Incident Response: Computer Security Lectures 2014/15 S1

This video is part of the computer/information/cyber security and ethical hacking lecture series; by Z. Cliffe Schreuders at Leeds Beckett University. Laboratory work sheets, slides, and other open educational resources are available at http://z.cliffe.schreuders.org.

The slides themselves are creative commons licensed CC-BY-SA, and images used are licensed as individually attributed.

Topics covered in this lecture include:
Defining a security incident
When security incidents occur, there should be processes in place to detect the incident, and to assess and react to it
There should be a team (or at least someone) that is prepared to deal with incidents
Incident Response Teams (IRT, CIRT, CERT, ERT)
IRT success
Real teams
Virtual teams, advantages and disadvantages
Procedures
How incidents are classified, triaged, and handled
Response strategy (as determined during risk management)
Procedures should be methodical, and well documented
A formal incident methodology such as the “PDCERF incident response methodology” can be used or adapted
PDCERF steps are: preparation, detection, containment, eradication, recovery, and follow-up
Detection
There should be monitoring procedures to detect common threats
IDS, integrity management, log monitoring, general system administration monitoring
Reports may be submitted by various people in the organisation: for example, a staff member’s computer is “behaving strangely”
Incoming reports
Handling incidents and information
Initial response
Managing expectations
Ticketing
Law enforcement
Understanding the incident – investigations help to understand the incident beyond the original report
Logs, live system analysis, IDS, and so on
Reacting
The reaction should be decided, based on:
Available options
Policies, such as risk management plans
Decisions by people with authority (managers)
Then the system may be isolated or defended: firewalls, routing, sandboxing, disconnection, or shutdown
Resolution
Further data collection and investigation
Restore systems: from backups or images, remove vulnerabilities and malware, etc.
Prevent future events
After an incident
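As an added illustration of the detection and triage topics above (integrity management feeding an incoming report), the following is example code written for this page, not material from the lecture: it builds a SHA-256 baseline of a file tree, classifies later differences, and assigns a triage severity. The sensitive-path policy (`SENSITIVE_PREFIXES`) and the sample tree are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def build_baseline(root: str) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Classify integrity differences into added / removed / modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

# Hypothetical policy: changes under these prefixes are triaged as high severity.
SENSITIVE_PREFIXES = ("etc/", "bin/")

def triage(changes: dict) -> str:
    """Assign a severity used to prioritise the incoming report for handling."""
    touched = changes["added"] + changes["removed"] + changes["modified"]
    if not touched:
        return "none"
    if any(p.startswith(SENSITIVE_PREFIXES) for p in touched):
        return "high"
    return "low"

def demo() -> tuple:
    """Constructed sample: baseline a tiny tree, then alter it and detect the changes."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "etc").mkdir()
        (Path(root) / "etc" / "passwd").write_text("root:x:0:0\n")
        (Path(root) / "notes.txt").write_text("hello\n")
        before = build_baseline(root)
        # Simulated changes: a sensitive file edited, one file removed, one added.
        (Path(root) / "etc" / "passwd").write_text("root:x:0:0\nextra:x:1000:1000\n")
        (Path(root) / "notes.txt").unlink()
        (Path(root) / "new.txt").write_text("x\n")
        changes = compare(before, build_baseline(root))
        return changes, triage(changes)

if __name__ == "__main__":
    print(demo())
```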
