Cyber Incident Response

Communication/notification of an incident

Where are the tools?

  • On the internal network

  • On each endpoint (e.g., memory forensics agents)

  • Internet service provider

  • In the cloud

    • Sometimes with your cloud provider

Things that shape communication plan for IR

  • Legal requirements

  • Compliance

  • Media and public disclosure

  • Internal communications

Legalities

Regulations are different for some industry groups

Different countries have different requirements

Privacy may be of concern

Compliance

  • HIPAA

  • SOX - Sarbanes-Oxley

  • PCI

  • Others

Communications with media

Should be filtered through the legal team and the PR team

Who should receive reports (daily updates, etc.)?

Internal communications

  • Who has the need to know?

  • Use standard normal communications?

  • Set up separate communication paths

  • Dedicated internet connections

  • Out-of-band file storage and digital communications between the team

Do we continue to use internal messaging email if that system is compromised?

If the network is compromised, does that potentially include mail servers?

  • Bad guys might be monitoring our IR process!

Out-of-band communications

Set up separate email and messaging and file storage system outside the network

Used exclusively for these types of incidents

Consider backup/alternate devices for connectivity to these messaging and storage systems

Reporting

Reports should be treated as highly confidential, distributed as need-to-know only

Daily status report to be shared among incident handlers

Weekly status report for upper management at a minimum

  • Sometimes management will request daily reports, usually depending on the severity of the incident
