The Incident Management Cycle
DIGITAL FORENSICS AND INCIDENT RESPONSE
The Incident Management Cycle
A hybrid of NIST SP 800-61r2 and ISO/IEC 27035. The cycle runs: Planning and Preparation → Detection and Analysis → Containment → Eradication → Recovery → Lessons Learned, which feeds back into Planning and Preparation.
Planning and Preparation
• Development of the Information Security Incident Management Policy
• Updating related Information Security Policies
• Development of the Information Security Incident Management Plan
• Establishing an Incident Response Team
― Technical support
― Support from HR, legal, etc.
• Relationships with other organizations
― E.g. national CIRT/CERT
• Input to Information Security Incident Awareness and Education/Training
• Testing the Incident Management Plan
• Updating plans in the light of Lessons Learned
Planning and Preparation
INCIDENT RESPONSE TEAM ROLES
• Junior Security Analyst (Level 1)
― Mixed sysadmin, network and programming skills
― Manages and configures monitoring tools, runs vulnerability scans and reviews vulnerability assessments
― Performs triage and passes non-security events back to IT
• Senior Security Analyst (Level 2)
― Responds to detection events
― Analyses IOCs, identifies affected systems and the scope of the attack, and performs forensic investigation on affected systems
• Threat Hunter
― A senior analyst who uses advanced tools to identify previously-undetected threats
• SOC Manager
― Recruits, trains and supervises SOC staff
Detection and Analysis
• Human reporting
― Via Help Desk
• Automated detection
― From intrusion detection systems
  • Signature-based: matching known indicators of compromise, which implies known malware and known techniques
  • Anomaly-based: triggers on exceptions, non-routine behaviour or system events
― From the Security Incident and Event Management System (SIEM): correlation of individually less-significant events
• Threat Hunting
― Uses machine learning techniques
Analysis
• Triage
― Tier 1 analysts review the most critical events and eliminate spurious events before passing the significant events to tier 2 analysts
― Event indicators are correlated with other information in the SIEM and the stage of the kill chain identified
  • The later in the kill chain, the higher the severity
  • The more sensitive or critical the asset, the higher the severity
  • Are there compliance and reporting implications?
• Escalation to higher-level management: five questions:
― Threat to people?
― Threat to operational infrastructure?
― Potential loss of IT and communications?
― Threat to reputation?
― Situation outside your control?
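The triage rules above (SIEM correlation of individually minor events, severity rising with kill-chain stage and asset criticality, a compliance check, and a tier-2/escalation decision) as an added worked example; this is not code from the slides, and the host names, stage weights, thresholds and sample events are constructed assumptions.

```python
"""Triage scoring over correlated SIEM events: later kill-chain stage and more
critical asset mean higher severity, plus the compliance check from the slide.
Host names, weights, thresholds and sample events are constructed for this example."""
from collections import defaultdict

# Kill-chain stages in order; position + 1 is the "lateness" weight (1..7).
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
# Asset criticality as a SIEM would pull it from a CMDB: 1 = low, 3 = critical.
ASSET_CRITICALITY = {"web-dmz-01": 2, "hr-db-01": 3, "kiosk-07": 1}
REGULATED_ASSETS = {"hr-db-01"}  # compromise carries reporting obligations
TIER2_THRESHOLD = 6              # below this, tier 1 closes the event
ESCALATE_THRESHOLD = 12          # at or above this, notify higher-level management

# Constructed detection events: a signature hit, an anomaly and host telemetry.
EVENTS = [
    {"host": "web-dmz-01", "source": "ids-signature", "stage": "reconnaissance"},
    {"host": "kiosk-07", "source": "ids-signature", "stage": "delivery"},
    {"host": "hr-db-01", "source": "ids-anomaly", "stage": "exploitation"},
    {"host": "hr-db-01", "source": "endpoint", "stage": "installation"},
]

def correlate(events):
    """Group individually less-significant events by host, as a SIEM rule does."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    return dict(by_host)

def latest_stage(host_events):
    """Furthest kill-chain stage any of the host's events has reached."""
    return max((ev["stage"] for ev in host_events), key=KILL_CHAIN.index)

def severity(host, host_events):
    """Severity = latest stage reached (1..7) x asset criticality (1..3)."""
    lateness = KILL_CHAIN.index(latest_stage(host_events)) + 1
    return lateness * ASSET_CRITICALITY.get(host, 1)

def triage(events):
    """Per-host triage decisions, most severe first."""
    decisions = []
    for host, host_events in correlate(events).items():
        score = severity(host, host_events)
        decisions.append({
            "host": host, "severity": score, "stage": latest_stage(host_events),
            "pass_to_tier2": score >= TIER2_THRESHOLD,
            "escalate": score >= ESCALATE_THRESHOLD or host in REGULATED_ASSETS,
        })
    return sorted(decisions, key=lambda d: d["severity"], reverse=True)
```

Running `triage(EVENTS)` ranks the HR database host first (two correlated events, latest stage "installation", critical and regulated asset), while the port scan of the DMZ web server stays with tier 1.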
Containment
• Determine the extent of the attack
• Quarantine affected systems
• Trace any lateral movement and identify locations where the attacker may have stored tools in order to persist
Eradication
• Removal of the attacker’s tools
• Simplest case – simple malware which antivirus/antimalware identifies and quarantines or removes
• Worst case – indications of extensive and diverse back doors and malware, requiring reimaging/re-installation of operating systems
― Actually, even worse: malware which can persist in BIOS flash ROM or system management processor flash
Recovery
• Restoration of business service delivery
• Restoration of confidence
Lessons Learned
This closes the loop with a quality improvement step: findings feed back into Planning and Preparation, and the cycle repeats (Planning and Preparation → Detection and Analysis → Containment → Eradication → Recovery → Lessons Learned).