Incident Response Phases

Six stages of incident response

NIST Special Publication 800-61 defines four phases of the incident response life cycle: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. The six stages below are the common expansion of those phases (the SANS PICERL model): Identification corresponds to Detection and Analysis, the combined Containment/Eradication/Recovery phase is split into three stages, and Lessons learned corresponds to Post-Incident Activity.

Stage 1 - Preparation

The first stage is preparation, where we plan and prepare for any potential incidents that may happen. This includes things like setting up a war room, defining what constitutes an incident, and training the team on how to respond.

This phase addresses primarily pre-incident planning and coordination.

Having a properly prepared team and plan is key to a successful response process.

The NIST guidelines also point out that while prevention is not a function of incident response, it is key to its success.

Pre-incident

  • Appropriate contacts

  • Incident reporting processes and systems

  • War room accommodations

  • Secure storage

  • Incident definitions

    • What counts as an "incident" in your organization?

  • Containment and eradication definitions created

  • Training

  • Incident-handling assets deployment

    • Software agents running on devices

    • Hardware in certain environments, etc.

Stage 2 - Identification

The second stage is identification, where we determine if an event is actually an incident that requires a response. This can be done through various sources like alerts from security systems, notifications from service providers, or even user reports.

Common identifying sources

  • Excessive logon attempts

  • Notifications from MSSP or CSP

  • Alerts from IDS/IPS, firewalls, HIPS/HIDS and other endpoint protection

  • End-user initiated, i.e., a user reports suspicious activity

  • SOC analyst-initiated

  • Threat-hunting team

  • Confidential data showing up on the internet for sale!

Incident categories

These are the categories from the earlier federal (US-CERT) incident reporting scheme. They are a taxonomy for labeling an incident, not a severity ranking:

  • Category 1 - Unauthorized access

  • Category 2 - Denial of service

  • Category 3 - Malicious code

  • Category 4 - Improper usage

  • Category 5 - Scans/probes/attempted unauthorized access

  • Category 6 - Investigation of incident
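An added example (not from NIST SP 800-61 or these notes) that ties the "excessive logon attempts" source above to the categories just listed: it parses constructed sshd-style auth log lines, looks for a burst of failures from one source within a time window, and labels the finding "Scans/probes/attempted unauthorized access", escalating to "Unauthorized access" if the same source then succeeds. The threshold, window and log year are assumptions for the example.

```python
# Added example, not original page code. Detects an excessive-logon-attempts
# event in sshd-style syslog lines and assigns one of the incident categories.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog lines carry no year; 2024 is assumed below).
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[4242]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:03 bastion sshd[4243]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:05 bastion sshd[4244]: Failed password for admin from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:07 bastion sshd[4245]: Failed password for invalid user oracle from 203.0.113.7 port 51006 ssh2
Mar  3 10:00:09 bastion sshd[4246]: Failed password for deploy from 203.0.113.7 port 51008 ssh2
Mar  3 10:00:12 bastion sshd[4247]: Accepted password for deploy from 203.0.113.7 port 51010 ssh2
Mar  3 10:15:00 bastion sshd[4300]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Mar  3 10:15:30 bastion sshd[4301]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and
# "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text, year=2024):
    """Return a list of (timestamp, source_ip, user, 'Failed'|'Accepted')."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd line, ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def classify(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failures inside the window.

    Returns {source_ip: finding}; the finding's category is one of the
    incident categories listed in the notes (assumed mapping for the example).
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[3] == "Failed"]
        burst_end = None
        # Sliding window: from each failure, count failures within `window`.
        for i, start in enumerate(failures):
            in_window = [e for e in failures[i:] if e[0] - start[0] <= window]
            if len(in_window) >= threshold:
                burst_end = in_window[-1][0]
                break
        if burst_end is None:
            continue  # noisy but below threshold: an event, not an incident
        # A success from the same source after the burst means the attempt worked.
        success_after = any(e[3] == "Accepted" and e[0] >= burst_end for e in evs)
        findings[src] = {
            "category": ("Unauthorized access" if success_after
                         else "Scans/probes/attempted unauthorized access"),
            "failures": len(failures),
            "users": sorted({e[2] for e in failures}),
            "first_seen": failures[0][0],
            "last_seen": evs[-1][0],
        }
    return findings


if __name__ == "__main__":
    for src, f in classify(parse(SAMPLE_LOG)).items():
        print(f"{src}: {f['category']} ({f['failures']} failures, users={f['users']})")
```

The single failure from 198.51.100.9 followed by a key-based login is left alone; only the burst from 203.0.113.7 that ends in an accepted password is escalated, which is the distinction the identification stage has to make before anyone is paged.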

Stage 3 - Containment

The third stage is containment, where we try to limit the impact of the incident and prevent it from spreading further. This involves protecting critical assets, determining the extent of the compromise, and preventing any further compromise.

Primary goals

  • Protect and keep available the critical assets (which should have been identified in the Preparation stage)

  • Determine the operational status of the network, systems and other resources

  • Get a handle on the depth and breadth of the compromise

  • Prevent further compromise

  • Make sure you're clear on what the organization's definition of containment is
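An added example (not from NIST SP 800-61 or these notes) of the "depth and breadth" question in working code: it matches indicators gathered so far (a C2 address and a file hash, both placeholders) against a constructed EDR-style export to list which hosts are affected and since when, then orders them for the containment decision with critical assets first. The export format, the indicator values and the critical-asset list are all assumptions for the example.

```python
# Added example, not original page code. Scopes a compromise by correlating
# known indicators against host telemetry to answer "which systems, since when?".
import csv
import io
from datetime import datetime

# Constructed indicators from the analysis so far (placeholder values).
IOC_DST = {"198.51.100.23"}  # assumed C2 address
# sha256 of the string "test", used here only as a stand-in for a malware hash.
IOC_SHA256 = {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}

# Constructed EDR-style export: time,host,event,value
SAMPLE_CSV = """\
time,host,event,value
2024-03-03T09:58:00,ws-017,netconn,198.51.100.23:443
2024-03-03T10:02:10,ws-017,procstart,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2024-03-03T10:05:44,srv-db-02,netconn,198.51.100.23:443
2024-03-03T10:06:00,ws-031,netconn,93.184.216.34:443
2024-03-03T10:20:15,ws-042,procstart,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""


def scope_compromise(csv_text, ioc_dst, ioc_sha256):
    """Return {host: {"first_seen": datetime, "hits": [(time, event, value)]}}."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["value"]
        if row["event"] == "netconn":
            hit = value.rsplit(":", 1)[0] in ioc_dst  # strip the port
        elif row["event"] == "procstart":
            hit = value.lower() in ioc_sha256
        else:
            hit = False
        if not hit:
            continue
        ts = datetime.fromisoformat(row["time"])
        entry = hosts.setdefault(row["host"], {"first_seen": ts, "hits": []})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["hits"].append((ts, row["event"], value))
    return hosts


def containment_order(hosts, critical):
    """Critical assets first (they need an explicit isolate-or-observe decision,
    not a blind pull), then the rest by earliest indicator so the likely
    patient zero is handled early."""
    return sorted(hosts, key=lambda h: (h not in critical, hosts[h]["first_seen"]))


if __name__ == "__main__":
    affected = scope_compromise(SAMPLE_CSV, IOC_DST, IOC_SHA256)
    for host in containment_order(affected, critical={"srv-db-02"}):
        print(host, affected[host]["first_seen"], len(affected[host]["hits"]), "hit(s)")
```

Run this again every time analysis produces a new indicator; the affected-host set usually grows for a while, which is exactly why "do we even know which systems are compromised?" is asked before anything is disconnected.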

Million-dollar questions: Do we...

Disconnect compromised systems?

Do we even know which systems are compromised? Are we disconnecting them from the internet or the network as well?

Shut down compromised systems?

Are these critical systems? What will be the impact on operations? Will shutting down the systems actually help in our containment effort? Remember that powering off destroys volatile evidence (memory contents, live network connections, running processes), so capture what you need before you pull the plug.

Record and observe?

Are the threat actors still active in the environment? Do you know enough yet to attempt to shut down systems?

Important questions

  • What's been done to contain the breach?

  • Have any discovered infections or malware been removed and quarantined?

  • Have compromised systems been rebuilt? Have they been re-patched to be up to date?

  • Have all potentially compromised credentials been changed?

  • Have you applied all recent security patches and updates?

Stage 4 - Eradication

The fourth stage is eradication, where we eliminate the threat from the environment and restore affected systems to a clean state. The goal is to remove every foothold (malware, persistence mechanisms, attacker-created accounts, the exploited vulnerability itself) so the same entry point cannot be reused.

Primary goals

  • Eliminate the threat from the environment

  • Restore affected systems to their previous clean state

  • Prevent further compromise

    • As with containment, the organization defines what counts as "further compromise"

Stage 5 - Recovery

The final stage is recovery, where we restore interrupted business services and validate that everything is back to normal.

Primary goals/tasks

  • Restoring all interrupted or stopped business services

  • Performing validation testing to make sure restoration was successful and up to organization requirements

    • Don't forget to account for the time needed to restore data from backups

    • Checking systems to make sure their patches are up to date

Stage 6 - Lessons learned/follow-up

The follow-up stage (NIST's Post-Incident Activity) is where we learn from the incident and feed improvements back into the Preparation stage.

Primary goals/tasks

There are follow-up questions for the incident responders to answer:

  • Was there sufficient preparation?

  • Did detection occur promptly?

  • Were communications adequate?

  • What was the financial or informational cost of the incident?

  • How can we prevent it from happening again?
