Today I want to start off by sharing a few things that I have been researching for a while. I have had a lot of curiosity about incident response, I want to understand how it works, what is expected from an IR team, and much more.
For the last few days, I have also been asking my new friend ChatGPT about it so that I can get some of the answers and things that go on during an Incident Response engagement.
One more thing is that this document and Series will continue to be updated as I find more information.
What is Incident Response?
I have found a few definitions and the one that I like the most is one that mentions the following: IR is a systematic approach to responding to cybersecurity incidents. This sentence says a lot but the reality is that there is a lot more to it, so let’s break it down
Since it is a combination of processes to make sure that your IR team takes action accordingly, I believe this is an always-moving definition, I mean at least for an IR plan I think. Now let’s start by breaking down all the parts of IR.
The Steps (My Research)
- Preparation
- Detection and Analysis
- Containment
- Eradication
- Recovery
NIST does an excellent job at creating a framework of how this is supposed to work, they organize it in a different way, as well as provide additional information and Context
The Steps NIST lays out in its framework
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
There is a lot more from the NIST framework, which is what I was expecting to see from their publication. They lay out the steps an incident plan needs since its inception, with things that include the characteristics of a policy and teams that need to be involved in such events
Now let’s break it down at a high level to see beyond the big picture, I have taken the definitions from my research for me to study beyond this point. The idea here is to breakdown further each of those steps along with other guidance from the NIST Framework
IR: Preparation
Before an incident occurs, organizations should have an incident response plan in place that outlines the roles and responsibilities of the IR team, the steps to be taken during an incident, and the tools and resources that will be needed.
IR: Detection and analysis
When an incident is detected, the IR team will gather and analyze evidence to determine the nature and scope of the incident. This may involve reviewing logs, network traffic, and system configurations, as well as running forensic analysis on compromised systems.
IR: Containment
The goal of containment is to stop the incident from spreading and minimize the damage caused. This may involve disconnecting affected systems from the network, disabling compromised accounts, or implementing other measures to prevent the incident from spreading.
IR: Eradication
Once the incident has been contained, the IR team will work to remove the cause of the incident and restore affected systems to their normal state. This may involve cleaning up malware, patching vulnerabilities, or rebuilding systems from scratch.
IR: Recovery
After the incident has been eradicated, the IR team will work to restore normal operations and get the organization back to business as usual. This may involve bringing systems back online, repairing any damage caused by the incident, and communicating with stakeholders.
IR: Review and Improvement
After the incident has been resolved, the IR team should review the response process and identify any areas for improvement. This may involve updating the incident response plan, training team members on new techniques, or acquiring new tools and resources.
Before Creating a Plan
Few things that my research did not cover but I was able to find them under the NIST Framework. This one is simple but covers a lot of things. The creation of a Policy, Plan, and Procedure Creation. I will not spend too much time on this, however, I believe this is the foundation of the process to follow for every incident. Another interesting piece of information I can gather from the NIST Framework is communications, I know that some of the sections listed above go over it, but in this case, I’m referring to communication from the IR Team with multiple outlets such as media and Communication companies.
The following graphic will include IR Communications with Outside parties:
Where did I find all this useful information?
I went inside the ChatGPT rabbit hole! It was interesting and it continues to be interesting using the tool to learn more. However, most of this information will be already documented under NIST’s Special Publication 800-61 Revision 2
What to look forward to?
A few more posts will help provide more context for each Incident Response phase.
About the Author:
Andres Sarmiento, CCIE # 53520
With over 18 years of professional experience, Andres is a specialist in Unified Communications and Collaboration technologies, Enterprise Networks, and Network Security. He has consulted for numerous companies in South Florida, including Financial Institutions, on behalf of Cisco Systems. Andres has played a key role in several high-profile implementations, utilizing Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security, and Hosted IPT Service Provider infrastructures.