Incident Response 101

A Practical Guide to Managing Cybersecurity Incidents

Author: ChatGPT
Illustrations: Dall-E
Reviewed and Edited by: Christian Galvan & Lawren Epstein
Chapter 1: Introduction to Incident Response 4
What is incident response? 4
The importance of incident response 5
The incident response process 5

Chapter 2: Planning and Preparation 7

Developing an incident response plan 7
Establishing an incident response team 8
Training and testing 9

Chapter 3: Detection and Analysis 11

Identifying incidents 11
How to identify security incidents in AWS? 11
How to identify security incidents in GCP? 12
How to identify security incidents in Splunk? 13
How to identify security incidents without a SIEM? 13
How to identify security incidents using Windows Event IDs 14
Gathering and analyzing evidence 15
Determining the scope and impact of the incident 15

Chapter 4: Containment, Eradication, and Recovery 17

Containing the incident 17
How to contain a security incident in AWS? 17
How to contain a security incident in GCP? 18
How to contain a security incident on a windows system? 19
Eradicating the cause of the incident 19
Recovering from the incident 20
How to recover from a security incident in AWS? 20
How to recover from a security incident in GCP? 21

Chapter 5: Post-Incident Activities 22

Conducting a post-incident review 22
Updating the incident response plan 23
Communicating with stakeholders 24

Chapter 6: Advanced Incident Response Techniques 25

Responding to advanced threats 25
Leveraging technology in incident response 27
 Working with law enforcement 27

Chapter 7: Incident Response in the Real World 29

Mini Case studies of successful incident response 29
CoinDesk response to international HR phishing scam 29
Capital One swift response and fix to Zero-Day Vulnerability in AWS 30
Google blocked and maintain resiliency against the largest DDoS attack ever 31
Common pitfalls to avoid 32
Best practices for incident response professionals 32
Chapter 1: Introduction to Incident Response

What is incident response?

Incident response is the process of identifying, analyzing, and responding to a cybersecurity
incident or breach. It involves a set of activities that are designed to prevent the incident from
escalating, minimize the impact of the incident, and restore normal operations as quickly as
possible.
Incident response typically follows a specific process, which includes:
 1. Planning and preparation: Developing an incident response plan and establishing an
incident response team to ensure that the organization is prepared to respond to
incidents effectively.
2. Detection and analysis: Identifying and analyzing the incident to determine its scope
and impact.
3. Containment, eradication, and recovery: Taking steps to contain the incident and
eliminate the cause, and then recovering from the incident.
4. Post-incident activities: Conducting a post-incident review, updating the incident
response plan, and communicating with stakeholders.
Effective incident response requires a combination of technical expertise, strong
communication skills, and the ability to make quick, informed decisions under pressure. It is an
essential part of any organization's cybersecurity strategy.

The importance of incident response

Incident response is important because it helps organizations protect their assets, minimize the
impact of cybersecurity incidents, and restore normal operations as quickly as possible.
A cybersecurity incident or breach can have serious consequences for an organization,
including financial losses, damage to reputation, and legal liabilities. By responding to
incidents effectively, organizations can minimize these negative impacts and protect their
stakeholders.
Effective incident response also helps organizations maintain customer and stakeholder trust,
as it demonstrates that the organization is taking proactive measures to protect against cyber
threats and is able to respond effectively when incidents do occur.
In addition, incident response is an essential part of an organization's compliance with various
laws and regulations, such as the General Data Protection Regulation (GDPR) in the European
Union and the Health Insurance Portability and Accountability Act (HIPAA) in the United
States.
Overall, the importance of incident response cannot be overstated. It is a critical component of
any organization's cybersecurity strategy and helps ensure the ongoing security and resilience
of the organization.

The incident response process

The incident response process is a structured approach to identifying, analyzing, and

responding to a cybersecurity incident or breach. It typically follows a set of steps that are
designed to prevent the incident from escalating, minimize the impact of the incident, and

restore normal operations as quickly as possible.

Here is a general outline of the incident response process:

1. Planning and preparation: Developing an incident response plan and establishing an

incident response team to ensure that the organization is prepared to respond to
incidents effectively. This may also involve training and testing the incident response
team and other relevant personnel.
2. Detection and analysis: Identifying and analyzing the incident to determine its scope
and impact. This may involve gathering and analyzing evidence, such as log files,
network traffic, and other data sources.
3. Containment, eradication, and recovery: Taking steps to contain the incident and
eliminate the cause, and then recovering from the incident. This may involve
disconnecting affected systems from the network, restoring backups, and implementing
other remediation measures.
4. Post-incident activities: Conducting a post-incident review, updating the incident
response plan, and communicating with stakeholders. This may involve analyzing the
root cause of the incident and identifying ways to prevent similar incidents in the
future.

The incident response process can vary depending on the specific needs and resources of the

organization, as well as the nature and severity of the incident. It is important to have a

well-defined and tested incident response process in place to ensure that the organization is

prepared to respond effectively to incidents.

Chapter 2: Planning and Preparation

Developing an incident response plan

Developing an incident response plan involves identifying the potential cybersecurity incidents

that could occur within an organization, and establishing a set of procedures for responding to
those incidents effectively. Here are some steps to consider when developing an incident

response plan:

1. Identify the types of incidents that could occur: Consider the various types of incidents
that could occur within your organization, such as data breaches, malware infections,
network intrusions, and phishing attacks.
2. Determine the impact of each type of incident: Consider the potential impact of each
type of incident on your organization, including financial losses, damage to reputation,
and legal liabilities.
3. Establish an incident response team: Identify the individuals who will be responsible for
responding to incidents, including their roles and responsibilities. Consider establishing
an incident response team that includes personnel from different departments and with
different areas of expertise, such as IT, legal, and HR.
4. Develop incident response procedures: Establish procedures for responding to each type
of incident, including steps for identifying and analyzing the incident, containing and
eradicating the cause, and recovering from the incident.
5. Establish communication protocols: Determine how you will communicate with
stakeholders during an incident, including employees, customers, and regulatory
authorities.
6. Test and update the incident response plan: Regularly test and update the incident
response plan to ensure that it is effective and up to date.

Developing an incident response plan is an important step in protecting your organization

against cybersecurity incidents. It helps ensure that you are prepared to respond effectively and

minimize the impact of any incidents that do occur.

Establishing an incident response team

Establishing roles for an incident response team is an important step in preparing for and

responding to cybersecurity incidents. The specific roles and responsibilities of an incident

response team will depend on the size and complexity of the organization, as well as the types
of incidents that are most likely to occur. However, some common roles that may be included

on an incident response team include:

1. Incident Commander: The incident commander is responsible for overall coordination

of the incident response effort and makes key decisions about the response.
2. Technical Lead: The technical lead is responsible for analyzing the technical aspects of
the incident, such as identifying the root cause, determining the scope and impact of
the incident, and developing and implementing remediation plans.
3. Communications Lead: The communications lead is responsible for managing
communications with stakeholders during the incident, including employees,
customers, and regulatory authorities.
4. Legal Counsel: Legal counsel is responsible for advising the incident response team on
legal issues related to the incident, such as compliance with laws and regulations and
potential legal liabilities.
5. Human Resources Representative: The HR representative is responsible for managing
employee-related issues during the incident, such as providing support to affected
employees and communicating with the employee union (if applicable).
6. Public Relations Representative: The public relations representative is responsible for
managing the organization's public image during the incident and communicating with
the media.

It is important to establish clear roles and responsibilities for the incident response team to

ensure that the team is able to respond effectively to incidents. It may also be helpful to assign

backup personnel for each role to ensure that the team is able to function even if key members

are unavailable.

Training and testing

Training and testing are essential components of incident response preparedness. There are
several ways to train and test your incident response team and other relevant personnel to
ensure that they are prepared to respond to incidents effectively. Here are some suggestions:
1. Conduct regular training sessions: Provide regular training sessions for the incident
response team and other relevant personnel to ensure that they are familiar with the
 incident response plan and procedures. Training should cover topics such as the
incident response process, technical skills, and communication skills.
2. Use simulated exercises: Conduct simulated exercises that simulate different types of
incidents and allow the incident response team to practice responding to those
incidents. This can help the team identify any weaknesses or gaps in their preparedness
and make necessary improvements.
3. Participate in external training programs: Consider participating in external training
programs that are specifically designed to prepare incident response teams for various
types of incidents. These programs may include workshops, seminars, and other
learning opportunities.
4. Use tabletop exercises: Conduct tabletop exercises that allow the incident response
team to discuss and practice how they would respond to different types of incidents.
These exercises typically involve a facilitated discussion and do not require any actual
technical skills.
5. Conduct regular drills: Conduct regular drills that test specific aspects of the incident
response plan and procedures. For example, you might conduct a drill that tests the
team's ability to identify and contain an incident, or a drill that tests the team's
communication protocols.
By training and testing regularly, you can ensure that your incident response team is prepared
to respond effectively to incidents and minimize the impact of those incidents on your
organization.
Chapter 3: Detection and Analysis

Identifying incidents

How to identify security incidents in AWS?

There are several ways to identify security incidents in Amazon Web Services (AWS):
 1. Monitor AWS security events: AWS provides a range of security-related events that can
be monitored in order to identify potential incidents. These events include things like
unauthorized access attempts, resource changes, and network activity.
2. Use AWS CloudWatch: AWS CloudWatch is a monitoring service that can be used to
monitor AWS resources and applications. It can provide alerts when specific
security-related events occur, such as unauthorized access attempts or resource
changes.
3. Use AWS Config: AWS Config is a service that provides visibility into the configuration of
AWS resources. It can be used to detect when resources are created, deleted, or modified
in a way that could indicate a security incident.
4. Use AWS Security Hub: AWS Security Hub is a central place to view, investigate, and
respond to security alerts from across AWS accounts. It can provide alerts for a wide
range of security events and can be configured to send notifications to incident response
teams.
5. Monitor log files: Monitor log files for unusual activity or error messages that could
indicate a security incident. This can include things like system log files, application log
files, and network logs.
By using these tools and techniques, you can identify security incidents in AWS and take
appropriate action to respond to those incidents.

How to identify security incidents in GCP?

There are several ways to identify security incidents in Google Cloud Platform (GCP):
1. Monitor GCP security events: GCP provides a range of security-related events that can
be monitored in order to identify potential incidents. These events include things like
unauthorized access attempts, resource changes, and network activity.
2. Use Cloud Security Command Center: Cloud Security Command Center is a GCP service
that provides visibility into the security of your cloud resources. It can provide alerts
when specific security-related events occur, such as unauthorized access attempts or
resource changes.
3. Use Cloud Audit Logs: Cloud Audit Logs is a GCP service that provides a record of
system and user activity within GCP. It can be used to detect when resources are created,
deleted, or modified in a way that could indicate a security incident.
4. Use Cloud Security Scanner: Cloud Security Scanner is a GCP tool that can be used to
scan applications for vulnerabilities and security misconfigurations. It can provide alerts
when potential security issues are identified.
5. Monitor log files: Monitor log files for unusual activity or error messages that could
indicate a security incident. This can include things like system log files, application log
files, and network logs.
By using these tools and techniques, you can identify security incidents in GCP and take
appropriate action to respond to those incidents.

How to identify security incidents in Splunk?

Splunk is a data analytics platform that can be used to identify security incidents by analyzing
data from various sources, including log files, network traffic, and security devices. Here are
some ways that Splunk can be used to identify security incidents:
1. Use Splunk Enterprise Security: Splunk Enterprise Security is an add-on to Splunk that
provides a set of tools and features specifically designed for security incident detection
and response. It can analyze data from various sources to identify potential security
incidents, and provides a dashboard and other tools for investigating and responding to
those incidents.
2. Use Splunk Machine Learning Toolkit: The Splunk Machine Learning Toolkit is a set of
tools that can be used to build and deploy machine learning models to detect anomalies
and other patterns in data that could indicate a security incident.
3. Use Splunk App for PCI Compliance: The Splunk App for PCI Compliance is a tool that
can be used to monitor and analyze data from various sources to ensure compliance with
the Payment Card Industry Data Security Standard (PCI DSS). It can provide alerts when
potential security incidents or violations are identified.
4. Use custom searches and alerts: Splunk allows users to create custom searches and
alerts to identify specific patterns or conditions in the data that could indicate a security
incident. For example, you might create an alert that triggers when a specific IP address
is detected in your log data, or when a particular error message appears.
By using these tools and techniques, you can identify security incidents in Splunk and take
appropriate action to respond to those incidents

How to identify security incidents without a SIEM?

A Security Information and Event Management (SIEM) system is a tool that is specifically

designed to collect, analyze, and report on security-related events and data. However, there are

other ways to identify security incidents even if you do not have a SIEM system in place. Here

are some suggestions:

1. Monitor log files: Monitor log files for unusual activity or error messages that could
indicate a security incident. This can include system log files, application log files, and
network logs.
 2. Use network monitoring tools: Use tools like network analyzers and intrusion detection
systems to monitor network traffic for suspicious activity that could indicate a security
incident.
3. Use security alerts and notifications: Set up alerts and notifications from security tools
and devices, such as firewalls, antivirus software, and intrusion prevention systems, to
notify you of potential security incidents.
4. Monitor system and application behavior: Monitor system and application behavior for
unusual activity that could indicate a security incident. For example, you might look for
changes in system performance, unexpected system shutdowns, or unusual network
traffic patterns.
5. Use threat intelligence feeds: Use threat intelligence feeds from sources like the
Cybersecurity and Infrastructure Security Agency (CISA) or the Federal Bureau of
Investigation (FBI) to stay informed about potential security threats and incidents.

By using these techniques, you can identify security incidents even if you do not have a SIEM

system in place. It is important to have a plan in place for how you will monitor and respond to

potential security incidents in order to protect your organization.

How to identify security incidents using Windows Event IDs

Windows event IDs are codes that are assigned to specific events that occur on a Windows
system. These events can include things like system startup and shutdown, application events,
and security-related events. Here are some steps to consider when using Windows event IDs to
identify security incidents:
1. Review relevant event logs: Review the event logs that are relevant to security, such as
the Security event log, to identify potential security incidents.
2. Look for specific event IDs: Look for specific event IDs that may indicate a security
incident. Some common event IDs that may indicate a security incident include 4624
(successful logon), 4625 (failed logon), and 4672 (special logon).
3. Check for event ID patterns: Look for patterns in the event IDs that may indicate a
security incident. For example, multiple failed login attempts (event ID 4625) may
indicate a brute force attack.
4. Review event details: Review the details of the events identified in step 2 to gather more
information about the incident. This may include things like the source IP address, user
account, and event description.
By using these steps, you can use Windows event IDs to identify potential security incidents
and take appropriate action to respond to those incidents. It is important to regularly review
event logs and be aware of potential security-related event IDs in order to effectively identify
and respond to security incidents.

Gathering and analyzing evidence

Gathering and analyzing evidence is an important step in the incident response process. It
involves collecting data about the incident and analyzing that data to determine the scope and
impact of the incident, as well as the root cause and any potential remediation steps. Here are
some steps to consider when gathering and analyzing evidence for incident response:
1. Determine what evidence to collect: Identify the types of evidence that are relevant to
the incident, such as log files, network traffic, and system configurations.
2. Collect the evidence: Gather the relevant evidence from the affected systems and
devices. It is important to handle the evidence in a way that preserves its integrity and
authenticity, such as by making copies of the evidence rather than altering the original
data.
3. Analyze the evidence: Use tools and techniques such as log analysis, packet analysis,
and forensic analysis to analyze the collected evidence. This may involve reviewing the
evidence manually or using automated tools to identify patterns or anomalies that could
indicate the cause of the incident.
4. Document the findings: Document the findings of the evidence analysis in a clear and
concise manner. This may include things like a timeline of the incident, a description of
the root cause, and any relevant technical details.
5. Review and confirm the findings: Review the findings with relevant stakeholders and
confirm that the evidence supports the conclusions that have been drawn.

Determining the scope and impact of the incident

Determining the scope and impact of a security incident is an important step in the incident
response process. It involves assessing the extent of the incident and understanding the
potential impact on the organization and its stakeholders. Here are some steps to consider
when determining the scope and impact of a security incident:
1. Identify the systems and data that were affected: Determine which systems and data
were directly affected by the incident, as well as any systems and data that may have
been indirectly impacted.
2. Assess the extent of the impact: Evaluate the extent to which the affected systems and
data have been compromised or disrupted. This may include things like data loss,
system downtime, or unauthorized access to sensitive information.
 3. Determine the potential impact on the organization: Consider the potential impact of
the incident on the organization, including financial losses, damage to reputation, and
legal liabilities.
4. Assess the potential impact on stakeholders: Evaluate the potential impact of the
incident on stakeholders, including employees, customers, and partners.
5. Determine the likelihood of future incidents: Consider the likelihood of future incidents
occurring as a result of the current incident, and the potential impact of those incidents.

By determining the scope and impact of the incident, you can gain a better understanding of
the impact of it will have on the organization and stakeholders involved.
Chapter 4: Containment, Eradication, and Recovery

Containing the incident

How to contain a security incident in AWS?

Containing a security incident in Amazon Web Services (AWS) involves taking steps to prevent
the incident from escalating and minimize its impact. Here are some suggestions for containing
a security incident in AWS:
1. Disconnect affected systems from the network: If a system has been compromised,
consider disconnecting it from the network to prevent the incident from spreading to
other systems.
2. Stop or terminate affected resources: If a resource, such as an Amazon Elastic Compute
Cloud (EC2) instance, is being used to conduct the incident, consider stopping or
terminating the resource to prevent further damage.
3. Implement network segmentation: Use network segmentation to isolate affected
systems from other systems on the network. This can help prevent the incident from
spreading to other systems.
4. Implement security controls: Implement security controls, such as firewalls and
intrusion prevention systems, to protect against future incidents.
5. Use Amazon GuardDuty: Consider using Amazon GuardDuty, which is a threat detection
service that uses machine learning to identify and alert on potential security threats.

By implementing these containment measures, you can prevent the incident from escalating
and minimize its impact on your organization. It is important to act quickly to contain the
incident and prevent further damage.

How to contain a security incident in GCP?

Containing a security incident in Google Cloud Platform (GCP) involves taking steps to prevent
the incident from escalating and minimize its impact. Here are some suggestions for containing
a security incident in GCP:
1. Disconnect affected systems from the network: If a system has been compromised,
consider disconnecting it from the network to prevent the incident from spreading to
other systems.
2. Stop or delete affected resources: If a resource, such as a Compute Engine virtual
machine, is being used to conduct the incident, consider stopping or deleting the
resource to prevent further damage.
3. Implement network segmentation: Use network segmentation to isolate affected
systems from other systems on the network. This can help prevent the incident from
spreading to other systems.
4. Implement security controls: Implement security controls, such as firewalls and
intrusion prevention systems, to protect against future incidents.
5. Use Cloud Security Command Center: Consider using Cloud Security Command Center,
which is a GCP service that provides visibility into the security of your cloud resources.
 It can provide alerts when specific security-related events occur, such as unauthorized
access attempts or resource changes.
By implementing these containment measures, you can prevent the incident from escalating
and minimize its impact on your organization. It is important to act quickly to contain the
incident and prevent further damage.

How to contain a security incident on a windows system?

Containing a security incident on a Windows system involves taking steps to prevent the
incident from escalating and minimize its impact. Here are some suggestions for containing a
security incident on a Windows system:
1. Disconnect the system from the network: If a system has been compromised, consider
disconnecting it from the network to prevent the incident from spreading to other
systems.
2. Terminate any malicious processes: Use Task Manager or other tools to identify and
terminate any malicious processes that may be running on the system.
3. Block traffic to and from the system: Use a firewall or other security controls to block
traffic to and from the system. This can help prevent the incident from spreading to
other systems.
4. Enable security controls: Enable security controls, such as antivirus software and
intrusion prevention systems, to protect against future incidents.
5. Isolate the system: If possible, isolate the system from other systems on the network to
prevent the incident from spreading.
By implementing these containment measures, you can prevent the incident from escalating
and minimize its impact on your organization. It is important to act quickly to contain the
incident and prevent further damage.

Eradicating the cause of the incident

Eradicating the cause of a security incident involves identifying and addressing the root cause
of the incident in order to prevent future incidents from occurring. Here are some steps to
consider when eradicating the cause of a security incident:
1. Identify the root cause: Determine the root cause of the incident by analyzing evidence
and identifying the underlying cause of the incident. This may involve things like
reviewing log files, analyzing network traffic, and examining system configurations.
2. Develop a remediation plan: Based on the root cause identified in step 1, develop a plan
to address the root cause and prevent future incidents from occurring.
3. Implement the remediation plan: Implement the remediation plan by taking the
necessary steps to address the root cause of the incident. This may include things like
 applying patches, updating system configurations, or implementing new security
controls.
4. Verify that the root cause has been eradicated: Verify that the root cause of the incident
has been eradicated by testing the systems and procedures that were impacted by the
incident.
5. Review and update policies and procedures: Review and update policies and procedures
as needed to ensure that they are effective in preventing future incidents.

By following these steps, you can eradicate the cause of a security incident and prevent future
incidents from occurring. It is important to act quickly to address the root cause of the incident
and implement appropriate remediation measures in order to protect your organization

Recovering from the incident

How to recover from a security incident in AWS?

Recovering from a security incident in Amazon Web Services (AWS) involves restoring affected
systems and data, and taking steps to prevent future incidents from occurring. Here are some
steps to consider when recovering from a security incident in AWS:
1. Restore affected systems and data: Restore affected systems and data to a known good
state. This may involve things like restoring from backups, rebuilding systems, or
recreating data.
2. Implement security controls: Implement security controls, such as firewalls and
intrusion prevention systems, to protect against future incidents.
3. Use Amazon GuardDuty: Consider using Amazon GuardDuty, which is a threat detection
service that uses machine learning to identify and alert on potential security threats.
4. Review and update policies and procedures: Review and update policies and procedures
as needed to ensure that they are effective in preventing future incidents.
5. Conduct a post-incident review: Conduct a post-incident review to identify any lessons
learned and opportunities for improvement.

By following these steps, you can recover from a security incident in AWS and take steps to
prevent future incidents from occurring. It is important to have a plan in place for how you will
recover from a security incident in order to minimize the impact on your organization.
How to recover from a security incident in GCP?
Recovering from a security incident in Google Cloud Platform (GCP) involves restoring affected
systems and data, and taking steps to prevent future incidents from occurring. Here are some
steps to consider when recovering from a security incident in GCP:
1. Restore affected systems and data: Restore affected systems and data to a known good
state. This may involve things like restoring from backups, rebuilding systems, or
recreating data.
2. Implement security controls: Implement security controls, such as firewalls and
intrusion prevention systems, to protect against future incidents.
3. Use Cloud Security Command Center: Consider using Cloud Security Command Center,
which is a GCP service that provides visibility into the security of your cloud resources.
It can provide alerts when specific security-related events occur, such as unauthorized
access attempts or resource changes.
4. Review and update policies and procedures: Review and update policies and procedures
as needed to ensure that they are effective in preventing future incidents.
5. Conduct a post-incident review: Conduct a post-incident review to identify any lessons
learned and opportunities for improvement.
By following these steps, you can recover from a security incident in GCP and take steps to
prevent future incidents from occurring. It is important to have a plan in place for how you will
recover from a security incident in order to minimize the impact on your organization.
Chapter 5: Post-Incident Activities

Conducting a post-incident review

A post-incident security interview is a structured conversation with individuals involved in a
security incident in order to gather information about the incident and identify any lessons
learned or opportunities for improvement. Here are some steps to consider when conducting a
post-incident security interview:
 1. Identify the individuals to interview: Determine who should be interviewed as part of
the post-incident review. This may include individuals who were directly involved in the
incident, as well as those who may have witnessed the incident or had relevant
information.
2. Prepare for the interview: Review the relevant documents and information about the
incident, and develop a list of questions to ask during the interview.
3. Conduct the interview: Conduct the interview in a structured and professional manner,
asking the prepared questions and allowing the interviewee to provide their perspective
on the incident. Be sure to listen actively and take notes on the conversation.
4. Document the interview: Document the results of the interview in a clear and concise
manner, including any relevant information provided by the interviewee.
5. Use the information gathered during the interview to identify lessons learned and
opportunities for improvement: Review the information gathered during the interview
and use it to identify any lessons learned or opportunities for improvement.
By conducting post-incident security interviews, you can gather valuable information about the
incident and use it to improve your organization's security posture. It is important to conduct
these interviews in a professional and unbiased manner in order to gather accurate and useful
information.

Updating the incident response plan

Updating an incident response plan after an incident involves reviewing the plan and making
changes as needed to improve the organization's ability to respond to future incidents. Here are
some steps to consider when updating an incident response plan after an incident:
1. Conduct a post-incident review: Conduct a post-incident review to identify any lessons
learned and opportunities for improvement. This may include things like reviewing the
incident response process, analyzing the effectiveness of the plan, and identifying any
areas where improvements can be made.
2. Review and update the incident response plan: Based on the findings of the
post-incident review, review and update the incident response plan as needed. This may
include things like adding or modifying procedures, updating contact information, or
revising roles and responsibilities.
3. Test and train on the updated plan: Test the updated incident response plan to ensure
that it is effective and all team members are familiar with the revised procedures.
Provide training to team members as needed to ensure that they are prepared to
respond to future incidents.
 4. Communicate the updates to relevant stakeholders: Communicate the updates to the
incident response plan to relevant stakeholders, including team members and
leadership.

By following these steps, you can update your incident response plan after an incident in a
systematic and effective manner. It is important to regularly review and update the incident
response plan to ensure that it is effective and up-to-date.

Communicating with stakeholders

Effective communication with stakeholders is an important skill for a security professional.
Here are some tips for how a security professional can best communicate with stakeholders:
1. Identify the stakeholders: Determine who the stakeholders are and what their specific
needs and concerns are. This may include employees, customers, partners, and
leadership.
2. Use clear and concise language: Use clear and concise language when communicating
with stakeholders. Avoid technical jargon and explain concepts in simple terms that can
be easily understood.
3. Use appropriate channels: Choose the appropriate channels for communication based
on the needs and preferences of the stakeholders. This may include things like email,
in-person meetings, or conference calls.
4. Be timely: Respond to stakeholders in a timely manner, and follow up as needed to
ensure that their needs and concerns are addressed.
5. Use visual aids: Use visual aids, such as diagrams or charts, to help explain complex
concepts or processes.
By following these tips, a security professional can effectively communicate with stakeholders
and ensure that their needs and concerns are addressed. It is important to be proactive in
communication and make an effort to understand the needs and concerns of stakeholders in
order to build trust and maintain good relationships.
Chapter 6: Advanced Incident Response Techniques

Responding to advanced threats

Advanced security threats are sophisticated and often difficult to detect and defend against.
Some examples of advanced security threats include:
1. Advanced persistent threats (APTs): APTs are long-term, targeted attacks that are often
conducted by nation-states or other highly skilled attackers. APTs are designed to
 infiltrate an organization's network and exfiltrate sensitive data over a period of time,
often without being detected.
2. Zero-day vulnerabilities: Zero-day vulnerabilities are software vulnerabilities that have
not yet been publicly disclosed or patched. Attackers can exploit these vulnerabilities to
gain unauthorized access to systems or data.
3. Ransomware: Ransomware is a type of malware that encrypts a victim's files and
demands payment in exchange for the decryption key. Ransomware can be particularly
difficult to defend against due to its ability to evade detection and spread quickly.
4. Spear phishing: Spear phishing is a targeted form of phishing that is designed to trick
individuals into disclosing sensitive information or installing malware. Spear phishing
attacks often use personalized and convincing messages to trick victims into falling for
the scam.
5. Supply chain attacks: Supply chain attacks involve compromising the supply chain of an
organization in order to gain access to systems or data. These attacks can be difficult to
detect and prevent because they often involve trusted partners or suppliers.
By understanding these advanced security threats and taking steps to protect against them,
organizations can better defend against these sophisticated attacks.

Advanced security threats are sophisticated and often difficult to detect and defend against.
Here are some steps that organizations can take to respond to advanced security threats:
1. Implement security controls: Implement security controls, such as firewalls, intrusion
prevention systems, and antivirus software, to protect against advanced threats.
2. Use threat intelligence: Use threat intelligence to stay informed about the latest threats
and vulnerabilities, and to identify potential indicators of compromise.
3. Conduct security assessments: Conduct regular security assessments to identify
vulnerabilities and areas for improvement in the organization's security posture.
4. Educate and train employees: Educate and train employees on how to identify and
prevent advanced threats, and encourage them to report any suspicious activity.
5. Develop a robust incident response plan: Develop a robust incident response plan that
includes procedures for responding to advanced threats, and ensure that all team
members are trained on the plan.
By following these steps, organizations can be better prepared to respond to advanced security
threats and minimize their impact on the organization. It is important to be proactive in
security and stay informed about the latest threats in order to effectively defend against
advanced threats.
Leveraging technology in incident response
Technology can be leveraged in a number of ways to improve incident response efforts. Here

are some examples of how technology can be leveraged for incident response:

1. Security information and event management (SIEM) systems: SIEM systems collect and
analyze security-related data from various sources, such as network logs, application
logs, and system alerts. This data is used to identify potential security incidents and
trigger alerts to incident response teams.
2. Automated response tools: Automated response tools can be used to automate certain
aspects of the incident response process, such as quarantining affected systems or
blocking malicious traffic.
3. Threat intelligence platforms: Threat intelligence platforms provide information about
the latest threats and vulnerabilities, and can be used to identify potential indicators of
compromise.
4. Collaboration tools: Collaboration tools, such as chat or video conferencing software,
can be used to facilitate communication and coordination among incident response
team members.
5. Mobile apps: Mobile apps can be used to provide incident response team members with
access to relevant information and tools, such as checklists and playbooks, while in the
field.

By leveraging technology, organizations can improve their incident response efforts and respond

more effectively to security incidents. It is important to select the appropriate technology tools

and ensure that they are properly configured and used effectively in order to maximize their

benefits.

Working with law enforcement

Law enforcement can be a valuable resource during a security incident, particularly in cases
where the incident involves criminal activity. Here are some ways that law enforcement can
help during a security incident:
1. Provide expertise: Law enforcement agencies have expertise in investigations and can
provide guidance on how to gather and preserve evidence in a manner that is admissible
in court.
 2. Assist with tracking down perpetrators: If the incident involves criminal activity, law
enforcement can help track down the perpetrators and bring them to justice.
3. Provide resources: Law enforcement agencies often have access to resources, such as
forensic labs and specialized personnel, that can be useful in the response to a security
incident.
4. Coordinate with other agencies: Law enforcement agencies can coordinate with other
agencies, such as the FBI or Secret Service, to provide additional resources and expertise
as needed.
It is important to establish a relationship with your local law enforcement agency and to have a
plan in place for how to engage them in the event of a security incident. By working with law
enforcement, organizations can better protect themselves and their assets during a security
incident.
Chapter 7: Incident Response in the Real World

Mini Case studies of successful incident response

CoinDesk response to international HR phishing scam

The leading platform that specializes in Bitcoin and Digital currencies faced a unique challenge
in the summer of 2022. People were following up with the companies VP of People & HR about
roles they had applied to or saw a post about. HR quickly determined that these were not real
and engaged the security team along with internal employees. At the same time they also
shared with their network to ensure that job applications were only submitted via official
methods such as LinkedIn. The security team immediately sprang into action to get detailed
information about the infrastructure of the malicious domain. Through DNS queries and
performing OSINT it was determined that these servers were being hosted in Germany, Africa,
and the UK using various cloud resources to limit single point of failure.

After analyzing and collecting sufficient details the scope and impact was determined. A report
was generated for management and individuals who are part of the Incident Response Team to
be aware of their responsibilities during this event. The initial actions were to inform people
applying to the company to be aware of the issue, report this issue to the various cloud
providers, submit URLs as malicious to numerous security vendors, and collaborate with
agencies such as US-CERT & FBI IC3 for increased awareness.

The security team noticed that when it comes to copyright issues, these can be lengthy and
cloud companies might not respond right away. Also, it was quickly discovered that there are no
“International Copyright” protections. Taking matters into their own hands the security team
submitted a fictitious job application with encoded messages and using the address of an FBI
field office. Any hacker who received encoded messages or a payload signaling that they’ve been
discovered would be immediately covering their tracks and tearing down infrastructure. Which
is exactly what happened in this case, the malicious domain with international infrastructure
was taken down the next day. For more details, read this article, “ How Security & HR Teamed
up to take down an employment scam,” published by Sam Blum on the matter.

Capital One swift response and fix to Zero-Day Vulnerability in AWS

Capital One has been previously rated with the #1 most innovative company using business
technology in 2016. Through the years they’ve even hired more AWS certified professionals
than other industries. As any security professional would confirm that there is no such thing as
a secure system, except the one that is powered off and at the bottom of the golden gate bridge.
In 2019, Capital One experienced a significant cyber incident that exposed the personal
information of over 100 million individuals. Here are some steps that Capital One took in their
response to the cyber attack. The company notified affected individuals: Capital One notified
affected individuals and provided them with information about the steps they could take to
protect themselves.

The organization launched an investigation: Capital One launched an investigation into the
incident and worked with law enforcement and cybersecurity experts to identify the cause of
the breach and the extent of the damage. Customers were provided credit monitoring and
identity protection services: Capital One provided credit monitoring and identity protection
services to affected individuals to help them protect themselves against potential fraud or
identity theft. Enhanced security measures were applied, Capital One implemented additional
security measures, including upgrading its firewall and implementing multi-factor
authentication, to prevent future breaches. Some of the challenges that Capital One faced were
legal consequences. Capital One faced legal consequences, including class action lawsuits and
regulatory fines, as a result of the breach. Which was interesting because 30 other companies
were targeted and the headlines only focused on Paige Thompson targeting the bank, probably
because it was a larger story. Additionally, through the investigation it was confirmed that the
data stolen was not accessed nor used for fraud.

By taking these steps, Capital One was able to respond to the cyber attack and take steps to
protect affected individuals and prevent future breaches. It is important for organizations to
have a plan in place for responding to cyber attacks and to take steps to protect affected
individuals and prevent future incidents.

Google blocked and maintain resiliency against the largest DDoS attack
ever

With heavy internet-facing workloads, organizations face increased risk of distributed

denial-of-service (DDoS) attacks. To mitigate the risk, Google created Cloud Armor for Cloud
customers to leverage the scale and capacity of Google’s network edge to protect their
environment from DDoS attacks.

This proved to be a valuable resource for a Google Cloud Armor customer on June 1, 2022.
This customer “was targeted with a series of HTTPS DDoS attacks which peaked at 46 million
requests per second. This is the largest Layer 7 DDoS reported to date...” [1] This customer was
proactive in adopting a resource that could detect potential risks and vulnerabilities. In this
instance, the Cloud Armor Adaptive Protection detected and analyzed the traffic early in the
attack lifecycle at more than 10,000 requests per second (rps), before quickly ramping up to
100,000 rps. The customer deployed the recommended protective rule before the attack was
fully engaged. Cloud Armor blocked the attack effectively protecting their organization from a
security incident and ensured the end-user’s uninterrupted service. The attack continued to
increase to 46 million rps within a few minutes, but due to the protective rule, Cloud Armor was
blocking the traffic and, ultimately, the attacker(s) relented.

The customer prepared for potential incidents by configuring their Cloud Armor security policy to
establish a baseline model of normal traffic patterns for their service. So, when an attack
occurred, their Adaptive Protection was able to detect the DDos attack early in its life cycle and
generate a protective rule to block the attack traffic. “As the attack ramped up to its 46 million
rps peak, the Cloud Armor-suggested rule was already in place to block the bulk of the attack
and ensure the targeted applications and services remained available.” [1]

As attacks are a near guarantee, a robust strategy must be in place to detect attacks and
protect your applications and services. “This strategy includes performing threat modeling to
understand your applications’ attack surfaces, developing proactive and reactive strategies to
protect them, and architecting your applications with sufficient capacity to manage unanticipated
increases in traffic volume.” [1]

Common pitfalls to avoid

Incident response can be a complex and challenging process, and there are several common
pitfalls that organizations can encounter. Here are some common pitfalls when doing incident
response:
1. Lack of preparedness: Without a robust incident response plan and appropriate training,
organizations may be unprepared to effectively respond to a security incident.
2. Lack of coordination: Without proper coordination among incident response team
members, the response to a security incident may be disorganized and inefficient.
3. Lack of communication: Poor communication with stakeholders, such as employees,
customers, and leadership, can lead to confusion and mistrust during an incident.
4. Lack of resources: Insufficient resources, such as personnel, tools, and funding, can
hinder an organization's ability to effectively respond to a security incident.
5. Lack of post-incident review: Failing to conduct a post-incident review to identify
lessons learned and opportunities for improvement can lead to the same mistakes being
made in future incidents.
By avoiding these pitfalls, organizations can improve their incident response efforts and better
protect themselves in the event of a security incident. It is important to be proactive in incident
response and to have a well-planned and well-executed incident response process in place.

Best practices for incident response professionals

Incident response professionals play a crucial role in protecting organizations from security
incidents. Here are some best practices for incident response professionals:
1. Be proactive: Incident response professionals should be proactive in identifying
potential threats and vulnerabilities, and take steps to prevent incidents from occurring.
2. Stay informed: Stay informed about the latest threats and vulnerabilities, and stay
up-to-date on best practices and techniques for incident response.
 3. Have a plan: Develop a robust incident response plan that is well-documented and
tested, and ensure that all team members are trained on the plan.
4. Coordinate with other stakeholders: Coordinate with other stakeholders, such as law
enforcement, IT, and leadership, to ensure a coordinated and effective response to
incidents.
5. Communicate effectively: Communicate effectively with stakeholders, including
employees, customers, and leadership, to keep them informed about the status of the
incident and any steps being taken to address it.
6. Conduct post-incident reviews: Conduct post-incident reviews to identify lessons
learned and opportunities for improvement, and update the incident response plan as
needed.
By following these best practices, incident response professionals can effectively protect their
organizations from security incidents and minimize their impact. It is important to be proactive
and well-prepared in order to effectively respond to security incidents.

References

Blum, S. (2022, August 30). How CoinDesk's IT and HR departments teamed up to take down

an employment scam. HR Brew. Retrieved December 20, 2022, from

https://www.hr-brew.com/stories/2022/08/30/how-coindesk-s-it-and-hr-departments-team

ed-up-to-take-down-an-employment-scam

InformationWeek. (2016). 2016 InformationWeek Elite 100 Winners. InformationWeek.

Retrieved December 20, 2022, from

https://www.informationweek.com/2016-informationweek-elite-100-winners/d/d-id/132506

0?

Open AI. (2022, December 19). Retrieved December 19, 2022, from

https://chat.openai.com/chat

Open AI. (2022, December 19). Retrieved December 19, 2022, from

https://labs.openai.com/e/9GzufHlFwmjxTLYm63e49sjX

Powell, O. (2022, October 6). IOTW: Capital One hacker given probation following cyber attack.

Cyber Security Hub. Retrieved December 20, 2022, from

 https://www.cshub.com/attacks/news/iotw-capital-one-hacker-given-probation-following-c

yber-attack

Wang, S. (2022, August 18). How Google Cloud blocked largest Layer 7 DDoS attack yet, 46

million rps. Google Cloud. Retrieved December 20, 2022, from

https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-large

st-layer-7-ddos-attack-at-46-million-rps