We covered an introduction to incident response in cyber security, including the phases starting with preparation and identification, then moving on to containment and eradication, and ending with recovery & lessons learned. We focused on the preparation phase, which includes preparing the required tools and technology, creating the incident response team, conducting security assessments, and training people and users on security awareness. We solved the TryHackMe Preparation room for a practical demonstration.


Definition of Incident Response in Cyber Security

Incident response, also known as incident handling, is a cyber security function that uses various methodologies, tools and techniques to detect and manage adversarial attacks while minimising impact, recovery time and total operating costs. Addressing attacks requires containing malware infections, identifying and remediating vulnerabilities, as well as sourcing, managing, and deploying technical and non-technical personnel.

Definition of Incident Response Plan (IRP)

An incident response plan (IRP) is a document that outlines the steps an organisation will take to respond to an incident. The IRP should be the organisation’s Swiss Army knife, comprehensively covering all aspects of the incident response process, roles and responsibilities, communication channels between stakeholders, and metrics to capture the effectiveness of the IR process.

Event vs Incident

  • Event: This is an observed occurrence within a system or network. Examples range from a user connecting to a file server or sending emails to anti-malware software blocking an infection.
  • Incident: This is a violation of security policies or practices by an adversary to negatively affect the organisation through actions such as exfiltrating data, encrypting through ransomware, or causing a denial of services.

The Cyber Security Incident Response Phases

  • Preparation: Ensures that the organisation can effectively react to a breach with laid down procedures.
  • Identification: Deviations from normal operation must be noted and assessed to determine whether they cause adverse effects.
  • Analysis or Scoping: The organisation determines the extent of a security incident, including identifying the affected systems, the type of data at risk, and the potential impact on the organisation.
  • Containment: Damage limitation is paramount, therefore, isolating affected systems and preserving forensic evidence is required.
  • Eradication: Adversarial artefacts and techniques will be removed, restoring affected systems.
  • Recovery & Lessons Learned: Business operations are to resume fully after removing all threats and restoring systems to full function. Additionally, the organisation considers the experience, updates its response capabilities, and conducts updated training based on the incident.

Preparing Incident Response Tools

To conduct any investigations during an attack or breach, incident responders must ensure they can validate executing scripts and installers on all endpoints and hosts within their network and implement technical capabilities to facilitate attack containment, analysis, and replication. There should be means of collecting forensic evidence using disk and memory imaging tools, secure storage only accessible to the CSIRT, and analysis tools such as sandboxes. Accompanying these efforts should be an incident-handling jump bag. This bag contains all the necessary tools for incident response. Each kit will be unique; however, as an incident responder, the following items are worth having in your arsenal:

  • Media drives to store evidence being collected.
  • Disk imaging and host forensic software such as FTK Imager, EnCase, and The Sleuth Kit.
  • Network tap to mirror and monitor traffic.
  • Cables and adapters such as USB, SATA, and card readers to accommodate common scenarios.
  • PC repair kits that include screwdriver sets and tweezers.
  • Copies of incident response forms and communication playbooks.
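Preparation also means deciding in advance how collected evidence will be hashed, documented and handed over between responders. The following is an added example, not part of the original post or the TryHackMe room: it builds a minimal chain-of-custody record for an acquired image (a constructed stand-in file; the case id, names and field layout are assumptions) and shows the integrity check failing once the item is modified after collection.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    # Stream the file so multi-gigabyte disk/memory images never have to fit in RAM.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(path: Path, case_id: str, collector: str, description: str) -> dict:
    # Record hash, size and the first custodian at acquisition time.
    return {
        "case_id": case_id,
        "item": path.name,
        "description": description,
        "sha256": sha256_file(path),
        "size_bytes": path.stat().st_size,
        "custody": [{"action": "collected", "by": collector,
                     "at": datetime.now(timezone.utc).isoformat()}],
    }


def transfer(record: dict, from_person: str, to_person: str, reason: str) -> dict:
    # The custody log is append-only: every hand-over adds an entry, none is rewritten.
    record["custody"].append({"action": "transferred", "from": from_person, "to": to_person,
                              "reason": reason, "at": datetime.now(timezone.utc).isoformat()})
    return record


def verify(record: dict, path: Path) -> bool:
    # Re-hash the item; a mismatch means the evidence can no longer be relied on.
    return sha256_file(path) == record["sha256"]


def run_demo() -> dict:
    # Constructed walk-through: acquire, hand over, verify, then detect tampering.
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "host01_mem.raw"  # constructed stand-in for a memory image
        image.write_bytes(b"constructed memory image contents\n" * 100)
        rec = collect(image, "IR-0001", "responder_a", "Memory image of host01")  # assumed ids
        transfer(rec, "responder_a", "analyst_b", "handed to analysis lab")
        intact = verify(rec, image)
        image.write_bytes(b"tampered")  # simulate modification after collection
        manifest = json.dumps(rec, indent=2)  # this JSON accompanies the item in secure storage
        return {"intact": intact, "tampered_detected": not verify(rec, image),
                "custody_entries": len(rec["custody"]), "manifest_ok": '"sha256"' in manifest}
```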

Room Answers | TryHackMe Preparation

What is an observed occurrence within a system?

Event

What is described as a violation of security policies and practices?

Incident

Under which incident response phase do organisations lay down their procedures?

Preparation

Under which phase will an organisation resume business operations fully and update its response capabilities?

Recovery & Lessons Learned

A group that handles events involving cyber security breaches, comprising individuals with different skills and expertise, is known as?

cyber security incident response team

Which documents would be used to accompany any evidence collected and keep track of who handles the investigation procedures?

chain of custody documents

What would a kit containing the necessary incident-handling tools be called?

Jump bag

What is the Event ID for the File Created rule associated with the test?

11

Under the Software Restriction Policies, what is the default security level assigned to all policies?

Unrestricted

Find the Audit Policy folder under Local Policies. What setting has been assigned to the policy Audit logon events?

Failure


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
