Incident Handling and Response (IH&R) Process
Provides a focused and structured approach for restoring normal business operations as quickly as possible with minimal impact after an incident.
Who initiates the IH&R processes?
The IH&R development project team, executive manager, head of the infosec department or any other person designated by management.
Purpose of IH&R process?
・Protect networks and systems
・Ensure timely incident handling
・Ensure the gathering of appropriate information
・Identify false positives
・Efficiently use resources
・Address legal issues
・Comply with local, national, and international guidelines
・Train and protect personnel
・Develop comprehensive documentation
What is the process flow of IH&R?
1) Preparation
2) Incident Recording and Assignment
3) Incident Triage
4) Notification
5) Containment
6) Evidence Gathering and Forensic Analysis
7) Eradication
8) Recovery
9) Post-Incident Activities
What tasks occur under Post-Incident Activities?
・Incident Documentation
・Incident Impact Assessment
・Policy review and Revision
・Closing the Investigation
・Incident Disclosure
Who authorizes the execution of the IH&R process?
Management, stakeholders, and other authorized personnel.
Components of IH&R that incur cost?
・IH&R team staffing
・IH&R toolkits including software and hardware
・Communication systems
・Space requirements
・Transportation
・Fees for third-party assistance
・Power and environmental controls
・Forensic investigation
IH&R Plan
Refers to a set of instructions the IR team needs to follow to minimize the damage caused by an incident, efficiently use resources, and reduce its response duration.
Considerations for IH&R Policies?
・Statement of management commitment to IH&R plan
・Policy purpose and objectives
・Policy scope
・Definition of security incidents and their consequences within the context of the organization.
・Organizational structure and delineation of roles, responsibilities, and levels of authority.
・Guidelines for prioritizing incidents or assigning severity levels.
・Performance measures and proper project management and time management details.
・Reporting guidelines.
・Guidelines for communication within and outside of the organization.
IH&R Procedures
Also referred to as standard operating procedures (SOPs), provide detailed step-by-step processes for implementing an IH&R plan and policy. Defines roles and responsibilities of the incident handling team in the event of an attack to avoid confusion, minimize damages, and reduce response time.
CAT 0
Exercise / Network Defense Testing
CAT 1
Unauthorized access.
Reporting Timeframe: Within one (1) hour of discovery/detection.
CAT 2
Denial of service (DoS)
Reporting Timeframe: Within two (2) hours of discovery/detection if the attack is ongoing.
CAT 3
Malicious code
Reporting Timeframe: Within one (1) hour of discovery/detection.
CAT 4
Inappropriate usage
Reporting Timeframe: Weekly
CAT 5
Scans/Probes/Attempted Access
Reporting Timeframe: If the system is classified, report within one (1) hour of discovery.
CAT 6
Investigation
Depends on agency's classification and categorization.
Steps for building an IH&R Team
1) Design IH&R Team Development Plan
2) Set Expectations
3) Define IH&R Team Vision
4) Communicate the IH&R Team Vision
5) Start Building IH&R Team
6) Announce the IH&R Team
7) Evaluate IH&R Team Effectiveness
IH&R Team Models
・Centralized IR Team
・Distributed IR Teams
・Coordination Teams
IH&R Team Staffing
・Employees
・Partially Outsourced
・Fully Outsourced
IH&R Team Selection Factors
・Needed availability
・Resource availability
・Full-time vs. part-time team members
・Employee morale
・Cost/budget
・Staff expertise
・Organizational structure
What should be included in an IH&R toolkit?
・Computers with appropriate software tools
・Up-to-date operating systems and patches
・Basic networking equipment and cables
・Application media
・Blank media to store evidence or extract images from victim devices
・Write-protected backup devices
IH&R Software Requirements
・OS such as Windows 10, Windows Server 2016, Linux/Unix/Mac OS X
・Installed drivers for all the hardware
・Forensics software such as EnCase
・Imaging tools such as R-Drive Image
・Programming language applications
・Graphics tools
・Specialized viewers
・Hashing tools
・File Recovery Programs
・Encryption Decoding Software
・Password Cracking Software
・Miscellaneous Software
Considerations for setting up a Computer Forensics Lab (CFL)
・Planning and budgeting
・Physical location and structural design considerations
・Work area considerations
・Human resource considerations
・Physical security recommendations
・Forensics lab licensing
What organizational resources should be audited before implementing IH&R capabilities?
・Security auditing
・Vulnerability assessment
・Threat analysis
・Risk management
・Cyber trend analysis / threat intelligence
Security policy
Depicts the basic architecture of the computer's security environment.
Security procedures
SOPs for dealing with various types of attacks. Should be detailed to assist with minimizing error, cost and damage to assets.
Security awareness
Training and awareness for IH&R team.
Access Controls
Ensure that only selected or eligible employees have access to sensitive data, critical devices, and other necessary resources required to accomplish the assigned tasks.
Real-Time Offsite Backup
A real-time offsite backup stores data in a location away from the original site for safekeeping in the event of a disaster.
Scheduled Backup
Scheduled backups consistently save data based on a user's requirements.
Unlimited space
The strategy should ensure that unlimited space is available to back up large amounts of data.
Data Availability
The strategy must make data available at any time to ensure the retrieval and recovery of lost data.
Incident handlers should consider what requirements for offsite backup?
・In real time and created far offsite
・Must fit the user's requirements
・Should provide alerts, daily status updates and other useful notifications
・Unlimited space for storing large amounts of data
・High availability so data can be retrieved at any time
・Should encrypt data in transit
・Data provider must guarantee data safety
Factors to consider when choosing cyberinsurance:
・Risks faced by the organization
・Policy requirements
・What type and extent of coverage the policy offers
・What the policy includes and excludes
GPMC
Group Policy Management Console. In Windows OS, it is a scriptable interface for viewing and editing the settings of all Group Policy Objects (GPOs), domains, and sites related to an organization.
Important considerations for the Incident Escalation Procedures for Employees?
・Allow victims, customers, clients, and other people to easily report an incident.
・Enable the incident handler to assign tasks to team members, verify the process followed, obtain reports about progress, and suggest methods.
・Allow the incident responders to discuss the steps, communicate the response results, and provide result data with proper evidence.
・Communicate the result and report it to management and stakeholders.
What are the advantages of using a ticketing system?
・Automatically generates tickets upon discovering suspicious patterns from a firewall, IDS, and/or SIEM
・Systematically collects details about an incident
・Helps in assigning priority to incidents based on the compromised system, type of incident, and so on
・Alerts the responsible persons and automatically distributes tasks
・Stores details of the incidents, solutions, and results
・Helps to create a chain of custody and documents for reports
・Ensures proper and timely IR
・Stores details of costs incurred in the IR process
What are the three main steps of Incident Triage?
1) Incident Analysis and Validation
2) Incident Classification (type of incident)
3) Incident Prioritization (high, medium, or low)
What are some of the steps used in Incident Analysis?
・Log Analysis (IDPS, firewall, application, router logs)
・Event Correlation
・Network and System Profiling (changes in baseline or integrity of files)
What factors are used in Incident Classification?
・Nature of the incident
・Criticality of the systems impacted
・Number of systems impacted
・Legal and regulatory requirements
・Severity
・Affected resources
・Attack methodology
What factors are used in Incident Prioritization?
・Potential technical impact
・Critical nature of the affected resources
・Potential business impact
What are the 3 prioritization levels and their response time frames?
1) Low-level. Least harmful, nominal threat. It is essential to address these incidents as they can escalate to a higher-level incident.
2) Middle-level. More severe incidents that pose severe threats to the organization. Incidents should be addressed within a few hours of occurrence.
3) High-level. Most severe incidents that can threaten the business operations. Require immediate attention.
What factors should be considered in prioritizing incidents?
・Impact on business functionality
・Sensitivity of the affected information
・Ability to manage and recover
Best practices for incident classification and prioritization?
・Focus on high-priority security concerns first.
・Prioritize recommendations for mitigating risks to applications.
・Develop strategies to achieve short-term and long-term security postures.
・Decide on the required resources which must be available to maintain a consistent level of information security.
What is the Notification Process?
1) Notify management
2) Notify the required stakeholders.
3) Contact external agencies.
4) Plan for Incident Handling.
What factors affect the resources required to investigate an incident?
・Forensic duplication of related computer systems.
・Criminal referral
・Civil litigation
Who are important contacts to have recorded in the event of notification?
・CEO
・CTO
・CIO
・CISO
・Other IT teams in the org
・Owners of the victim systems and administrators
・Public affairs
・Legal departments
Internal communications methods used during IH&R
・Secure Communication Channels
・Out-of-Band Communication Channels
Common techniques used in the containment phase
・Disabling of Specific System Services
・Changing of Passwords and Disabling of Accounts
・Complete Backups of the Infected System
・Temporary Shutdown of the Compromised System
・System Restoration
・Maintaining a Low Profile
What are the steps of Evidence Gathering and Forensic Analysis?
1) Collect Evidence
2) Create a Chain of Custody Document
3) Analyze the Evidence
4) Create a Forensic Investigation Report
5) Management Receives Investigation Report
6) Law enforcement or 3rd Party Investigators
7) Close the Investigation
What is the process of collecting evidence?
・Identification of target resources, networks, and connected resources.
・Securing and documenting the crime scene.
・Extracting fragile and volatile evidence.
・Secure handling, packaging, and transportation of the evidence devices.
・Extracting static evidence stored as media and other resources.
What are some of the considerations in Evidence Handling?
・Backing up all affected systems for further investigation and recovery
・Store all backups in a physically secure location and protect the collected evidence from physical or logical damage
・Ensure only authorized individuals have access to backup
・Maintain a well-documented Chain of Custody
What are the steps in Eradication?
1) Determine the Cause of the Incident
2) Eliminate the Cause
3) Verify if the Issue exists in similar systems
4) Resolve and Patch the Issue
5) Start Recovery Processes
What are the countermeasures to include in removing the root cause of the incident?
・Update AV software
・Install latest patches
・Policy compliance Checks
・Independent Security Audits
・Disable unnecessary services
・Update security policies and procedures
・Change passwords of compromised systems
・Reinstall compromised systems
What are the steps for the Recovery Process?
・Eliminate the Cause of the Incident
・Is Data Lost? (if yes)
・Recover Data from Backup
・Restart Services and Processes
What is the process for Post-Incident Activities?
・Incident Documentation
・Incident Impact Assessment
・Review and Revise Policies
・Close the Investigation
・Incident Disclosure
What are some important considerations for Incident Documentation?
・Concise and Clear
・Written in a Standard Format
・Reviewed by Editors
・Should capture a full description of the breach: who handled the incident, when the incident was handled, reasons behind the occurrence, etc.
What items should the impact assessment address?
・Financial losses
・Legal costs
・Costs pertaining to the incident
・Losses and costs related to system downtime
・Implementation costs
・Costs related to repairing and replacing damaged systems
・Costs related to the damage of goodwill, customer trust and reputation
After the incident, what should be reviewed and revised?
Policies, procedures, preparation and protection.
Discussion on the incident, what can be learned, how it can be avoided, etc.
Disclosure should be made to which possible interested parties?
・Law enforcement
・Regional Judiciary
・Regulatory authorities
・Media
・Stakeholders
・Stockholders
・Breach victims
・Vendors
・Customers
・General Public
・Third parties
・Other CERTs/CSIRTs
What sensitive information about an incident should not be disclosed?
・Sensitive information
・Unpatched vulnerabilities
・Nation-state sponsored incident
・Chaos-creating information
・Business impact information