Incident Response

This entry is part 12 of 2 in the series Digital Forensics and Incident Response


Incident response, also known as incident handling, is a cyber security function that uses various methodologies, tools and techniques to detect and manage adversarial attacks while minimizing impact, recovery time and total operating costs. Addressing attacks requires containing malware infections, identifying and remediating vulnerabilities, as well as sourcing, managing, and deploying technical and non-technical personnel.

  • Event: An observed occurrence within a system or network. Examples range from a user connecting to a file server or sending email to anti-malware software blocking an infection.
  • Incident: A violation of security policies or practices by an adversary intended to harm the organisation through actions such as exfiltrating data, encrypting data with ransomware, or causing a denial of service.

Incident Response: NIST vs SANS framework

NIST treats containment, eradication, and recovery as a single step with multiple components, whereas SANS treats each of them as an independent step.

Incident Response Process

  • Preparation: Ensures that the organisation can react effectively to a breach by following documented procedures.
  • Identification: Deviations from normal operation are noted and assessed to determine whether they are causing adverse effects.
  • Analysis or Scoping: The organisation determines the extent of a security incident, including the affected systems, the type of data at risk, and the potential impact on the organisation.
  • Containment: Damage limitation is paramount; therefore, affected systems are isolated and forensic evidence is preserved.
  • Eradication: Adversarial artefacts are removed and the adversary's techniques are neutralised, restoring affected systems.
  • Recovery & Lessons Learned: Business operations resume fully once all threats have been removed and systems restored to full function. Additionally, the organisation reviews the experience, updates its response capabilities, and conducts updated training based on the incident.

Incident Response Plan

An incident response plan (IRP) is a document that outlines the steps an organisation will take to respond to an incident. The IRP should be the organisation’s Swiss Army knife, comprehensively covering all aspects of the incident response process, roles and responsibilities, communication channels between stakeholders, and metrics to capture the effectiveness of the IR process.

Preparation
