Cyber Security Incident Response Explained | Preparation Phase | TryHackMe Preparation

Motasem Hamdan
3 min read · Jul 20, 2024


We covered an introduction to incident response in cyber security, including the phases starting with preparation and identification, then moving on to containment and eradication, and ending with recovery and lessons learned. We focused on the preparation phase, which includes preparing the required tools and technology, creating the incident response team, conducting security assessments, and training people and users in security awareness. We solved the TryHackMe Preparation room for a practical demonstration.

Definition of Incident Response in Cyber Security

Incident response, also known as incident handling, is a cyber security function that uses various methodologies, tools and techniques to detect and manage adversarial attacks while minimising impact, recovery time and total operating costs. Addressing attacks requires containing malware infections, identifying and remediating vulnerabilities, as well as sourcing, managing, and deploying technical and non-technical personnel.

Definition of Incident Response Plan (IRP)

An incident response plan (IRP) is a document that outlines the steps an organisation will take to respond to an incident. The IRP should be the organisation’s Swiss Army knife, comprehensively covering all aspects of the incident response process, roles and responsibilities, communication channels between stakeholders, and metrics to capture the effectiveness of the IR process.

Event vs Incident

  • Event: This is an observed occurrence within a system or network. Examples range from a user connecting to a file server or sending emails to anti-malware software blocking an infection.
  • Incident: This is a violation of security policies or practices by an adversary intended to negatively affect the organisation through actions such as exfiltrating data, encrypting data with ransomware, or causing a denial of service.

The Cyber Security Incident Response Phases

  • Preparation: Ensures that the organisation can effectively react to a breach with laid down procedures.
  • Identification: Operational deviations must be noted and assessed to determine whether they cause adverse effects.
  • Analysis or Scoping: The organisation determines the extent of a security incident, including identifying the affected systems, the type of data at risk, and the potential impact on the organisation.
  • Containment: Damage limitation is paramount; therefore, affected systems must be isolated and forensic evidence preserved.
  • Eradication: Adversarial artefacts and techniques will be removed, restoring affected systems.
  • Recovery & Lessons Learned: Business operations are to resume fully after removing all threats and restoring systems to full function. Additionally, the organisation considers the experience, updates its response capabilities, and conducts updated training based on the incident.

Preparing Incident Response Tools

To conduct any investigations during an attack or breach, incident responders must ensure they can validate executing scripts and installers on all endpoints and hosts within their network and implement technical capabilities to facilitate attack containment, analysis, and replication. There should be means of collecting forensic evidence using disk and memory imaging tools, secure storage only accessible to the CSIRT, and analysis tools such as sandboxes. Accompanying these efforts should be an incident-handling jump bag. This bag contains all the necessary tools for incident response. Each kit will be unique; however, as an incident responder, the following items are worth having in your arsenal:

  • Media drives to store evidence being collected.
  • Disk imaging and host forensic software such as FTK Imager, EnCase, and The Sleuth Kit.
  • Network tap to mirror and monitor traffic.
  • Cables and adapters such as USB, SATA, and card readers to accommodate common scenarios.
  • PC repair kits that include screwdriver sets and tweezers.
  • Copies of incident response forms and communication playbooks.
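The paragraph above calls for a means of collecting forensic evidence and storing it securely, but the value of a disk or memory image depends on being able to prove later that it was not altered. The following is an added example (not code from the article or from TryHackMe) of a small evidence-manifest tool a responder might keep in the jump bag: it hashes every collected file with SHA-256, records chain-of-custody metadata (case id, collector, collecting host, UTC timestamp), and re-verifies the collection afterwards. The case id, collector name and the two fake image files are constructed placeholders.

```python
"""Evidence manifest with integrity re-verification (added example).

Assumptions, not from the article: collected evidence sits in one
directory; each file is hashed with SHA-256 and written into a manifest
alongside custody metadata; a later verify step reports any file that
went missing or changed after collection.
"""
import hashlib
import os
import socket
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large disk or memory images do not exhaust RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector, case_id):
    """Record every file under evidence_dir with its size, hash and custody metadata."""
    items = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):  # sorted so the manifest order is deterministic
            path = os.path.join(root, name)
            items.append({
                "relative_path": os.path.relpath(path, evidence_dir),
                "size_bytes": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "case_id": case_id,
        "collector": collector,
        "collection_host": socket.gethostname(),
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash every recorded item; return (relative_path, problem) for each failure."""
    problems = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["relative_path"])
        if not os.path.exists(path):
            problems.append((item["relative_path"], "missing"))
        elif sha256_file(path) != item["sha256"]:
            problems.append((item["relative_path"], "hash mismatch"))
    return problems


def demo():
    """Constructed scenario: two fake evidence files, one modified after collection.

    Returns (number of items recorded, problems before tampering, problems after).
    """
    with tempfile.TemporaryDirectory() as evidence_dir:
        with open(os.path.join(evidence_dir, "memory.raw"), "wb") as fh:
            fh.write(b"\x00" * 4096)  # stands in for a memory image (constructed)
        with open(os.path.join(evidence_dir, "disk.E01"), "wb") as fh:
            fh.write(b"constructed disk image bytes")  # constructed placeholder content

        # Placeholder case id and collector name; a real kit would take these from the IR form.
        manifest = build_manifest(evidence_dir, "responder-1 (placeholder)", "CASE-0000 (placeholder)")
        clean = verify_manifest(evidence_dir, manifest)

        # Simulate an accidental post-collection write to one image.
        with open(os.path.join(evidence_dir, "disk.E01"), "ab") as fh:
            fh.write(b"!")
        tampered = verify_manifest(evidence_dir, manifest)
        return len(manifest["items"]), clean, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself should be stored in the CSIRT-only storage the paragraph describes, separately from the evidence, so that a change to an image cannot be hidden by rewriting its recorded hash.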

Room Answers | TryHackMe Preparation

Room answers can be found here.

Video Walkthrough | TryHackMe Preparation




Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
