IR Best Practice
• What is an event?
• An event is any observable occurrence in a system or network.
• Examples:
• a user connecting to a file share
• a server receiving a request for a Web page
• a user sending electronic mail (email)
• a firewall blocking a connection attempt
• What is an adverse event?
• An adverse event is an event with a negative consequence.
• Examples:
• System crashes
• Network packet floods
• Unauthorized use of system privileges
• Unauthorized access to sensitive data
• Execution of malicious code that destroys data
• What is an incident?
• A violation or “imminent threat of violation” of computer security
policies, acceptable use policies, or standard security practices.
• Examples:
• Denial of Service
• Malicious Code
• Unauthorized Access
• Inappropriate Usage
Incident Response:
• Incident response is a structured process used by
organizations to detect and respond to cybersecurity
incidents. (NIST-800-61r2)
• Ideally, incident response is a set of policies that allow an
individual or a team to react to an incident in an efficient and
professional manner, thereby decreasing the likelihood of grave
consequences.
1. Preparation
• Getting ready for incident response: creating documentation,
building tools, etc. Key elements for this step:
• Policy
• Response Plan / Strategy
• Communication
• Documentation (Checklist, IR Form)
• Preparing Team
• Preparing Tools
3. Containment
• This is the stage of responding to incidents. It consists of limiting
the damage: stop the bleeding, stop the attacker. It is where you
decide which strategy you will use to contain the incident, based
on your processes and procedures.
https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1
Benefits
• Responding to incidents systematically so that the
appropriate steps are taken
• Helping personnel to recover quickly and efficiently from
security incidents, minimizing loss or theft of information and
disruption of services
• Using information gained during incident handling to better
prepare for handling future incidents and to provide stronger
protection for systems and data
• Dealing properly with legal issues that may arise during
incidents.
16/03/2022 https://blueteam.id/ Jakarta, Indonesia 29
People
• The Defenders
• A Blue Team is a group of individuals who analyze information
systems in order to:
• Identify critical assets and systems and make recommendations for them
• Ensure security has been implemented
• Identify security flaws and inform the system owners
• Verify the effectiveness of each security measure
• Make certain all security measures will continue to be effective after
implementation.
• Example : Security Analyst, Security Engineer, Incident
Responder, Threat Hunter, Digital Forensic Investigator,
Malware Analyst
People
• Logs:
• Operating system, service and application logs
• Provide a wealth of information
• No evidence --> logging disabled, not properly configured, or tampered with?
• Centralized logging
• Network device logs
• Valuable in identifying trends
• Valuable for event correlation
• People:
• People from within the organization
• Usually consulted when conflicting data is discovered
• People from other organizations
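The slide's point about logs, correlation and missing evidence, as an added example that is not part of the original deck: a few constructed firewall log lines (the key=value format is an assumption) are parsed into individual events, repeated BLOCK events from one source are correlated into an adverse event, and silence in the log stream is reported as a finding in its own right.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from the deck); the key=value format is an assumption.
SAMPLE_LOG = """\
2022-03-16T09:00:01 fw01 action=ALLOW src=10.0.0.5 dst=10.0.1.20 dport=445
2022-03-16T09:00:02 fw01 action=BLOCK src=198.51.100.7 dst=10.0.1.20 dport=22
2022-03-16T09:00:03 fw01 action=BLOCK src=198.51.100.7 dst=10.0.1.21 dport=22
2022-03-16T09:00:04 fw01 action=BLOCK src=198.51.100.7 dst=10.0.1.22 dport=22
2022-03-16T09:00:05 fw01 action=BLOCK src=198.51.100.7 dst=10.0.1.23 dport=22
2022-03-16T09:00:06 fw01 action=BLOCK src=198.51.100.7 dst=10.0.1.24 dport=22
2022-03-16T09:00:09 fw01 action=BLOCK src=10.0.0.9 dst=10.0.1.20 dport=3389
2022-03-16T09:25:00 fw01 action=ALLOW src=10.0.0.5 dst=10.0.1.20 dport=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_events(text):
    """Every parsable log line is one observable event in the deck's sense."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match are skipped, never guessed at
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def correlate_blocks(events, threshold=5, window=timedelta(minutes=1)):
    """`threshold` or more BLOCKs from one source inside `window` is escalated
    from a plain event to an adverse event (scan or flood) for an analyst."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "BLOCK":
            per_src[ev["src"]].append(ev["ts"])
    adverse = []
    for src, times in per_src.items():
        times.sort()
        for i in range(len(times)):
            n = sum(1 for t in times[i:] if t - times[i] <= window)
            if n >= threshold:
                adverse.append((src, n))
                break
    return adverse

def find_log_gaps(events, max_gap=timedelta(minutes=10)):
    """Silence from a normally chatty source is itself a finding (logging disabled,
    misconfigured or tampered with), so report every gap longer than max_gap."""
    ts = sorted(ev["ts"] for ev in events)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_gap]
```

In a real deployment the threshold and window would be tuned per source, and a gap report is only meaningful for sources whose normal event rate is known.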
• Plan
The security incident cycle starts with the plan phase. The
organization prepares to defend its IT infrastructure and data
by assessing its security posture. This involves understanding
what threats it is likely to face and understanding the extent
to which its current state is vulnerable to such threats.
• Resist
Having planned out its defense tactics and strategies, and
deployed the appropriate components of its security
architecture, the organization resists attacks.
• Detect
Since it is naive to expect that the organization will be able to
resist all intrusion attempts, it puts effort into detecting
compromises. This involves having visibility into the state of
the environment at all levels of IT infrastructure (networks,
applications, data, etc.).
• Respond
Once a breach has been detected, the organization mobilizes
its incident handlers to respond to the intrusion. This process
typically involves understanding the incident's scope,
containing the situation, eradicating the attacker's presence
and recovering from the incident.
CSIRT Manager
• Tier 1 Lead
• Tier 2 Lead
• Security Engineering Lead
• Incident Handler:
• Networking fundamentals
• Networks, ICT concepts, cybersecurity fundamentals: ISACA - CSX,
CompTIA - Security+, (ISC)² - SSCP, SANS - SEC301
• Incident handling basics: EC-Council - ECIH
• Senior Incident Handler:
• Incident handling: EC-Council - ECIH, SANS - SEC504
• Penetration testing: EC-Council - CEH, SANS - SEC560
• Security architecture: (ISC)² - CISSP
• Incident Handling Manager:
• Advanced incident handling: SANS - FOR508, FOR572
IR Life Cycle Recap for Web App Hacking Incident
Any Questions?
Contact me: sida@blueteam.id