Incident Response Phases and Communication

IR Phases
- Preparation
  - Incident procedure
  - Training, testing
- Identification
  - Detection, analysis
  - Is it a security incident?
- Containment
  - Isolate the damage
  - Segmentation vs isolation
- Eradication
  - Removing the root cause
  - Sanitazation, secure erase
- Recovery
  - Restoring systems
  - Reimaging
- Lessons Learned
  - Chosen solution
  - Reporting
OODA Loop
- Observe
- Orient
- Decide
- Act
Prioritization
- Human safety
- Prevent intrusion from continuing
- Identify the primary attack
- Avoid alerting the attacker
- Preserve evidence
Communication Plan
- Starts with the CSIRT or any similar team
- Use out of band communication
- CSIRT should be a single point of contact
- Adversaries might be insiders
External Communication
- Outside parties might need to be informed in the following situations (breaches)
  - Data theft
  - Insider data exfiltration
  - Device theft/loss
  - Misconfigurations
  - Integrity and Availability breaches
Response Coordination – Involving other departments
- Senior leadership
- Legal
- IT/Networking
- HR
- Marketing/PR
Data Involved in the Incident
- PII – personally identifiable information
- SPI – Sensitive Personal Information
- PHI – Personal Health Information
- Financial information
- IP – Intellectual property
- Corporate information
- HVA – High Value Assets
Train your people!
Test your IR plan!
- Tabletop exercises
- Penetration tests
  - Black box – No knowledge
  - Gray box – Some knowledge
  - White box – All knowledge
- Rules of engagement

PreviousContinuity Planning and Risk Assessment

Last updated 2 years ago