Ideally, incident response operations are handled by the Computer Security Incident
Response Team (CSIRT) of a company, a group that has been chosen in advance to
include information security and general IT personnel as well as members at the C-suite
level. Representatives from the legal, human resources and public relations divisions can
also be included in the team. The incident response team follows the Incident Response
Plan (IRP) of the company, which is a set of written guidelines that detail how the
organization responds to network events, security incidents and verified violations.
Incident response is about making and having a flight plan. Rather than being an IT-
centric process, it is an overall business function that helps ensure that an organization can
make quick decisions based on reliable information. Technical personnel from the IT and
security departments are involved, but so are representatives from other core parts of the
company.
Any incident that is not properly contained and handled can, and usually will,
escalate into a greater issue that can ultimately lead to a damaging data breach, a large
cost or a collapse of the system. Responding rapidly to an incident helps an organization
minimize losses, mitigate the vulnerabilities that were exploited, restore services and
procedures, and reduce the risks posed by future incidents (techtarget.com).
Incident response is a process, not an isolated event. For incident response to be
successful, teams should take a coordinated and organized approach to every incident.
To effectively address the wide range of security incidents that a company might
experience, there are five important steps that every response program should cover:
1. Preparation
5. Post-Incident Activity
1. PREPARATION
The secret to efficient incident response is planning. Without predetermined protocols, even
the best incident management team cannot handle an incident effectively. To support the
team, a strong strategy must be in place. An incident response plan should include the
following features in order to resolve security incidents successfully:
a. Development of incident response policies and documentation
Create standards and guidelines for communication to allow seamless communication
during and after an incident.
Continuously capture, evaluate, and synchronize threat intelligence feeds.
Review the existing capacity for threat identification and upgrade systems for risk
management and development.
The aim of this phase is to track security events in order to identify, warn of and report
possible security incidents.
a. Monitor
Track security events in your network using firewalls, intrusion prevention systems, and
data loss prevention.
b. Detect
SIEM is an acronym for Security Information and Event Management. It is a piece of software
that gathers log and event data from an organization's applications, security equipment, and
host systems and consolidates it into a single unified platform (http://www.fireeye.com/).
The term was coined by Gartner in 2005 to describe software that tracks and helps manage
user and service privileges, directory resources, and other changes in device configuration,
as well as log auditing and review and incident response (www.netsurion.com).
c. Alert
Analysts create a ticket for the incident, record initial observations and assign an initial
classification to the incident.
d. Report
During this phase, the bulk of the effort goes into correctly scoping and interpreting the
security incident. Resources should be used to collect data from tools and systems for
further study and to recognize signs of compromise. Individuals should have access to
in-depth expertise and a comprehensive understanding of live system response, digital
forensics, memory analysis, and malware analysis.
1. Endpoint Analysis
a. Determine what traces the threat actor may have left behind.
RAM stands for Random Access Memory (www.backblaze.com). RAM is the short-term data
storage for your system; it stores the data that your computer is currently using so that it can
be accessed quickly. The more programs you run on your machine, the more memory you use
(www.crucial.in).
2. Binary Analysis
Examine malicious binaries or tools leveraged by the attacker and record the features of
such programs. This analysis is performed in two ways:
VM stands for Virtual Machine. It is a software environment that runs programs and
executes applications in place of a physical computer (www.vmware.com). VMs are
primarily intended to run several operating systems on the same piece of hardware at the
same time (www.dnsstuff.com).
• Static Analysis: Reverse engineer the malicious software to work out its entire
functionality.
3. Enterprise Hunting
To assess the scope of the compromise, evaluate the existing systems and event log
technologies. All compromised accounts, computers, etc. are also recorded so that
efficient containment and neutralization can be carried out.
This is one of the most important stages of incident response. The containment and
neutralization strategy is based on the intelligence gathered during the analysis phase and
on the indicators of compromise. Normal operations resume after the systems are restored
and security is verified.
• Coordinated Shutdown
After all systems in the environment that have been compromised by the threat actor have
been identified, execute a coordinated shutdown of these devices. To ensure proper timing,
a message must be sent to all IR (Incident Response) team members.
Wipe the infected computers from the ground up and reinstall the operating system. Change
the passwords of all compromised accounts.
If you have identified domains or IP addresses known to be used for command and
control by threat actors, issue threat mitigation requests to block contact with these
domains from all egress channels.
After the incident is settled, there is more work to be done. Make sure that any details that
can be used to prevent similar events from occurring in the future are properly recorded.
Documenting the incident helps strengthen the incident response plan and improve
additional security measures to deter future security incidents of this nature.
b. Monitor Post-Incident
Monitor activity closely after the incident, as threat actors can reappear. We suggest
having a security analyst keep a hawk's eye on SIEM data for any signs of the indicators
that were associated with the prior incident.
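As an added example (not from the original document or any vendor cited in it), the following Python script shows what the SIEM consolidation described under "b. Detect" and the post-incident watch described here amount to in code: a few constructed log lines from a firewall, a web proxy and a Windows logon event are normalized into one event schema, ordered into a timeline, and checked against a constructed watchlist of indicators from a prior incident. The log formats, field names, addresses and indicator values are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample log lines from three sources (fictional formats, not real product output).
# Layout: <source>|<ISO-8601 timestamp>|<source-specific body>
SAMPLE_LOGS = [
    "firewall|2024-03-01T10:15:02Z|src=10.0.5.23|dst=203.0.113.77|dport=443|action=allow",
    "proxy|2024-03-01T10:15:03Z|10.0.5.23 GET http://updates-cdn.example.net/payload.bin 200",
    "winevent|2024-03-01T10:16:40Z|EventID=4624|User=svc-backup|Workstation=WS-0042|LogonType=3",
    "firewall|2024-03-01T10:20:11Z|src=10.0.7.9|dst=198.51.100.5|dport=80|action=allow",
]

# Constructed watchlist: indicators tied to a prior incident, kept for post-incident monitoring.
PRIOR_INCIDENT_IOCS = {
    "ips": {"203.0.113.77"},
    "domains": {"updates-cdn.example.net"},
    "accounts": {"svc-backup"},
}

# Every parser emits the same unified schema so later logic need not know the source.
UNIFIED_FIELDS = ("source", "ts", "src_ip", "dst_ip", "domain", "user", "host")

def _unified(source, ts, **fields):
    event = dict.fromkeys(UNIFIED_FIELDS)
    event.update(source=source, ts=ts, **fields)
    return event

def parse_firewall(ts, body):
    kv = dict(item.split("=", 1) for item in body.split("|"))
    return _unified("firewall", ts, src_ip=kv.get("src"), dst_ip=kv.get("dst"))

def parse_proxy(ts, body):
    client_ip, _method, url, _status = body.split()
    host = re.match(r"https?://([^/:]+)", url).group(1).lower()
    return _unified("proxy", ts, src_ip=client_ip, domain=host)

def parse_winevent(ts, body):
    kv = dict(item.split("=", 1) for item in body.split("|"))
    return _unified("winevent", ts, user=kv.get("User"), host=kv.get("Workstation"))

PARSERS = {"firewall": parse_firewall, "proxy": parse_proxy, "winevent": parse_winevent}

def normalize(line):
    """Turn one raw line into a unified event: the SIEM's collection/normalization step."""
    source, ts, body = line.split("|", 2)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return PARSERS[source](when, body)

def build_timeline(lines):
    """Consolidate events from all sources and order them so the story reads in sequence."""
    return sorted((normalize(line) for line in lines), key=lambda e: e["ts"])

def watchlist_hits(events, iocs):
    """Flag events that touch any indicator from the prior incident."""
    hits = []
    for e in events:
        reasons = []
        if e["dst_ip"] in iocs["ips"]:
            reasons.append(f"dst_ip={e['dst_ip']}")
        if e["domain"] in iocs["domains"]:
            reasons.append(f"domain={e['domain']}")
        if e["user"] in iocs["accounts"]:
            reasons.append(f"user={e['user']}")
        if reasons:
            hits.append((e["ts"].isoformat(), e["source"], ", ".join(reasons)))
    return hits

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS)
    for ts, source, why in watchlist_hits(timeline, PRIOR_INCIDENT_IOCS):
        print(f"{ts} {source:<9} prior-incident indicator seen: {why}")
```

In a real deployment the parsers would be the SIEM's connectors and the watchlist would be maintained as a lookup table; the point of the script is that once every source is normalized into the same fields, a single rule can watch all of them for the prior incident's indicators.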
Communicating across the organization is important for the proper implementation of new
security policies.
The functions and duties of all stakeholders are clearly set out. Businesses, and each
individual employee in particular, must have a clear understanding of the tasks to be
performed in the event of an incident, and adequate steps must be taken to minimize the
impact and prevent the loss of confidential data.
The IR plan should not be confined to the IT or security department. The IR plan is
successful only if both the technical and non-technical teams, such as Legal, Compliance,
Human Resources, Public Relations, etc., are dedicated to it and participate in its
implementation. Take the time to establish internal and external staff relationships.
Establish a system for incident classification so that you can properly prioritize incident
response tasks. For future remediation purposes, classification will also help you extract
meaningful metrics such as type, severity, attack vector, effects, and root cause.
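As an added example (not from the original document) of such a classification system, the following Python sketch models an incident ticket carrying the fields the text names, derives a priority from them so the response queue can be ordered, and aggregates closed tickets into the metrics the text says classification should yield. The severity weights, the priority rule and the sample tickets are assumptions constructed for the example, not an established standard.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean

# Constructed severity weights (an assumption for the example, not an organizational standard).
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Incident:
    """One ticket, carrying the classification fields the text lists as useful metrics."""
    ticket_id: str
    opened_at: datetime
    incident_type: str        # type of incident: malware, phishing, credential abuse, ...
    severity: str             # low / medium / high / critical
    attack_vector: str        # how the attacker got in
    affected_assets: list     # hosts or accounts in scope
    sensitive_data: bool = False   # does the effect include exposure of confidential data?
    effects: str = ""
    root_cause: str = "undetermined"
    closed_at: datetime = None
    notes: list = field(default_factory=list)

def classify_priority(inc):
    """Hypothetical priority rule: severity weight, bumped for broad scope and sensitive data."""
    score = SEVERITY_SCORE[inc.severity]
    if len(inc.affected_assets) >= 5:
        score += 1
    if inc.sensitive_data:
        score += 1
    return "P1" if score >= 5 else "P2" if score == 4 else "P3" if score == 3 else "P4"

def triage_order(incidents):
    """Highest priority first; ties broken by age so older tickets are not starved."""
    rank = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}
    return sorted(incidents, key=lambda i: (rank[classify_priority(i)], i.opened_at))

def metrics(incidents):
    """The after-the-fact numbers the text mentions: breakdown by type, severity, vector, cause."""
    closed = [i for i in incidents if i.closed_at is not None]
    hours = [(i.closed_at - i.opened_at).total_seconds() / 3600 for i in closed]
    return {
        "by_type": dict(Counter(i.incident_type for i in incidents)),
        "by_severity": dict(Counter(i.severity for i in incidents)),
        "by_vector": dict(Counter(i.attack_vector for i in incidents)),
        "root_causes": dict(Counter(i.root_cause for i in closed)),
        "open": len(incidents) - len(closed),
        "mean_hours_to_close": round(mean(hours), 1) if hours else None,
    }

# Constructed sample tickets (fictional).
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2024, 3, 1, 10, 0), "malware", "high", "phishing email",
             ["WS-0042"], effects="one workstation infected",
             root_cause="malicious attachment opened", closed_at=datetime(2024, 3, 1, 18, 0)),
    Incident("INC-002", datetime(2024, 3, 2, 9, 0), "credential abuse", "critical",
             "stolen credentials", ["WS-0042", "WS-0051", "FS-01", "FS-02", "DC-01"],
             sensitive_data=True, effects="lateral movement to file servers",
             root_cause="password reuse", closed_at=datetime(2024, 3, 3, 9, 0)),
    Incident("INC-003", datetime(2024, 3, 4, 14, 30), "phishing", "medium", "phishing email",
             ["mail user"]),
    Incident("INC-004", datetime(2024, 3, 4, 15, 0), "web attack", "high",
             "public web application", ["WEB-01"], sensitive_data=True),
]

if __name__ == "__main__":
    for inc in triage_order(SAMPLE_INCIDENTS):
        print(classify_priority(inc), inc.ticket_id, inc.incident_type, inc.severity)
    print(metrics(SAMPLE_INCIDENTS))
```

Whatever scoring rule an organization adopts, the value of fixing it in advance is that the ticket opened under "c. Alert" gets a priority everyone agrees on, and the root-cause and time-to-close figures fall out of the same records during post-incident review.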
Finally, the IR strategy should be aligned with the organization's goals. Identify what
matters most to the organization and weave those priorities into the IR activities.
For instance, if critical medical devices are under attack, ensuring the safety of patients is
your first priority during the investigation. If you are a manufacturer and your production
line is interrupted, then resuming operations is your top priority.
When there is an incident in your organization, it is easy to get stressed, and this
can lead to making rash decisions in haste. This is the worst thing you can do during a
security incident.
Many times, individuals make these rash decisions and do not realize their adverse
effect until the issue they were initially attempting to control worsens.
1. Do Not Panic
This is the hardest thing to do during an incident. You want to keep calm, and having an IR
strategy will help you do just that. An IR plan gives you a pre-planned direction that
explains the best course of action to take during an incident. To ensure that the protocols are
thorough and specific, it is extremely important to establish a strong plan before an incident
occurs.
By shutting a system down, you could lose volatile data containing significant forensic
information. This information can be vital in establishing the timeline of what occurred.
That timeline will also tell you what data was actually stolen, so that you can select the best
way to deal with the stolen data.
Being selective about the audiences you communicate with about an incident that has just
begun to unfold is critical. It is best to share information about the breach only with those
who really need to know; otherwise the situation could get worse.
Threat actors are eagerly waiting for a user with enterprise-wide access to log in so that they
can capture the password and obtain maximum control over the environment. Logging in
with admin credentials may give an attacker an easier way to access your confidential
information.
This will overwrite the timeline information associated with the attack in the Master File
Table. Again, it is imperative not to tamper with the timeline so that you can follow exactly
what occurred during the incident.
Instead of making hasty decisions during an incident, individuals should take several
actions to mitigate and repair the incident. It is incredibly helpful to collect as much data
as possible about the incident while containing it.
1. Use forensic tools to extract volatile data and other essential objects from the device.
Forensic tools are capable of connecting to the system without altering any timestamps on
the computer.
Check the web for details from your initial incident report about specific
MD5 hashes, IP addresses, and domains. You are trying to find out what the likely infection
is or what kind of malware might be on the system.
MD5 is a common cryptographic hash function created by Rivest that is used to construct a
message digest for a digital signature (www.pcmag.com).
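The steps just described, pulling the MD5 hashes, IP addresses and domains out of the initial report, computing file hashes without disturbing the evidence, and looking the indicators up, as an added Python example that is not part of the original document. The regular expressions, the threat-intelligence feed and the incident notes are constructed for the example; the one real value is the well-known MD5/SHA-256 digest of an empty file, used so the script can check itself.

```python
import hashlib
import os
import re
import tempfile

# Patterns for the indicator types the text names (constructed for the example).
MD5_RE = re.compile(r"\b[a-fA-F0-9]{32}\b")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Dotted file names look like domains to DOMAIN_RE; drop the common ones.
FILE_EXTENSIONS = {"exe", "dll", "bin", "zip", "doc", "docx", "pdf", "xls", "xlsx", "js", "ps1"}

def extract_indicators(text):
    """Pull MD5 hashes, IPv4 addresses and domains out of free-text incident notes."""
    domains = {d.lower() for d in DOMAIN_RE.findall(text)
               if d.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS}
    return {
        "md5": {m.lower() for m in MD5_RE.findall(text)},
        "ipv4": set(IPV4_RE.findall(text)),
        "domain": domains,
    }

def hash_file(path, chunk_size=1 << 16):
    """Hash a file by streaming it; reading leaves the modification time (mtime) untouched."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    st = os.stat(path)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "size": st.st_size, "mtime": st.st_mtime}

def match_indicators(indicators, feed):
    """Compare extracted indicators with a local feed; returns (type, value, label) per hit."""
    hits = []
    for kind, values in indicators.items():
        for value in sorted(values):
            if value in feed.get(kind, {}):
                hits.append((kind, value, feed[kind][value]))
    return hits

# Constructed threat-intelligence feed. The MD5 entry is the known digest of an empty file so
# the example can verify its own hashing; the other entries are fictional.
CONSTRUCTED_FEED = {
    "md5": {"d41d8cd98f00b204e9800998ecf8427e": "empty file (constructed test entry)"},
    "ipv4": {"203.0.113.77": "C2 address from prior incident (constructed)"},
    "domain": {"updates-cdn.example.net": "download host from prior incident (constructed)"},
}

# Constructed initial incident notes, as an analyst might have typed them into the ticket.
INITIAL_REPORT = (
    "User on WS-0042 opened invoice.pdf from a phishing mail. Attachment MD5 "
    "D41D8CD98F00B204E9800998ECF8427E. Host 10.0.5.23 then connected to 203.0.113.77 "
    "and resolved updates-cdn.example.net."
)

def self_check():
    """Hash a freshly created empty file and confirm it matches the feed's known-empty entry."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        digest = hash_file(path)
    finally:
        os.unlink(path)
    return (digest["md5"] in CONSTRUCTED_FEED["md5"]
            and digest["sha256"] == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")

if __name__ == "__main__":
    found = extract_indicators(INITIAL_REPORT)
    for kind, value, label in match_indicators(found, CONSTRUCTED_FEED):
        print(f"{kind:6} {value:<40} -> {label}")
    print("self-check passed:", self_check())
```

Hashing is deliberately done against a copy or image rather than by opening files in ways that rewrite metadata; the script records the file's mtime beside the digests so the evidence's own timeline travels with the indicator. Any IP or domain hits can feed the egress-blocking requests described under containment.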
These may include Windows Events, Proxy, Netflow, Anti-Virus, firewall, etc. It is vital to
tell the story at both the network and the endpoint level.