An Incident is any event that negatively impacts the confidentiality, integrity, or availability of an organization's information systems or data.
Incidents can be intentional, such as cyberattacks, or unintentional, such as a system failure or human error.
📋Incident Response Plan
An Incident Response Plan (IRP) is a set of instructions or procedures that an organization follows to identify, respond to, and recover from security incidents or cyberattacks.
The goal of an IRP is to handle the situation in a way that limits damage and reduces recovery time and costs.
♻️Incident Response Process
The Incident Response Process is a structured approach for addressing and managing the aftermath of a security breach or cyberattack, also known as an incident.
The goal is to handle the situation in a way that limits damage, reduces recovery time and costs, and ensures that the incident is properly documented and learned from.
The incident response process is typically broken down into six key steps:
Preparation: This is the first and arguably the most important step. It involves setting up an incident response team, defining roles and responsibilities, and ensuring the necessary tools and resources are in place. It also includes creating an incident response plan and training staff on how to implement it.
Identification: This step involves detecting and acknowledging incidents. It includes monitoring systems for signs of an incident, analyzing logs and alerts, and establishing clear criteria for what constitutes an incident. The quicker an incident is identified, the quicker it can be contained and remediated.
Containment: Once an incident is identified, steps should be taken to limit the scope and magnitude of the incident. Short-term containment may involve quick fixes to limit the immediate damage, while long-term containment focuses on securely restoring systems to normal operation.
Eradication: This involves finding the root cause of the incident and removing it from the system. This could involve removing malware, closing security holes, or fixing vulnerabilities. The goal is to eliminate the threat from the environment.
Recovery: This step involves restoring systems to normal operation, confirming that the systems are functioning normally, and preventing recurrence of the same incident. This might involve patching systems, restoring data from backups, or implementing new security measures.
Lessons Learned: After an incident, it's important to review what happened, what was done to intervene, and how things could be done better. This is typically documented in a post-incident report. The goal is to learn from the incident to improve future response efforts and prevent similar incidents from occurring.
Here's a mnemonic to help remember these stages:
People In Cities Eat Ripe Lemons 🍋
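The Identification step above turns on "clear criteria for what constitutes an incident". The following added example (not from the original notes) encodes such criteria as code and runs them over a few constructed sshd-style auth log lines. The thresholds (five failed logins from one source within five minutes is an event; the same burst followed by a successful login is an incident) are assumptions chosen for the example, not values from the page or from any standard.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (sshd-style, not captured from a real host).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51234 ssh2
2024-03-01T10:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51236 ssh2
2024-03-01T10:00:05 sshd[1201]: Failed password for root from 203.0.113.7 port 51238 ssh2
2024-03-01T10:00:07 sshd[1201]: Failed password for admin from 203.0.113.7 port 51240 ssh2
2024-03-01T10:00:09 sshd[1201]: Failed password for admin from 203.0.113.7 port 51242 ssh2
2024-03-01T10:00:12 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51244 ssh2
2024-03-01T10:15:00 sshd[1302]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T11:30:00 sshd[1303]: Failed password for alice from 198.51.100.4 port 40002 ssh2
2024-03-01T11:31:00 sshd[1304]: Accepted password for alice from 198.51.100.4 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Hypothetical identification criteria, written the way an IRP might state them
# (assumed thresholds for this example, not taken from the notes):
#   - 5 or more failed logins from one source within 5 minutes: a "security event"
#   - such a burst followed by a successful login from the same source: an "incident"
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse(log_text):
    """Turn raw lines into dicts; lines that do not match the pattern are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "outcome": m["outcome"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def burst_end(failures):
    """Return the timestamp closing the first window that meets FAIL_THRESHOLD, else None.
    `failures` must already be sorted by timestamp."""
    for i in range(len(failures)):
        j = i
        while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= WINDOW:
            j += 1
        if j - i >= FAIL_THRESHOLD:
            return failures[j - 1]["ts"]
    return None


def identify(log_text):
    """Apply the criteria per source address and return a list of findings."""
    by_src = defaultdict(list)
    for e in parse(log_text):
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        end = burst_end([e for e in evs if e["outcome"] == "Failed"])
        if end is None:
            continue  # below the event criteria: nothing to declare
        success_after = any(e["outcome"] == "Accepted" and e["ts"] >= end for e in evs)
        findings.append({
            "source": src,
            "severity": "incident" if success_after else "event",
            "reason": ("credential-guessing burst followed by successful login"
                       if success_after else "credential-guessing burst, no success seen"),
            "first_seen": evs[0]["ts"].isoformat(),
        })
    return findings


if __name__ == "__main__":
    for finding in identify(SAMPLE_LOGS):
        print(finding)
```

In the constructed data only 203.0.113.7 meets the criteria (five failures in eight seconds, then a success); 198.51.100.4 has two failures over an hour apart followed by a success, which the stated criteria do not classify as anything, so no finding is raised for it. That is the point of writing criteria down: the same log lines produce the same declaration every time, whoever is on shift.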
Preparing for Incident Response
The next step after understanding and defining an organization's IR process is to determine who will be on the organization's IR team, who will be in charge of the IR process, and who will lead the IR team.
Next, plans are built, and then the plans are tested via exercises.
💪🏾Exercises
Incident response exercises are a crucial part of preparing an organization to respond effectively to a security incident.
These exercises help to ensure that the incident response team (IRT) understands their roles and responsibilities, and that the incident response plan (IRP) is effective and up-to-date. Here are three types of incident response exercises commonly used by IR teams:
Tabletop Exercises: These are discussion-based exercises where team members walk through a hypothetical incident scenario and discuss how they would respond. The scenario is usually presented by the exercise facilitator, and the team then discusses their roles, actions, and decision-making processes. This type of exercise is particularly useful for identifying gaps in the IRP, improving communication among team members, and clarifying roles and responsibilities. It's a low-cost, high-impact way to test the organization's incident response capabilities.
Walkthrough (Functional Exercises): These are more hands-on than tabletop exercises. They involve simulating a realistic incident scenario and having the IRT perform their roles as if it were a real incident. This could involve activities like analyzing logs, performing forensics, developing and implementing containment strategies, and communicating with stakeholders. Functional exercises provide a more realistic test of the team's capabilities and the effectiveness of the IRP.
Simulation (Full-Scale Exercises): These are the most complex and realistic type of exercise. They involve multiple teams, departments, or even organizations, and they simulate a full-scale incident that affects multiple aspects of the organization. This could involve not just the IRT, but also IT staff, management, PR, legal, and others. Simulations provide the most comprehensive test of the organization's incident response capabilities, but they are also the most resource-intensive to plan and execute.
🎯Attack Frameworks
Incident responders frequently need ways to describe attacks and incidents using common language and terminology. Attack frameworks are used to understand adversaries, document techniques, and to categorize tactics.
The Security+ exam outline covers three major frameworks, MITRE's ATT&CK, the Diamond Model of Intrusion Analysis, and Lockheed Martin's Cyber Kill Chain.
MITRE ATT&CK: The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It's used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The ATT&CK framework covers a wide range of tactics (the attacker's objective), techniques (how they achieve that objective), and procedures (the specific steps they take). It's widely used in incident response to understand the steps an attacker has taken or may take, and to develop effective detection and mitigation strategies.
Cyber Kill Chain: Developed by Lockheed Martin, the Cyber Kill Chain framework outlines the stages of a cyber attack, from initial reconnaissance to action on objectives. The seven stages are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. The Cyber Kill Chain is often used in incident response to understand the progress of an attack and to disrupt it at the earliest possible stage.
Diamond Model: The Diamond Model of Intrusion Analysis is a structured method for analyzing and documenting intrusions. It focuses on four core aspects of an intrusion: Adversary, Infrastructure, Capability, and Victim. In addition to the four core aspects, the model defines:
The Meta-Features: start and end timestamps, phase, result, direction, methodology, and resources. These are used to order events in a sequence known as an activity thread, as well as for grouping events based on their features.
A Confidence Value, which is undefined by the model but which analysts are expected to determine based on their own work.
These aspects are represented as vertices of a diamond, with lines (known as "activity threads") connecting them to represent the relationships between them.
The Diamond Model is used in incident response to understand the relationships between different elements of an attack and to develop a comprehensive picture of the attacker's activities.
Core Components of the Diamond Model:
Adversary: This represents the threat actor or group responsible for the intrusion. It encompasses their skills, motivations, objectives, and resources.
Capability: This refers to the tools, tactics, techniques, and procedures (TTPs) used by the adversary during the intrusion. It can include malware, exploits, scripts, and other technical means.
Infrastructure: This represents the physical and virtual resources used by the adversary to conduct and support the intrusion. Examples include command and control (C2) servers, proxy nodes, domain names, and IP addresses.
Victim: This represents the target of the intrusion. It can be an individual, organization, or system. The victim component includes details about vulnerabilities exploited, data targeted, and the potential impact on the victim.
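To make the Diamond Model concrete, here is an added example (not from the original notes or from the model's authors) that represents each event as the four core vertices plus the meta-features listed above, orders a victim's events into an activity thread by start time, and groups events by any feature. The `pivot_attribution` function is my own illustration of how an analyst uses shared infrastructure to propose an adversary for an otherwise unattributed event; the model itself does not prescribe that step. Adversary names, hostnames and the 0.0 to 1.0 confidence scale are constructed, and the IP addresses are RFC 5737 documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: the four core vertices plus the model's meta-features."""
    event_id: str
    # Core vertices
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    # Meta-features
    start: datetime
    end: datetime
    phase: str
    result: str
    direction: str
    methodology: str
    resources: tuple = ()
    # Left undefined by the model; the analyst assigns it (0.0 to 1.0 is an assumption here)
    confidence: float = 0.5


def activity_thread(events, victim):
    """Order every event against one victim by start time: that victim's activity thread."""
    return sorted((e for e in events if e.victim == victim), key=lambda e: e.start)


def group_by(events, feature):
    """Group events that share a vertex or meta-feature value (e.g. phase, infrastructure)."""
    groups = defaultdict(list)
    for e in events:
        groups[getattr(e, feature)].append(e)
    return dict(groups)


def pivot_attribution(events):
    """Analytic pivot (illustration, not prescribed by the model): when an event with an
    unknown adversary shares infrastructure with an event whose adversary is known, propose
    that adversary, carrying forward the lower confidence of the two events."""
    known = {}
    for e in events:
        if e.adversary != "unknown":
            known[e.infrastructure] = e
    proposals = {}
    for e in events:
        if e.adversary == "unknown" and e.infrastructure in known:
            k = known[e.infrastructure]
            proposals[e.event_id] = (k.adversary, min(e.confidence, k.confidence))
    return proposals


def sample_events():
    """Constructed events: hypothetical adversary names, hosts and capability labels."""
    t = lambda h, m: datetime(2024, 3, 1, h, m)
    common = dict(direction="adversary-to-victim", result="success")
    return [
        DiamondEvent("E1", "GROUP-A", "phishing-doc", "198.51.100.20", "finance-ws01",
                     t(9, 0), t(9, 5), "delivery", methodology="spear phishing",
                     confidence=0.9, **common),
        DiamondEvent("E2", "GROUP-A", "loader.dll", "198.51.100.20", "finance-ws01",
                     t(9, 30), t(9, 45), "command-and-control", methodology="https beacon",
                     confidence=0.8, **common),
        DiamondEvent("E3", "unknown", "loader.dll", "198.51.100.20", "hr-ws07",
                     t(11, 0), t(11, 20), "command-and-control", methodology="https beacon",
                     confidence=0.6, **common),
        DiamondEvent("E4", "GROUP-B", "password-guessing", "203.0.113.9", "web01",
                     t(8, 0), t(8, 30), "exploitation", methodology="brute force",
                     confidence=0.7, **common),
    ]


if __name__ == "__main__":
    evs = sample_events()
    print([e.event_id for e in activity_thread(evs, "finance-ws01")])
    print({k: len(v) for k, v in group_by(evs, "phase").items()})
    print(pivot_attribution(evs))
```

Running it shows the finance workstation's thread as E1 then E2 (delivery, then C2), the two C2-phase events grouped together, and E3 proposed as GROUP-A because it beacons to the same infrastructure, at the lower of the two confidence values. Pivots like this are how responders grow a "comprehensive picture" from isolated alerts, and the explicit confidence value records how much weight the proposal deserves.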
🏗️Building Incident Response Plans
Incident response plans can include several subplans to handle various stages of the response process.
Your organization may choose to combine them all into a single larger document or may break them out to allow the response team to select the components that they need. Individual plans may also be managed or run by different teams.
📞Communication Plans
Communication plans are critical to incident response processes.
A lack of communication, incorrect communication, or just poor communication can cause significant issues for an organization and its ability to conduct business. At the same time, problematic communications can also make incidents worse, as individuals may not know what is going on or may take undesired actions, thinking they are doing the right thing due to a lack of information or with bad or partial information available to them.
📈Stakeholder Management
Stakeholder Management plans are related to communication plans and focus on groups and individuals who have an interest or role in the systems, organizations, or services that are impacted by an incident.
Stakeholders can be internal or external to an organization and may have different roles and expectations that need to be called out and addressed in the stakeholder management plan. Many stakeholder management plans will help with prioritization of which stakeholders will receive communications, what support they may need, and how it will be provided, with options to offer input or otherwise interact with the IR process, communications and support staff, or others involved in the response process.
🏢Business Continuity
Business continuity (BC) plans focus on keeping an organization functional when misfortune or incidents occur.
In the context of IR processes, BC plans may be used to ensure that systems or services that are impacted by an incident can continue to function despite any changes required by the IR process. That might involve ways to restore or offload the services or use of alternate systems. Business continuity plans have a significant role to play for larger incidents, whereas smaller incidents may not impact an organization's ability to conduct business in a significant way.
🌀Disaster Recovery (DR)
Disaster Recovery (DR) plans define the processes and procedures that an organization will take when a disaster occurs.
Unlike a business continuity plan, a DR plan focuses on natural and man-made disasters that may destroy facilities, infrastructure, or otherwise prevent an organization from functioning normally. A DR plan focuses on restoration or continuation of services despite a disaster.
🐔Continuity of Operations Plan (COOP)
COOP stands for Continuity of Operations Plan. It's a set of policies and procedures that an organization puts in place to ensure that essential functions can continue during and after a disaster.
The goal of a COOP is to prevent data loss and downtime, and to allow an organization to continue its critical operations even in the face of a significant disruptive event. A COOP typically includes the following elements:
Identification of Essential Functions: The organization identifies which functions are critical to its operation and must continue under any circumstances. These might include things like customer service, payroll, and IT infrastructure.
Delegation of Authority: The plan should clearly outline who is responsible for what during a disaster. This includes identifying backups for key personnel.
Orders of Succession: The plan should establish an order of succession to key positions to ensure that there is always someone available to perform critical functions.
Alternate Facilities: The organization should identify alternate operating locations in case the primary facilities are not available.
Interoperable Communications: The plan should ensure that the organization has the ability to communicate internally and externally during a disaster.
Vital Records and Databases: The organization should identify and provide protection for records and databases that are necessary to perform essential functions.
Tests, Training, and Exercises: The organization should regularly test the COOP and train personnel on how to implement it.
Devolution of Control and Direction: If the organization's leadership is incapacitated or unavailable, the plan should outline how control and direction of the organization's operations will be transferred to another office or agency.
Reconstitution: The plan should outline how normal operations will be restored once the disaster is over.
Four stages of COOP
Readiness and Preparedness: Objective: Ensure that the organization is ready to respond to any disruption.
Activation and Relocation: Objective: Activate the COOP plan and, if necessary, relocate essential functions and personnel to an alternate site.
Continuity of Operations: Objective: Ensure that essential functions continue to be performed during the disruption.
Reconstitution and Termination: Objective: Return to normal operations once the emergency or disruption has been resolved.
🛸Retention Policies
Retention policies are guidelines that an organization establishes to govern how long it retains data.
These policies are crucial for managing information throughout its lifecycle, from creation and storage to disposal. They help organizations comply with legal and regulatory requirements, manage costs, and mitigate risks associated with data loss or breaches. Here are the key elements of a data retention policy:
Identification of Data: The policy should clearly define what types of data it covers. This could include emails, documents, databases, transaction logs, audit records, and more.
Retention Periods: The policy should specify how long each type of data will be retained. These periods can vary depending on the nature of the data and the legal or business requirements. For example, financial records might need to be kept for several years to comply with tax laws, while other types of data might only need to be kept for a few months.
Storage and Management: The policy should outline how data will be stored and managed during the retention period. This could include details on data backups, encryption, and access controls.
Disposal: The policy should specify how data will be disposed of once the retention period has ended. This could involve deletion, shredding, or other forms of data sanitization.
Roles and Responsibilities: The policy should clearly define who is responsible for implementing and enforcing the retention policy. This could include IT staff, data owners, and legal or compliance teams.
Review and Update: The policy should be regularly reviewed and updated to reflect changes in legal requirements, business needs, or technology.
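The elements above (data types, retention periods, disposal method, responsible roles) map directly onto a small policy engine. The following added example, not part of the original notes, expresses a hypothetical retention policy as data and evaluates constructed records against it. The retention periods, disposal methods and owner roles are assumptions chosen for the example, not requirements from any law or standard; it also handles two cases a real policy must cover: a legal hold, which overrides expiry, and a record whose type the policy does not classify, which is escalated rather than silently kept or deleted.

```python
from datetime import date, timedelta

# Hypothetical retention policy. Periods, disposal methods and owner roles are assumed
# values for this example, not taken from any regulation or from the notes above.
POLICY = {
    "financial_record": {"retain_days": 7 * 365, "disposal": "secure_delete", "owner": "finance"},
    "audit_log":        {"retain_days": 365,     "disposal": "secure_delete", "owner": "security"},
    "email":            {"retain_days": 90,      "disposal": "delete",        "owner": "it"},
    "transaction_log":  {"retain_days": 30,      "disposal": "delete",        "owner": "it"},
}

# Constructed records. legal_hold marks data that must be kept regardless of age.
RECORDS = [
    {"id": "r1", "type": "financial_record", "created": date(2015, 1, 1)},
    {"id": "r2", "type": "audit_log",        "created": date(2023, 6, 1)},
    {"id": "r3", "type": "email",            "created": date(2023, 10, 1), "legal_hold": True},
    {"id": "r4", "type": "email",            "created": date(2023, 11, 15)},
    {"id": "r5", "type": "scratch_data",     "created": date(2020, 1, 1)},
]


def evaluate(records, policy, today):
    """Decide, per record, whether to retain it, dispose of it, or escalate for review."""
    decisions = []
    for rec in records:
        rule = policy.get(rec["type"])
        if rule is None:
            # Every data type must be classified; an unclassified record is a policy gap,
            # so it goes to the compliance role rather than being kept or deleted by default.
            decisions.append({"id": rec["id"], "action": "review", "owner": "compliance",
                              "reason": "no retention rule for type %s" % rec["type"]})
            continue
        expires = rec["created"] + timedelta(days=rule["retain_days"])
        if rec.get("legal_hold"):
            action, reason = "retain", "legal hold overrides expiry on %s" % expires
        elif today >= expires:
            action, reason = rule["disposal"], "retention period ended %s" % expires
        else:
            action, reason = "retain", "expires %s" % expires
        decisions.append({"id": rec["id"], "action": action,
                          "owner": rule["owner"], "reason": reason})
    return decisions


def actions(records, policy, today):
    """Compact view of evaluate(): record id -> action."""
    return {d["id"]: d["action"] for d in evaluate(records, policy, today)}


if __name__ == "__main__":
    for d in evaluate(RECORDS, POLICY, date(2024, 3, 1)):
        print(d)
```

Evaluated on 2024-03-01, the old financial record is due for secure deletion, the audit log is still within its year, the email under legal hold is retained despite being past 90 days, the other email is deleted, and the unclassified record is escalated. Separating the disposal method from the decision lets the disposal step honour the "Disposal" element of the policy (sanitization for sensitive types, plain deletion for others) without the evaluator knowing how each is carried out.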