A Practical Guide To Managing Cybersecurity Incidents
Author: ChatGPT
Illustrations: Dall-E
Reviewed and Edited by: Christian Galvan & Lawren Epstein
Chapter 1: Introduction to Incident Response
What is incident response?
The importance of incident response
The incident response process
responding to a cybersecurity incident or breach. It typically follows a set of steps that are
designed to prevent the incident from escalating, minimize the impact of the incident, and
The incident response process can vary depending on the specific needs and resources of the
organization, as well as the nature and severity of the incident. It is important to have a
well-defined and tested incident response process in place to ensure that the organization is
that could occur within an organization, and establishing a set of procedures for responding to
those incidents effectively. Here are some steps to consider when developing an incident
response plan:
1. Identify the types of incidents that could occur: Consider the various types of incidents
that could occur within your organization, such as data breaches, malware infections,
network intrusions, and phishing attacks.
2. Determine the impact of each type of incident: Consider the potential impact of each
type of incident on your organization, including financial losses, damage to reputation,
and legal liabilities.
3. Establish an incident response team: Identify the individuals who will be responsible for
responding to incidents, including their roles and responsibilities. Consider establishing
an incident response team that includes personnel from different departments and with
different areas of expertise, such as IT, legal, and HR.
4. Develop incident response procedures: Establish procedures for responding to each type
of incident, including steps for identifying and analyzing the incident, containing and
eradicating the cause, and recovering from the incident.
5. Establish communication protocols: Determine how you will communicate with
stakeholders during an incident, including employees, customers, and regulatory
authorities.
6. Test and update the incident response plan: Regularly test and update the incident
response plan to ensure that it is effective and up to date.
against cybersecurity incidents. It helps ensure that you are prepared to respond effectively and
response team will depend on the size and complexity of the organization, as well as the types
of incidents that are most likely to occur. However, some common roles that may be included
It is important to establish clear roles and responsibilities for the incident response team to
ensure that the team is able to respond effectively to incidents. It may also be helpful to assign
backup personnel for each role to ensure that the team is able to function even if key members
are unavailable.
Identifying incidents
designed to collect, analyze, and report on security-related events and data. However, there are
other ways to identify security incidents even if you do not have a SIEM system in place. Here
1. Monitor log files: Monitor log files for unusual activity or error messages that could
indicate a security incident, such as bursts of authentication failures from one source,
logins at unusual hours, or unexpected privilege changes. This can include system log files,
application log files, and network logs.
2. Use network monitoring tools: Use tools like network analyzers and intrusion detection
systems to monitor network traffic for suspicious activity that could indicate a security
incident.
3. Use security alerts and notifications: Set up alerts and notifications from security tools
and devices, such as firewalls, antivirus software, and intrusion prevention systems, to
notify you of potential security incidents.
4. Monitor system and application behavior: Monitor system and application behavior for
unusual activity that could indicate a security incident. For example, you might look for
changes in system performance, unexpected system shutdowns, new scheduled tasks or
services, or unusual network traffic patterns such as outbound connections to hosts the
system has never contacted before.
5. Use threat intelligence feeds: Use threat intelligence feeds from sources like the
Cybersecurity and Infrastructure Security Agency (CISA) or the Federal Bureau of
Investigation (FBI) to stay informed about potential security threats and incidents.
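The log-file check in step 1, as an added example written for this page (it is not code from the original guide): a small detector that parses sshd-style authentication lines, flags a source address that produces a burst of failed logins inside a sliding window, and escalates if that same address then logs in successfully. The log lines, the year used for timestamps, and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (documentation IP ranges, not a real system).
SAMPLE_LOG = """\
Mar  4 10:01:02 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 10:01:03 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  4 10:01:04 web1 sshd[2011]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  4 10:01:05 web1 sshd[2011]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  4 10:01:06 web1 sshd[2011]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  4 10:01:09 web1 sshd[2013]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Mar  4 10:02:00 web1 sshd[2020]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Mar  4 10:15:00 web1 sshd[2031]: Accepted publickey for alice from 198.51.100.5 port 40010 ssh2
"""

# One regex for both failed and successful sshd authentication messages.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(text, year=2024):
    """Turn raw log lines into event dicts; syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines we do not understand are skipped, never silently trusted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag an IP with >= threshold failures inside a sliding window (medium),
    and escalate to high if that IP later gets an 'Accepted' login."""
    alerts = []
    failures = defaultdict(list)  # ip -> failure timestamps still inside the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            window = failures[ip]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.pop(0)  # expire failures older than the window
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "medium", "ip": ip,
                               "reason": f"{len(window)} failed logins within {window_seconds}s"})
        elif ev["result"] == "Accepted" and ip in flagged:
            alerts.append({"severity": "high", "ip": ip,
                           "reason": f"successful login as {ev['user']} after brute-force burst"})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The medium alert fires on the fifth failure from 203.0.113.7; the later "Accepted password for root" from the same address is the signal worth paging on, since a burst of failures followed by a success is what a completed password-guessing attack looks like in the log.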
By using these techniques, you can identify security incidents even if you do not have a SIEM
system in place. It is important to have a plan in place for how you will monitor and respond to
By determining the scope and impact of the incident, you gain a better understanding of the
effect it will have on the organization and on the stakeholders involved.
Chapter 4: Containment, Eradication, and Recovery
By implementing these containment measures, you can prevent the incident from escalating
and minimize its impact on your organization. It is important to act quickly to contain the
incident and prevent further damage.
By following these steps, you can eradicate the cause of a security incident and prevent future
incidents from occurring. It is important to act quickly to address the root cause of the incident
and implement appropriate remediation measures in order to protect your organization
By following these steps, you can recover from a security incident in AWS and take steps to
prevent future incidents from occurring. It is important to have a plan in place for how you will
recover from a security incident in order to minimize the impact on your organization.
How to recover from a security incident in GCP?
Recovering from a security incident in Google Cloud Platform (GCP) involves restoring affected
systems and data, and taking steps to prevent future incidents from occurring. Here are some
steps to consider when recovering from a security incident in GCP:
1. Restore affected systems and data: Restore affected systems and data to a known good
state. This may involve restoring from backups or snapshots, rebuilding systems from clean
images, or recreating data. Verify that the backup or snapshot predates the compromise;
restoring one taken after the attacker gained access brings the attacker's foothold back
with it. Rotate any credentials the attacker could have reached, such as service account
keys and API tokens, before bringing restored systems back online.
2. Implement security controls: Implement security controls, such as firewalls and
intrusion prevention systems, to protect against future incidents.
3. Use Security Command Center: Consider using Security Command Center (originally
launched as Cloud Security Command Center), the GCP service that provides visibility into
the security of your cloud resources. It can raise findings when specific security-related
events occur, such as unauthorized access attempts or resource changes, which is useful
both for confirming that eradication worked and for spotting the attacker's return.
4. Review and update policies and procedures: Review and update policies and procedures
as needed to ensure that they are effective in preventing future incidents.
5. Conduct a post-incident review: Conduct a post-incident review to identify any lessons
learned and opportunities for improvement.
By following these steps, you can recover from a security incident in GCP and take steps to
prevent future incidents from occurring. It is important to have a plan in place for how you will
recover from a security incident in order to minimize the impact on your organization.
Chapter 5: Post-Incident Activities
By following these steps, you can update your incident response plan after an incident in a
systematic and effective manner. It is important to regularly review and update the incident
response plan to ensure that it is effective and up-to-date.
Advanced security threats are sophisticated and often difficult to detect and defend against.
Here are some steps that organizations can take to respond to advanced security threats:
1. Implement security controls: Implement layered security controls, such as firewalls,
intrusion prevention systems, and endpoint protection. Signature-based controls alone
rarely stop an advanced adversary, so pair them with monitoring that can catch the
behavior such threats exhibit once inside.
2. Use threat intelligence: Use threat intelligence to stay informed about the latest threats
and vulnerabilities, and to identify potential indicators of compromise.
3. Conduct security assessments: Conduct regular security assessments to identify
vulnerabilities and areas for improvement in the organization's security posture.
4. Educate and train employees: Educate and train employees on how to identify and
prevent advanced threats, and encourage them to report any suspicious activity.
5. Develop a robust incident response plan: Develop a robust incident response plan that
includes procedures for responding to advanced threats, and ensure that all team
members are trained on the plan.
By following these steps, organizations can be better prepared to respond to advanced security
threats and minimize their impact on the organization. It is important to be proactive in
security and stay informed about the latest threats in order to effectively defend against
advanced threats.
Leveraging technology in incident response
Technology can be leveraged in a number of ways to improve incident response efforts. Here
are some examples of how technology can be leveraged for incident response:
1. Security information and event management (SIEM) systems: SIEM systems collect and
analyze security-related data from various sources, such as network logs, application
logs, and system alerts. This data is used to identify potential security incidents and
trigger alerts to incident response teams.
2. Automated response tools: Automated response tools can be used to automate certain
aspects of the incident response process, such as quarantining affected systems or
blocking malicious traffic.
3. Threat intelligence platforms: Threat intelligence platforms provide information about
the latest threats and vulnerabilities, and can be used to identify potential indicators of
compromise.
4. Collaboration tools: Collaboration tools, such as chat or video conferencing software,
can be used to facilitate communication and coordination among incident response
team members.
5. Mobile apps: Mobile apps can be used to provide incident response team members with
access to relevant information and tools, such as checklists and playbooks, while in the
field.
By leveraging technology, organizations can improve their incident response efforts and respond
more effectively to security incidents. It is important to select the appropriate technology tools
and ensure that they are properly configured and used effectively in order to maximize their
benefits.
After sufficient details had been collected and analyzed, the scope and impact were determined.
A report was generated for management and for the members of the Incident Response Team so
that they were aware of their responsibilities during the event. The initial actions were to
warn people applying to the company about the scam, report the issue to the various cloud
providers hosting it, submit the URLs as malicious to numerous security vendors, and
collaborate with agencies such as US-CERT and the FBI's IC3 for increased awareness.
The security team found that copyright complaints can take a long time to resolve and that
cloud companies might not respond right away. It was also quickly discovered that there are
no "International Copyright" protections to rely on. Taking matters into their own hands, the
security team submitted a fictitious job application containing encoded messages and using
the address of an FBI field office. A scammer who receives encoded messages, or a payload
signaling that they have been discovered, will usually cover their tracks and tear down their
infrastructure immediately. That is exactly what happened in this case: the malicious domain,
with its international infrastructure, was taken down the next day. For more details, read the
article "How CoinDesk's IT and HR departments teamed up to take down an employment scam" by
Sam Blum.
1. The organization launched an investigation: Capital One investigated the incident and
worked with law enforcement and cybersecurity experts to identify the cause of the breach
and the extent of the damage.
2. Customers were provided credit monitoring and identity protection services: Capital One
offered these services to affected individuals to help them protect themselves against
fraud or identity theft.
3. Enhanced security measures were applied: Capital One implemented additional security
measures, including upgrading its firewall and implementing multi-factor authentication,
to prevent future breaches.
4. Legal consequences were among the challenges Capital One faced: class action lawsuits and
regulatory fines followed the breach. This was notable because around 30 other
organizations were targeted by the same attacker, Paige Thompson, yet the headlines
focused on the bank, probably because it was the larger story. The investigation also
found no evidence that the stolen data had been disseminated or used for fraud.
By taking these steps, Capital One was able to respond to the attack, protect affected
individuals, and reduce the chance of a repeat breach. It is important for organizations to
have a plan in place for responding to cyber attacks and to take steps to protect affected
individuals and prevent future incidents.
Google blocked and maintained resiliency against the largest DDoS attack ever
Google Cloud Armor proved to be a valuable resource for one of its customers on June 1, 2022.
This customer "was targeted with a series of HTTPS DDoS attacks which peaked at 46 million
requests per second. This is the largest Layer 7 DDoS reported to date..." [1] The customer
had been proactive in adopting a service that could detect potential risks and vulnerabilities.
In this instance, Cloud Armor Adaptive Protection detected and analyzed the traffic early in
the attack lifecycle, when it was at more than 10,000 requests per second (rps), before it
quickly ramped up to 100,000 rps. The customer deployed the recommended protective rule
before the attack was fully engaged. Cloud Armor blocked the attack, effectively protecting
the organization from a security incident and keeping service uninterrupted for end users.
The attack continued to increase to 46 million rps within a few minutes, but because the
protective rule was in place, Cloud Armor kept blocking the traffic and, ultimately, the
attacker(s) relented.
The customer prepared for potential incidents by configuring their Cloud Armor security policy to
establish a baseline model of normal traffic patterns for their service. So, when an attack
occurred, Adaptive Protection was able to detect the DDoS attack early in its life cycle and
generate a protective rule to block the attack traffic. "As the attack ramped up to its 46 million
rps peak, the Cloud Armor-suggested rule was already in place to block the bulk of the attack
and ensure the targeted applications and services remained available." [1]
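The baseline-then-signature behaviour described above, as an added example written for this page (it is not Cloud Armor's code or algorithm, and the per-second traffic samples, attribute names and thresholds are constructed): learn a profile from known-good seconds, fire on a rate anomaly, derive a deny signature from the attributes that dominate the anomalous traffic but were rare at baseline, and estimate how much attack traffic the rule would drop and how much legitimate traffic it would hit.

```python
# Each record is one second of aggregated request counts, broken down by two
# request attributes. Real systems would use more dimensions (ASN, path, geo, ...).
DIMS = ("ua", "country")


def second(total, ua, country):
    """One second of traffic (constructed data); counts must add up to the total."""
    assert sum(ua.values()) == total and sum(country.values()) == total
    return {"total": total, "ua": ua, "country": country}


NORMAL = second(100, {"browser": 90, "curl": 10}, {"US": 70, "DE": 30})
# A legitimate traffic spike with the same mix as normal traffic: must not trigger.
FLASH_CROWD = second(300, {"browser": 270, "curl": 30}, {"US": 210, "DE": 90})
ATTACK_START = second(10_000, {"browser": 100, "curl": 10, "bot-ua": 9_890},
                      {"US": 80, "DE": 30, "ID": 4_000, "BR": 3_000, "RU": 2_890})
ATTACK_PEAK = second(100_000, {"browser": 1_000, "curl": 100, "bot-ua": 98_900},
                     {"US": 800, "DE": 300, "ID": 40_000, "BR": 30_000, "RU": 28_900})
TRAFFIC = [NORMAL] * 10 + [FLASH_CROWD, ATTACK_START, ATTACK_PEAK]


def baseline_profile(seconds):
    """Learn the mean request rate and per-attribute traffic shares from known-good seconds."""
    total = sum(s["total"] for s in seconds)
    shares = {}
    for dim in DIMS:
        counts = {}
        for s in seconds:
            for value, n in s[dim].items():
                counts[value] = counts.get(value, 0) + n
        shares[dim] = {v: n / total for v, n in counts.items()}
    return {"mean_rps": total / len(seconds), "shares": shares}


def is_anomalous(rec, profile, factor=5.0, min_rps=1000):
    """Rate check with a relative multiplier and an absolute floor, so a small
    flash crowd on a quiet service does not trip the detector."""
    return rec["total"] >= max(factor * profile["mean_rps"], min_rps)


def attack_signature(rec, profile, min_share=0.5, min_ratio=10.0):
    """Attribute values that dominate the anomalous second but were rare at baseline."""
    sig = []
    for dim in DIMS:
        for value, n in rec[dim].items():
            attack_share = n / rec["total"]
            base_share = profile["shares"][dim].get(value, 0.0)
            if attack_share >= min_share and attack_share >= min_ratio * max(base_share, 0.01):
                sig.append({"dim": dim, "value": value,
                            "attack_share": round(attack_share, 3),
                            "baseline_share": round(base_share, 3)})
    return sig


def blocked_fraction(rec, signature):
    """Share of a second's requests that a deny rule built from the signature would drop.
    Signature terms may overlap, so take the max rather than summing them."""
    if not signature:
        return 0.0
    return max(rec[t["dim"]].get(t["value"], 0) / rec["total"] for t in signature)


def run(traffic, warmup=10):
    """Profile the warm-up seconds, then report the first anomalous second and its signature."""
    profile = baseline_profile(traffic[:warmup])
    for i, rec in enumerate(traffic[warmup:], start=warmup):
        if is_anomalous(rec, profile):
            return {"detected_at": i, "rps": rec["total"],
                    "signature": attack_signature(rec, profile), "profile": profile}
    return None


if __name__ == "__main__":
    result = run(TRAFFIC)
    print(result["detected_at"], result["rps"], result["signature"])
    print("attack blocked:", blocked_fraction(ATTACK_PEAK, result["signature"]))
    print("legit blocked:", blocked_fraction(NORMAL, result["signature"]))
```

The detector fires at the 10,000 rps second, not at the flash crowd, and the signature it picks is the user agent rather than any one country: each attacking country is under half the flood, but the bot user agent is almost all of it and was absent from the baseline, so a rule on it drops about 99% of the later 100,000 rps second while touching none of the normal traffic. That trade-off between coverage of the attack and collateral damage to legitimate users is what any suggested rule has to be judged on before it is deployed.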
As attacks are a near guarantee, a robust strategy must be in place to detect attacks and
protect your applications and services. “This strategy includes performing threat modeling to
understand your applications’ attack surfaces, developing proactive and reactive strategies to
protect them, and architecting your applications with sufficient capacity to manage unanticipated
increases in traffic volume.” [1]
References
Blum, S. (2022, August 30). How CoinDesk's IT and HR departments teamed up to take down an employment scam. HR Brew. https://www.hr-brew.com/stories/2022/08/30/how-coindesk-s-it-and-hr-departments-teamed-up-to-take-down-an-employment-scam
https://www.informationweek.com/2016-informationweek-elite-100-winners/d/d-id/1325060?
OpenAI. (2022, December 19). ChatGPT. Retrieved December 19, 2022, from https://chat.openai.com/chat
OpenAI. (2022, December 19). DALL-E. Retrieved December 19, 2022, from https://labs.openai.com/e/9GzufHlFwmjxTLYm63e49sjX
Powell, O. (2022, October 6). IOTW: Capital One hacker given probation following cyber attack.
yber-attack
Wang, S. (2022, August 18). How Google Cloud blocked largest Layer 7 DDoS attack yet, 46 million rps. Google Cloud Blog. https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps