IHR Module 2 Lecture 1-3


INCIDENT HANDLING AND RESPONSE

(HC-08)

Dr Bishwajeet Pandey, SMIEEE


CSE Research Coordinator-Jain University, India

PhD (Gran Sasso Science Institute, L'Aquila, Italy)


Visiting Professor at
UCSI UNIVERSITY-Malaysia
L.N. Gumilyov Eurasian National University-Kazakhstan
ABOUT MYSELF

• PhD from Gran Sasso Science Institute, Italy


• PhD Supervisor Prof Paolo Prinetto from Politecnico Di Torino, World Rank 13 in Electrical Engineering
• MTech from Indian Institute of Information Technology, Gwalior
• Visited 41 Countries Across The Globe
• Written 200+ research papers with 193 researchers from 63 universities
• Scopus Profile: https://www.scopus.com/authid/detail.uri?authorId=57203239026
• Google Scholar: https://scholar.google.com/citations?user=UZ_8yAMAAAAJ&hl=hi
• IBM Certified Solution Designer
• EC-Council Certified Ethical Hacker
• AWS Certified Cloud Practitioner
• Qualified GATE 4 times
• Email dr.pandey@ieee.org, p.biswajeet@jainuniversity.ac.in
MY SCOPUS PROFILE
MY GOOGLE SCHOLAR PROFILE
IHR Syllabus
Investigation Phase
The following issues relate to the process of investigation.

• The distinction between investigative tasks and investigative thinking
• The progression of the investigative process
• The distinction between tactical investigative and strategic
investigative responses
• The concepts of event classification and offence recognition
• The threat vs. action response dilemma
• The distinction between active events and inactive events
• The connection of active events and Level 1 priority results to the
powers afforded under exigent circumstance
• The Response Transition Matrix (RTM) and the critical need to transition
from tactical response to strategic response
Topic 1: The Distinction Between Investigative
Tasks and Investigative Thinking

• To understand the process of investigation, it is necessary to comprehend the distinction between investigative tasks and investigative thinking.
• Investigative tasks relate to the information gathering processes that feed into investigative thinking and the results.
• Investigative thinking, on the other hand, is the process of analyzing information and theorizing to develop investigative plans. Let us consider this distinction in a little more depth.
Topic 2: Progression of the Investigative Process

• The investigative process is a progression of activities or steps moving from evidence gathering tasks, to information analysis, to theory development and validation, to forming reasonable grounds to believe, and finally to the arrest and charge of a suspect.
• Knowing these steps can be helpful because criminal incidents are dynamic and unpredictable.
• The order in which events take place, and the way evidence and information become available for collection, can be unpredictable.
Topic 3: Distinction Between a Tactical Investigative
Response and a Strategic Investigative Response

• These two different types of investigative responses are defined by the nature and status of the event that the investigator is facing.
• If it is an active event, it will require a Tactical Investigative Response, and if it is an inactive event it will require a Strategic Investigative Response.
Topic 4: Event Classification and Offence Recognition

• In order to enter any investigation in either the tactical or the strategic response mode, an investigator must engage their thinking processes and make decisions about the event they are confronting.
• Thinking about these situational elements of active event or inactive event is called event classification.
• Considering the possible crime being committed in the event is called “offence recognition,” and this recognition of a specific offence activates the investigator’s thinking to look for the evidence that supports the elements of that recognized offence.
Topic 5: Classifying the Event as Either an Active
Event or an Inactive Event

• For each of these classifications of active event or inactive event, the investigator has some different legal authorities to put into action, as well as some immediate responsibilities for the protection, collection, and preservation of evidence.
• When attending the scene of any reported event, the investigator should assume that the event is active until it has been established to be inactive.
Topic 6: Threat vs. Action Analysis Dilemma

• Two armed teenagers went on a shooting spree in the high school, killing 13 people and wounding 20 others before turning their weapons on themselves and committing suicide.
• Officers responding to that call followed departmental protocols of that era.
• These protocols dictated they should wait for the arrival of their Emergency Response Team in events where armed suspect confrontations were taking place.
• The fact that these first responders waited despite ongoing killing taking place inside the high school led to a determination that police have a duty to take action in such cases, and waiting is not the correct response.
Topic 7: Rules of Engagement for an Active Event or
an Inactive Event
Topic 8: RTM
Post Investigation Phase

Post-Incident Activity

• Complete an Incident Report: Documenting the incident will help to improve the incident response plan and augment additional security measures to avoid such security incidents in the future.
What is a Post-Incident Response (PIR)?

• A PIR is a high-level assessment of safety data following a workplace safety incident.
• This is the stage where safety professionals review what procedures, data and tools were available, as well as how efficiently they were used, or perhaps not, in order to determine preventative measures for the future.
Purpose of Post Incident Response

• Overall, the creation of a PIR further demonstrates that an organization has taken the necessary steps to learn from an incident and ensure that a similar one does not reoccur in the future, according to Digital Guardian.
• Coincidentally, PIRs are often “one of the most neglected components” in planning for disaster recoveries, per Disaster Response Journal; however, VictorOps found in a study that 75% of the “incident life cycle” is spent specifically on response.
Purpose of Post Incident Response

• To help facilitate continued incident response lifecycle improvement over time, organizations should establish post-incident review processes that specify the key metrics to obtain and the exact steps to follow.
• Not only should the hardware and virtual aspects of a system be analyzed — the actions taken by the humans behind the machines are also key to a strong PIR.
• Data on processes, tooling and the people involved all belong in the review; for example, a PIR may identify a pattern of employee habits that led to an incident in the first place.
Purpose of Post Incident Response

• “Post-incident reviews that are simply focused on processes and tooling — and not the people involved — won’t holistically improve the incident lifecycle over time... painting the full picture of what happens during an incident leads to deeper insights and helps teams optimize the human part of being on-call,” a VictorOps article notes.
How to conduct a PIR

• At a minimum, experts recommend a handful of important steps that an organization should take when carrying out a post-incident response process, from the creation of an incident report to organization-wide interdepartmental coordination to prevent an issue from reappearing.
• Other experts further recommend a number of metrics to consider and questions to ask in carrying out these steps in a PIR plan.
How to conduct a PIR

Based on expert recommendations, here are three steps to follow in creating a PIR:

1. Create an incident report
2. Monitor the situation post incident and respond accordingly
3. Coordinate, update and implement the mitigation plan
Create an Incident Report

• In particular, this step in the process should record and present metrics garnered from incident analysis.
• At a minimum, an incident report should include a timeline with key details such as when the issue was first detected, when and if the incident escalated in severity, and even which of the remediation tasks attempted had positive, negative or non-observable impacts on the situation, according to VictorOps.
Monitor the situation post incident and respond
accordingly

• At this point, those completing the PIR should have answered initial questions related to incident detection, response and resolution, among others, such as “how can we know more quickly?” and “how do we recover more quickly?”
• As a whole, the plan should also detail what was learned from an incident in terms of the people, processes and technology involved.
Coordinate, update and implement the
mitigation plan

• According to Digital Guardian, this includes the creation of what are known as enhanced security initiatives;
• for example, system management should employ cybersecurity controls to stay in compliance with their incident mitigation plan, such as continued monitoring, administrator privileges, intruder detection alerts, and data and malware protection.
Different Phases of Investigation
Forensic Readiness

• In the current situation, protecting vital IT assets from varied cyber security attacks by means of various technical and security procedures is not sufficient.
• Organizations need to be prepared to thwart the evolving cyber security threats.
• Forensic readiness helps organizations to enhance their cyber security posture, reduce the impact caused by security incidents, and help security professionals demonstrate that efficient and effective security measures have been taken to protect vital IT assets.
Forensic Readiness

• Forensic readiness refers to an organization’s ability to make the best use of digital evidence in a limited period of time and with minimal investigation costs.
• It includes technical and nontechnical actions that maximize an organization’s capability to use digital evidence.
Forensic Readiness

• Forensic readiness includes the establishment of specific incident response procedures and designated trained personnel to handle those procedures in case of a breach.
• It enables an organization to collect and preserve digital evidence quickly and efficiently with minimal investigation costs.
Forensic Readiness

• Such a state of readiness, together with an enforceable security policy, helps the organization mitigate the risk of threats from employees and prepare preventative measures.
• A forensically trained and well-prepared incident response team ensures a correct reaction to any mishap and the ability to handle evidence according to proper legal procedure for possible use in a court of law.
Forensic Readiness

• An organization needs access to the actual digital evidence to support a proper forensic investigation process.
• The forensic readiness approach consists of those technical and nontechnical actions that maximize an organization’s capability to use digital evidence.
• The main focus of forensic readiness is to support the organization’s need to use digital evidence.
Forensic Readiness Planning

The following steps describe the key activities in forensic readiness planning:

1. Identify the potential evidence required for an incident
2. Determine the source of the evidence
3. Establish a policy for securely handling and storing the collected evidence
4. Identify if the incident requires full or formal investigation
5. Train the staff to handle the incident and preserve the evidence
6. Create a special method for documenting the procedure
7. Establish a legal board to guide the investigation process
8. Forensic Readiness Procedures: Forensic Policy
1. Identify the potential evidence required for an incident

• Define the purpose of evidence collection, gather information to determine the evidence sources that may help deal with the crime, and design the best methods of collection.
• Produce an evidence requirement statement jointly with the people responsible for managing the business risk and those running and monitoring the information systems.
• Possible evidence files include IT audit and device logs, network logs, and system data.
2. Determine the source of the evidence

• Forensic readiness should include knowledge of all the sources of potential evidence present.
• Determine what currently happens to the potential evidence data and its impact on the business while retrieving the information.
3. Establish a policy for securely handling and storing the collected evidence

• Secure the collected evidence in such a manner that it is available for retrieval whenever needed in the future.
• Define a policy for the safe storage and management of potential evidence, as well as security measures to protect the authenticity of the data and the integrity of the evidence whenever somebody tries to access, use, move, or store further digital information.
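Step 3 asks for measures that protect the authenticity and integrity of stored evidence whenever it is accessed, used, moved or stored. The Python block below is an added example (not from the lecture slides) of one way to do that: a SHA-256 manifest taken at collection time plus a hash-chained chain-of-custody log, so later verification flags both altered evidence and edited custody records. The file names, custodian names and log contents are constructed for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timezone

SAMPLE_EVIDENCE = {  # constructed stand-in for log files collected from a host
    "auth.log": b"Jan 10 02:14:07 host sshd[4122]: Failed password for admin from 198.51.100.23\n",
    "fw.log": b"2024-01-10T02:14:09Z DENY tcp 198.51.100.23:51544 -> 10.0.0.5:22\n",
}
GENESIS = "0" * 64  # previous-hash value used for the first custody entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _entry_hash(entry: dict, prev_hash: str) -> str:
    # Hash the entry's fields together with the previous entry's hash, so an
    # earlier entry cannot be altered or removed without the chain failing to verify.
    fields = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(fields, sort_keys=True).encode() + prev_hash.encode())

def record_custody(manifest: dict, actor: str, action: str, when: datetime = None) -> None:
    """Append a tamper-evident chain-of-custody entry: who did what to the evidence, and when."""
    chain = manifest["custody"]
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    when = when or datetime.now(timezone.utc)
    entry = {"time": when.isoformat(), "actor": actor, "action": action}
    entry["entry_hash"] = _entry_hash(entry, prev)
    chain.append(entry)

def create_manifest(items: dict, collector: str, when: datetime = None) -> dict:
    """Record a SHA-256 digest and size for every item at acquisition time."""
    manifest = {"items": {}, "custody": []}
    for name, data in items.items():
        manifest["items"][name] = {"sha256": sha256_hex(data), "size": len(data)}
    record_custody(manifest, collector, "collected", when)
    return manifest

def verify_manifest(manifest: dict, items: dict) -> list:
    """Return integrity problems found; an empty list means evidence and custody log are intact."""
    problems = []
    for name, meta in manifest["items"].items():
        if name not in items:
            problems.append(f"missing: {name}")
        elif sha256_hex(items[name]) != meta["sha256"]:
            problems.append(f"hash mismatch: {name}")
    prev = GENESIS
    for i, entry in enumerate(manifest["custody"]):
        if entry.get("entry_hash") != _entry_hash(entry, prev):
            problems.append(f"custody chain broken at entry {i}")
        prev = entry.get("entry_hash", "")
    return problems
```

Re-running `verify_manifest` each time the evidence is accessed, moved or handed over is what makes the stored policy enforceable rather than aspirational.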
4. Identify if the incident requires full or formal investigation

• Incidents are of different types.
• Assess the event and evaluate it to see whether it requires a full or formal investigation or may be disregarded based on its impact on the business.
• Escalate an incident only if it has a major impact on business continuity.
5. Train the staff to handle the incident and
preserve the proof

• Incident management needs a strong and well-qualified workforce, thus ensure that the staff has obtained the appropriate training required for fulfilling their roles.
• It is also necessary to ensure that staff members are competent to perform any role related to the handling and preservation of evidence.
6. Create a special method for documenting
the procedure

• A special method of documenting is critical to answer certain questions as well as to support the answers it provides.
• Documenting the complete process will help recheck the process if it yields false results and provide a backup for future reference.
• It will also help present the evidence in a court of law.
7. Establish a legal board to guide the
investigation process

• All investigation processes should have a legal stance, and the organization should seek legal advice before taking any action on the incident.
• This is because some incidents might damage the company’s reputation.
• Form a legal board consisting of experienced personnel who understand the company’s stance and can offer sound advice on the strength of the case and recommend any action.
8. Forensic Readiness Procedures: Forensic
Policy

• Forensic policy is a set of procedures describing the actions an organization must take to preserve and extract forensic evidence during an incident.
• Organizations must create a forensics policy and implement it for the incident responders to follow.
• In organizations, the Chief Information Security Officer (CISO) will be responsible for setting proper guidelines in association with other security and audit personnel.
Forensic Readiness and Business Continuity

• Incidents can impact and damage web servers, applications, systems, accounts, and networks crucial for providing services to clients and customers, thus disrupting the business.
• Forensic readiness helps maintain business continuity by allowing fast and straightforward identification of the affected components and replacing them to continue the services and business.
• It consists of technical and nontechnical actions that maximize an organization’s capability to use digital evidence.
Forensic Readiness and Business Continuity

Forensic readiness enables businesses to:

• Quickly determine the incidents
• Understand relevant information
• Collect legally sound evidence and analyse it to identify attackers
• Minimize the required resources
• Eliminate the threat of repeated incidents
• Quickly recover from damage with less downtime
• Gather evidence needed to claim insurance
• Legally prosecute the perpetrators and claim damages
Forensic Readiness and Business Continuity

Lack of forensic readiness causes:

• Loss of clients by damaging the organization’s reputation
• System downtime
• Data manipulation, deletion, and theft
• Inability to gather legally sound evidence
