Incident Response Guide for CIO and CISO | Lucideus Research

Before we look at incidents themselves, we should first understand how an incident occurs and how it is identified. It starts with an event. An event is any change of state, whether positive or negative: a network outage is an event, a firewall blocking a request is an event, and a firewall allowing a request is also an event. An event is therefore anything that has happened, regardless of whether it is good or bad.

When one or more events with a negative impact on a system or environment disrupt processes or the business, they become an incident. In other words, an incident is a negative event.

It is important to identify an incident as early as possible, before it starts affecting services. For that, an organisation needs a process for responding to every incident that occurs. That process is called Incident Response.

Incident Response
Incident Response is the ability to prepare for and respond to events that have a negative effect on our network, in order to minimise disruption to business processes. In practice this means dealing with any incident proactively or reactively to avoid or minimise its effect on those processes. Planning an incident response requires

  • Incident response team selected and trained
  • Formal Policies and procedures written and posted
  • Necessary tools provided
  • Support from Senior Management

Incident Response Lifecycle
To deal with any incident we should have a properly documented approach prepared in advance. Preparing that approach involves a set of steps that must be followed to build a well-suited incident response. Below are the recognised steps (the lifecycle) needed to develop an incident response procedure.
  • Prepare
  • Identify
  • Contain
  • Eradicate
  • Remediate
  • Lesson Learned (Documentation)
Incident response starts with preparation: planning the work that has to be completed before there is any capability to respond to incidents. Below are the steps of the preparation stage:

Coordinate planning and designs
  • Identify incident management requirements
  • Obtain funding and sponsorship
  • Develop implementation plan
Coordinate Implementation
  • Develop policies, processes and plans
  • Establish incident handling criteria
  • Define criticality levels for incidents
  • Evaluate incident management capability
  • Define the post-mortem review
  • Define the process change procedure
The next step of the lifecycle is identification: determining whether the negative event that was triggered is actually a negative event and not a false positive. To identify any unusual or suspicious activity that might compromise critical business functions or infrastructure, we can follow both of the approaches defined below.
Proactive detection - conduct detective monitoring regularly
  • Honeypots
  • Scan for unauthorized servers or hosts
  • Analyze network traffic
  • Review audit logs and files
For proactively detecting any incident we need proper tools such as firewalls and intrusion detection systems, which can raise an alert for malicious activity while it is being attempted. An appropriate network architecture diagram should be maintained. To detect an incident before it happens, we should make our network as unbreakable as we can.

Complete process and implementation guidelines will be explained in another article.

Reactive detection is essential as well, to be able to quickly detect an attack that has already taken place
  • SIEM solutions
  • Review audit logs and files
For reactive detection of any incident we need a proper SIEM solution, which can analyse logs and raise alerts for malicious activity that has already happened. Logs play a crucial role in detecting negative events, so a log management process is needed as well.
There are many components and a large process involved in the reactive approach, which will be explained in another article.
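The reactive approach described above rests on a rule engine reading audit logs. The following is an added example, not code from the original article or from Lucideus: a minimal SIEM-style rule that parses a few constructed SSH authentication log lines (the IP addresses, hostnames and timestamps are made up for the example, and the log year is assumed to be 2023) and raises an alert when one source produces a burst of failed logins inside a short window. The alert is escalated to critical when a successful login from the same source follows the burst, because that is the pattern of a password-guessing attack that worked.

```python
"""Reactive detection over audit logs: a minimal SIEM-style correlation rule.

Added example, not part of the original article. It parses constructed
sshd-style log lines and flags a source IP that fails many logins within a
window; a later success from that source raises the severity to critical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The year is assumed to be 2023.
SAMPLE_LOGS = """\
Mar 10 08:01:02 web01 sshd[2001]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:01:05 web01 sshd[2001]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar 10 08:01:09 web01 sshd[2001]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:01:14 web01 sshd[2001]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar 10 08:01:20 web01 sshd[2001]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Mar 10 08:01:31 web01 sshd[2002]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
Mar 10 08:05:00 web01 sshd[2003]: Accepted publickey for deploy from 198.51.100.4 port 40010 ssh2
Mar 10 09:15:00 web01 sshd[2004]: Failed password for guest from 198.51.100.9 port 40200 ssh2
Mar 10 09:40:00 web01 sshd[2005]: Failed password for guest from 198.51.100.9 port 40201 ssh2
"""

# Field layout of the constructed lines: syslog timestamp, host, sshd outcome, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2023):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that has >= threshold failed logins
    inside `window`. Severity is 'critical' if an accepted login from the
    same source follows the burst (the account is presumed compromised)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "Failed"]
        start = 0
        # Sliding window over the failure timestamps of this source.
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last = failures[end]["ts"]
                success = next((e for e in evs
                                if e["outcome"] == "Accepted" and e["ts"] >= last), None)
                alerts.append({
                    "src": src,
                    "failures": end - start + 1,
                    "window_start": failures[start]["ts"],
                    "severity": "critical" if success else "high",
                    "compromised_account": success["user"] if success else None,
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOGS.splitlines()):
        print(f"[{a['severity'].upper()}] {a['src']}: {a['failures']} failed logins "
              f"from {a['window_start']}, account compromised: {a['compromised_account']}")
```

On the constructed input the rule raises a single critical alert for 203.0.113.7 (five failures in eighteen seconds, then an accepted login for admin), while the two widely spaced guest failures from 198.51.100.9 stay below the threshold. The threshold and window are the knobs a SIEM rule exposes; the same structure carries over to any log source once the parser is swapped.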

In the previous step we identified that the negative event or malicious activity is an incident, not a false positive or an accidentally generated event. Our next step is to stop that incident before it spreads across the organisation's network and starts disrupting business processes.

Containment is the step that helps incident response stop an incident from spreading. It follows these steps:
  • Triage: identify the most critical incident by analysing the impact on our business processes and then prioritising it, so that incidents are dealt with in the right order.
    The process of sorting, categorising, correlating, prioritising and assigning incoming reports / events.
    Analyse what is known, then prioritise.
    Allows events to be managed in order of criticality.

  • Isolate the infected system or network
    Pull the network cable
    Isolate the segment
    Ensure forensic measures are taken
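The triage sub-steps above (sort, categorise, correlate, prioritise, assign) are easier to see as a small pipeline. The following is an added example and not code from the original article or from Lucideus. The asset inventory, the event catalogue with its impact values, the scoring formula (asset criticality times event impact, plus one per repeated event) and the handler tiers are all constructed assumptions for the example; an organisation would substitute its own criticality ratings from the preparation stage.

```python
"""Triage: sort, categorise, correlate, prioritise and assign incoming events.

Added example, not part of the original article. Events are sorted in time,
categorised from a catalogue, correlated per (asset, category) into one
incident, scored from business criticality and impact, then assigned to a
handler queue. All values below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed asset inventory: business criticality 1 (low) .. 5 (critical).
ASSET_CRITICALITY = {
    "payments-db": 5,
    "hr-portal": 3,
    "dev-wiki": 1,
}

# Constructed mapping from event type to (category, intrinsic impact 1..5).
EVENT_CATALOGUE = {
    "malware_detected": ("malware", 4),
    "bruteforce_success": ("unauthorised_access", 5),
    "bruteforce_attempt": ("unauthorised_access", 2),
    "port_scan": ("reconnaissance", 1),
    "data_exfil_suspected": ("data_breach", 5),
}

# Constructed sample events, deliberately out of order and with repeats.
SAMPLE_EVENTS = [
    {"ts": 3, "asset": "hr-portal", "type": "malware_detected"},
    {"ts": 1, "asset": "dev-wiki", "type": "port_scan"},
    {"ts": 5, "asset": "payments-db", "type": "bruteforce_success"},
    {"ts": 2, "asset": "payments-db", "type": "bruteforce_attempt"},
    {"ts": 4, "asset": "payments-db", "type": "bruteforce_attempt"},
    {"ts": 6, "asset": "dev-wiki", "type": "port_scan"},
]


@dataclass
class Incident:
    asset: str
    category: str
    events: list = field(default_factory=list)
    score: int = 0
    handler: str = ""


def score(asset, impact):
    """Business-impact score: asset criticality times event impact."""
    crit = ASSET_CRITICALITY.get(asset, 2)  # unknown asset: assumed medium-low
    return crit * impact


def triage(events):
    """Return incidents ordered by priority, each assigned to a handler tier."""
    # 1. Sort: process events chronologically.
    events = sorted(events, key=lambda e: e["ts"])
    # 2 + 3. Categorise and correlate: same asset and category -> one incident.
    incidents = {}
    for e in events:
        category, impact = EVENT_CATALOGUE.get(e["type"], ("uncategorised", 1))
        key = (e["asset"], category)
        inc = incidents.setdefault(key, Incident(e["asset"], category))
        inc.events.append(e)
        inc.score = max(inc.score, score(e["asset"], impact))
    # Repeated events against the same asset raise the score by one each.
    for inc in incidents.values():
        inc.score += len(inc.events) - 1
    # 4. Prioritise: highest business impact first.
    ordered = sorted(incidents.values(), key=lambda i: i.score, reverse=True)
    # 5. Assign: route to a handler queue by score band (constructed thresholds).
    for inc in ordered:
        if inc.score >= 15:
            inc.handler = "tier3-major-incident"
        elif inc.score >= 6:
            inc.handler = "tier2-analyst"
        else:
            inc.handler = "tier1-monitoring"
    return ordered


if __name__ == "__main__":
    for inc in triage(SAMPLE_EVENTS):
        print(f"{inc.score:>3}  {inc.asset:<12} {inc.category:<20} "
              f"{len(inc.events)} event(s) -> {inc.handler}")
```

With the constructed input, the three payments-db authentication events collapse into one unauthorised_access incident that scores 27 and goes to the major-incident queue, the hr-portal malware event scores 12 and goes to an analyst, and the two dev-wiki scans score 2 and stay with monitoring. The point is that the order of work is driven by business impact, not by the order in which alerts arrived.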
Eradicate and Remediate
So far we have started the containment process for the incident: we prioritised it according to business impact and isolated the infected system or network. The next step is to treat the incident. This requires eradicating the incident's behaviour and remediating it, which stops the incident from spreading and starts the identification of its root cause so that it cannot happen again.

Below are the steps implemented for this:
  • Remove Malware
  • Re-image and / or rebuild systems
  • Restore from media
  • Restore from backups
  • Delete / disable accounts
  • System and network device hardening
  • Increase log monitoring
  • Scan Systems
Lesson Learned
This step is crucial to a complete incident response: document everything, from how the incident happened to how it was removed. This helps in analysing the continuity of the incident and prepares a foolproof audit trail for future reference.
  • Debrief Incident Response team
  • Document findings
  • Consider modifying security baselines
  • Evaluate responses
  • Re-train if necessary

Incident Response Flowchart
The image attached below illustrates the complete lifecycle of an incident, from occurrence through detection to resolution. It is one example of an incident response flow and can be modified and updated as needed.

Steps of incident response as per the figure above.

  • Found unusual logs / malicious traffic / IDS or IPS alerts / unusual files
  • Detected unauthorised access
  • Assuming a data breach
  • Identifying: is it still being breached?
  • Identifying the data source: either we identify it or we don't.
  • If we have a data source
    - Can we freeze the data source? Either we can freeze it or we can't.
    - If we can freeze the data source
      - Raise an incident ticket
      - Remove the data source from the network
      - Secure the data source as evidence
      - Investigate the data source
      - Did we obtain the source where the hack began? Either we identify it or we don't.
      - If we identified the source where the hack began (i.e. the hacker and the vulnerability in the data source)
        - Collect and secure evidence
        - Take action by approaching the target and catching the target
        - Mitigate the data source in parallel
        - Document each and every step, maintain a chain of custody, etc.
        - Review the mitigation
        - Unfreeze the server
        - Close the ticket
        - Prepare lessons learned
      - If we are not able to identify the source where the hack began (i.e. the hacker)
        - Continue the investigation
        - Mitigate the data source in parallel
        - Document each and every step, maintain a chain of custody, etc.
        - Review the mitigation
        - Unfreeze the server
        - Close the ticket
        - Prepare lessons learned

  • If we don't have a DR site
    - Identify whether mitigation is possible on the production environment. Either it is possible or it isn't.
    - If we have a mitigation plan
      - Perform the mitigation
      - Document each and every step, maintain a chain of custody, etc.
      - Review the mitigation
      - Close the ticket
      - Prepare lessons learned
      - Create a DR site
    - If we don't have a mitigation plan
      - Invest in a DR site and develop it
      - Perform the activity from "If we have a DR site".
  • If we are not able to identify the data source
    - Continue the investigation to identify the data source
    - Have we found a data source? Either we find it or we don't.
    - If we found a data source
      - Perform the activity from "Can we freeze the data source?"
    - If we did not find a data source
      - Deadlock - Pray to God
      - Invest in a DR site and develop it
      - Perform the activity from "If we have a DR site".
Incident response is important for any organisation to prevent malicious activity from spreading within it, where it can cause data leakage, server compromise, unauthorised access and so on. It is therefore important for every organisation to take cyber security seriously. Many organisations fail to implement cyber security because their top management does not want to invest in it, and then we read in the news about the hacks those companies suffered through carelessness; there are many examples of hacks that happened for this reason.

This is a separate topic that needs to be discussed in detail; we will cover it in another article.
Spending on incident response alone can help prevent an attack that is about to happen, or detect an attack that has already happened or started in the organisation. For that, support from top management is crucial: it is needed to develop appropriate processes, to hire and assign resources, and to deploy the tools that implement those processes. The apparent simplicity of incident response can mislead management; it is recommended to provide proper training and exercises for staff in order to maintain an incident-free environment, and to perform regular audits to detect any flaw in the processes.
