The Six Stages of
Incident Response
ASHLEY DEUBLE
Why?
• Incidents of all sizes happen every day
• Preparation could mean the difference between success and failure
• You may be subject to legal requirements (due care, regulations – PCI etc.)

Overview
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Stage 1 – Preparation
• People / Awareness
• Policy & Warning Banners
• Response Plan / Strategy
• Communication
• Documentation
• Team
• Access
• Tools
• Space / War room
• Training

Stage 1 – Preparation cont.
• Jump Bag
  • Journal (bound, with numbered pages)
  • Call tree / Contact list
  • Bootable USB or Live CD (up-to-date tools, anti-malware, statically linked binaries)
  • Laptop with forensic tools (EnCase/FTK), anti-malware utilities, internet access
  • Computer and network toolkits (components, network cables, network switches, network hubs, network taps, hard drives etc.)
  • Drive duplicators with write blocking (for forensically sound images)

Stage 2 – Identification
Incident Definition
• An incident is the act of violating an explicit or implied security policy (NIST SP 800-61)
• These include but are not limited to:
  • attempts (either failed or successful) to gain unauthorized access to a system or its data
  • unwanted disruption or denial of service
  • the unauthorized use of a system for the processing or storage of data
  • changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent
  (https://www.us-cert.gov/government-users/compliance-and-reporting/incident-definition)

Stage 2 – Identification cont.
• Determine what is an event vs an incident
  • Has there been a significant deviation from normal operations, with enough scope to be classified as an incident?
  • May need to review system logs, error messages, firewall alerts, IPS alerts, antivirus alerts etc.
• If it is an incident
  • Report it as soon as possible so that the incident response team can start collecting evidence and preparing for the following steps
  • Notify the incident response team members and establish communications between handlers and to management

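The event-vs-incident decision above, as an added example that is not part of the original slides: constructed alert lines are mapped onto the four incident categories quoted on the definition slide, and a host is only escalated from "event" to "incident" when the deviation is significant (a burst of failed logins, a login from the same source after such a burst, or a single alert that is a policy violation on its own). The line format, the thresholds and the alert patterns are assumptions.

```python
"""Event-vs-incident triage over a constructed alert stream.

Added example, not part of the original slides. Each alert is mapped onto
one of the four incident categories quoted on the slide (US-CERT / NIST
SP 800-61); a host is declared an "incident" only when the deviation from
normal is large enough, e.g. a burst of failed logins rather than one.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed threshold: this many failures from one source count as an access attempt.
FAILED_BURST = 5

# The four incident categories listed on the slide.
UNAUTH_ACCESS = "unauthorized access to a system or its data"
DOS = "unwanted disruption or denial of service"
UNAUTH_USE = "unauthorized use of a system"
UNAUTH_CHANGE = "unauthorized change to hardware, firmware or software"

# Constructed line format: "<timestamp> <host> <source>: <message>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for \S+ from (\S+)")
# Alerts where a single occurrence already violates policy (patterns assumed).
ONE_SHOT = [
    (re.compile(r"SYN flood"), DOS),
    (re.compile(r"Malware detected"), UNAUTH_USE),
    (re.compile(r"checksum mismatch|unexpected firmware"), UNAUTH_CHANGE),
]


@dataclass
class Triage:
    verdict: str = "event"          # stays "event" until something escalates it
    categories: set = field(default_factory=set)
    reasons: list = field(default_factory=list)

    def escalate(self, category, reason):
        self.verdict = "incident"
        self.categories.add(category)
        self.reasons.append(reason)


def triage(lines):
    """Return {host: Triage} for every host that appears in the alert stream."""
    result = defaultdict(Triage)
    failures = defaultdict(int)  # (host, remote ip) -> failed logins seen so far
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: not evidence of anything, skip it
        _ts, host, _source, msg = m.groups()
        t = result[host]
        if (f := FAILED_RE.search(msg)):
            key = (host, f.group(1))
            failures[key] += 1
            if failures[key] == FAILED_BURST:
                t.escalate(UNAUTH_ACCESS, f"{FAILED_BURST} failed logins from {key[1]}")
        elif (a := ACCEPTED_RE.search(msg)):
            # A normal login becomes suspicious only after a failed burst from
            # the same source: a probable *successful* unauthorized access.
            if failures[(host, a.group(1))] >= FAILED_BURST:
                t.escalate(UNAUTH_ACCESS, f"login from {a.group(1)} after failed burst")
        else:
            for pattern, category in ONE_SHOT:
                if pattern.search(msg):
                    t.escalate(category, msg)
    return dict(result)


# Constructed sample alerts (RFC 5737 documentation and RFC 1918 private
# addresses, invented hostnames).
CONSTRUCTED_ALERTS = [
    f"2024-03-01T09:00:0{i} web01 sshd: Failed password for root from 203.0.113.5"
    for i in range(6)
] + [
    "2024-03-01T09:00:09 web01 sshd: Accepted password for root from 203.0.113.5",
    "2024-03-01T09:01:00 db02 sshd: Failed password for admin from 198.51.100.7",
    "2024-03-01T09:01:30 db02 sshd: Accepted password for dba from 10.0.0.12",
    "2024-03-01T09:02:00 fw01 ips: SYN flood toward 10.0.0.20 exceeded threshold",
    "2024-03-01T09:03:00 ws17 av: Malware detected in Downloads/invoice.exe",
]

if __name__ == "__main__":
    for host, t in triage(CONSTRUCTED_ALERTS).items():
        print(f"{host}: {t.verdict.upper()}", *t.reasons, sep="\n  ")
```

db02 ends as an event (one failed login, then an unrelated successful one), while web01 is escalated twice: once at the fifth failure and again when the same source then logs in.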
Stage 2 – Identification cont.
• If it is an incident
  • Start documenting all activities!
  • Document “who, what, where, when, how” in case it needs to be provided to law enforcement, the courts etc.
  • If possible have at least two incident handlers – one to identify and assess, and another to collect evidence
  • Establish chain of custody for all evidence collected
• Once the full scope of the incident has been determined, the incident team can move on to the containment phase

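The chain of custody and the “who, what, where, when, how” record above, as an added example that is not from the slide deck: each custody entry carries those five fields plus a SHA-256 of the evidence, and every handover is re-hashed against the acquisition hash so an altered or corrupted copy is refused at the transfer. The evidence identifier, handler names and the placeholder image bytes are constructed.

```python
"""Chain-of-custody log with integrity verification for collected evidence.

Added example, not from the slide deck. Every entry records the who, what,
where, when and how the slide asks for, and every handover re-hashes the
evidence against the acquisition hash, so tampering or a corrupted copy is
caught at the transfer rather than when the evidence is presented.
"""
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


class EvidenceTamperedError(Exception):
    """Raised when evidence no longer matches its acquisition hash."""


@dataclass(frozen=True)
class CustodyEntry:
    who: str     # handler taking custody
    what: str    # evidence identifier and description
    where: str   # physical or logical location
    when: str    # ISO 8601 UTC timestamp
    how: str     # action taken: acquisition, handover, verification
    sha256: str  # digest of the evidence at this point in the chain


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    def __init__(self, evidence_id: str, description: str):
        self.evidence_id = evidence_id
        self.what = f"{evidence_id}: {description}"
        self.entries = []

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def acquisition_hash(self) -> str:
        return self.entries[0].sha256

    def acquire(self, who, where, data: bytes, how="forensic image taken behind a write blocker"):
        """First link in the chain; its hash is the reference for every later check."""
        if self.entries:
            raise ValueError("evidence already acquired; use transfer()")
        entry = CustodyEntry(who, self.what, where, self._now(), how, sha256_of(data))
        self.entries.append(entry)
        return entry

    def transfer(self, who, where, data: bytes, how="handover"):
        """Record a handover only if the evidence still hashes to the acquisition value."""
        if not self.entries:
            raise ValueError("nothing acquired yet; use acquire()")
        digest = sha256_of(data)
        if digest != self.acquisition_hash():
            raise EvidenceTamperedError(
                f"{self.evidence_id}: {digest[:12]}... != acquisition {self.acquisition_hash()[:12]}..."
            )
        entry = CustodyEntry(who, self.what, where, self._now(), how, digest)
        self.entries.append(entry)
        return entry

    def intact(self, data: bytes) -> bool:
        return bool(self.entries) and sha256_of(data) == self.acquisition_hash()

    def report(self) -> list:
        """Plain dicts, ready to be copied into the bound journal or a custody form."""
        return [asdict(e) for e in self.entries]


# Constructed stand-in for a disk image; not a real forensic image.
CONSTRUCTED_IMAGE = b"constructed placeholder for the web01 drive image"


def demo():
    """Two handlers as on the slide: one collects, the other analyses; a bad copy is refused."""
    coc = ChainOfCustody("EV-001", "web01 system drive image")
    coc.acquire("handler A (collector)", "war room evidence locker", CONSTRUCTED_IMAGE)
    coc.transfer("handler B (analyst)", "forensic workstation", CONSTRUCTED_IMAGE,
                 how="handover for analysis")
    try:
        coc.transfer("courier", "law enforcement", CONSTRUCTED_IMAGE + b"\x00")
        rejected = False
    except EvidenceTamperedError:
        rejected = True
    return coc, rejected


if __name__ == "__main__":
    chain, rejected = demo()
    for entry in chain.report():
        print(entry)
    print("tampered copy rejected:", rejected)
```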
Stage 3 – Containment
• Limit and prevent any further damage from occurring
• You may want to allow the incident to continue in order to gather evidence or to identify the attacker
• Influencing factors for the containment strategy
  • Potential damage to, or theft of, the resource
  • Need/requirements for evidence preservation
  • Service availability
  • Time and resources required to implement the containment strategy
  • How effective the containment strategy will be
  • Duration of the containment solution

Stage 3 – Containment cont.
• Image systems to preserve evidence
  • Take a forensic image of the systems in question
  • Use known forensic tools (FTK, EnCase etc.)
• Short-term containment
  • Limit the incident
  • E.g. isolating a network segment, removing servers etc.
• Long-term containment
  • Implement temporary fixes so the affected systems can stay in use
  • Rebuild systems, remove accounts, update antivirus, patch etc.

Stage 4 – Eradication
• Ensure that proper measures have been taken to remove malicious content from the affected systems (residue may be left in obscure locations that are difficult to locate)
• A complete reimage, or restore from a known good/clean backup
• Improve the defences of the system to ensure that it will not be compromised again (e.g. patching to remove a vulnerability etc.)

Stage 5 – Recovery
• Time to bring the system back into production
• Key decisions (including, but not limited to)
  • How to test and verify that the system is clean and fully functional
  • What tools to use to test, monitor and validate the system behaviour
  • How long to monitor for signs of abnormal activity
  • When to restore the system (system owners make the decision based upon the advice of the CIRT team)

Stage 6 – Lessons Learned
• The most critical phase of the lifecycle!
• Learn from the incident
• Complete any documentation that was not done during the incident, as well as any other documentation that may help in future incidents
• Create a formal written report that covers the entire incident
  • Cover the Who, What, Where, When and How of the incident

Stage 6 – Lessons Learned cont.
• Hold a lessons learned meeting within 2 weeks of the incident
• Have a presentation that covers
  • Who detected the initial problem, and when
  • What the scope of the incident was
  • How it was contained and eradicated
  • What work was performed during the recovery
  • Where the CIRT team was effective
  • Where the CIRT team or its processes need to be improved
  • Team comments/suggestions about the incident
• Feed all this information back into the preparation phase

Resources
• SANS Incident Handlers Handbook (https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901)
• NIST SP 800-61 rev2 – Computer Security Incident Handling Guide (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf)
• ISO 27002 – Code of Practice for Information Security Controls (http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54533)
• ISO 27035 – Information Security Incident Management (http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=44379)
• Chain of Custody Form (http://www.nist.gov/oles/forensics/upload/Sample-Chain-of-Custody-Form.docx)
• SANS Forensics Cheat Sheets (http://digital-forensics.sans.org/community/cheat-sheets)
• Lenny Zeltser’s Security Incident Survey Cheat Sheet for Server Administrators (https://zeltser.com/security-incident-survey-cheat-sheet/)
• The Seven Deadly Sins of Incident Response (http://www.infosectoday.com/Articles/Seven_Deadly_Sins.htm)
• SANS Sample Incident Handling Forms (https://www.sans.org/score/incident-forms)
• Example Incident Response Plan (http://www.cio.ca.gov/ois/government/library/documents/incident_response_plan_example.doc)
• ASD Information Security Manual (http://www.asd.gov.au/infosec/ism/index.htm)
• CIRT Sample Policies (http://csirt.org/sample_policies/index.html)


Editor's Notes

  1. Add example of incident – refer SANS article