Incident Response (IR) Process
The formal 7-step "playbook" for what to do when (not if) you get breached. (NIST SP 800-61 groups the same steps into four phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity. Same work, different boundaries.)
Prepare, Detect, Analyze, Contain, Eradicate, Recover, Lessons Learned.
(A good way to remember: Please Don't Anger Cats, Even Rabid Lions)
Step 1: Preparation
• When: Before any attack.
• Action: Getting your tools (SIEM, EDR), team (contact and escalation list, defined roles), written playbooks, and training (tabletop exercises) ready.
Step 2 and 3: Detection and Analysis
• When: When the first indicator appears, which is often well after the intrusion actually began.
• Action: An alarm fires (e.g., a SIEM alert) (Detection). You investigate to decide whether it's a real incident or a false positive and, if real, how far it reaches (Analysis).
Step 4: Containment
• When: As soon as you confirm a real attack.
• Action: Stop the bleeding! You isolate the affected systems from the network (e.g., EDR network quarantine, a quarantine VLAN, or pulling the network cable).
• Caveat: Isolate, don't power off. Shutting a machine down destroys volatile evidence (memory, running processes, live network connections) that Analysis and Digital Forensics may need.
• Goal: This does not fix the problem, but it stops the attack from spreading. This is the most urgent step during an attack.
Step 5: Eradication
• When: After the attack is contained.
• Action: Find the root cause of the breach (e.g., an unpatched server, a phished password) and remove the attacker's foothold (e.g., patch the server, delete the malware, reset the compromised credentials, remove any accounts or scheduled tasks the attacker created).
Step 6: Recovery
• When: After the threat is gone.
• Action: Return to normal business (e.g., rebuild or reconnect the now-clean server, restore data from backups taken before the compromise) and watch the restored systems closely for signs of re-infection.
Step 7: Lessons Learned
• When: After the incident is over.
• Action: A formal meeting to ask, "What went wrong? How do we prevent this exact attack from ever happening again?"
• Goal: To improve your Preparation for the next incident.
Threat Hunting
• What it is: Proactively searching for attackers, assuming they are already inside your network and have avoided your automated alerts.
• Analogy: You're not waiting for the alarm; you're actively patrolling the halls looking for an intruder.
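One way to "patrol the halls" in practice is frequency analysis (often called stacking): instead of waiting for an alert, you pull fleet-wide telemetry and look at what almost never happens. The script below is an added example for these notes, not code from the original page. It runs a hunt over constructed process-creation events (the CSV fields host, parent and child are my assumptions about EDR output) with the hypothesis that an attacker who evaded alerting still had to run commands, and an Office document spawning PowerShell is rare on a healthy fleet.

```python
"""Threat hunt by frequency analysis ("stacking") of process-creation events.

Added example for this study page, not code from the original notes. The
hypothesis: an attacker who slipped past alerting still has to run commands,
and an Office app spawning a shell is rare on a normal fleet. The events and
field names below are constructed to mimic EDR telemetry.
"""
from collections import Counter

# Constructed sample telemetry: host,parent_process,child_process (one event per line).
EVENTS = """\
ws01,explorer.exe,chrome.exe
ws01,explorer.exe,outlook.exe
ws01,services.exe,svchost.exe
ws02,explorer.exe,chrome.exe
ws02,explorer.exe,teams.exe
ws02,services.exe,svchost.exe
ws03,explorer.exe,chrome.exe
ws03,outlook.exe,winword.exe
ws03,services.exe,svchost.exe
ws04,explorer.exe,chrome.exe
ws04,outlook.exe,winword.exe
ws04,WINWORD.EXE,powershell.exe
ws05,explorer.exe,outlook.exe
ws05,services.exe,svchost.exe
"""

# Parents that should almost never spawn a shell or script host (assumed lists).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_events(text):
    """Turn the CSV telemetry into (host, parent, child) tuples, case-normalised."""
    rows = []
    for line in text.strip().splitlines():
        host, parent, child = (field.strip().lower() for field in line.split(","))
        rows.append((host, parent, child))
    return rows


def stack(rows):
    """Count how often each parent -> child pair occurs across the whole fleet."""
    return Counter((parent, child) for _, parent, child in rows)


def rare_pairs(counts, max_count=1):
    """The least-frequent pairs are the hunting leads: things seen only once."""
    return sorted(pair for pair, n in counts.items() if n <= max_count)


def office_spawning_shell(rows):
    """Hypothesis-driven check: which hosts had an Office app launch a shell?"""
    return sorted({host for host, parent, child in rows
                   if parent in OFFICE_APPS and child in SHELLS})


def hunt(text=EVENTS):
    """Run both views of the data and return the leads for an analyst to triage."""
    rows = parse_events(text)
    counts = stack(rows)
    return {
        "rare_pairs": rare_pairs(counts),
        "office_shell_hosts": office_spawning_shell(rows),
        "most_common": counts.most_common(1)[0],
    }


if __name__ == "__main__":
    for name, value in hunt().items():
        print(name, value)
```

Note that stacking surfaces teams.exe as well as powershell.exe: rarity produces leads, not verdicts. A hunt hands its leads to Analysis, and a confirmed lead becomes an incident that enters the IR process at Containment.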
Digital Forensics
• What it is: The process of identifying, collecting, preserving and analyzing digital evidence in a way that is admissible in a court of law.
• Goal: To establish exactly what happened and to produce evidence that will stand up if the case is prosecuted. This is slow and methodical. (IR is fast and "stops the bleeding"; the two must be balanced, because a hasty IR action such as powering off a host can destroy evidence.)
Legal Hold
• What it is: An order from the legal department to PRESERVE ALL DATA related to a case.
• Action: You must suspend all automatic deletion (log rotation, email and backup retention policies, auto-purge of endpoint telemetry). Do not delete anything, even if normal policy says it is due to expire.
Chain of Custody
• What it is: A formal document (a logbook) that tracks evidence.
• Purpose: It shows who had the evidence (e.g., a hard drive), when they had it, why they had it, and how it was stored, with the evidence's hash recorded at each hand-off. Together these show the evidence was never out of controlled custody and was not tampered with.
Acquisition (Forensic)
• What it is: The process of making a copy of the evidence.
• Action: You create a bit-for-bit (forensic) image of the hard drive, reading the source through a write-blocker so nothing is ever written to it. You NEVER work on the original evidence; you work on the copy.
• Check: Hash (e.g., SHA-256) the original and the image. Matching hashes prove the image is exact, and the recorded hash lets anyone later re-verify that the image has not changed.
E-Discovery
• What it is: The process of searching through massive amounts of electronic data (emails, documents, databases) to find specific evidence for a legal case.
• Analogy: Finding the "smoking gun" email in a 10-million-email archive.
Simulation
• What it is: A "live-fire" drill.
• Scenario: A "Red Team" (attackers) actually tries to breach the network, and the "Blue Team" (defenders) tries to stop them.
• Goal: To test your real tools and team skills.
Tabletop Exercise
• What it is: A "talk-through" drill.
• Scenario: The IR team sits in a conference room. Someone presents a scenario ("A new ransomware is on our file server. What do we do?").
• Goal: To test your processes and communication, not your tech.