4.8 Incident Response

1. Security Incidents

Dealing with security incidents is a critical responsibility for any security administrator.

  • These incidents can take many forms and strike any organization unexpectedly.

  • A user might unknowingly install malware by clicking on a malicious email attachment.

  • Your network could suffer a distributed denial-of-service (DDoS) attack launched by global botnets, disrupting WAN connectivity.

  • Sensitive data might be stolen and held for ransom under threats of public exposure.

  • In some cases, a user might install unauthorized software that creates a backdoor, allowing external access to internal systems.

Security teams must be ready to handle any of these scenarios.

2. NIST SP800-61

Revision 2, titled the Computer Security Incident Handling Guide, outlines how organizations should handle security incidents.

  • The guide defines a four-phase incident response lifecycle: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.

  • An easy way to remember the order is the phrase: Pizza Delivery Apps Create Easy Routes Logistically.

This lifecycle helps organizations respond systematically and effectively to security issues by preparing ahead of time,

3. Preparing for an Incident

Preparation is crucial before a security incident even occurs.

  • Organizations should maintain an updated communication list to quickly notify the right people.

  • A dedicated incident go bag should be ready, containing laptops with specialized tools, removable media, forensic software, digital imaging, and equipment for capturing photos and videos of the attack.

  • Supporting materials like network diagrams, server documentation, security baselines, and file hashes of critical files help speed up analysis.

  • Most importantly, clear policies and procedures must be in place so everyone knows exactly what to do during an incident.

4. The Challenge of Detection

Detecting a security incident isn’t always straightforward.

  • Multiple systems might be targeted at once.

  • It’s not always obvious from the file system alone if an incident has occurred.

  • Internet-connected systems face constant attacks, so it can be hard to tell whether activity is just background noise or an actual threat.

  • Even something common like a malware infection can be complex to identify.

  • It is essential to have clear policies and procedures in place to guide detection and response efforts.

5. Analysis

Logs often show attempted attacks on your network and can reveal where attacks originate and what methods are used.

  • Web server logs, for instance, are especially useful for spotting vulnerability scans, since the scan requests are recorded there.

  • Keeping track of patch release schedules, such as Microsoft's, helps identify unpatched systems and spot related attack attempts.

  • Attackers may even reach out directly, which, while uncommon, is not unheard of in hacking circles.

6. Know When an Attack Occurs

Your network monitoring tools can alert you to signs of an active attack.

  • An intrusion prevention system might detect a buffer overflow attempt.

  • Antivirus software could flag malware on a workstation.

  • If an attacker gains access and alters security settings, proper monitoring should alert you to those changes.

  • A sudden spike in network traffic might also indicate data exfiltration in progress.

7. Isolation & Containment

When an attack is detected, it's crucial to act immediately; waiting could allow the incident to spread further.

  • Sandboxes, which are isolated environments, are useful for safely running suspicious files like malware to observe their behavior.

  • Some malware can detect sandbox environments or virtual machines and may self-delete or alter behavior to avoid detection.

8. Recovery After An Incident

After an incident is contained, focus on removing malicious software and restoring systems to a clean, secure state.

  • This may involve reimaging machines, disabling compromised or unauthorized accounts, and fixing exploited vulnerabilities.

  • Known-good backups or original installation media can be used to restore systems.

  • The main goal is to eliminate any attacker presence and secure the environment against future access.

9. Lessons Learned

After an incident, it's important to hold a post-incident meeting to reflect on what happened and how to improve future responses.

  • The meeting should happen soon after the incident, while details are still fresh.

  • It allows everyone involved to share their experiences, identify gaps, and develop better strategies for handling similar events in the future.

10. Answer The Tough Questions

During the post-incident review, it's important to ask hard questions:

  • What exactly happened? What was the full timeline? Did our response plan work effectively?

  • Reviewing the documentation helps determine if the chosen actions were appropriate.

  • This allows us to identify improvements for future responses and update our incident-handling procedures.

  • The review should also assess whether any warning signs were missed and adjust monitoring to better detect similar threats in the future.

11. Training For An Incident

Effective incident response requires thorough planning and training before any incident occurs.

  • On-the-job training during a live incident is not practical.

  • Comprehensive documentation must be created and regularly tested so everyone understands their roles and actions during an incident.

  • This includes knowing how to respond initially, conduct investigations, and report on the incident.

  • Although this training can be costly, especially in large organizations with multiple response teams, the investment often saves significant resources and reduces damage when a major incident happens.