The document provides an overview of an incident response concept and framework. It discusses the benefits of incident response, common incident response structures and lifecycles. It also outlines the key steps in an incident response process including preparation, detection, analysis, containment, eradication, recovery, reporting and lessons learned. Specific approaches and activities at each step are also described for a company's incident response implementation.

1. CYBER SECURITY
INCIDENT RESPONSE
CONCEPT
VERSION: 1.3
DATE: 25/06/2019
AUTHOR: SYLVAIN MARTINEZ
REFERENCE: ES-CSIR
CLASSIFICATION: PUBLIC

2. 2
• IR framework
benefits;
• Data breach statistics;
• Incident readiness;
• Incident response
concept;
• Teams and mandates;
• IR policy & plan
overview;
• Incident playbook
overview;
• NIST IR lifecycle;
• NIST IR steps;
• Incident Response
Check list
• ELYSIUMSECURITY
Incident Response;
• Overview;
• Rules of Engagement;
• Preparation;
• Detection;
• Categorization;
• Containment;
• Investigation;
• Remediation;
• Reporting;
• Lessons Learnt;
CONTENTS
PUBLIC
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
• Short Term – How to
start?;
• Long Term – IR
Implementation;
• Extra Resources.

3. INCIDENT RESPONSE FRAMEWORK BENEFITS
3
• REDUCED OPERATION DOWNTIME
• REDUCED INCIDENT IMPACT
• REDUCED/AVOID FINES
REDUCED IMPACT COST
• IMPROVED RESPONSE TIME
• IMPROVED INCIDENT CONTAINMENT
• IMPROVED INCIDENT VISIBILITY
IMPROVED SECURITY
• CONTRACT REQUIREMENT
• INDUSTRY REQUIREMENT
• LAW REQUIREMENT
BUSINESS ENABLEMENT
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC

4. DATA BREACH STATISTICS
4
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
EVERY DAY
6,313,865
RECORDS
EVERY HOUR
263,078
RECORDS
EVERY MINUTE
4,385
RECORDS
EVERY SECONDS
73
RECORDS
DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY
DATA RECORDS LOST OR STOLEN SINCE 2013
4 7 1 7 6 1 8 2 8 6, ,,1
Source: Breach Level Index - May 2019PUBLIC

5. INCIDENT READINESS
5
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
INCIDENT
READINESS
PUBLIC

6. INCIDENT RESPONSE CONCEPT
6
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
INCIDENT RESPONSE STRUCTURE
INCIDENT RESPONSE HANDLINGCOORDINATION
&
INFORMATION
SHARING
TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT
NIST
SP 800-61
PUBLIC

7. INTERNAL
AUDIT TEAM
COMPLIANCE
TEAM
SUBJECT EXPERT
VENDOR
SUPPORT TEAM
IT SUPPORT
TEAM
TEAMS AND MANDATES
7
CYBER SECURITY TEAM
SECURITY OPERATIONS
AND PROJECTS
CYBER RISK TEAM
RISK IDENTIFICATION
AND MANAGEMENT
CYBER INCIDENT
(VIRTUAL) TEAM
INCIDENT MANAGEMENT
AND RESPONSE
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC

8. INCIDENT RESPONSE POLICY & PLAN - OVERVIEW
8
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
INCIDENT RESPONSE POLICY
INCIDENT SCOPE
INCIDENT DEFINITION &
PRIORITIZATION
INCIDENT REPORTING
INCIDENT RESPONSE PLAN
INCIDENT HANDLING
INCIDENT COORDINATION
CONTINUOUS
IMPROVEMENT

9. INCIDENT PLAYBOOK SCENARIOS
INCIDENT PLAYBOOK OVERVIEW
9
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
CONTAIN INCIDENT
UNDERSTAND CAUSE
OF INCIDENT
ANALYSE SIGNS OF INCIDENT
READY MADE SCENARIOS
PRACTICAL RESPONSE ACTIONS
AVAILABLE AND COMMUNICATED
PUBLIC

10. NIST INCIDENCE RESPONSE LIFECYCLE
10
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
PREPARATION
DETECTION &
ANALYSIS
CONTAINMENT,
ERADICATION &
RECOVERY
POST-INCIDENT
ACTIVITY
NIST SP 800-61 REV 2

11. NIST INCIDENCE RESPONSE - STEPS
11
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
PREPARATION
DETECTION &
ANALYSIS
CONTAINMENT,
ERADICATION &
RECOVERY
POST-INCIDENT
ACTIVITY
1. COMMUNICATION &
FACILITIES
2. HARDWARE &
SOFTWARE
3. RESOURCES
4. ATTACK VECTORS
IDENTIFICATION
11 CONTAINMENT
STRATEGY
15. LESSONS LEARNT
5. SIGN OF AN INCIDENT
6. SOURCE OF
PRECURSORS
7. INCIDENT ANALYSIS
8. INCIDENT
DOCUMENTATION
9. INCIDENT
PRIORITIZATION
10. INCIDENT
NOTIFICATION
12. EVIDENCE
GATHERING & HANDLING
13. IDENTIFYING THE
ATTACKING HOST
14. ERADICATION &
RECOVERY
16. USING COLLECTED
INCIDENT DATA
17. EVIDENCE
RETENTION

12. INCIDENCE RESPONSE CHECKLIST
12
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC

13. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW
13
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PRACTICAL IMPLEMENTATION OF NIST
GUIDED PROCESS
SHORTER PROCESS
USED NIST AND FIRST CORE ELEMENTS
17x STEPS -> 8x STEPS
CLIENTS REQUIREMENTS ELYSIUMSECURITY IR FRAMEWORK
5x ACTIVITIES PER STEPS
PUBLIC

14. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW
14
{elysiumsecurity}
INCIDENT RESPONSE
FRAMEWORK
1. PREPARATION
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC

15. {es} INCIDENT RESPONSE - RULES OF ENGAGEMENT
15
DO NOT
MAKE
THINGS
WORSE!
DO NOT ENGAGE OR INTERACT WITH THE
HACKER/THREAT GROUP
1
DO NOT CONNECT TO THE THREAT’S RELATED
NETWORK(S) FROM YOUR ORGANISATION
2
PRESERVE EVIDENCE3
COORDINATE INTERNAL AND EXTERNAL
COMMUNICATION WITH MANAGEMENT
4
ALL INCIDENT DETAILS MUST BE TREATED AS
CONFIDENTIAL
5
PUBLIC
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT

16. {es} INCIDENT RESPONSE - PREPARATION
16
INCIDENT RESPONSE PLAN1
TEAM, PROCEDURES, DOCUMENTATION,
APPROVAL, MANAGEMENT COMMITMENT
INCIDENT RESPONSE PLAYBOOK2 PHISHING, RANSOMWARE, KEYLOGGER, DDOS
LOGISITICS3
MEETING ROOMS, LAPTOPS, REMOVABLE
STORAGE, PHONES, STATIONNARY, PRINTERS,
SLEEPING AND CATERING ARRANGEMENTS
CONTACTS4
TEAM, ALTERNATIVE CONTACT METHODS,
ESCALATION, ON CALL, SUPPORT, VENDOR,
SUPPORT5
INCIDENT REGISTER, ARCHITECTURE DIAGRAM,
NETWORK DIAGRAM, DATA FLOWS, APPLICATION
AND SYSTEM DOCUMENTATION
ACTIVITIES EXAMPLE
1. PREPARATION
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC

17. {es} INCIDENT RESPONSE - DETECTION
17
WHO/WHAT DETECTED/REPORTED THE THREAT?1 IT STAFF, SECURITY TOOLS
WHAT IS THE DATE AND TIME OF THE THREAT
DETECTION/REPORT?2
NORMALISE TIME AND DATE ACROSS
REPORTING – RECORD TIME IN GMT
HOW WAS THE THREAT DETECTED/REPORTED?3 EMAIL, TEXT, WARNING POP UP, PHONE CALL
HAS A SIMILAR THREAT ALREADY BEEN
REPORTED?4 PREVIOUS INCIDENT REGISTER LOGS
IS THE THREAT VALID?5 CONFIRMED, FALSE POSITIVE
ACTIVITIES EXAMPLE
2. DETECTION
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC

18. {es} INCIDENT RESPONSE - CATEGORISATION
18
WHO/WHAT IS THE TARGET OF THE THREAT?1 USER, SYSTEM, SPECIFIC DATA
IS THIS AN ON GOING/LIVE THREAT?2 ON GOING, STOPPED, UNKNOWN
WHAT IS THE IMPACT OF THE THREAT?3
FINANCIAL, OPERATIONAL, REPUTATIONAL,
LEGAL
CATEGORISE THE PRIORITY OF THE INCIDENT4 PRIORITY 1, 2 ,3 (P1 > P2 > P3)
CLASSIFY THE INCIDENT COMMUNICATION5 RESTRICTED / UNRESTRICTED
ACTIVITIES EXAMPLE
3. CATEGORISATION
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC

19. {es} INCIDENT RESPONSE - CONTAINMENT
19
COORDINATE INCIDENT MANAGEMENT1 TEAM, COMMS, ACTIVITIES, DOCUMENTATION
LIGHT AND QUICK THREAT ANALYSIS2 NETWORK, SYSTEM, USER
IDENTIFY MAIN ATTACK AND COMPROMISE
VECTORS3 IP, PORTS, SIGNATURES, EMAIL
ISOLATE THE TARGETED ASSET4 REMOVE FROM NETWORK, DISABLE ACCOUNT
IMPLEMENT EMERGENCY CHANGES AS
REQUIRED5 NETWORK, SYSTEM, USER
ACTIVITIES EXAMPLE
4. CONTAINMENT
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC

20. {es} INCIDENT RESPONSE - INVESTIGATION
20
THREAT NETWORK ANALYSIS1
FIREWALL, CLOUD APP LOGS, ASSET LOGS,
INTERCEPTED TRAFFIC, TRAFFIC AND DATA
FLOWS, SIEM
THREAT MALWARE ANALYSIS2
A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE
ENGINEERING
THREAT SYSTEM ANALYSIS3
EVENT LOGS, APP/PLUGINS INSTALLED,
AD/EMAIL ACTIVITIES, AUTHENTICATED
VULNERABILITY ASSESSSMENT, SIEM
THREAT USER ANALYSIS4
INTERVIEW TARGETED USER, CONTEXT,
TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS
THREAT RESEARCH ANALYSIS5
ONLINE SEARCH FOR SIMILAR THREATS,
PROFESSIONAL FORUMS, VENDOR
ENGAGEMENT
ACTIVITIES EXAMPLE
5. INVESTIGATION
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC

21. ELYSIUMSECURITY INCIDENT RESPONSE - REMEDIATION
21
THREAT NETWORK REMEDIATION1
BLOCK IP, PORTS, DOMAINS, EMAILS.
UPDATE F/W, IDS, APT AND SIEM RULES
THREAT MALWARE REMEDIATION2
UPDATE SYSTEM AND NETWORK A/V
SIGNATURES. ENGAGE WITH VENDORS
THREAT SYSTEM REMEDIATION3
REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR
INBOX RULES, REMEDIATE ISSUES FOUND WITH
THE VULNERABIULTIY ASSESSMENT
THREAT USER REMEDIATION4
INDIVIDUAL AND GROUP USER AWARENESS
SESSION RELEVANT TO THE THREAT
DECLARE THE INCIDENT REMEDIATED5 FULL, PARTIAL, ACCEPTED
ACTIVITIES EXAMPLE
6. REMEDIATION
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC

22. {es} INCIDENT RESPONSE - REPORTING
22
ON GOING REPORTING1
DOCUMENTATION AND EVIDENCE SHOULD BE
GENERATED AS MUCH AS POSSIBLE DURING THE
PREVIOUS PHASES
EVIDENCE GATHERING2
THREAT ACTORS, ATTACK VECTORS, ATTACK
SURFACE
INCIDENT DOCUMENTATION3
THREAT AND INCIDENT DETAILS, TRIGGERS,
OWNER, FINDINGS, TIMELINE
INCIDENT REGISTER4
CREATE/UPDATE AN OVERALL INCIDENT
REGISTER TO TRACK PROGRESS AND GENERATES
STATISTICS
INCIDENT REPORT COMMUNICATION5
INTERNAL, EXTERNAL, STAFF, MANAGEMENT,
BOARD, VENDORS, CLIENTS, GOVERNMENT,
REGULATORS, LAW ENFORCEMENT
ACTIVITIES EXAMPLE
7. REPORTING
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC

23. {es} INCIDENT RESPONSE – LESSONS LEARNT
23
ROOT CAUSE ANALYSIS1
IDENTIFY AND DOCUMENT INCIDENT TRIGGERS
AND SECURITY GAPS THAT ENABLED THE
INCIDENT TO OCCUR
CONTROLS AND PROCESSES READINESS2
EVALUATE THE EFFICIENCY OF CURRENT
SECURITY CONTROLS AND PROCESSES IN LIGHT
OF THE INCIDENT
INCIDENT TRENDS ANALYSIS3
ARE YOU LEARNING FROM PAST INCIDENTS? IS
YOUR RISK PROFILE CHANGING?
MITIGATION PLAN4
MITIGATE IMPACT OF SIMILAR FUTURE
INCIDENTS
IMPROVEMENTS PLAN5
STOP OCCURRENCE OF SIMILAR FUTURE
INCIDENTS
ACTIVITIES EXAMPLE
8. LESSONS LEARNT
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC

24. SHORT TERM – HOW TO START?
24
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
REVIEW EXISTING INCIDENT PROCESS1
ESTABLISH INCIDENT TEAM2
CONDUCT REGULAR INCIDENT TEAM
MEETING
3
SET GROUND RULES4
DEFINE WHAT IS AN INCIDENT5
INFORM STAFF OF RULES AND
INCIDENT CONTACT
6
CREATE INCIDENT REGISTER7
DOCUMENT RECENT AND FUTURE
INCIDENTS
8
FOLLOW NIST INCIDENT HANDLING
METHODOLOGY
9
CREATE HIGH LEVEL PLAYBOOK TO
COMPLEMENT CHECKLIST
10
PUBLIC

25. LONG TERM – INCIDENT RESPONSE IMPLEMENTATION
25
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
SELECT INCIDENT RESPONSE FRAMEWORK
(NIST SP 800-61 REV 2 RECOMMENDED)
1
IMPLEMENT FULL INCIDENT RESPONSE
FRAMEWORK
2
DEDICATED INCIDENT RESPONSE TEAM AND
TRAINING
3
INCIDENT RESPONSE SIMULATION4
CONTINUOUS IMPROVEMENT5
PUBLIC

26. EXTRA RESOURCES
26
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) FRAMEWORK
(HTTPS://WWW.FIRST.ORG/EDUCATION/FIRST_SIRT_SERVICES_FRAMEWORK_VERSION1.0.PDF)
NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PROCEDURE (SP) 800-61
(HTTPS://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-61R2.PDF)
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016
(HTTPS://WWW.ISO.ORG/STANDARD/60803.HTML)
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016
(HTTPS://WWW.ISO.ORG/STANDARD/62071.HTML?BROWSE=TC)
CONTACT US!
(CONSULTING@ELYSIUMSECURITY.COM)
PUBLIC

27. © 2015-2019 ELYSIUMSECURITY LTD
ALL RIGHTS RESERVED
HTTPS://WWW.ELYSIUMSECURITY.COM
CONSULTING@ELYSIUMSECURITY.COM
ABOUT ELYSIUMSECURITY LTD.
ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY
VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE
RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE
SECURITY AWARENESS THROUGH AN ORGANIZATION.
ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED
THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE
INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST
SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES.
ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL
SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER
SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING
DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS.
ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE,
A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR
BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A
PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.