors with a foothold on a machine wait for an account with enterprise-wide access to
log on, so that they can harvest its credentials and gain maximum control over the
environment. Logging on to a compromised system with domain admin credentials may hand the
attacker an easier way to reach your confidential information.

5. Do Not Execute Any Non-Forensic Software on the Infected Systems

Doing so updates the file timestamps recorded in the Master File Table (MFT) and can
overwrite other traces of the attack. Again, it is imperative not to tamper with the timeline
so that you can follow exactly what occurred during the incident.

THINGS TO DO DURING AN INCIDENT

Instead of making hasty decisions during an incident, individuals should take several actions
to mitigate and remediate it. It is incredibly helpful to collect as much data about the
incident as possible while containing it.

To correctly resolve an incident, here are the things to do:

1. Use forensic tools to extract volatile data and other essential artifacts from the device.

Forensic tools are designed to collect from a running system while altering it as little as
possible, for example without changing file timestamps on the machine.

2. Gather external intelligence based on known Indicators of Compromise (IOCs).

Search the web for details you found during your initial incident investigation, such as
specific MD5 hashes, IP addresses and domains. You are trying to find out what the likely
infection is or what kind of malware may be in the system.

MD5 stands for Message Digest 5. It is a common cryptographic hash function created by Ronald
Rivest that is used to produce a message digest for digital signatures (www.pcmag.com). MD5
is no longer collision resistant, so it should not be relied on to prove integrity or for
signatures; it remains widespread as a lookup key in malware databases, so record a SHA-256
hash alongside it.

3. Safeguard Systems and Other Media for Forensic Collection.

4. Collect Suitable Logs.

This may include Windows event logs, proxy logs, NetFlow, antivirus and firewall logs. It is
vital to be able to tell the story at both the network and the endpoint level.
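
As an added example serving both the Enterprise Hunting step of the triage phase and items 2 and 4 here (not code from the original page), the following Python sweeps three constructed log sources (Windows events, a web proxy and a firewall) for known indicators, normalizes their three different timestamp formats into one UTC timeline, and then widens the scope from direct hits to the hosts and accounts reached by network logons from already-compromised machines. The IOC values, log lines and host inventory are constructed, and the firewall's syslog lines are assumed to be in UTC for the year 2024 because that format carries neither.

```python
"""Added example (not from the original page): sweep collected logs for known
indicators, normalize them into one UTC timeline and scope the compromise.
Every log line, indicator and inventory entry below is constructed."""
import re
from datetime import datetime, timezone

# Indicators from the initial report and external intelligence (constructed).
IOCS = {
    "md5": {"44d88612fea8a8f36de82e1278abb02f"},
    "ip": {"203.0.113.45"},
    "domain": {"c2.example.invalid"},
}
# Constructed host inventory: proxy and firewall logs only know client IPs.
HOST_BY_IP = {"10.0.5.7": "WS-042", "10.0.9.23": "FS-01", "10.0.9.50": "WS-077"}
SYSLOG_YEAR = 2024  # assumption: firewall syslog lines carry no year and are in UTC

# Three log sources in three timestamp formats (local offset, epoch, syslog).
WIN_EVENTS = """\
2024-03-01 09:58:10 -0500|WS-042|4688|user=jdoe|process=C:\\Users\\jdoe\\update.exe|md5=44d88612fea8a8f36de82e1278abb02f
2024-03-01 10:00:30 -0500|FS-01|4624|user=svc_backup|logon_type=3|src=10.0.5.7
2024-03-01 10:30:00 -0500|FS-01|4624|user=svc_backup|logon_type=3|src=10.0.9.50
"""
PROXY = """\
1709305510.120 10.0.9.23 GET http://c2.example.invalid/beacon 200
1709305570.500 10.0.9.50 GET http://www.example.com/ 200
"""
FIREWALL = """\
Mar  1 15:05:00 fw01 kernel: OUT src=10.0.9.23 dst=203.0.113.45 dport=443
Mar  1 15:06:00 fw01 kernel: OUT src=10.0.9.50 dst=198.51.100.9 dport=443
"""
FW_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
                   r"OUT src=(?P<src>\S+) dst=(?P<dst>\S+)")


def parse_windows(text):
    out = []
    for line in text.splitlines():
        ts, host, event_id, *fields = line.split("|")
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc),
              "source": "winevt", "host": host, "event_id": event_id}
        ev.update(f.split("=", 1) for f in fields)
        out.append(ev)
    return out


def parse_proxy(text):
    out = []
    for line in text.splitlines():
        epoch, client, _method, url, _status = line.split()
        out.append({"ts": datetime.fromtimestamp(float(epoch), tz=timezone.utc), "source": "proxy",
                    "host": HOST_BY_IP.get(client, client),
                    "domain": url.split("://", 1)[1].split("/", 1)[0]})
    return out


def parse_firewall(text):
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        out.append({"ts": ts.replace(tzinfo=timezone.utc), "source": "firewall",
                    "host": HOST_BY_IP.get(m["src"], m["src"]), "dst_ip": m["dst"]})
    return out


def ioc_hits(ev):
    """Which indicator types this single event matches (empty list if none)."""
    return [kind for kind, field in (("md5", "md5"), ("domain", "domain"), ("ip", "dst_ip"))
            if ev.get(field) in IOCS[kind]]


def build_timeline(events):
    """One UTC-ordered list across all sources, each event tagged with its IOC hits."""
    return sorted((dict(e, hits=ioc_hits(e)) for e in events), key=lambda e: e["ts"])


def scope(timeline):
    """Direct IOC hits give the first set of compromised hosts/accounts; then any
    network logon (4624, type 3) whose source is a compromised host pulls the
    target host and account into scope, repeated until nothing new appears."""
    hosts = {e["host"] for e in timeline if e["hits"]}
    accounts = {e["user"] for e in timeline if e["hits"] and "user" in e}
    changed = True
    while changed:
        changed = False
        for e in timeline:
            if (e.get("event_id") == "4624" and e.get("logon_type") == "3"
                    and HOST_BY_IP.get(e.get("src")) in hosts
                    and not (e["host"] in hosts and e["user"] in accounts)):
                hosts.add(e["host"]); accounts.add(e["user"]); changed = True
    return {"hosts": sorted(hosts), "accounts": sorted(accounts)}


def all_events():
    return build_timeline(parse_windows(WIN_EVENTS) + parse_proxy(PROXY) + parse_firewall(FIREWALL))


if __name__ == "__main__":
    tl = all_events()
    for e in tl:
        print(e["ts"].isoformat(), e["source"], e["host"], e["hits"] or "")
    print(scope(tl))
```

The resulting scope (WS-042 and FS-01; accounts jdoe and svc_backup) is the list that the containment phase's coordinated shutdown and password resets act on; WS-077, whose only activity was a benign logon to FS-01 and normal browsing, stays out of it.
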
