Module 3: Phases of Incident Response

The Preparation Stage

Preparing for Incidents

The CREST framework again, specifically the Preparation step.

Preparation of Incident Response Plans

Typical Incident Response Playbooks

Category
Playbook

PB01 Scanning

PB01.1 IP Address Scan, PB01.2 Port Scan

PB02 Managed Threats

PB02.1 Virus quarantine, PB02.2 Failed Login Attempts Detected, PB02.3 Known Exploit Detected

PB03 Intrusion

PB03.1 Intrusion Indications Detected, PB03.2 Unprivileged Account Compromise, PB03.3 Unauthorized Privilege Escal$

PB04 Availability

PB04.1 Denial of Service (DOS/DDOS), PB04.2 Sabotage

PB05 Information

PB05.1 Unauthorized Access to Information, PB05.2 Unauthorized Modification of Information, PB05.3 Data Breach $

PB06 Fraud

PB06.1 Unauthorized use of Resources, PB06.2 Copyright Infringement, PB06.3 Spoofing an Identity

PB07 Malicious Content

PB07.1 Phishing Emails, PB07.2 Malicious Websites, PB07.3 Infected USB sticks

PB08 Malware Detection

PB08.1 Virus or Worm, PB08.2 Ransomware, PB08.3 APT

PB09 Technical Integrity

PB09.1 Website defacement, PB09.2 DNS Redirection

PB10 Theft

PB10.1 Theft of Asset

Unauthorized Access (Detect) Playbook example

A neat community development of Playbooks mapped to MTIRE techniques:

LogoGitHub - austinsonger/Incident-Playbook: GOAL: Incident Response Playbooks Mapped to MITRE Attack Tactics and Techniques. [Contributors Friendly]GitHub

Training Effective Incident Responders

  • Formal/Tool-specific training.

  • Active training with hands-on workshops and cyber drills

  • Advanced training with red-blue cyber-range exercises

  • Crisis exercises

  • Cyber drills

  • Cyber range exercises

Managing an Incident Response

Detect and Analyze Incidents

Signs of an incident fall into one of two categories: precursors and indicators.

  • A precursor is something that indicates an incident may happen in the future. An example would be logs showing that a port or web scanner has been used, which is a clear indicator that someone is seeking a vulnerability to exploit our systems. A new vulnerability in an established system is another example. We may also receive threat intelligence identifying a threat actor that is targeting our business sector.

  • According to SP800-61, an Indicator of Compromise (IoC) is a sign that an incident may have occurred or is occurring now. We may also come across the term Indicator of Attack (IoA), which indicates that an attack is taking place. We can use IoCs during incident response to determine the extent of an attack and to identify what data has been or is being breached. Examples include intrusion detection alerts, malware detection by antivirus software, unexpected changes to critical files, and multiple failed logins.

Contain, Eradicate, and Recover from Incidents

When an incident requires containment, it's important to do so before the attack becomes overwhelming. This may require making business impacting decisions, such as isolating a business system or terminating a customer connection.

Post Response Activities

Incident Post Mortem

Security Incident Post Mortem Template
PreviousModule 2: Fundamentals of Incident ResponseNextModule 4: Incident Response Communication Plans

Last updated