🟦
LSWSec-Defensive
  • LSWSec - Defensive Security Notes
  • General
    • Tool List
  • Threat Intelligence
    • Introduction
    • Threat Actors and APTs
    • Operational Threat Intelligence
    • Tactical Threat Intelligence
    • Strategic Threat Intelligence
    • Malware and Global Campaigns
  • Phishing
    • Introduction
    • Investigating a Phishing Email
    • Analysing
    • Defensive Action
    • Reactive Measures
    • Report Writing
  • Digital Forensics
    • Introduction
    • Digital Evidence and Handling
    • Memory, Pagefile and Hibernation file
    • Digital Evidence Collection
    • Windows Investigation
    • Linux Investigations
    • Volatility
    • Autopsy
    • Windows Commands
      • Network Discovery
      • DHCP
      • DNS
  • SIEM
    • Introduction
    • Logging
    • Correlation
  • Incident Response
    • Introduction
    • Preperation
    • Detection & Analysis
    • Containment, Eradication and Recovery
    • reporting
    • MITRE Att&ck
  • Event Viewer
    • event Summary
    • Event ID: 4648
    • Event ID: 4776
    • Event ID: 4673
    • Event ID: 4625
Powered by GitBook
On this page
  • Events vs Incidents
  • NIST I.R Lifecycle
  • CSIRTS and CERTS
  1. Incident Response

Introduction

Incident response is the methodology an organization uses to respond to and manage a cyber attack.

  • Benefits wider business by reducing the impact of successful attacks and allowing business operations to remain as uninterrupted as possible.

  • Companies can suffer due to data breaches so it is important to have a good incident response strategy

  • Uber was fined £385000, Equifax £500000, Marriott £99 Million and British Airways £183 Million.

  • Smaller companies may close or change how they operate due to this.

  • Incident response is not just about data breaches but any IT or data incident which could pose a risk to the company.

Events vs Incidents

  • all security incidents are security events, but not all events become incidents.

  • A security event is anything that could have security implications.

  • These could include: Spam, vulnerability scans, reconnaissance scans, an explained anomaly, a user downloading software or a brute force attack.

  • A security incident is an event which has resulted in damage to the organization.

  • Spam email - if it contains malware which is used this would be a security incident

  • If a actor exploits a vulnerability after a scan this is a incident

  • An unexplained anomaly is classed as an incident until is has been properly scoped

  • A user downloads software, this turns out to be malware, this will then be an incident

  • A successful brute force attack is also an incident, an unsuccessful one is an event.

NIST I.R Lifecycle

  • Procedure of handling incidents.

  • Split into: preparation, detection and analysis, containment eradication and recovery and post incident activity.

Preparation

Activities for preparing for incidents:

  • Contact information for stakeholders

  • War room for central communication and coordination

  • Documentation

  • Baselines on running systems

  • Equipment which can be used (forensics toolkit)

Activities for preventing incidents

  • Having current risk assessments

  • Utilizing client and server security

  • Having a user awareness and training program

Detection and Analysis

  • Set up SIEM, IDS IPS log monitoring, ect to automatically notify people of anomalies

  • Record baseline information to identify anomalies

  • Responders need to effectively document findings when analyzing the network, as well as prioritize the next steps

  • A plan also needs to be created to outline who needs contacting in the case of an event.

Containment, Eradication and Recovery

  • Contains two sub-phases: containment, eradication & recovery

Containment

  • Should include:

  • Potential damage to and theft of resources

  • Need for evidence preservation

  • Service availability

  • Time and resources needed

  • Effectiveness

  • Duration of the solution

Also important to keep a detailed log of all evidence you find regarding the attack. This could be information used to prevent further tactics or next steps in the attack.

Eradication & recovery

  • Act of returning systems back to normal

  • Rebuilding machines from good backups, deleting malware or resetting credentials.

  • Restoring systems to pre-attack state

  • Eliminating vulnerabilities which were exploited

Meeting

After hold a meeting to address these questions:

  • Exactly what happened and when did it happen?

  • How well did staff and management perform in dealing with the incident?

  • What information was needed sooner?

  • Were any steps or actions taken that might have inhibited the recovery?

  • What would staff and management do differently the next time a similar incident occurs?

  • How could information sharing with other organisations have been improved?

  • What corrective actions can be taken?

  • What indicators should be watched for in the future?

  • What additional tools or resources are needed to mitigate future incidents?

CSIRTS and CERTS

  • Team of specialised people who can respond to incidents.

  • CERT - Cyber Emergency Response Team

  • CSIRT - Cyber Security Incident Response Team

  • Responsible for coordination and responding to IT security incidents.

  • CSIRTs often contain key stakeholders.

  • Have a central communication point for incident information

  • Promote security awareness and training

  • Act as emergency contact for cyber security

  • Investigate new security vulnerabilities

  • Determine MTTR and MDT for company assets

  • Provide useful information to the cybersec community

Public vs Private

  • Cert is usually for teams in countries and csirt is associated with businesses

PreviousCorrelationNextPreperation

Last updated 1 year ago