Incident Response Plan - Paiet/Tech-Journal-for-Everything GitHub Wiki

  • Incident response plan
    • Phases
      • Preparation
        • Create a forensics kit
      • Detection & Analysis
        • Security Event Indicators (NIST 800-61 p.36)
          • Alerts
            • IDS/IPS, AV, 3rd-Party Monitoring
          • Logs
            • OS/service/application generated
          • Public Info
            • CVEs, exploit-db, securityfocus.com
          • People
            • See something, say something
        • Create baselines and profiles of the network
        • Know how your network normally operates/behaves
        • Defined policy for logging events
          • What should be logged
          • Where should the logs be stored
        • Employ event management system
          • SIEM
        • Perform clock synchronization
          • NTP
          • Accurate, consistent timestamps are essential for correlating logs across systems
        • Keep an up-to-date knowledge-base about the system
          • Make it readily available to anyone that may need it
          • Should include
            • System profiles
            • Patterns of use
            • Anything that may help a CSIRT who is NOT familiar with the network
        • Capture network traffic IMMEDIATELY if incident is suspected
        • Filtering information
          • Organize needed data
          • Exclude unnecessary data
        • Get HELP when necessary
      • Containment & Recovery
        • Employ appropriate containment strategy
        • Gather evidence
        • Identify attacker(s) or attacking system(s)
        • Eliminate and Remediate attack and its effects
          • Get back to normal business
      • Post-Incident Activity
        • Lessons Learned
          • What happened and how can we prevent future incidents
            • Specifically what happened
            • What time did it happen
            • Was procedure followed
              • Was procedure inadequate
            • Any missteps that inhibited or were detrimental to recovery
            • Anything that could have been done differently/better
            • What can be corrected/implemented to stop similar events in the future
            • Any good indicators that could be used to detect similar attacks in the future
            • Any tools or resources needed that we could have used to prevent or stop similar attacks in the future
        • Evidence Retention
          • Identify internal and external evidence retention requirements
          • Consult legal before discarding any evidence
          • Follow standing retention policy
            • If you don't have one, make one now
            • A 2-year retention period is common
    • Develop an Incident Playbook
      • Sets of defined procedures for incident handling
        • Playbook for each type of incident
          • Data breach of customer PII
          • Physical loss/theft of mobile device
          • General undefined incident
        • Sample Playbook
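Added example (not part of this wiki) illustrating the clock synchronization and log collection points under Detection & Analysis: it normalises web-server and firewall log lines to UTC, subtracts a measured per-host clock offset, and builds a single timeline, showing that without the correction the two sources' events do not line up. The log lines, host names and the 90-second skew are constructed values.

```python
"""Correlate log lines from hosts whose clocks differ by normalising every
timestamp to UTC and subtracting a measured per-host offset. Sample data
below is constructed for the example."""
from datetime import datetime, timedelta, timezone
import re

# Constructed sample events: a web server logging in local time (UTC-5)
# and a firewall logging in UTC whose clock was found to run 90 s fast.
WEB_LOG = [
    '10.0.0.5 - - [14/Mar/2024:09:15:02 -0500] "GET /login HTTP/1.1" 200',
    '10.0.0.5 - - [14/Mar/2024:09:15:40 -0500] "POST /admin HTTP/1.1" 302',
]
FW_LOG = [
    "2024-03-14T14:16:35Z DENY src=10.0.0.5 dst=203.0.113.9 dport=4444",
    "2024-03-14T14:17:10Z DENY src=10.0.0.5 dst=203.0.113.9 dport=4444",
]
# Offsets measured against the NTP reference (host clock minus true time).
CLOCK_SKEW = {"web": timedelta(0), "fw": timedelta(seconds=90)}

APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def parse_web(line):
    """Apache-style timestamp with explicit zone -> aware UTC datetime."""
    raw = APACHE_TS.search(line).group(1)
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)

def parse_fw(line):
    """ISO-8601 'Z' timestamp -> aware UTC datetime."""
    raw = line.split(" ", 1)[0]
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_timeline(web_lines=WEB_LOG, fw_lines=FW_LOG, skew=CLOCK_SKEW, correct=True):
    """Return (true_utc_time, source, line) tuples sorted by corrected time.
    With correct=False the raw timestamps are used, as an unsynchronised
    collector would see them."""
    fix = (lambda src: skew[src]) if correct else (lambda src: timedelta(0))
    events = [(parse_web(l) - fix("web"), "web", l) for l in web_lines]
    events += [(parse_fw(l) - fix("fw"), "fw", l) for l in fw_lines]
    return sorted(events, key=lambda e: e[0])

def events_within(timeline, seconds):
    """Pairs of events from different sources that fall within `seconds`
    of each other; this is the cross-source correlation skew breaks."""
    window = timedelta(seconds=seconds)
    return [(a[2], b[2]) for i, a in enumerate(timeline) for b in timeline[i + 1:]
            if a[1] != b[1] and b[0] - a[0] <= window]

if __name__ == "__main__":
    for t, src, line in build_timeline():
        print(t.isoformat(), src, line)
```

With the skew corrected, each firewall DENY lands within seconds of the matching web-server request; with raw timestamps the same events appear more than a minute apart.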