Module 5


Module-4

Incident Response – Roles and Responsibilities
– Incident Response
– Handling Different Types of Information Security Incidents
– Preparation for Incident Response and Handling
– Incident Response Team
– Incident Response Team Dependencies
– Incident Response Process
Incident Response
• Incident response (IR) is a structured
methodology for handling security incidents,
breaches, and cyber threats.
• A well-defined incident response plan allows
you to effectively identify, minimize the
damage, and reduce the cost of a cyber attack,
while finding and fixing the cause to prevent
future attacks.
Incident Response
• During a cyber security incident, security teams will
face many unknowns and a frenzy of activity.
• In such a hectic environment, they may fail to follow
proper incident response procedures to effectively
limit the damage.
• This is important because a security incident can be a
high-pressure situation, and your IR team must
immediately focus on the critical tasks at hand.
• Clear thinking and swiftly taking pre-planned incident
response steps during a security incident can prevent
many unnecessary business impacts and reputational
damage.
Incident Response
• Incident Response Team
– A Cyber Security Incident Response Team (CSIRT)
is a group of experts that assesses, documents
and responds to a cyber incident so that a
network can not only recover quickly, but also
avoid future incidents.
Incident Response
• Incident Response Team Dependencies
– Employees
• the organization conducts all incident response-related
activities by itself, without any guidance or intervention
from external parties.
– Partially Outsourced
• the organization outsources certain elements of its
incident response-related activities to external parties.
– Fully outsourced
• the organization outsources all elements of its incident
response-related activities to external parties.
Incident Response
• Incident response phases
Incident Response
• The incident response phases are:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
Incident Response
1. Preparation
– This phase will be the work horse of your incident
response planning, and in the end, the most crucial phase
to protect your business.
– Part of this phase includes:
• Ensure your employees are properly trained regarding their
incident response roles and responsibilities in the event of a data
breach
• Develop incident response drill scenarios and regularly conduct
mock data breaches to evaluate your incident response plan.
– Ensure that all aspects of your incident response plan
(training, execution, hardware and software resources,
etc.) are approved and funded in advance
Incident Response
1. Preparation
– Questions to address
• Has everyone been trained on security policies?
• Have your security policies and incident response plan
been approved by appropriate management?
• Does the Incident Response Team know their roles and
the required notifications to make?
• Have all Incident Response Team members participated
in mock drills?
Incident Response
2. Identification
– This is the process where you determine whether you’ve
been breached. A breach, or incident, could originate
from many different areas.

– Questions to address
• When did the event happen?
• How was it discovered?
• Who discovered it?
• Have any other areas been impacted?
• What is the scope of the compromise?
• Does it affect operations?
• Has the source (point of entry) of the event been discovered?
Incident Response
3. Containment
– When a breach is first discovered, your initial instinct may
be to securely delete everything so you can just get rid of it.
– However, that will likely hurt you in the long run since you’ll
be destroying valuable evidence that you need to
determine where the breach started and devise a plan to
prevent it from happening again.
– Instead, contain the breach so it doesn’t spread and cause
further damage to your business.
– If you can, disconnect affected devices from the Internet.
Have short-term and long-term containment strategies
ready.
– It’s also good to have a redundant system back-up to help
Incident Response
3. Containment
– Questions to address
• What’s been done to contain the breach short term?
• What’s been done to contain the breach long term?
• Has any discovered malware been quarantined from the rest of
the environment?
• What sort of backups are in place?
• Does your remote access require true multi-factor authentication?
• Have all access credentials been reviewed for legitimacy, hardened
and changed?
• Have you applied all recent security patches and updates?
Incident Response
4. Eradication
– Once you’ve contained the issue, you need to find and
eliminate the root cause of the breach.
– This means all malware should be securely removed, systems
should again be hardened and patched, and updates should
be applied.
– Whether you do this yourself, or hire a third party to do it,
you need to be thorough.
– If any trace of malware or security issues remain in your
systems, you may still be losing valuable data, and your
liability could increase.
Incident Response
4. Eradication
– Questions to address
• Have artifacts/malware from the attacker been securely
removed?
• Has the system been hardened, patched, and updates
applied?
• Can the system be re-imaged?
Incident Response
5. Recovery
– This is the process of restoring and returning
affected systems and devices back into your
business environment.
– During this time, it’s important to get your systems
and business operations up and running again
without the fear of another breach.
Incident Response
5. Recovery
– Questions to address
• When can systems be returned to production?
• Have systems been patched, hardened and tested?
• Can the system be restored from a trusted back-up?
• How long will the affected systems be monitored and
what will you look for when monitoring?
• What tools will ensure similar attacks will not reoccur?
(File integrity monitoring, intrusion
detection/protection, etc.)
Incident Response
6. Lessons Learned
– Once the investigation is complete, hold an after-
action meeting with all Incident Response Team
members and discuss what you’ve learned from the
data breach.
– This is where you will analyze and document
everything about the breach.
– Determine what worked well in your response plan,
and where there were some holes.
– Lessons learned from both mock and real events
will help strengthen your systems against the future
Incident Response
6. Lessons Learned
– Questions to address
• What changes need to be made to security?
• How should employees be trained differently?
• What weakness did the breach exploit?
• How will you ensure a similar breach doesn’t happen
again?
Incident Response
• Incident Response (IR) steps to take after a
cyber security event occurs
– The first priority is to prepare in advance by
putting a concrete IR plan in place.
– Your incident response methodology should be
battle-tested before a significant attack or data
breach occurs.
– It should address the following response phases as
defined by the NIST Computer Security Incident
Handling Guide.
Incident Response
• Incident Response (IR) steps to take after a
cyber security event occurs
1. Assemble your team
2. Detect and ascertain the source
3. Contain and recover
4. Assess the damage and severity
5. Begin the notification process
6. Start now to prevent the same type of incident in
the future
Incident Response
1. Assemble your team
– It’s critical to have the right people with the right
skills, along with associated tribal knowledge.
– Appoint a team leader who will have overall
responsibility for responding to the incident.
– This person should have a direct line of
communication with management so that
important decisions—such as taking key systems
offline if necessary—can be made quickly.
Incident Response
2. Detect and ascertain the source
– The IR team you’ve assembled should first work to
identify the cause of the breach, and then ensure
that it’s contained.
Incident Response
3. Contain and recover
– A security incident is analogous to a forest fire.
Once you’ve detected an incident and its source,
you need to contain the damage.
– This may involve disabling network access for
computers known to be infected by viruses or other
malware (so they can be quarantined) and installing
security patches to resolve malware issues or
network vulnerabilities.
– You may also need to reset passwords for users with
accounts that were breached, or block accounts of
insiders that may have caused the incident.
Incident Response
4. Assess the damage and severity
– Until the smoke clears it can be difficult
to grasp the severity of an incident and the
extent of damage it has caused.
Incident Response
5. Begin the notification process
– A data breach is a security incident in
which sensitive, protected or confidential data is
copied, transmitted, viewed, stolen or used by
an unauthorized individual.
Incident Response
6. Start now to prevent the same type of
incident in the future
– Once a security incident has been stabilized,
examine lessons learned to prevent recurrences of
similar incidents.
– This might include patching server vulnerabilities,
training employees on how to avoid phishing
scams, or rolling out technologies to better
monitor insider threats.
– Fixing security flaws or vulnerabilities found during
your post-incident activities is a given.
