Managing Security Incident Response Strategies

Nov 16, 2024

Lecture Notes: Handling Security Incidents

Introduction

  • Handling security incidents is a core responsibility of security administrators.
  • Various types of security incidents:
    • Malware from email attachments.
    • Distributed Denial of Service (DDoS) attacks.
    • Data exfiltration and ransom threats.
    • Unauthorized network access due to user-installed software.

Managing Security Incidents

  • Reference: National Institute of Standards and Technology's "Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide".
  • Lifecycle of incident handling:
    • Preparation
    • Detection and Analysis
    • Containment, Eradication, and Recovery
    • Post-Incident Activities

Preparation for Incidents

  • Plan before incidents occur:
    • Maintain a contact list for incident communication.
    • Have an "incident go bag" with necessary hardware and software.
    • Keep reference resources to hand: server documentation, network diagrams, security baselines, and hashes of known good files.
    • Mitigation tools such as known good operating system images.
    • Establish policies and procedures for incident handling.

Detecting Security Incidents

  • Recognizing a genuine incident is hard because internet-facing systems are attacked constantly; the real event must be picked out of that background noise.
  • Logs are essential for tracing how an attack on the network unfolded.
  • Keep a calendar of scheduled patch releases (e.g., Microsoft updates) so expected changes are not mistaken for incidents.
  • Alerts from intrusion prevention systems and antivirus reports.
  • Monitor network traffic for unusual activities indicating data exfiltration.
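
The file hashes gathered during preparation are only useful if they are actually compared against the live system during detection. The following is an added example, not code from the lecture: it builds a hash baseline of a directory tree, then re-hashes the tree and reports modified, added, and deleted files. The directory layout, file contents, and the `demo()` scenario are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (by relative path) to its hash: the 'known good' record."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root, baseline):
    """Re-hash the tree and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "deleted": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: baseline a small tree, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)  # taken during preparation

        # Simulated incident: a binary replaced, an unexpected file added, a config removed.
        (root / "bin" / "sshd").write_bytes(b"replaced sshd binary")
        (root / "bin" / "unexpected").write_bytes(b"file not in the baseline")
        (root / "etc" / "passwd").unlink()
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline should be stored off the monitored host, since an attacker who can alter the files can also alter a baseline kept beside them.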

Response to Security Attacks

  • Immediate action to stop attacks when detected.
  • Sandbox testing for suspicious software.
    • Sandbox allows running applications in a controlled environment.
    • Some malware may detect sandboxes and self-delete.

Recovery Process

  • Replace compromised software with known good software.
  • Disable breached user accounts.
  • Fix vulnerabilities exploited by attackers.
  • Use backups or original installation media to restore systems.

Post-Incident Analysis

  • Conduct post-incident meetings for:
    • Incident timeline review.
    • Evaluation of incident response effectiveness.
    • Identifying missed indicators for future monitoring improvements.
    • Integrating findings into future incident planning.

Importance of Preparation and Training

  • Extensive documentation and testing required before incidents.
  • Incident response plans should cover initial response, investigation, and reporting.
  • Training and planning can be costly but are crucial to manage big incidents effectively.