2. Incident Response

Incident Terminology

Vocab 1

Breach: Loss of control, compromise, disclosure, acquisition, occurrence

• Unauth user accesses PII; for other purpose NIST SP 800-53 Rev. 5

Event: An observable occurrence in a network/sys NIST SP 800-61 Rev 2

Intrusion: Intruder gains access without auth IETF RFC 4949 Ver 2

Threat: Any event with potential to impact op NIST SP 800-30 Rev 1

Vocab 2

Exploit: Particular attack that goes after weaknesses

Incident: An event that jeopardizes CIA of system, processes

Vulnerability: Weakness exploited by a threat NIST SP 800-30 Rev 1

Zero Day: Previously unknown vulnerability

Goal of Incident Response

Reducing impact of incidents so orgs can resume operations as soon as possible Components of an Incident Response Plan

Preparation

ID critical data, systems, points of failure, approved by mgmt

1. Train staff and implement IR team

2. Practice First Response: Incident ID and ID roles/responsibilities

3. Plan coordination of communication between stakeholders

4. Consider primary method of contact may not be available

Detection/Analysis

Monitor all possible attack vectors, analyze incidents

Use known data/threat intel, prioritize IR and standardize documentation

Containment

Gather evidence, identify attackers, isolate attacks

Choose an appropriate strategy

Post-Incident

ID evidence that may need to be retained and document

Incident Response Team

SOC

Security Operations Center

A typical IR team is a cross-functional:

• Representative(s) of senior management

• Infosec professionals

• Legal representatives

• Public affairs

• Engineering

• CIRT: Computer IR Teams: CSIRTs (Security)

When an Incident Occurs

The team has 4 main responsibilities:

1. Determine scope of damage caused

2. Determine if confidential info was compromised

3. Implement recovery procedures from incident-related damage

4. Supervise implementation of measures to improve/prevent recurrence

Business Continuity & Data Recovery

Continuity

Intent: Sustain operations while recovering from disruption Continuity Plan: Procedures to restore business after disaster

Common business continuity plans:

• Immediate response procedures/checklists (sec/safety, fire, ER, etc.)

• Notification systems/call trees for alerting personnel

• Guidance for mgmt, designation of authority for specific managers

• How/when to enact plans

• Contact numbers for supply chain (vendors, customers, emergency)

• BIA: Business Impact Analysis

Recovery

When disaster strikes, the DRP guides actions of response DRP: Data Recovery Plan: Restoring services needed

Components of a Disaster Recovery Plan:

• Executive summary providing overview, department-specific plans

• Guides for IT responsible for maintaining backups

• Full copies of plan for members

Checklists for certain individuals:

• Critical DRT members have checklists to guide actions in disaster

  • IT have tech guides to help get alternate sites up; running

  • Managers/public relations have docs to communicate issue