
Best Practice: Cyber Incident Handling

Covid-19 Data & Information Desk
Ministry of Health of the Republic of Indonesia (Kementerian Kesehatan Republik Indonesia)
Directorate General of Health Services (Direktorat Jenderal Pelayanan Kesehatan)

https://blueteam.id/ Jakarta, Indonesia 1


About me
• Sida Nala Rukma J
• OSCP, CEH, CTIA, ECIH, CFR
• Co-Founder of Blueteam ID & Vice Chair of CDEF-ID
• IT Security Trainer, Splunker, Elastician & Code Lover
• Vlogger (rudukmada)
• Project Experience: Managed Security Operations for the biggest telco in Indonesia,
  Cyber Security Trainer, Elastic Stack Implementation, Splunk Implementation, SOC
  Design & Roadmap, SOC Gap Analysis & Maturity Assessments, SIEM Assessments &
  Recommendations, Cyber Drill, Red Team & Blue Team Labs Development
• Open source tools dev: cocokloggy (Elasticsearch notification), evtx2json,
  logstash-filter-entropy_Shannon


DISCLAIMER

This session is made for educational, ethical testing and
security awareness purposes only. Usage of tools in this slide
for attacking any party without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local
and state laws. Presenter and blueteamid assume no liability
and are not responsible for any misuse or damage caused by
information in our sharing session. Again, there is no intention
to offend any party. If there are similarities in cases, then it is
just a coincidence.


Intermezzo

16/03/2022 https://blueteam.id/ Jakarta, Indonesia 4


"There are two types of companies: those who have been
hacked, and those who don't yet know they have been
hacked."
John Chambers, the executive chairman
and former CEO of Cisco Systems



Dwell Time in Cyber Security

Mandiant M-Trend Report 2021



Security Events and Incidents



Events

• What?
  • An event is any observable occurrence in a system or network.
• Examples:
  • a user connecting to a file share
  • a server receiving a request for a Web page
  • a user sending electronic mail (email)
  • a firewall blocking a connection attempt


Security Events – Adverse Events

• What?
  • Events with a negative consequence
• Examples:
  • System crashes
  • Network packet floods
  • Unauthorized use of system privileges
  • Unauthorized access to sensitive data
  • Execution of malicious code that destroys data


Security Incidents

• What?
  • Violation or “imminent threat of violation” of computer security
    policies, acceptable use policies, or standard security practices.
• Examples:
  • Denial of Service
  • Malicious Code
  • Unauthorized Access
  • Inappropriate Usage


What

Incident Response:
• Incident response is a structured process used by
  organizations to detect and respond to cybersecurity
  incidents. (NIST SP 800-61r2)
• Ideally, incident response would be a set of policies that
  allow an individual or individuals to react to an incident in an
  efficient and professional manner, thereby decreasing the
  likelihood of grave consequences.


Why – Goals of Incident Response Plan

• Verify that an incident has occurred
• Maintain or restore Business Continuity
• Reduce the impact of the incident
• Determine attack vectors and how the incident occurred
• Prevent future attacks/incidents
• Improve the organization’s security posture
• Keep management informed and follow proper chain of
  command procedures


Cyber Defense Team Role and Responsibilities

• The Cyber Defense Team is primarily composed of security analysts
  organized to prevent, detect, analyze, respond to and report on
  cybersecurity incidents.


Consider the implications of people, process, technology and information

CREST 4 Key Elements for Incident Response


Consider the implications of people, process, technology and information

Summary of the main challenges:

• People:
  • Organizations often do not have a formal cyber security incident response team or even a
    named individual who is responsible for dealing with such an incident. More importantly,
    there is often a lack of technical expertise and nobody available who can take business
    decisions quickly.
• Process:
  • Many organizations do not have adequate processes or methodologies (if they have any at all)
    to help them deal with cyber security incidents in a fast, effective and consistent manner. They
    struggle to know what to do, how to do it, who to contact — and can even compromise
    investigations by their actions.
• Technology:
  • Many organizations have not configured their systems or networks to help them identify or
    respond to cyber security incidents, with inadequate monitoring processes in place. In particular,
    systems may not have been configured to record appropriate events, identify possible attacks
    or provide adequate assistance to investigators.
• Information:
  • Organizations seldom have information readily available that will help the cyber security
    incident response team (including third party experts) to respond quickly and effectively, such as
    details about business management; IT infrastructure; key suppliers; sensitive data; and event
    logging.


3 Phase Cyber Security Incident Process

CREST 3 Phase Cyber Security Incident Process


Aspect of Measurement for Incident Response Maturity Assessment

• Measurement of readiness for organizations on the 5-step
  incident response process:
  • Preparation
  • Detection and Analysis
  • Containment
  • Eradication and Recovery
  • Post Incident Activity
• Maturity Leveling on Incident Response Readiness:
  • Foundation (Level 1)
  • Emerging (Level 2)
  • Established (Level 3)
  • Dynamic (Level 4)
  • Optimized (Level 5)


Framework and Best Practice (1)
• NIST SP 800-61, Computer Security Incident Handling Guide:
  • Preparation
  • Detection and Analysis
  • Containment
  • Eradication and Recovery
  • Post Incident Activity
• CREST – Cyber Security Incident Response Maturity Assessment Tools:
  • Prepare for a cyber security incident: performing a criticality assessment; carrying
    out threat analysis; addressing issues related to people, process, technology and
    information; and getting the fundamentals in place
  • Respond to a cyber security incident: covering identification of a cyber security
    incident; investigation of the situation (including triage); taking appropriate action
    and recovering from a cyber security incident
  • Follow up a cyber security incident: considering your need to investigate the
    incident more thoroughly; report the incident to relevant stakeholders; carry out a
    post incident review; build on lessons learned; and update key information, controls
    and processes.


Measurement of readiness for organizations on the 5-step incident response process

NIST SP 800-61 – Computer Security Incident Handling Guide


Measurement of readiness for organizations on the 5-step incident response process

1. Preparation
• Getting ready for incident response, creating documentation,
  building tools, etc. Key elements measured for this step:
  • Policy
  • Response Plan / Strategy
  • Communication
  • Documentation (Checklist, IR Form)
  • Preparing Team
  • Preparing Tools


Measurement of readiness for organizations on the 5-step incident response process

2. Detection and Analysis
• This is the step where we determine whether an organization is
  ready to detect that an incident has occurred. Based on observation of
  events and indicators, you look for deviations from normal operations. You
  look for malicious acts or attempts to do harm. It’s where you
  leverage the alerts and logs from your routers, firewalls, IDS,
  SIEM, AV gateways, operating systems, network flows, etc.

3. Containment
• This is the stage of responding to incidents. It consists of limiting
  the damage. Stop the bleeding. Stop the attacker. It’s where you
  make the decision on which strategy you will use to contain the
  incident, based on your processes and procedures.


Measurement of readiness for organizations on the 5-step incident response process

4. Eradication and Recovery
• The next step entails removing the cause of the incident. In the case of a virus
  incident it may simply require removing the virus. In other, more complex incident cases
  you might need to identify and mitigate exploited vulnerabilities. It’s in this step that
  you should determine how the incident was initially executed and apply the necessary measures
  to ensure it doesn't happen again. After the eradication process comes the recovery
  process, which means going back into production: possibly restoring a backup or re-imaging a
  system. It’s where you return to normal operational status. After successful
  restoration it is important to monitor the system for a certain time period. Why? Because you
  want to identify any signs of activity that evaded detection.
5. Post Incident Activity
• Follow-up activity is crucial. It’s where you can reflect on and document what happened,
  and where you can learn what failed and what worked. It’s where you identify
  improvements for your incident handling processes and procedures. It’s where you
  write your final report.


Measurement of readiness for organizations on the 5-step incident response process

• Different types of organization will require different levels of maturity in cyber
  security incident response. For example, a small company operating in the
  retail business will not have the same requirement or ability to respond to
  cyber security incidents in the same way as a major corporate organisation in
  the finance sector or a government department.

CREST Maturity Level on Incident Response Readiness


FIRST - CSIRT Services Framework Service Areas and Services

https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1



Framework and Best Practice (2)
• ISO/IEC 27001:2013 Information Security Management Standard:
  • Annex A.16: Information Security Incident Management
    • A.16.1 Management of information security incidents and improvements
      → Objective: To ensure a consistent and effective approach to the management of
      information security incidents, including communication on security events and
      weaknesses
      1. A.16.1.1 Responsibilities and procedures
      2. A.16.1.2 Reporting information security events
      3. A.16.1.3 Reporting information security weaknesses
      4. A.16.1.4 Assessment of and decision on information security events
      5. A.16.1.5 Response to information security incidents
      6. A.16.1.6 Learning from information security incidents
      7. A.16.1.7 Collection of evidence


Framework and Best Practice (3)

• ISO/IEC 27005:2011 Information Security Risk Management:
  • Risk Identification
  • Risk Analysis
  • Risk Evaluation
• ISO/IEC 27032:2012 Guidelines for Cybersecurity:
  • Stakeholders in Cyberspace
  • Assets in Cyberspace
  • Threats against the security of Cyberspace
  • Roles of stakeholders in Cybersecurity
  • Guidelines for stakeholders
  • Cybersecurity controls
  • Framework of information sharing and coordination


Framework and Best Practice (4)

• ISO/IEC 27035:2011: Information Security Incident Management.
  ISO/IEC 27035:2011 provides a structured and planned approach to:
  a. Principles of incident management (ISO/IEC 27035-1);
  b. Guidelines to plan and prepare for incident response (ISO/IEC 27035-2);
  c. Guidelines for incident response operations (ISO/IEC 27035-3).


Need for Incident Responses



Need for Incident Response

Benefit
• Responding to incidents systematically so that the
appropriate steps are taken
• Helping personnel to recover quickly and efficiently from
security incidents, minimizing loss or theft of information and
disruption of services
• Using information gained during incident handling to better
prepare for handling future incidents and to provide stronger
protection for systems and data
• Dealing properly with legal issues that may arise during
incidents.

People

• The Defenders
  • A Blue Team is a group of individuals who perform an
    analysis of information systems to:
    • Identify critical assets & systems and give recommendations for them
    • Ensure security has been implemented
    • Identify security flaws and inform system owners
    • Verify the effectiveness of each security measure
    • Make certain all security measures will continue to be effective after
      implementation.
  • Examples: Security Analyst, Security Engineer, Incident
    Responder, Threat Hunter, Digital Forensic Investigator,
    Malware Analyst

People

• Interest, curiosity, self-motivation and passion
• Persistent
• Creative
• Think like a bad guy
• At least one specialty
• Critical thinking: analysis and synthesis skills
• Scripting and automation skills
• Writing and presenting ability (to report)
• Quality over quantity
• Talent attracts talent
• Self-improvement

You can't protect your network & system by thinking like a nice guy


Ideal Preventive System



Ideal Preventive System

• The minimum requirements to prevent or minimize security
  incidents, and also to make incident detection and analysis
  easier.
• Minimum requirements:
  • Security Devices
    • Preventive: Firewall, IPS, Cisco NAC, etc.
    • Detective: SIEM, IDS, System Logs, Honeypot, Threat Intelligence, etc.
  • Centralized Logs
  • Integrity Check
  • Log Monitoring
  • Backup Procedure


Source of Precursors and Indications


Source of Precursors and Indications

• Precursors and indications are identified using many
  different sources:
  • Computer security software alerts
  • Logs
  • Publicly available information
  • People


Source of Precursors and Indications
• Computer security software alerts:
  • Network-based, host-based, wireless, and network behavior analysis IDPSs
    • use a set of attack signatures to identify malicious activity
    • often produce false positives
  • Antivirus, anti-spyware, and anti-spam software
  • File integrity checking software
    • Incidents may cause changes to important files
    • Detects such changes by regularly recalculating checksums and comparing
      with previous values
  • Third-party monitoring services
    • Early warning once events/incidents occur
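The file integrity checking mechanism described above (record checksums, later recalculate them and compare with the previous values), written out as an added Python example. This is not code from the original presentation or from any of the tools it names; the directory layout, the JSON baseline format and the sample files are assumptions, and the changes made after the baseline are constructed for the demo.

```python
"""Added example: a minimal file integrity checker. Record a baseline of
SHA-256 checksums and permission bits for every file under a directory, later
recompute them and report what was added, removed or modified. The directory
layout, baseline format and sample files below are assumptions for the demo."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Hash the file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its checksum and mode."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[str(p.relative_to(root))] = {
                "sha256": sha256_of(p),
                "mode": oct(p.stat().st_mode & 0o7777),  # permission bits only
            }
    return result


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Write the current snapshot as the trusted baseline. In practice keep this
    file (or a signed copy of it) off the monitored host."""
    baseline_file.write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. A file counts as modified when its checksum OR its
    permission bits changed; a permission change alone is worth an analyst's look."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def check(root: Path, baseline_file: Path) -> dict:
    """Recompute checksums for root and compare against the stored baseline."""
    return compare(json.loads(baseline_file.read_text()), snapshot(root))


def demo() -> dict:
    """Constructed scenario: baseline three files, then change one, add one and
    delete one, and run the check. Returns the diff so it can be asserted on."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "etc"
        root.mkdir()
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "motd").write_text("welcome\n")
        baseline_file = Path(d) / "baseline.json"  # kept outside the monitored tree
        save_baseline(root, baseline_file)

        # Changes made after the baseline (constructed for the demo).
        (root / "hosts").write_text("127.0.0.1 localhost\n203.0.113.5 update.example\n")
        (root / "cron.d").write_text("0 2 * * * root /usr/local/bin/backup.sh\n")
        (root / "motd").unlink()
        return check(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo reports `hosts` as modified, `cron.d` as added and `motd` as removed. The baseline is stored outside the monitored tree on purpose: a checker whose baseline lives next to the files it guards can have both altered in one go, which is why the slide lists integrity checking alongside centralized logging rather than as a stand-alone control.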


Source of Precursors and Indications

• Logs:
  • Operating system, service and application logs
    • Provide a wealth of information
    • No evidence → logging disabled, not properly configured, or hacked?
  • Centralized logging
  • Network device logs
    • Valuable in identifying trends
    • Valuable for event correlation
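The "centralized logging / event correlation" point above, as an added Python example that is not part of the original presentation: a small correlator that normalises two log formats into events, groups them by source address, and only rates a source as high priority when two independent log sources agree. The firewall and sshd line formats are assumptions (constructed to resemble a pf filterlog line and a Linux auth.log line), and the sample lines are constructed, not captured from a real environment.

```python
"""Added example: correlating events from two centralised log sources by
source address. The firewall and sshd line formats are assumed (constructed to
resemble a pf filterlog line and a Linux auth.log line); the sample lines are
constructed, not captured from a real environment."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed firewall format: "<iso-ts> fw1 filterlog: <block|pass> in <proto> <src>:<sport> -> <dst>:<dport>"
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw1 filterlog: (?P<action>block|pass) in (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)
# Assumed sshd format: "<iso-ts> srv01 sshd[pid]: <Accepted|Failed> password for [invalid user ]<user> from <src> port <n> ssh2"
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) srv01 sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse(line: str):
    """Normalise one raw line to (timestamp, source_log, src_ip, event_name), or None
    when the line comes from a device this correlator has no parser for."""
    m = FW_RE.match(line)
    if m:
        return (datetime.fromisoformat(m["ts"]), "firewall", m["src"], f"fw_{m['action']}:{m['dport']}")
    m = AUTH_RE.match(line)
    if m:
        return (datetime.fromisoformat(m["ts"]), "auth", m["src"], f"ssh_{m['result'].lower()}:{m['user']}")
    return None


def correlate(lines, window: timedelta = timedelta(minutes=10), min_blocks: int = 5) -> dict:
    """Rate each source address seen in the logs:
      none : nothing of note from that address
      low  : >= min_blocks blocked connections, but only the firewall saw it
             (a scan or a misconfiguration: one source, one indicator)
      high : the same address was also accepted by sshd within `window` of the
             blocked connections, i.e. two independent log sources agree"""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_src[ev[2]].append(ev)

    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        blocks = [ts for ts, _, _, name in events if name.startswith("fw_block")]
        logins = [ts for ts, _, _, name in events if name.startswith("ssh_accepted")]
        verdict = "none"
        if len(blocks) >= min_blocks:
            verdict = "low"
            if any(blocks[0] <= ts <= blocks[-1] + window for ts in logins):
                verdict = "high"
        verdicts[src] = {
            "verdict": verdict,
            "blocked": len(blocks),
            "accepted_logins": len(logins),
            "log_sources": sorted({log for _, log, _, _ in events}),
        }
    return verdicts


# Constructed sample lines from the central log store (not real traffic).
SAMPLE_LOGS = [
    *[f"2022-03-16T09:00:0{i} fw1 filterlog: block in tcp 198.51.100.7:5100{i} -> 10.0.0.5:{port}"
      for i, port in enumerate([21, 23, 80, 443, 3389], start=1)],
    "2022-03-16T09:04:10 srv01 sshd[2210]: Accepted password for deploy from 198.51.100.7 port 51010 ssh2",
    *[f"2022-03-16T09:10:0{i} fw1 filterlog: block in tcp 203.0.113.9:4000{i} -> 10.0.0.5:445"
      for i in range(1, 6)],
    "2022-03-16T09:15:00 srv01 sshd[2301]: Accepted password for alice from 10.0.0.20 port 50123 ssh2",
    "2022-03-16T09:16:00 srv01 sshd[2302]: Failed password for invalid user admin from 192.0.2.77 port 40001 ssh2",
    "2022-03-16T09:17:00 switch3 %LINK-3-UPDOWN: Interface Gi1/0/4, changed state to down",
]

if __name__ == "__main__":
    for src, info in correlate(SAMPLE_LOGS).items():
        print(src, info)
```

On the sample data 198.51.100.7 is rated high (five blocks and then an accepted login from the same address), 203.0.113.9 is rated low (firewall only), and the ordinary logins stay at none. The correlation only works because both sources land in one place with comparable timestamps, which is the practical argument for the "Centralized logging" bullet: a correlator reading one device at a time cannot make this distinction.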


Source of Precursors and Indications

• Publicly available information:
  • Information on new vulnerabilities and exploits
  • Keep up with the newest vulnerabilities and exploits
  • Information on incidents at other organizations


Source of Precursors and Indications

• People:
  • People from within the organization
    • Usually when conflicting data is discovered
  • People from other organizations


NIST SP 800-61rev2

• An event is any observable occurrence in a system or
  network. Events include a user connecting to a file share, a
  server receiving a request for a web page, a user sending
  email, and a firewall blocking a connection attempt.
• Adverse events are events with a negative consequence,
  such as system crashes, packet floods, unauthorized use of
  system privileges, unauthorized access to sensitive data, etc.
• A computer security incident is a violation or imminent threat
  of violation of computer security policies, acceptable use
  policies, or standard security practices.


Intro to Incident Handling and Incident Response (Cont’d..)

• Incident handling (or response) is an organized approach to
  addressing and managing the aftermath of a security breach
  or attack (also known as an incident). The goal is to handle
  the situation in a way that limits damage and reduces
  recovery time and costs. An incident response plan includes
  a policy that defines, in specific terms, what constitutes an
  incident and provides a step-by-step process that should be
  followed when an incident occurs.

• Incident Handling = First Aid Kit


Incident Management Terminology
• Wikipedia:
  Information Security Incident Management involves the monitoring
  and detection of security events on a computer or computer network,
  and the execution of proper responses to those events.
• ISACA (CISM Review Manual):
  Information Security Incident Management is the operational part of
  risk management. It is the activities that take place as a result of
  unanticipated attacks, losses, theft, accidents, or any other unexpected
  adverse events that occur as a result of the failure or lack of controls.
• ITIL:
  Incident management is a defined process for logging, recording and
  resolving incidents. The aim of incident management is to restore the
  service to the customer as quickly as possible, often through a work
  around or temporary fixes, rather than through trying to find a
  permanent solution.


Incident Management and Incident Handling



Need for Incident Response
• Attacks frequently compromise personal and business
  data, and it is critical to respond quickly and effectively
  when security breaches occur.
• The concept of computer security incident response has
  become widely accepted and implemented. One of the
  benefits of having an incident response capability is that it
  supports responding to incidents systematically (i.e.,
  following a consistent incident handling methodology) so
  that the appropriate actions are taken.
• Incident response helps personnel to minimize loss or
  theft of information and disruption of services caused by
  incidents.
• It provides the ability to use information gained during incident
  handling to better prepare for handling future incidents
  and to provide stronger protection for systems and data.


Goals of an Incident Handling Plan

• Verify that an incident has occurred
• Maintain or restore Business Continuity
• Reduce the impact of the incident
• Determine attack vectors and how the incident occurred
• Prevent future attacks/incidents
• Improve the organization’s security posture
• Keep management informed and follow proper chain of
  command procedures


Policy Element
Policy governing incident response is highly individualized to the
organization. However, most policies include the same key
elements:
• Statement of management commitment
• Purpose and objectives of the policy
• Scope of the policy (to whom and what it applies and under what
circumstances)
• Definition of computer security incidents and related terms
• Organizational structure and definition of roles, responsibilities,
and levels of authority
• Prioritization or severity ratings of incidents
• Performance measures
• Reporting and contact forms.



Plan Elements
The incident response plan should include the following elements:
• Mission
• Strategies and goals
• Senior management approval
• Organizational approach to incident response
• How the incident response team will communicate with the rest
of the organization and with other organizations
• Metrics for measuring the incident response capability and its
effectiveness
• Roadmap for maturing the incident response capability
• How the program fits into the overall organization.



Procedure Element

• Procedures should be based on the incident
  response policy and plan. Standard operating
  procedures (SOPs) are a delineation of the specific
  technical processes, techniques, checklists, and forms
  used by the incident response team.
• SOPs should be reasonably comprehensive and
  detailed to ensure that the priorities of the
  organization are reflected in response operations.


Incident Response Team Structure

• An incident response team should be available for anyone
  who discovers or suspects that an incident involving the
  organization has occurred.
• One or more team members, depending on the magnitude
  of the incident and availability of personnel, will then handle
  the incident.
• The incident handlers analyze the incident data, determine
  the impact of the incident, and act appropriately to limit the
  damage and restore normal services.


Team Models

• Central Incident Response Team.
  • A single incident response team handles incidents throughout the
    organization. This model is effective for small organizations and for
    organizations with minimal geographic diversity in terms of
    computing resources.
• Distributed Incident Response Teams.
  • The organization has multiple incident response teams, each
    responsible for a particular logical or physical segment of the
    organization. This model is effective for large organizations.
• Coordinating Team.
  • An incident response team provides advice to other teams without
    having authority over those teams—for example, a department-wide
    team may assist individual agencies’ teams. This model can be
    thought of as a CSIRT for CSIRTs.


Security Incident Life Cycle



Phases of the Security Incident Cycle

• Plan
  The security incident cycle starts with the plan phase. The
  organization prepares to defend its IT infrastructure and data
  by assessing its security posture. This involves understanding
  what threats it is likely to face and understanding the extent
  to which its current state is vulnerable to such threats.
• Resist
  Having planned out its defense tactics and strategies, and
  deployed the appropriate components of its security
  architecture, the organization resists attacks.


Phases of the Security Incident Cycle

• Detect
  Since it is naive to expect that the organization will be able to resist
  all intrusion attempts, it puts effort into detecting
  compromises. This involves having visibility into the state of
  the environment at all levels of IT infrastructure (networks,
  applications, data, etc.)
• Respond
  Once a breach has been detected, the organization mobilizes
  its incident handlers to respond to the intrusion. This process
  typically involves understanding the incident's scope,
  containing the situation, eradicating the attacker's presence
  and recovering from the incident.


Incident Response Life Cycle (NIST)



Incident Response Life Cycle (Cont’d..)

1. Preparation
• Getting ready for incident response, creating documentation,
  building tools, etc. Key elements for this step:
  • Policy
  • Response Plan / Strategy
  • Communication
  • Documentation (Checklist, IR Form)
  • Preparing Team
  • Preparing Tools


Incident Response Life Cycle (Cont’d..)

2. Detection and Analysis
  a. Incident occurred. This is the step where you determine if an incident has
     occurred and its attack vector: whether it comes from USB media, email, social
     engineering, web, or improper usage.
  b. Signs of an incident. Based on observation of events and indicators, you look for
     deviations from normal operations. You look for malicious acts or attempts to
     do harm. It’s where you leverage the alerts and logs from your routers,
     firewalls, IDS, SIEM, AV gateways, proxy, etc.
  c. Incident detection and analysis would be easy if every precursor or indicator
     were guaranteed to be accurate; unfortunately, this is not the case. For
     example, user-provided indicators such as a complaint of a server being
     unavailable are often incorrect. Intrusion detection systems may produce false
     positives—incorrect indicators. These examples demonstrate what makes
     incident detection and analysis so difficult:


Incident Response Life Cycle (Cont’d..)

3. Containment, Eradication, Recovery
• This is the stage of responding to incidents. It consists of
  limiting the damage. Stop the bleeding. Stop the attacker.
  After containment, you continue to eradicate the
  root cause, and then move on to the recovery
  phase. It’s where you make the decision on which strategy you
  will use to contain the incident, based on your processes and
  procedures.
• Key points: isolate networks and PCs / servers from
  internal and external networks; remove the cause of
  the incident; go back to normal operation.


Incident Response Life Cycle (Cont’d..)

4. Post Incident Activity
• Follow-up activity is crucial. It’s where you can reflect on and
  document what happened, and where you can learn what
  failed and what worked. It’s where you identify
  improvements for your incident handling processes and
  procedures. It’s where you write your final report.


Tips for Building an Effective Incident Handling Plan

• Build an incident response team and ensure adequate staff
• Define roles and responsibilities for each team member
  clearly
• Increase the security awareness program for users and provide
  training regularly to avoid advanced threats
• Maintain documentation for incident handling and
  procedures


Tips for Building an Effective Incident Handling Plan (Cont’d)

• Improve the vulnerability management program
• Learn from past incidents and breaches
• Improve the incident handling workflow process
• Build a centralized monitoring system to protect the
  infrastructure


FIRST services framework – Typical CSIRT services



FIRST services framework – Typical SOC services



Start – Small Team Member
• Small CSIRT, in the range of 3 to 10 people.
• Small CSIRT operations with three staff members (manager, two incident handlers)
• If a CSIRT is required to provide operations 24/7 for 365 days a year, it needs at least 12
  additional employees (six teams of two staff members to cover 24/7, with each shift covering 8
  hours)

CSIRT Manager, with three leads reporting to the manager:

Tier 1 (Tier 1 Lead)
  • Call centre
  • Realtime monitoring & triage
  • Cyber news collection, analysis, distribution
  • Alerts & warnings notification
  • Vulnerability scanning
  • External report

Tier 2 (Tier 2 Lead)
  • Incident analysis
  • Incident coordination & response
  • Remote incident response
  • Forensic artifact handling
  • Malware analysis

Security Engineering (Security Engineering Lead)
  • Infrastructure O&M
  • Sensor tuning & maintenance
  • Tool engineering & deployment
  • Custom signature creation
  • Scripting & automation

Training courses for CSIRT incident handlers

• Incident Handler:
  • Networking fundamentals
  • Networks, ICT concepts, cybersecurity fundamentals: ISACA – CSX,
    CompTIA – Security+, (ISC)² – SSCP, SANS – SEC301
  • Incident handling basics: EC-Council – ECIH
• Senior Incident Handler:
  • Incident handling: EC-Council – ECIH, SANS – SEC504
  • Penetration testing: EC-Council – CEH, SANS – SEC560
  • Security architecture: (ISC)² – CISSP
• Incident Handling Manager:
  • Advanced incident handling: SANS – FOR508, FOR572

IR Life Cycle Recap for Web App Hacking Incident

• Preparation: get ready to handle the incident
• Identification: detect the incident
• Containment: limit the impact of the incident
• Eradication: remove the threat
• Recovery: recover to a normal stage
• Lessons Learned: draw up and improve the process


Thank you / Q&A / Closing / Contact

Any Questions?

Contact me:

sida@blueteam.id