Incident response

  1. Incident response
  2. ISO 27035
  3. NIST
    1. SP 800-61
    2. SP 800-81
  4. FIRST
  5. Containment

Incident response

  • steps:
    1. preparation
    2. detection
    3. analysis
    4. containment
    5. eradication
    6. recovery
    7. post-incident activity
  • must be developed in collaboration with lawyers
  • list of external contacts
  • call-tree for internal contacts
  • responsibilities map
  • actions to preserve evidence
  • what should be included in the report
  • external world interaction plan (e.g. media, authorities)
  • CERT (computer emergency response team): information security groups

ISO 27035

  • incident response process management
  • phases
    1. plan & prepare:
      • form IR team
      • update policies
      • test IR plan
      • training
    2. detection & reporting:
      • detect, collect and report events and vulnerabilities
    3. assessment & decision:
      • process collected info, gather additional information
      • preserve evidence
      • risk analysis
    4. response:
      • follow DRP
      • begin postmortem
    5. lessons learned

NIST

SP 800-61

  • incident handling

SP 800-81

  • secure DNS deployment

FIRST

  • forum of incident response and security teams
  • SIG: special interest group

Containment

  • do not power off or log out
  • record all actions
  • disconnect from network:
    • physically
    • shielded container: requires a battery or charger, because the device consumes extra energy while searching for a network
    • airplane mode
    • firewall rules alone may not be enough