Crafting a Cybersecurity Incident Response Plan: A MindMap Approach

Before we get into the incident response process, lets define two terms. We’ll start with an event? What’s an event? An event is an observable occurrence. Someone logging in is an event. A file being written to a drive is an event. Someone scanning the external firewall is an event. We do not particularly care about the vast majority of events.

Now, what is an incident? An incident is an event that negatively impacts the organization in some way. A server crashing. A password being brute forced. An attacker getting through the firewall. These are all incidents. We definitely care about incidents

Incident Response

Our incident response is focused on detecting these incidents, providing an effective & efficient response to reduce the impact to the organization, maintaining or restoring business continuity and defending against future attacks.

Preparation

To effectively respond to an incident, you must first do a fair bit of preparation: create an incident response policy and procedures, identify and train the appropriate people, put in place monitoring capabilities, etc. etc.

Triage

Once we begin collecting evidence there are a few principles, techniques and sources we should be aware of.

Locard’s Principle

The incident response process can be categorized into three buckets: Triage, Action & Investigation, and Recovery. We’ll start at the beginning of the incident response process: triage.

Detection

The first, and absolutely most important step in incident response is detection. If you cannot detect an incident, there is no way you can activate your incident response process and do all the rest of the stuff we are about to talk about. If you are asked on the exam to put the incident response process steps in order, always look for detection as the first step.

Sources (SIEM, IDS/IPS, DLP, Fire detectors, Etc.)

There are all sorts of ways that we can identify and detect incidents from the flood of events that are constantly occurring. We can use tools like Intrusion Detection systems which feed into our Security Information and Event Management Systems. Or building monitoring systems like fire alarms. Or a report from an employee. Among many other ways

Event

And remember the difference between an event, an observable occurrence

Incident

And an incident which is an event that has a negative impact on the organization

Digital Forensics

Digital forensics is the scientific examination & analysis of data from storage media in such a way that the information can be used as evidence in a court of law

Response (IR Team Deployed)

Once we have detected an incident the next step is to Respond by activating out incident response team. And one of the first things the incident response team is going to conduct is an impact assessment, they are going to try to determine the severity of the incident and how long it will take to recover. This impact assessment drives the rest of the process, and if the Maximum Tolerable Downtime is going to be exceeded, then this will not be treated as an incident, but rather we will declare a disaster and enact our BCP or DRP plans. More on that in Video 6 when I talk about Business Continuity Management. I’ll link to that video below.

Action / Investigation

The next category is Action & Investigation

Mitigation (Containment)

And the next step is mitigation. This is where we try to minimize the damage and contain the incident. For example, if we have a worm spreading across our network, we may decide to disconnect systems from the network, or if we have a fire, activate the fire suppression system. These are ways we can try to minimize the damage

Reporting (Relevant Stakeholders)

Reporting is actually conducted throughout the incident response process. What is important to remember is that there should be one dedicated contact person on the incident response team who is reporting out to all the relevant stakeholders (management, investors, regulators, customers, the media, etc.) while the rest of the team stays focused on responding to the incident.

Recovery

The recovery category is where we work on getting things back to business as usual and making improvements so that the same incident doesn’t occur again.

Recovery (Return to normal)

The recovery step is where we work on returning things to business as usual. In the worm outbreak example, we eradicate the worm and begin re-connecting systems to the network, or in the fire example, we clean up the charred soaking mess of the office, install new carpeting, paint the walls, move in new furniture etc. These are examples of recovering to get back to business as usual.

Remediation (Prevention)

Remediation actually begins in parallel with mitigation. Remediation is where we are performing root cause analysis to determine how we can prevent say the continued spread of the worm while we recover systems or prevent the re-ignition of the fire. Remediation continues through the recovery and the closure of the incident and leads into Lessons learned.

Lessons Learned (Improve Process)

Lessons learned is the post incident step where we do some soul searching: how did this happen? How can we prevent it from happening again? Why us? Just why?

The goal of lessons learned is to improve processes, and systems, and teach people to try and prevent future incidents, and if they do occur, detect them more quickly and respond more effectively.

Overview

And that is an overview of incident response within Domain 7, covering the most critical concepts to know for the exam.

If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.

I will provide links to the other MindMap videos in the description below.

Thanks very much for watching! And all the best in your studies!