Cyber Security Incident Response
What is an Incident
An Incident can be classified as something adverse, a threat, to our computer systems or networks. It implies harm or someone attempting to harm the organization. Not all Incidents will be handled by an IRT ("Incident Response Team") as they do not necessarily have an impact, but those which do the IRT is summoned to help deal with the incident in a predictable and high quality manner.
The IRT should be closely aligned to the organizations business objectives and goals and always strive to ensure the best outcome of incidents. Typically this involves reducing monetary losses, prevent attackers from doing lateral movement and stopping them before they can reach their objectives.
Preparation
This phase is for getting ready to deal with incident response. There are many things an IRT should consider to make sure they are prepared.
Preparation should include development of playbooks and procedures which dictates how the organization should respond to certain kinds of incidents. Rules of Engagement should also be determined in advance: how should the team respond? Should the team actively try to contain and clear threats, or is it sometimes acceptable to monitor a threat in the environment to learn valuable intelligence on for example how they broke in, who they are and what they are after?
What are the common types of incidents?
Phishing attacks
-
350% rise in phishing websites at the start of 2020 – United Nations
Denial-of-Service attacks
-
595% year-over-year increase in DDoS attacks against utilities worldwide – NETSCOUT
SQL injections
-
8000% rise in SQL Injection attacks in 2019, versus 2018 – WatchGuard
Ransomware attacks
-
20% hike in ransomware attacks within 6-months, amounting to 121.4 million events – SonicWall
Preparation
The Incident Response Plane (IRP) is a critical component of the incident response process. It provides a secure and centralized environment where incidents can be addressed.
The Business Continuity Plane (BCP) is a critical component of the incident response process. It provides a plan for recovering from a cyber attack or natural disaster, ensuring your business remains operational and secure.
Disaster recovery plans help you quickly recover from a cyber attack or natural disaster, ensuring your business remains operational and secure.
Cyber Security Incident Response?
IP Care Technologies stands out as the best Microsoft certified services provider in the UAE, offering a wide range of features and benefits that empower businesses to harness the power of the cloud. Here are the key features of our company as a leading cloud solutions provider:
IRT - Incident Response Team
An IRT is a dedicated team to tackle Cyber Security Incidents. The team may consist of Cyber Security specialists only, but may synergize greatly if resources from other grouping are also included.
PICERL - A Methodology
Do not consider this methodology as a waterfall model, but instead as a process where you can go forwards and backwards. This is important to ensure you fully deal with incidents that happen
Identification
Looking through data and events, trying to point our finger at something which should be classified as an incident. This task is often sourced to the SOC, but the IRT can partake in this activity and with their knowledge try improve the identification.
Containment
Containment should try stop the attackers in their tracks and prevent further damages. This step should ensure the organization does not incur any more damages and ensure the attackers can not reach their objectives.
The IRT should as soon as possible consider if a backup and imaging should be done. Backup and imaging is useful to preserve evidence for later. This process should try to secure:
1. A copy of the hard-drives involved for file forensics
2. A copy of the memory of the involved systems for memory forensic
Eradication
If containment has been properly performed, the IRT can move into the eradication phase, sometimes called the remediation phase. In this phase the goal is to remove the attackers artifacts.
There are quick options to ensure eradication, for example:
1. Restoring from a known good backup
2. Rebuilding the service
Recovery
Restoring to normal operations is the target state for the IRT. This might involve acceptance testing from the business units. Ideally we add monitoring solutions with information about the incident. We want to discover if the attackers suddenly return, for example because of artifacts we failed to remove during eradication.