Cybersecurity Training - NIST CSF Function: Respond

CREDITS: The following notes are from a lecture originally created by Schweitzer Engineering Laboratories. This is all for study purposes only. THESE WERE PUBLISHED WITH PERMISSION AS WELL.

Start at https://blog.spacehey.com/entry?id=683550 before entering. This is the last blog of my Cybersecurity training logs!

Response Planning

Subcategories

RS.RP-1: Response plan is executed during or after an incident.

Definitions

Incident Response Plan: The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of a malicious cyber attack against an organization's information systems.

NIST Incident Response Cycle (NIST SP 800-61)
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
Benefits of Incident Response
Systematic approach
Minimized disruption
Minimized loss or theft
Reduced Chaos
Lessons learned
Legal issues reduced.

Incident handling
Implement an incident handling capability that is consistent with the incident response plan
Coordinate incident handling activities with contingency planning activities.
Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing.

OT Incident Response
The OT environment differs significantly from enterprise IT environments in its:
Protocols
Applications
Cyber-physical systems
A separate IR plan is necessary to adequately respond to OT incidents.
Where OT and IT are blended, clear communication paths and a clear delineation of response activities are vital to a successful response


Communications

Subcategories
RS.CO-1: Personnel know their roles and order of operations when a response is needed.
RS.CO-2: Incidents are reported consistent with established criteria.
RS.CO-4: Coordination with stakeholders occurs consistent with response plans.
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.

Incident Response Personnel
Key incident response roles may include
Director of incident response
Technical Lead for Incident Response
Evidence Handler for Incident Response
System Owners
Subject Matter Experts (IT and OT)
Additional IR personnel roles can be defined as needed.

Communication is Key
Incident response reporting can be specific to the environment
IT: Enterprise PC Help Desk
OT: SCADA Control Center
Communication paths need to be clearly defined and captured in policy
Stakeholders are both internal and external:
IED (intelligent electronic device) vendors, law enforcement agencies, cooperative members, etc.


Analysis

Subcategories
RS.AN-1: Notifications from detection systems are investigated.
RS.AN-2: The impact of the incident is understood.
RS.AN-3: Forensics are performed.
RS.AN-4: Incidents are categorized consistent with response plans.
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers).

Incident Analysis
Investigate all incident sources:
Reports received through the defined channels
Published vulnerability reports and bulletins
Determine whether an "event" is actually a "security/cybersecurity incident"
Detection accuracy
Following incident resolution, use the analyzed data to improve the next incident analysis.

Incident Severity
The scope of the incident must be determined to inform the response
System owners should be consulted to understand the incident's impact
Severity of the incident should be assessed based on that scoping
In OT, focus on safety risk

Incident Prioritization
Critical decision point.
Limited resources
Leverage assigned severity and the following criteria to determine priority:
Functional impact
Information impact
Recoverability
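The prioritization step above is a decision that is easy to describe and easy to get inconsistent when several incidents are open at once. The following is an added example (not code from the SEL lecture) of a small triage queue that orders incidents by the assigned severity and the three NIST SP 800-61 factors (functional impact, information impact, recoverability), and lets an OT incident with a safety risk jump the queue, as the "OT focus on safety risk" note suggests. The numeric weights, the "critical" severity level and the sample incidents are assumptions made here, not part of the lecture.

```python
"""Incident triage queue: severity + NIST SP 800-61 prioritization factors.

Added illustrative example, not code from the SEL lecture. Weights, the
"critical" severity level and the sample incidents are assumptions.
"""
from dataclasses import dataclass

# Category names follow NIST SP 800-61 rev. 2; the numeric weights are assumptions.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
FUNCTIONAL_IMPACT = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION_IMPACT = {"none": 0, "privacy breach": 2, "proprietary breach": 2, "integrity loss": 3}
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2, "not recoverable": 3}


@dataclass(frozen=True)
class Incident:
    ident: str
    severity: str               # assigned during scoping with the system owner
    functional: str             # effect on the business or process function
    information: str            # effect on confidentiality/integrity of information
    recoverability: str         # effort needed to recover
    ot_safety_risk: bool = False  # OT incident with a safety impact


def priority_score(inc: Incident) -> int:
    """Composite score; higher means handle sooner. Unknown category values
    are rejected instead of being silently scored as zero."""
    tables = (
        (SEVERITY, inc.severity, "severity"),
        (FUNCTIONAL_IMPACT, inc.functional, "functional impact"),
        (INFORMATION_IMPACT, inc.information, "information impact"),
        (RECOVERABILITY, inc.recoverability, "recoverability"),
    )
    for table, value, label in tables:
        if value not in table:
            raise ValueError(f"{inc.ident}: unknown {label} {value!r}")
    return (3 * SEVERITY[inc.severity]
            + 2 * FUNCTIONAL_IMPACT[inc.functional]
            + INFORMATION_IMPACT[inc.information]
            + RECOVERABILITY[inc.recoverability])


def triage(incidents) -> list:
    """Return incident IDs in handling order: safety-impacting OT incidents
    first, then descending score, then ID so the order is deterministic."""
    ordered = sorted(
        incidents,
        key=lambda i: (not i.ot_safety_risk, -priority_score(i), i.ident),
    )
    return [i.ident for i in ordered]


# Constructed sample queue (not real incidents).
SAMPLE_QUEUE = [
    Incident("INC-101", "medium", "low", "privacy breach", "regular"),      # phishing, one mailbox
    Incident("INC-102", "high", "high", "integrity loss", "extended"),      # ransomware on file server
    Incident("INC-103", "medium", "medium", "none", "supplemented", True),  # malware on a SCADA HMI
    Incident("INC-104", "low", "none", "none", "regular"),                  # external port scan
]

if __name__ == "__main__":
    for inc in SAMPLE_QUEUE:
        print(inc.ident, priority_score(inc), "SAFETY" if inc.ot_safety_risk else "")
    print("handling order:", triage(SAMPLE_QUEUE))
```

Note that the HMI incident scores lower than the ransomware case on the three NIST factors alone; it is handled first only because of the safety gate, which is the point of keeping safety as a separate input rather than folding it into the score.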

Definition
Forensics: The application of science to the identification, collection, examination, and analysis of data while preserving its integrity.

Incident Documentation
Record all facts
Document event
Treat information as evidence
Implement incident issue tracking system
Safeguard information


Mitigation
Subcategories
RS.MI-1: Incidents are contained.
RS.MI-2: Incidents are mitigated.
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.

Containment - Choosing a Strategy
Goal is to decrease damage
Strategies are situationally dependent
Containment provides time to remediate
Containment considerations
Physical damage
Evidence preservation
Service availability
Duration of solution

Containment - Evidence Gathering
Resolving an incident versus addressing the legal implications of the incident
What is the mission?
Evidence collection requires:
Detailed collection information
Information preservation
Chain of custody
Storage
Training
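The forensics definition ("preserving the integrity" of the data), the Incident Documentation list ("treat information as evidence", "safeguard information") and the evidence-collection requirements above ("information preservation", "chain of custody") all come down to one mechanical question: can you later prove that neither the evidence nor the record of who handled it was changed? The following is an added example, not code from the SEL lecture, of a hash-chained chain-of-custody log. Each entry stores the SHA-256 of the evidence item and the digest of the previous entry, so editing a file or a log entry after the fact is detectable. The file name, handler names and evidence bytes are constructed for the demo.

```python
"""Evidence integrity and chain-of-custody log.

Added example, not from the SEL lecture. File names, handler names and the
sample evidence bytes are constructed here.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous digest" used by the first entry


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large disk or memory captures work too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digest(entry: dict) -> str:
    """Digest over the canonical JSON of an entry, excluding its own digest."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_custody(log: list, evidence_path: str, action: str, handler: str, note: str = "") -> dict:
    """Append a custody entry. It carries the evidence hash and the digest of
    the previous entry, so neither the evidence nor earlier history can be
    altered without breaking the chain."""
    entry = {
        "seq": len(log),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "action": action,  # e.g. collected / transferred / examined / stored
        "handler": handler,
        "note": note,
        "prev": log[-1]["digest"] if log else GENESIS,
    }
    entry["digest"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_chain(log: list, evidence_path: str) -> list:
    """Return a list of problems; an empty list means log and evidence are intact."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap")
        if entry["prev"] != prev:
            problems.append(f"entry {i}: does not chain to previous entry")
        if entry_digest(entry) != entry["digest"]:
            problems.append(f"entry {i}: entry altered after it was recorded")
        if entry["sha256"] != log[0]["sha256"]:
            problems.append(f"entry {i}: evidence hash differs from hash at collection")
        prev = entry["digest"]
    if log and sha256_file(evidence_path) != log[0]["sha256"]:
        problems.append("evidence file no longer matches hash at collection")
    return problems


def demo() -> tuple:
    """Collect a constructed evidence file, log two custody steps, verify,
    then simulate tampering with both the evidence and the log."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "hmi01-memory.img")
        with open(path, "wb") as f:
            f.write(b"constructed sample evidence bytes\n")  # constructed, not a real capture
        log = []
        record_custody(log, path, "collected", "J. Doe (evidence handler)", "HMI-01, substation A")
        record_custody(log, path, "transferred", "Forensics lab intake")
        intact = verify_chain(log, path)
        with open(path, "ab") as f:  # evidence modified after collection
            f.write(b"x")
        log[1]["handler"] = "unknown"  # log entry edited after the fact
        tampered = verify_chain(log, path)
    return intact, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "OK")
    print("after tampering:", after)
```

In practice the log would be written to append-only storage (or signed) and the evidence kept on write-blocked media; the hash chain only tells you that something changed, not who changed it, which is why the handler and timestamp fields still matter.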

Containment - Attacking Host Identification
Don't focus on identification at the expense of containment
Identification can be time-consuming and futile
Common host identification activities include:
Validating the attacking IP address
Researching via search engines
Using incident databases
Monitoring possible attacker communication channels

Eradication and Recovery
Use a phased approach
Eliminate the components of the incident:
Delete malware
Reconcile accounts and privileges
Restore systems
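"Reconcile accounts and privileges" is the eradication step most often done by eye, which is how a second backdoor account survives recovery. The following is an added example, not code from the SEL lecture, that parses constructed /etc/passwd and /etc/group contents for a pre-incident baseline and for the current host, then reports every new account, privilege-group addition, UID change or shell change that must be reverted or justified before the system is restored. The usernames, UIDs, group names and the set of groups treated as privileged are constructed assumptions.

```python
"""Account and privilege reconciliation after eradication.

Added example, not from the SEL lecture. The passwd/group contents and
the privileged-group list below are constructed sample data.
"""

PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "adm"}  # assumption: adjust per site


def parse_accounts(passwd_text: str, group_text: str) -> dict:
    """Return {user: {"uid", "gid", "shell", "groups"}} including primary groups."""
    accounts = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        accounts[name] = {"uid": int(uid), "gid": int(gid), "shell": shell, "groups": set()}
    gid_to_name = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        gname, _pw, gid, members = line.split(":")
        gid_to_name[int(gid)] = gname
        for member in filter(None, members.split(",")):
            if member in accounts:
                accounts[member]["groups"].add(gname)
    for acct in accounts.values():  # primary group membership counts too
        if acct["gid"] in gid_to_name:
            acct["groups"].add(gid_to_name[acct["gid"]])
    return accounts


def reconcile(baseline: dict, current: dict) -> list:
    """List differences that need reverting or a documented justification."""
    findings = []
    for user in sorted(set(current) - set(baseline)):
        acct = current[user]
        tag = "PRIVILEGED " if acct["groups"] & PRIVILEGED_GROUPS or acct["uid"] == 0 else ""
        findings.append(f"{tag}new account: {user} (uid {acct['uid']})")
    for user in sorted(set(baseline) - set(current)):
        findings.append(f"account removed: {user}")
    for user in sorted(set(baseline) & set(current)):
        b, c = baseline[user], current[user]
        if c["uid"] != b["uid"]:
            findings.append(f"uid changed: {user} {b['uid']} -> {c['uid']}")
        added = c["groups"] - b["groups"]
        if added:
            tag = "PRIVILEGED " if added & PRIVILEGED_GROUPS else ""
            findings.append(f"{tag}groups added: {user} +{','.join(sorted(added))}")
        if c["shell"] != b["shell"]:
            findings.append(f"shell changed: {user} {b['shell']} -> {c['shell']}")
    return findings


# Constructed baseline (pre-incident export) and current state of one host.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
operator:x:1000:1000::/home/operator:/bin/bash
scada:x:1001:1001::/opt/scada:/usr/sbin/nologin
"""
BASELINE_GROUP = """\
root:x:0:
wheel:x:10:operator
operator:x:1000:
scada:x:1001:
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
operator:x:1000:1000::/home/operator:/bin/bash
scada:x:1001:1001::/opt/scada:/bin/bash
support:x:0:0:support:/tmp:/bin/bash
"""
CURRENT_GROUP = """\
root:x:0:
wheel:x:10:operator,scada
operator:x:1000:
scada:x:1001:
"""


def run_reconciliation() -> list:
    baseline = parse_accounts(BASELINE_PASSWD, BASELINE_GROUP)
    current = parse_accounts(CURRENT_PASSWD, CURRENT_GROUP)
    return reconcile(baseline, current)


if __name__ == "__main__":
    for finding in run_reconciliation():
        print(finding)
```

The sample catches three classic persistence tricks: a second UID 0 account, a service account quietly added to wheel, and a service account whose shell was changed from nologin to an interactive one. On a real host the baseline must come from a trusted pre-incident export (a backup or configuration management), not from the compromised system itself.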

Improvements

Lessons Learned:
Incidents and associated responses provide valuable learning opportunities
Reflect on new threats
Improve technology
Update procedures
Asking simple key questions can provide critical information
What occurred?
What was done to intervene?
How well did that work?
Cross-team meeting
Shared perspectives
Future cooperation
Training and reference material
Updated policies and procedures


The end! The final part!! It's all done! :D

