Day 6


INCIDENT RESPONSE

Module Objectives

• Understand and identify incident response plans and processes

• Implement disaster recovery and business continuity plans

• Understand how to investigate digital crime


Outline

• Incident Response Phases

• Disaster Recovery

• Digital Forensics
INCIDENT RESPONSE
Introduction
Oh no! Cybercriminals have gained unauthorized access to the @Larry network and
a server has been compromised. What can @Larry do to minimize the impact of
this and other incidents that threaten the operation?

Keep calm! The first step is to have an organized approach to managing a security
incident like this. That way, the @Larry’s team can limit the damage and reduce the
recovery time and costs. Let’s take a closer look.
Preparation
Incident response is a set of procedures that an organization follows in the event of a
security incident or cyber threat. A data breach occurs anytime an unauthorized person
accidentally or intentionally copies, transmits, views, steals or accesses sensitive
information. When an incident occurs, an organization must know how to respond.
An organization needs to develop an incident response plan and put together a Computer
Security Incident Response Team (CSIRT) to manage their response.
The CSIRT:
• Maintains the incident response plan.
• Ensures its members understand the plan.
• Tests the plan.
• Gets management approval of the plan.
CSIRTs exist at different levels, from organizational CSIRTs to national CSIRTs that oversee
incident handling for an entire country.
Detection and Analysis
The next step, detection, begins when someone discovers an incident. Proper detection
means figuring out how the incident occurred and which data and systems it involved;
done well, it reduces dwell time.

Once a breach has been detected, notification is sent to senior management and managers
responsible for the data and systems, so that they can be involved in the remediation and
repair. Detection and analysis include:

• Alerts and notifications.

• Monitoring and follow-up.

Incident analysis helps to identify the source, extent, impact and details of an incident,
including a data breach.
Containment, Eradication and Recovery
Containment: Isolate the infected system
Containment is the immediate action taken to isolate a system in order to prevent further spread
of the issue. For example, disconnecting a system from the local network to stop the information
leak.
Eradication: Eradicate the breach
After identifying the breach and containing it, the organization needs to eradicate it. This can
take many forms and may require additional downtime for systems.
Recovery: After remediation, restore all systems to their original state
The recovery stage involves taking action to resolve the breach and restore the systems
involved. After remediation, systems need to be restored to their original state.
Post Incident
The final step in the process is to look at the lessons learned. After restoring all operations to a
normal state, the organization should look at the cause of the incident and ask the following
questions:
• What actions will prevent the incident from reoccurring?
• What preventive measures need strengthening?
• How can we improve system monitoring?
• How can we minimize downtime during the containment, eradication, and recovery phases?
• How can we minimize the impact to the business?
Looking at the lessons learned can help the organization to better prepare and improve its
incident response plan moving forward.
DISASTER RECOVERY
Introduction
It is critical to keep an organization functioning when a disaster
occurs. But what situations constitute a disaster and how do they
threaten the operation or security of an organization? Let's find
out.
Types of Disaster
A disaster includes any natural or human-caused event that damages assets or property and
impairs the ability of the organization to continue operating.
Natural disasters differ depending on location and are sometimes difficult to predict. They fall
into the following categories:
• Geological disasters such as earthquakes, landslides, volcanoes and tsunamis.
• Meteorological disasters such as hurricanes, tornadoes, snowstorms, lightning and hail.
• Health disasters such as widespread illnesses, quarantines and pandemics.
• Miscellaneous disasters such as fires, floods, solar storms and avalanches.
Human-caused disasters involve people or organizations and fall into the following categories:
• Labor events such as strikes, walkouts and slowdowns.
• Sociopolitical events such as vandalism, blockades, protests, sabotage, terrorism and war.
• Materials events such as hazardous spills and fires.
• Utility disruptions such as power failures, communication outages, fuel shortages and
radioactive fallout.
Disaster Recovery Plan
An organization puts its Disaster Recovery Plan (DRP) into action while the disaster is
ongoing, and employees are scrambling to ensure critical systems are online.
The DRP includes the activities the organization takes to assess, salvage, repair and
restore damaged facilities or assets.
To create the DRP, answer the following questions:
• Who is responsible for this process?
• What does the individual need to perform the process?
• Where does the individual perform this process?
• What is the process?
• Why is the process critical?
Disaster recovery controls minimize the effects of a disaster so that the organization
can resume operation.
Implementing Disaster Recovery Plan
Preventive controls
Preventive measures include controls that prevent a disaster from occurring. They aim to
identify and mitigate risks.
Detective controls
Detective measures include controls that discover unwanted events. These measures uncover
new potential threats.
Corrective controls
Corrective measures include controls that restore the system after a disaster or an event.
Business Continuity Plan
Business continuity is one of the most important concepts in computer security. Having
plans in place will ensure business continuity regardless of what may occur.
A business continuity plan (BCP) is a broader plan than a disaster recovery plan (DRP)
because it can include getting critical systems to another location while the repair of the
original facility is underway.
Creating a business continuity plan starts with carrying out a business impact analysis
(BIA) to identify critical business processes, resources and relationships between systems.
The BIA focuses on the consequences of the interruption to critical business functions and
examines the key considerations listed below.
Recovery Time Objectives (RTO)
The maximum tolerable length of time that a system, network or application can be
unavailable after a failure or disaster.
Recovery Point Objectives (RPO)
The average lifespan of a given asset before it fails.
Mean Time To Repair (MTTR)
The average time required to repair a failed component.
Mean Time Between Failures (MTBF)
The average time that elapses between one failure and the next.
Business Continuity Considerations
Business continuity controls are more than just backing up data and providing redundant
hardware.
An organization should look at the following tips to ensure business continuity:
• Getting the right people to the right places.
• Documenting configurations.
• Establishing alternate communication channels for both voice and data.
• Providing power.
• Identifying all dependencies for applications and processes so that they are properly
understood.
• Understanding how to carry out automated tasks manually.
Business Continuity Best Practices
National Institute of Standards and Technology (NIST)
1. Develop the policy statement
2. Conduct the business impact assessment
3. Calculate risk: Identify vulnerabilities and threats, calculate risks, and identify
preventative controls
4. Develop recovery strategies
5. Develop the contingency plan
6. Test the plan
7. Maintain the plan: Update the plan regularly
Exercising the Disaster Recovery Plan
Tabletop exercises
The simplest is a tabletop exercise in which participants sit around a table with a
facilitator who supplies information related to a scenario incident and processes that are
being examined. Here, no actual processes or procedures are invoked.
Functional tests
Another type of exercise is a functional test, in which certain aspects of a plan are tested to
see how well they work (and how well prepared personnel are).
Operational exercises
At the most extreme are full operational exercises, or simulations. These are designed to
interrupt services to verify that all aspects of a plan are in place and sufficient to respond
to the type of incident that is being simulated.
DIGITAL FORENSICS
Elements Of An Investigation
Digital forensics deals with legal evidence found on computers and storage media. The
goal is to examine the digital media to identify, preserve, recover, analyze and present
facts about the information.
As a cybersecurity expert, you might be called to help with digital forensics — even in
cases when the crime is not a cybercrime. You must document the investigation from the
initial notification, all the way through to its conclusion.
The forensics process emphasizes proper preservation and collection of data. The
discovery of electronically stored information is referred to as e-discovery.
Meanwhile, data recovery requires that you retrieve lost or corrupted data from media
using alternative methods when you cannot access it by conventional means.
Evidence
Identifying and acquiring evidence
Data is just a series of bits on a storage media — and this makes computer evidence a
challenge. As soon as the incident occurs, it’s helpful to document the current memory
and swap files, running processes and open files.
Protecting and storing evidence
Media containing digital evidence should not be stored in plastic containers, because
plastic can produce or convey static electricity.
The chain of custody
The chain of custody shows who obtained the evidence, where the evidence was
obtained, when the evidence was obtained, where it was stored and who has had control
of the evidence since the time it was obtained. The steps in the chain of custody must be
carefully followed to avoid allegations of tampering.
Data Acquisition
Data acquisition involves gathering data and then copying this data to an image
or other media for analysis.
In case of a crime, you can gather data from the following:
• System images, including components such as memory cards, device firmware,
or a disk drive that contains the operating system, files, running processes,
cached data, and deleted or hidden data.
• Network traffic and logs.
• Video from any surveillance system and photos taken to document the state of
the scene, with any time offset recorded so that the dates and times at the time of
the incident are known.
• Hashes or checksums of all data and applications before and after any analysis,
to validate that they were not modified.
• Screenshots to supplement any photos of the scene.
• Witnesses interviewed as part of the investigation.
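The chain-of-custody and "hash before and after analysis" points above, as an added example that is not part of the original slides: each hand-off or analysis step re-hashes the evidence copy and compares it with the hash taken at acquisition, so any deviation is logged and flagged rather than silently accepted. The evidence bytes, names, locations and timestamps are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for an acquired disk image or log export (not real evidence).
SAMPLE_IMAGE = b"constructed-evidence: syslog export, 2 lines\nline1\nline2\n"

def sha256_hex(data: bytes) -> str:
    """Hash the evidence bytes; this value is what the custody log records."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEntry:
    handler: str      # who had control of the evidence
    action: str       # acquired / transferred / analyzed
    location: str     # where the evidence was obtained or stored
    when: str         # ISO-8601 timestamp supplied by the handler (constructed)
    sha256: str       # hash of the evidence at this step

@dataclass
class EvidenceRecord:
    evidence_id: str
    description: str
    acquisition_hash: str
    chain: list = field(default_factory=list)

def acquire(evidence_id: str, description: str, data: bytes,
            handler: str, location: str, when: str) -> EvidenceRecord:
    """First custody entry: the hash taken at acquisition is the reference value."""
    digest = sha256_hex(data)
    record = EvidenceRecord(evidence_id, description, digest)
    record.chain.append(CustodyEntry(handler, "acquired", location, when, digest))
    return record

def log_handling(record: EvidenceRecord, data: bytes, handler: str,
                 action: str, location: str, when: str) -> bool:
    """Re-hash at every hand-off or analysis step. Returns False when the copy no
    longer matches what was acquired; the entry is still logged so the break is visible."""
    digest = sha256_hex(data)
    record.chain.append(CustodyEntry(handler, action, location, when, digest))
    return digest == record.acquisition_hash

def integrity_breaks(record: EvidenceRecord) -> list:
    """Custody entries whose hash deviates from the acquisition hash (empty = intact)."""
    return [f"{e.action} by {e.handler} at {e.when}"
            for e in record.chain if e.sha256 != record.acquisition_hash]

if __name__ == "__main__":
    rec = acquire("EV-001", "server syslog export", SAMPLE_IMAGE,
                  "analyst A", "server room", "2024-01-01T10:00:00Z")
    print(log_handling(rec, SAMPLE_IMAGE, "analyst B", "analyzed",
                       "forensics lab", "2024-01-01T12:00:00Z"))   # True
    print(integrity_breaks(rec))                                       # []
```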
Digital Forensics Devices
• Forensics requires that you know about computer hardware, software and media.
• In the event of an incident, leave all mobile devices or smartphones in the power state in
which they were found. For any devices that are on, you will need special packaging that
properly blocks their signal, so that nobody can alter the contents of the device remotely
even though it is still on and might even be online.
• Disconnect the system from the network. Capture any email logs, domain name service
logs or any other network service logs on servers.
• Do not open any files or start any applications.
Order of Volatility
Following the order of volatility helps ensure that you collect data before it disappears.
THANK YOU
