Incident Response

PPGR - Unit 3 - Incident Response

Last Update Unknown

What is resilience?

  • Incident handling is a type of risk mitigation
  • In the traditional sense, 'resilience' means the ability of a material to revert to its original shape after it has been deformed
  • In information security (and in business continuity), resilience describes the ability of an enterprise to recover and absorb external shocks or events and their internal impacts

Business impact analysis

  • Results of business impact analysis (BIA) and risk assessment
    • specific risks and scenarios, threats and vulnerabilities analysis, etc.
    • clustered (aggregated) risk
    • potential impacts and strategic options (with residual risk)
  • Identify key technologies
    • Currently: Cloud, network interconnections, supervisory control and data acquisition (SCADA) and other industrial control systems.
  • Focus is: what if they fail?

Not all events are incidents

  • Distinguish between events and incidents.
  • NIST defines an event as "any observable occurrence in a network or system."
    • This includes normal network operations, such as connections to servers, email transactions and database updates.
  • A computer security incident is "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices."
  • Remember: Non-security incidents can also bring your system down

Incident Response

  • Despite an organisation's best efforts, attackers are sometimes successful.
    • When this happens, an incident occurs.
  • When incidents occur, it is essential to have a plan in place to handle them
    • This is the purpose of incident response.
  • Terminology:
    • The people trained to deal with incidents are called incident handlers
    • They are part of an incident response team.

Phases

Preparation to establish roles, responsibilities and plans for how an incident will be handled

Preparation phase

  • The first step of incident response should occur long before an incident actually happens.
  • Includes
    • creating an organisation's incident response plans,
    • establishing policies for handling incidents and
    • developing relationships with external stakeholders that may be involved in the incident response plan
      • e.g. law enforcement and Internet service providers (ISPs).
  • Acquire the forensics tools and skills needed to investigate an incident.
  • During preparation, an organisation should
    • implement controls on systems
    • establish baselines
    • perform risk assessments.

Detection and Analysis capabilities to identify incidents as early as possible and effectively assess the nature of the incident

Investigation capability if identifying an adversary is required

Detection

  • Threats will be identified during the detection and analysis phase.
  • Incidents may be detected from a variety of sources, including
    • reports from end users, administrators and external entities
    • alarms triggered by intrusion detection systems (IDSs) or log management software.
  • First step: incident response team analyses the information to determine whether an actual incident has occurred (and what type it is) or whether it was simply an event.
    • This analysis should use the known baseline information from the preparation phase, event correlation and external resources.
  • The information gathered and the analysis performed should be thoroughly documented.
    • If forensic evidence is gathered, a chain of custody should be established, documenting each person involved in handling the evidence.

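The detection step above (deciding whether records describe an event or an incident, using the baseline from the preparation phase and event correlation) as an added example; this is not code from the original notes. It assumes a constructed sshd-style log, an assumed baseline of internal address ranges and a failure threshold.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample sshd-style log lines (not from the original page).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd accept user=alice src=10.0.1.5
2024-03-01T09:00:05 sshd fail user=admin src=203.0.113.9
2024-03-01T09:00:06 sshd fail user=admin src=203.0.113.9
2024-03-01T09:00:07 sshd fail user=admin src=203.0.113.9
2024-03-01T09:00:08 sshd fail user=admin src=203.0.113.9
2024-03-01T09:00:09 sshd fail user=admin src=203.0.113.9
2024-03-01T09:00:40 sshd accept user=admin src=203.0.113.9
2024-03-01T09:01:00 sshd fail user=bob src=10.0.2.7
2024-03-01T09:01:10 sshd accept user=bob src=10.0.2.7
2024-03-01T09:02:00 sshd accept user=carol src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd (?P<result>accept|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed baseline from the preparation phase: networks from which interactive
# logins are expected, and how many failures per source count as normal noise.
BASELINE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FAIL_THRESHOLD = 5


def parse(log_text):
    """Return one dict per line that matches LINE_RE; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def in_baseline(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BASELINE_NETS)


def triage(log_text, threshold=FAIL_THRESHOLD):
    """Correlate records per source and label each source 'event' or 'incident'."""
    per_src = defaultdict(list)
    for rec in parse(log_text):
        per_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in per_src.items():
        fails, verdict = 0, ("event", "within baseline")
        for r in recs:  # records are in log order, so we can track fails-before-accept
            if r["result"] == "fail":
                fails += 1
            elif fails >= threshold:  # accept after repeated failures: a violation
                verdict = ("incident", "login succeeded after repeated failures")
                break
        else:  # no break: no accept followed the failures
            if fails >= threshold:
                verdict = ("incident", "repeated failures: imminent threat")
            elif not in_baseline(src):
                verdict = ("event", "off-baseline source: review")
        verdicts[src] = verdict
    return verdicts
```

Everything that is not an incident still stays an event in the record, which is what the team documents before deciding it was "simply an event".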
Mitigation and Recovery procedures to contain the incident, reduce losses and return operations to normal

Containment

  • Once an incident has been declared, the next step is containment.
  • The idea is to
    • limit the amount of damage the attacker can cause
    • preserve evidence.
  • This may include moving the machine to an isolated virtual local area network (VLAN) or disconnecting it from the network to prevent it from affecting other systems and to disrupt the attacker's control.
    • A VLAN is a networking technique that allows systems to be virtually grouped or isolated from other networked systems, regardless of physical location. This is accomplished by a setting on the switch or the router that connects the device to the network.
    • Additional forensic data is often collected at this point for further analysis, or for use in legal action.
  • The system involved will be unavailable while it is contained
    • The length of containment should be agreed on by the system owner and the incident response team
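The chain of custody named under Detection, applied to the forensic data collected during containment, as an added example that is not part of the original notes. The record format, the constructed evidence bytes and the person names are all assumptions; the integrity check is a SHA-256 digest taken at collection and re-checked at every hand-over.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a captured memory or disk image (not from the page).
EVIDENCE = b"constructed sample of captured volatile memory\n"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def entry(person, action):
    return {"who": person, "action": action, "when": datetime.now(timezone.utc).isoformat()}


def new_record(evidence_id, data, collected_by, description):
    """Open a chain-of-custody record; the digest is fixed at collection time."""
    return {
        "evidence_id": evidence_id,
        "description": description,
        "sha256": sha256(data),
        "transfers": [entry(collected_by, "collected")],
    }


def transfer(record, data, from_person, to_person):
    """Record a hand-over; refuses if the item no longer matches the original digest."""
    if sha256(data) != record["sha256"]:
        raise ValueError("evidence hash mismatch: integrity cannot be attested")
    record["transfers"].append(entry(from_person, "released"))
    record["transfers"].append(entry(to_person, "received"))
    return record


def verify(record, data):
    """True when the data still hashes correctly and every hand-over is a release/receive pair."""
    if sha256(data) != record["sha256"]:
        return False
    actions = [t["action"] for t in record["transfers"]]
    if actions[0] != "collected" or len(actions) % 2 == 0:
        return False
    return all(actions[i] == "released" and actions[i + 1] == "received"
               for i in range(1, len(actions), 2))


def custodians(record):
    """Ordered list of every person documented as handling the item."""
    seen = []
    for t in record["transfers"]:
        if t["who"] not in seen:
            seen.append(t["who"])
    return seen
```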

Eradication & recovery

  • Once the attack has been contained, the eradication phase begins.
    • The root cause of the incident is determined, and it is eradicated.
    • The systems should be cleaned up and checked for new vulnerabilities
  • After the system has been restored, recovery takes place by reinstating the services the system provided.
    • The analysis and recovery phase and the containment and eradication phase can feed into each other.
    • As new information is discovered, the incident handler should identify and analyse this information and act appropriately.

Post-incident Analysis to determine corrective actions to prevent similar incidents in the future

Post-incident Activity

  • Part of a continuous improvement process:
    • Primarily about lessons learned
  • The incident handling team should document
    • the steps taken
    • the results of the investigation
  • Review should include
    • the incident itself
    • the processes and performance of the incident team