Forensic Chapter 1 - Preparing for Incidents

1. Difference between Event and Incident

Event: A cybersecurity event is any observable occurrence in a network or system.
Incident: A specific type of event that actually harms or represents a real threat to the integrity, confidentiality, or availability of data or systems.

For an event, we need to:

  1. Observation: Determine whether the event is a potential incident or not.
  2. Take actions: Monitor the situation, review logs and so on.
  3. Get outcome: Draw a conclusion based on the actions taken.

2. Cyber Incident Response

  1. Terms

    Policy: Why do we need to do it?
    Standard: What is required?
    Procedure: How do we do it?
    Guideline: A customized procedure
  2. A sample procedure of CIR

    1. Rapid Containment
    2. Reduce Damage and Cost
    3. Legal and Regulatory Compliance
    4. Maintain Trust and Reputation
    5. Learning and Improvement
    6. Ensuring Business Continuity
  3. Information Sharing
    We need to inform certain entities when an incident happens.

    1. Identify Key Stakeholders

      1. Internal: within the company, group-level
      2. supply chain
      3. regulators
      4. law enforcement
      5. within and across sectors
    2. Manage Media Interaction

      1. designated spokesperson
      2. timely updates
      3. flow of updates
  4. Types of Cyber Security Incident Response Team (CSIRT)

    1. Security Team

    2. Centralized CSIRT

    3. Distributed CSIRT

    4. Externalized CSIRT

    5. Coordinating CSIRT

    6. Hybrid CSIRT

      Team Types

  5. Incident Responders in different periods
  6. A Recommendation Guideline
3. Incident Response Lifecycle

  1. Overall Lifecycle

    1. Preparation

    2. Detection & Analysis

    3. Containment, Eradication and Recovery

    4. Post-incident Activity

      Lifecycle

  2. Preparation (Documentation)

    1. Asset lists
      1. Cloud Assets
      2. Business and System owners
    2. Others
      1. Network diagram
      2. Baselines
    3. Facility
      1. Secure storage facility
      2. Designated War room
    4. Communication
      1. Up-to-date contact information
      2. Mobile phones
    5. Information sharing platform
      1. MISP -> Malware Information Sharing Platform
      2. TheHive
    6. Computers
    7. Software
  3. Detection & Analysis

    1. Know the attack vectors
    2. Analysis
    3. Documentation
    4. Prioritization
    5. Notification