It is not a question of “if” but a matter of “when” a security breach occurs.
What is an incident
An incident is an adverse event in a system or network with a negative consequence, such as a system crash, a packet flood, unauthorized use of system privileges, unauthorized access to sensitive data, or execution of malware that destroys data as the result of a successful attack.
Incident response is therefore the process of responding to and managing cyberattacks or security breaches.
Importance of incident response
- Having an incident response capability helps an organization respond to incidents systematically, so that appropriate actions are taken.
- Helps personnel minimize loss or theft of information and disruption of services.
- Prepares the organization for future incident handling and strengthens protection using information gained from previous incidents.
- Mitigation of exploited vulnerabilities.
- Helps in dealing properly with legal disputes that may arise from incidents.
- Ensures compliance with the regulations and standards in place.
Incident response life cycle
This is the sequence of phases that an incident goes through, from the time it is identified as a security compromise to the time it is resolved and reported.
1. Preparation
Developing policies and incident handling procedures. This includes building a response team to handle incidents, defining the triggers that alert internal partners, and keeping contact information and communication channels current. Key to this phase is effective training to respond to a breach, knowing your systems and network through profiling, and documentation to record the actions taken for later review.
2. Identification
Detect deviations from normal status using threat intelligence feeds, intrusion detection systems and firewall logs.
Declare an incident once it is confirmed.
Follow the incident handling procedures.
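As an added illustration of the identification step (this is example code written for this page, not a tool the page describes), the following Python script runs one simple detection rule over a few constructed sshd-style log lines: a source address that fails to log in five times within two minutes is flagged as suspicious, and a later successful login from the same address is the confirmation that turns the alert into a declared incident. The log format, the year (syslog lines carry none), the threshold and the window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines for the example; they are not from any real host.
SAMPLE_AUTH_LOG = """\
Mar 12 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 12 10:00:03 web01 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 12 10:00:05 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 12 10:00:07 web01 sshd[2104]: Failed password for deploy from 203.0.113.7 port 51240 ssh2
Mar 12 10:00:09 web01 sshd[2105]: Failed password for deploy from 203.0.113.7 port 51242 ssh2
Mar 12 10:00:20 web01 sshd[2111]: Accepted password for deploy from 203.0.113.7 port 51260 ssh2
Mar 12 10:05:00 web01 sshd[2140]: Accepted publickey for alice from 198.51.100.23 port 40002 ssh2
Mar 12 10:06:10 web01 sshd[2150]: Failed password for bob from 198.51.100.23 port 40010 ssh2
"""

# syslog timestamps carry no year; the example assumes the log is from this year.
ASSUMED_YEAR = 2024

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return ts/outcome/user/src for a login line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m.group("outcome"),
            "user": m.group("user"), "src": m.group("src")}


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag a source IP once it has `threshold` failed logins inside `window`,
    and escalate to an incident if that IP then logs in successfully."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already reported as suspicious
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:   # expire failures outside the window
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"severity": "suspicious", "src": ev["src"], "ts": ev["ts"],
                               "reason": f"{len(recent)} failed logins within {window}"})
        elif ev["src"] in flagged:
            # A success from a source that was brute-forcing is the confirmation
            # that turns the alert into a declared incident.
            alerts.append({"severity": "incident", "src": ev["src"], "user": ev["user"],
                           "ts": ev["ts"], "reason": "successful login after brute-force pattern"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_AUTH_LOG.splitlines()):
        print(a["ts"], a["severity"].upper(), a["src"], a["reason"])
```

On the sample above the rule raises one "suspicious" alert at the fifth failure from 203.0.113.7 and one "incident" when that address succeeds as `deploy`; the single failure from 198.51.100.23 stays below the threshold and is not reported, which is the point of requiring a pattern rather than a single event before declaring an incident.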
3. Containment
Prevent the attacker from doing further damage: isolate the affected systems and rely on backup systems to maintain operations until the breach is contained.
Perform forensic analysis of the incident, taking forensic copies before the affected system is altered.
4. Eradication
Find the root cause of the incident and neutralize the threat. Actions include:
- Removing compromised accounts
- Revoking compromised credentials
- Removing malware and other artifacts left behind by the attackers
- Restoring the system from the most recent clean backup (a backup taken after the initial compromise reintroduces the attacker's foothold, so the timeline from the forensic analysis determines which backup counts as clean)
- Hardening and patching the system
5. Recovery
Return the system to production in a controlled manner after validating that the affected systems are no longer compromised.
Closely monitor the system for any abnormal network activity.
It is now possible to calculate the cost of the breach and the subsequent damage.
6. Lessons learned
Complete the incident documentation.
Learn from the incident: what went right, what went wrong, and how to improve future response efforts. This is essentially a post-mortem discussion.
Computer security incident response team (CSIRT)
This is a team selected within an organization or sector and tasked with detecting, analyzing and responding to incidents.
When setting up a team it is important to draw a cross-functional team from diverse parts of the business to ensure its effectiveness.
A computer incident response team includes information security and general IT staff, as well as representatives from the legal, human resources and public relations departments. Define roles and responsibilities and assign them to each member.
Examples of CSIRT
- Internal CSIRT is an in-house team that provides services to its own organization
- National CSIRT is a nationwide team that provides services to the entire nation, such as the Kenya Computer Incident Response Team Coordination Centre, Ke-CIRT/CC
- Incident response providers are companies, mostly cybersecurity firms, that offer paid incident response services to their clients
Functions of a CSIRT
- Detect incidents at an early stage and report them to prevent further incidents
- Secure organization data, hardware and critical business processes
- Provide training on security awareness, intrusion detection and penetration testing
- Create and execute incident response simulations
- Develop metrics for analyzing IR program initiatives, covering monitoring and alerting, communication among team members, and technology evaluations
- Update the IR plan document periodically and consistently
Why organizations require a response team
- It helps the organization recover from security breaches and threats
- It decreases response time during any future security breach
- It helps in deploying systems that follow the security policy of the organization
Incident response policy and plan
An incident response policy is a document containing procedures, plans and guidelines, among other things, that govern incident response.
Some of the important elements it should contain include:
- Scope of the policy
- Profiling of the assets that need to be protected
- Definition of computer security incidents and related terms
- The incident response team: its creation, functions and powers
- Requirements for reporting incidents
- Guidelines for external communication and information sharing
- Handoff and escalation points for incidents
- Prioritization or rating of incidents
- Reporting forms
An incident response plan is a formal roadmap for implementing incident response in a coordinated manner.
An organization needs a plan that meets its own requirements, in line with its mission, structure and functions. The plan identifies the resources needed and the management support required. Some of the important elements it should include are:
- The organization's approach to incident response
- Incident response checklists and playbooks
- How the incident response team will communicate with the rest of the organization and with outside parties
- Metrics for measuring the incident response capability and its effectiveness
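Both the CSIRT function list above and this plan element call for metrics. As an added worked example, not taken from the page's own material, here is how mean time to detect (MTTD), mean time to contain (MTTC) and mean time to recover (MTTR) can be computed from incident records, together with a check of each incident against per-severity response targets. The incident records and the target values are constructed for the example; a real program would read them from its ticketing system and its own plan.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed incident records for the example; ISO 8601 timestamps, not from a real program.
INCIDENTS = [
    {"id": "IR-001", "severity": "high",
     "occurred": "2024-03-12T09:00:00", "detected": "2024-03-12T10:00:00",
     "contained": "2024-03-12T13:00:00", "recovered": "2024-03-13T09:00:00"},
    {"id": "IR-002", "severity": "medium",
     "occurred": "2024-03-14T00:00:00", "detected": "2024-03-15T00:00:00",
     "contained": "2024-03-15T12:00:00", "recovered": "2024-03-15T18:00:00"},
    {"id": "IR-003", "severity": "high",
     "occurred": "2024-03-20T08:00:00", "detected": "2024-03-20T08:30:00",
     "contained": "2024-03-20T14:30:00", "recovered": "2024-03-20T16:30:00"},
]

# Hypothetical response-time targets per severity; an organization sets these in its plan.
SLA = {
    "high":   {"ttd": timedelta(hours=1),  "ttc": timedelta(hours=4)},
    "medium": {"ttd": timedelta(hours=24), "ttc": timedelta(hours=24)},
}

PHASES = ("occurred", "detected", "contained", "recovered")


def durations(incident):
    """Time to detect, contain and recover for one incident, after checking the timeline is ordered."""
    t = [datetime.fromisoformat(incident[k]) for k in PHASES]
    if t != sorted(t):
        raise ValueError(f"{incident['id']}: timeline is out of order")
    return {"ttd": t[1] - t[0], "ttc": t[2] - t[1], "ttr": t[3] - t[2]}


def ir_metrics(incidents):
    """Mean time to detect / contain / recover across the incidents, in hours."""
    ds = [durations(i) for i in incidents]
    return {
        "mttd_hours": mean(d["ttd"].total_seconds() for d in ds) / 3600,
        "mttc_hours": mean(d["ttc"].total_seconds() for d in ds) / 3600,
        "mttr_hours": mean(d["ttr"].total_seconds() for d in ds) / 3600,
    }


def sla_breaches(incidents):
    """(incident id, metric) pairs where a phase took longer than the target for its severity."""
    out = []
    for inc in incidents:
        d = durations(inc)
        for metric, limit in SLA[inc["severity"]].items():
            if d[metric] > limit:
                out.append((inc["id"], metric))
    return out


if __name__ == "__main__":
    for name, hours in ir_metrics(INCIDENTS).items():
        print(f"{name}: {hours:.2f}")
    print("SLA breaches:", sla_breaches(INCIDENTS))
```

The averages hide the breach: MTTC across the three incidents is seven hours, yet IR-003 still missed the four-hour containment target for a high-severity incident, which is why the per-incident check sits next to the means rather than replacing them.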
Tools used in incident response
Incident analysis software and hardware include:
- Digital forensic workstations to create disk images (with tools such as FTK Imager), capture memory dumps (with tools such as Magnet RAM Capture), preserve log files, and save other relevant incident data
- Laptops for activities such as analyzing data, sniffing packets, and writing reports
- Spare workstations, servers, and networking equipment, or their virtualized equivalents, which may be used for many purposes, such as restoring backups and analyzing malware
- Blank removable media for evidence storage
- A printer to print copies of log files and other evidence from non-networked systems
- Packet sniffers and protocol analyzers, such as Wireshark, to capture and analyze network traffic
- Digital forensic software, such as Autopsy, to analyze disk images
- Removable media with trusted versions of programs to be used to gather evidence from systems
- Evidence gathering accessories, including hard-bound notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage bags and tags, and evidence tape, to preserve evidence for possible legal action
- Security information and event management (SIEM) tools, which automate parts of the incident process by providing monitoring, alerting and log collection; examples include AlienVault and SolarWinds
- Detection tools, which include firewalls such as the built-in Windows firewall and pfSense, and intrusion detection systems such as Snort
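The imaging tools listed above all rest on the same evidence-handling discipline: hash the source as it is read, re-hash the written image, and re-verify the hash whenever the image changes hands. As an added example (not code from FTK Imager, Autopsy or any other tool named here), the Python below acquires an image of a constructed "device" file, produces the record that goes into the chain-of-custody log, and shows that a single altered byte fails verification. The examiner name, case id and record fields are assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in mebibyte chunks so large images never sit in memory


def sha256_file(path):
    """SHA-256 of a file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, examiner, case_id):
    """Bit-for-bit copy of `source` to `image`, hashing the source stream as it is read,
    then re-hashing the written image so the record proves the copy is faithful."""
    h = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    source_hash = h.hexdigest()
    if sha256_file(image) != source_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    return {"case_id": case_id, "examiner": examiner,
            "acquired_at": datetime.now(timezone.utc).isoformat(),
            "source": source, "image": image, "size_bytes": size, "sha256": source_hash}


def verify_image(image, expected_sha256):
    """Re-hash an image before analysis or handoff; False means it was altered."""
    return sha256_file(image) == expected_sha256


def custody_entry(record, action, person):
    """One chain-of-custody entry: who did what to which evidence, and its hash at that moment."""
    return {"case_id": record["case_id"], "evidence": record["image"], "action": action,
            "by": person, "at": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(record["image"])}


def run_demo():
    """Constructed end-to-end run on a fake 'device' file: acquire, log, verify, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sdb1.bin")
        image = os.path.join(tmp, "sdb1.dd")
        with open(device, "wb") as f:                  # constructed content, 4099 bytes
            f.write(b"MBR" + bytes(range(256)) * 16)
        record = acquire_image(device, image, examiner="j.doe", case_id="IR-2024-001")
        entry = custody_entry(record, "acquired", "j.doe")
        ok_before = verify_image(image, record["sha256"])
        with open(image, "r+b") as f:                  # simulate one byte changed after acquisition
            f.seek(10)
            f.write(b"X")
        ok_after = verify_image(image, record["sha256"])
        return record, ok_before, ok_after, entry


if __name__ == "__main__":
    rec, before, after, entry = run_demo()
    print(json.dumps(rec, indent=2))
    print(json.dumps(entry))
    print("verified after acquisition:", before, "| verified after tampering:", after)
```

Against a real block device the `source` argument would be the device node opened read-only (ideally behind a hardware write blocker) and the record would be written to the case file immediately; the rest of the flow is the same.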
A formally documented incident response plan helps businesses respond rather than react.
Never panic, as you may cause more harm to the system.
It is important to keep backups of your system; they will be useful for recovery and ensure business continuity.
It is okay to ask for help
- Remove the affected computer from the internet and the network to prevent the rest of your network from being infected or affected
- Do not switch off the affected computer or system, as volatile evidence such as memory contents would be lost
- Do not reinstall the system without first taking a forensic copy
- If you have no idea how to proceed, immediately report to the relevant personnel
- Activate the incident response plan
As an organization it is time to:
- Create IR plans and policy
- Review the existing incident process, or create one
- Establish an IR team
- Conduct regular incident team meetings
- Set ground rules
- Train your staff
- Inform staff of the rules and incident contacts
- Document recent and future incidents
- Follow at least one of the industry standards for incident handling, such as NIST SP 800-61
- Create different high-level playbooks to complement the incident checklist