Professional Documents
Culture Documents
Cyber Incident Response Playbook
Cyber Incident Response Playbook
Response PLAYBOOK
The purpose of the Cyber
Incident Response Playbook (IT)
is to define activities that should
be considered when detecting,
analysing and remediating Cyber
cyber incidents. Incident
Response
Containment
Cycle Eradication & Post-incident
The playbook also identifies the Preparation Detection
& Analysis Recovery Activity
Containment
Preparation Detection Eradication & Post-incident
& Analysis Recovery Activity
Security Level 1:
Affected more than 50% of the IT system
Security Level 2:
2 E
At least 1 business function/operation
L
Within 4 hours Deputy GM/CIO affected
P
Material financial impact
AM Security Level 3:
3 X
Minor system failure has occured
E
Service Degradation has occured
Within 6 hours Deputy GM/CIO
Security Level 4:
Suspicious security issues detected by SIEM
Severity
1-3
Classify 1 Hour
Alert CISO Severity
Severity
1 Hour 1-4 Analyse
Inform Business
Assessment
Owner, CIO, CEO
Daily Update at 6 PM
Escalate Severity
Inform Business Owner, CIO,
CEO
Containment
Remediation
Response Action
Closed
How do you HANDLE Infections can be devastating to an
RANSOMWARE/CRYPTOLOCKER? individual or organization.
Internal
Draft the post- Incident reporting and communication to
incident report lesson learnt educate end users for End
ransomware attacks
How do you HANDLE Organizations should have a robust
MALWARE INFECTION? incident response process capability
that addresses malware incident
handling.
Investigate
ransomware in the Verify all infected
Engage IT Technical Scope of the
secure/standalone Identify the impact asset are in process
Team attack/infection
environment being quarantine
Internal
Draft the post- Incident reporting and communication to
incident report lesson learnt educate end users for End
malware
How do you HANDLE There are several human and
PHISHING ATTACK? technological factors that companies
should consider to avoid falling
victim to phishing attacks.
It's also important to
eraperP
Investigate receiver,
Engage IT Technical Scope of the verification of sender
Team attack/infection Identify the impact
and have recipient
account compromised
Internal
Draft the post- Incident reporting and communication to
incident report lesson learnt educate end users for End
phishing attacks
How do you HANDLE The most important step to take
DATA BREACH? after a data breach is to understand
the root of the issue.
Confirm the data Scope of attack Analyze data type and quantity to determine
Engage IT Technical involved -classification of the lost / compromised data whether:
Team (Customer/ - are customer affected Privacy breach
Organization) - Legal & regulatory requirement violated financial data loss
Internal
Draft the post- Incident reporting and communication to
incident report lesson learnt educate end users for End
data breaches
How do you HANDLE Recovering from a DDoS attack is no
simple matter, but once an attack is
DoS ATTACK? over, it is important to do a thorough
inventory of your systems and data.
Many times, DDoS
attacks are used as a
eraperP
DoS attack (service (slow access to files, Collate and classify Incident reporting
inability to access the Activate SOC (CIRT) cybersecurity incident Escalate according
desk & SIEM/SOAR) according to incident
website, internet data severity (1-4)
disconnection) response
esylanA
Decide whether
Implement immediate step to Business Continuity Consider filtering Placing IP restriction on affected system
mitigate e.g request ISP to drop all Plan (BCP) plan traffic at ISP level
traffic targeting affected system should be enacted
tnedicni-tsoP
Internal
Draft the post- Incident reporting and communication to
incident report lesson learnt educate end users for End
attack
Prepared by:
Chairman of Cyber-Security Sub-Committee - Mr Leslie Yee, PIL
Vice-Chairman of Cyber Security Sub-Committee - Mr David Aw, PIL
Members Review:
Naveen Selvam, ABS Group
Duncan Ng, MSC
References:
1. NIST Cybersecurity Framework
2. BIMCO - The Guidelines on Cyber Security Onboard Ships
3. The Singapore Computer Emergency Response Team (SingCERT) - Report a Cyber-Incident to SingCERT
To report an incident, please call the SingCERT hotline at 6323 5052. Alternatively, please email SingCERT
at singcert@csa.gov.sg