Important Things to Know and Understand - secuguru/security-terms GitHub Wiki

Here’s an overview of each of these critical areas in incident management, with explanations of why each aspect is essential for effective responses and prevention.

1. Type of Alerts and Triggers

  • Why It’s Important: Different alerts indicate various stages or types of threats (e.g., unauthorized access attempts, data exfiltration). Understanding how these alerts are triggered helps identify the nature of the threat and its severity.
  • Key Knowledge: Familiarize yourself with alert types, thresholds, and how to set them based on the organization’s risk tolerance. This helps prioritize response efforts.

2. Finding the Root Cause

  • Why It’s Important: Identifying the root cause prevents recurrence by addressing the actual problem rather than just symptoms. Without root cause analysis, incidents may reoccur, wasting time and resources.
  • Key Knowledge: Train in investigative techniques and logging tools to trace the issue back to its origin (e.g., compromised credentials, configuration errors).

3. Stages of an Attack (Cyber-Kill Chain)

  • Why It’s Important: Knowing the attack stages (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives) aids in understanding where the attacker is within the system, enabling timely responses.
  • Key Knowledge: Tailor detection and response strategies to each stage to disrupt attacks earlier in the kill chain.

4. Symptom vs. Cause

  • Why It’s Important: Symptoms are visible signs (e.g., slow system performance), but causes are underlying issues (e.g., malware). Responding to symptoms alone may leave the root problem unaddressed.
  • Key Knowledge: Document common symptoms and their potential causes to help distinguish them quickly.

5. First Principles vs. In-Depth System Knowledge

  • Why Both Are Valuable: First principles thinking encourages understanding fundamental security principles, helping to solve novel problems. In-depth systems knowledge enables efficient troubleshooting within specific systems.
  • Application: Use first principles to reason through unprecedented attacks while leveraging system knowledge to quickly understand and address known issues.

6. Building a Timeline of Events

  • Why It’s Important: Timelines provide a chronological view of an incident, helping to reconstruct attacker activities and identify delays or missed detections.
  • Key Knowledge: Maintain logs, capture timestamps, and document actions taken. Use incident management tools to automate timeline tracking.

7. Assume Good Intent and Collaborative Communication

  • Why It’s Important: When working with colleagues or other departments, assuming good intent fosters cooperation and avoids blame. Misunderstandings can delay response efforts.
  • Application: Use collaborative language, and listen actively to others’ perspectives. Frame inquiries as part of learning and response improvement rather than critique.

8. Prevent Future Incidents with Root Cause Analysis

  • Why It’s Important: Preventative measures save time, resources, and reduce organizational risk. Learning from each incident strengthens overall defenses.
  • Implementation: Use the Lessons Learned stage to create actionable follow-ups, such as patching vulnerabilities, updating configurations, or training staff.

9. Response Models

  • SANS PICERL Model:
    • Preparation: Develop response playbooks, train teams, and establish clear protocols.
    • Identification: Detect, validate, and assess incidents.
    • Containment: Limit the attacker’s access without causing further harm.
    • Eradication: Remove the attacker from the environment.
    • Recovery: Restore normal operations securely.
    • Lessons Learned: Review the response, document findings, and adjust protocols.
  • Google’s IMAG (Incident Management at Google):
    • Focuses on: Speed, scalability, and post-incident documentation. IMAG emphasizes rapid response, clear communication, and robust post-mortem analysis to learn from every incident.
  • Why Response Models Matter: Both models provide structure and ensure a systematic approach, reducing oversights and enabling continuous improvement.

Understanding these concepts equips incident responders to handle incidents methodically, reducing risks and creating a proactive security posture for the organization.