Incident Response Fundamentals

Computer Incident Response is the phase that begins once an organization has identified a potential intrusion into its systems, either through security products or during threat hunting. The IR team can involve the in-house IT team, consultants, business partners, law enforcement, public relations, and others.

Incident Response is where both the business and technical teams must agree on the set of actions they are going to take. One example is the decision to shut down a specific server on which malware has been identified in order to prevent further infection and damage to the organization. This action requires agreement on both the technical and the business risk, because a poorly planned action can hurt the business badly, and if it goes wrong the consequences fall on everyone involved.

An incident in the organization is inevitable. That is why planning for it, whether or not an incident ever happens, must be a best practice. There is a powerful quote that states:

“It’s better to be a warrior in the garden than a gardener in war.”

There are tools that help to arm the organization for this event. These are Incident Response playbooks, which contain a set of guided actions that answer the question “What do we do?” when an incident happens.

 NIST Cybersecurity Framework

Identify

This phase fosters an understanding within the organization of how to manage cybersecurity risk to systems, people, assets, data, and capabilities.

This takes the form of identifying the following:

      • Critical Assets
      • Business Workflow
      • Hardware/Software assets monitoring

One way of protecting the organization is by having a clear understanding and a bird’s-eye view of the business infrastructure itself.

Protect

This phase develops and implements appropriate safeguards to ensure the delivery of critical services.

This takes the form of the following:

      • Security Products
      • User Awareness Training
      • Identity Management and User Access Controls
      • Policies and Procedures

Identifying the business infrastructure alone will not ensure security, but combining that bird’s-eye view of everything in the organization with proper security controls can help reduce the likelihood of an intrusion. This phase can take time depending on the budget, cost, and the skills of the people implementing the controls.

One way to protect the organization is through layered defense, or Defense-in-Depth. It combines controls ranging from security products to targeted user awareness training to policies and procedures.

Detect

This phase develops and implements appropriate activities to identify the occurrence of a cybersecurity event.

This takes the form of the following:

      • A baseline that gives a clear understanding of what normal looks like
      • SIEM log management and retention
      • Security products such as IDS/IPS, DLP, WAF, and firewalls

In this phase, we rely on the proper tuning of tools and the skills of the people tasked with doing this job. There are known barriers to implementing this phase properly, such as budget and the skills of the people who are currently monitoring and who must be able to detect anomalies. In short, lack of training.

Respond

This phase develops and implements activities to take action regarding a detected cybersecurity incident.

This takes the form of the following:

      • Communication for both technical and business needs.
      • Policies and Procedures and Incident Response Playbooks.
      • Gathering the right people for investigation.

During this stage, people on both sides should communicate clearly about how to handle the incident and what risks the organization is willing to take to resolve the problem.

There are some barriers that prevent the organization from performing well in this stage; for example, lack of asset monitoring; not having a clear definition of what normal looks like; limited technical skills of the people operating on the security side; lack of communication; and having no policies, procedures, or IR playbook to use during this phase.

Recover

This phase develops and implements appropriate activities to maintain plans for resilience and to restore capabilities or services that were impaired due to a cybersecurity incident.

This takes the form of the following:

      • Recovery planning
      • Continuous improvement
      • Lessons learned
      • Communication

In this phase, the organization has mitigated the threat and is now on its way to learning from the incident and improving its security posture based on what it learned from that event.

 Incident Response Framework

Preparation

This phase involves establishing an incident response capability so that the organization is ready to respond to incidents, and also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.

This takes the form of the following:

      • Baseline to detect anomalies
      • Policies and Procedures like user access and security controls
      • Asset Management and Monitoring
      • Security Tools Deployment
      • Event and Network baseline and retention
      • Open/closed ports on critical assets
      • Documentation of Organization’s Infrastructure
      • Incident Response Playbooks
      • Vulnerability Assessment Reports

In this phase, preparation plays a fundamental role in the success of incident response programs.

Preparation is a crucial part of the Incident Response framework: making sure that you have enough resources available when an incident occurs, that there is a bird’s-eye view of your endpoints, that blind spots on your network are patched, and that important logs are fully covered on the endpoints, especially on critical systems.

Establishing such a baseline of the assets is a good start for preparing the organization for future incidents. Preparation is also a continuous activity that needs improvement from time to time, because what works now might not work later.

Detection and Analysis

For many organizations, the most challenging part of the incident response process is accurately detecting and assessing possible incidents. This phase determines whether an incident has occurred and, if so, the type, extent, and magnitude of the problem.

Sources for detecting an anomaly include the following:

      • A baseline that gives a clear understanding of what normal looks like
      • SIEM log management and retention
      • Security products such as IDS/IPS, DLP, WAF, and firewalls
      • Anti-virus scanner logs
      • File integrity checker tools
      • Blacklisting/whitelisting logs
      • Network packet logs such as NetFlow
      • Threat intelligence reports, both commercial and publicly released
      • User awareness of possible phishing emails

This phase is a continuous monitoring phase because an intrusion can happen at any time. There are known barriers to implementing this phase properly, such as budget and the skills of the people who are currently monitoring and who must be able to detect anomalies. In short, lack of training.
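Both the Detect function above and this Detection and Analysis phase rest on the same idea: a recorded baseline of what normal looks like, against which current state is compared. The following added example (not code from the original page) shows one practical form of that for a critical asset: a baseline of monitored file hashes and listening ports, taken during Preparation, is diffed against a later snapshot and every deviation is emitted as a finding that could be forwarded to a SIEM. The file paths, hash values, and port numbers in the sample data are constructed for illustration.

```python
import hashlib
from pathlib import Path
from typing import Iterable


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths: Iterable[str], listening_ports: Iterable[int]) -> dict:
    """Record the state of a critical asset: hashes of monitored files and open ports."""
    return {
        "files": {p: sha256_of(Path(p)) for p in paths if Path(p).is_file()},
        "ports": sorted(set(listening_ports)),
    }


def compare_to_baseline(baseline: dict, current: dict) -> list[dict]:
    """Report every way `current` deviates from the recorded baseline.

    Each finding is a small dict with a `kind` and the item involved, so it can be
    forwarded to a SIEM or attached to a playbook step without further parsing.
    """
    findings = []
    base_files, cur_files = baseline["files"], current["files"]
    for path, digest in base_files.items():
        if path not in cur_files:
            findings.append({"kind": "file_missing", "path": path})
        elif cur_files[path] != digest:
            findings.append({"kind": "file_modified", "path": path})
    for path in sorted(cur_files.keys() - base_files.keys()):
        findings.append({"kind": "file_unexpected", "path": path})
    base_ports, cur_ports = set(baseline["ports"]), set(current["ports"])
    for port in sorted(cur_ports - base_ports):
        findings.append({"kind": "port_unexpected", "port": port})
    for port in sorted(base_ports - cur_ports):
        # An expected service no longer listening is also a deviation worth a ticket.
        findings.append({"kind": "port_closed", "port": port})
    return findings


# Constructed sample data: a baseline taken during Preparation and a later check.
BASELINE = {"files": {"/etc/ssh/sshd_config": "a" * 64, "/usr/sbin/sshd": "b" * 64},
            "ports": [22, 443]}
CURRENT = {"files": {"/etc/ssh/sshd_config": "c" * 64, "/usr/sbin/sshd": "b" * 64,
                     "/usr/local/bin/unknown": "d" * 64},
           "ports": [22, 443, 8081]}

if __name__ == "__main__":
    for finding in compare_to_baseline(BASELINE, CURRENT):
        print(finding)
```

In real use `snapshot()` is run against the asset's actual monitored paths and the output of a socket listing, and the baseline is stored somewhere the monitored host cannot modify.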

Containment, Eradication, and Recovery

In this phase, containment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so it is an important consideration early in the handling of each incident. Containment provides time for developing a tailored remediation strategy.

Essential containment actions include the following:

      • Shut down a system
      • Network segmentation
      • Close malicious ports

Such decisions are much easier to make if there are predetermined strategies and procedures ready at hand, such as Incident Response Playbooks; for example, an organization’s custom IR playbooks for malware, phishing, and DDoS. Organizations should create a separate containment strategy for each major incident type, with criteria documented clearly to facilitate decision making.

Eradication and Recovery should be done in a phased approach so that remediation steps are prioritized. For large-scale businesses, recovery may take months; the intent of the early phases should be to increase the overall security with relatively quick high-value changes to prevent future incidents.

Post-Incident Activity

This phase, learning and improving, is one of the most important parts of incident response and also the one most often omitted. Each incident response team should evolve to reflect new threats, improved technology, and lessons learned. Holding a “lessons learned” meeting with all involved parties after a major incident, and optionally periodically after lesser incidents as resources permit, can be extremely helpful in improving security measures and the incident handling process itself.

Multiple incidents can be covered in a single lessons learned meeting. This meeting provides a chance to achieve closure with respect to an incident by reviewing what occurred, what was done to intervene, and how well the intervention worked. The meeting should be held within several days of the end of the incident.

Questions to be answered in the meeting include:

      • What exactly happened, and at what times?
      • How well did the staff perform during the incident? Were the documented procedures followed? Were they effective?
      • What information was needed sooner?
      • Were any steps or actions taken that might have inhibited the recovery?
      • What would the staff and management do differently the next time a similar incident occurs?
      • How could information sharing with other organizations have been improved?
      • What corrective actions can prevent similar incidents in the future?
      • What indicators should be watched for in the future to detect similar incidents?
      • What additional tools or resources are needed to detect, analyze, and mitigate future incidents?

This phase ensures that the organization has learned from the previous incident and ensures that the lesson learned from the incident will improve the posture of both management leadership and the organization’s structure.