Incident Handling and Response in Computer Security
Introduction
Incident handling and response (IHR) is the process of identifying, managing, and
mitigating security incidents in an organization. A security incident is any event
that compromises the confidentiality, integrity, or availability of an information
system.
Computer security incident response has become an important component of
information technology (IT) programs. Cybersecurity-related attacks have become
not only more numerous and diverse but also more damaging and disruptive.
New types of security-related incidents emerge frequently. Preventive activities
based on the results of risk assessments can lower the number of incidents, but
not all incidents can be prevented.
An incident response capability is therefore necessary for rapidly detecting
incidents, minimizing loss and destruction, mitigating the weaknesses that were
exploited, and restoring IT services.
Because performing incident response effectively is a complex undertaking,
establishing a successful incident response capability requires substantial
planning and resources.
Continually monitoring for attacks is essential.
Establishing clear procedures for prioritizing the handling of incidents is critical, as
is implementing effective methods of collecting, analyzing, and reporting data.
It is also vital to build relationships and establish suitable means of
communication with other internal groups (e.g., human resources, legal) and with
external groups (e.g., other incident response teams, law enforcement).
Establishing an incident response capability should include the following
actions:
Creating an incident response policy and plan
Developing procedures for performing incident handling and reporting
Setting guidelines for communicating with outside parties regarding incidents
Selecting a team structure and staffing model
Establishing relationships and lines of communication between the incident
response team and other groups, both internal (e.g., legal department) and
external (e.g., law enforcement agencies).
Determining what services the incident response team should provide
Staffing and training the incident response team
Organizations should reduce the frequency of incidents by effectively securing
networks, systems, and applications. Preventing problems is often less costly and
more effective than reacting to them after they occur.
Thus, incident prevention is an important complement to an incident response
capability.
Organizations should be generally prepared to handle any incident but should
focus on being prepared to handle incidents that use common attack vectors.
Incidents can occur in countless ways, so it is infeasible to develop step-by-step
instructions for handling every incident.
Different types of incidents merit different response strategies. The attack vectors
are:
External/Removable Media: An attack executed from removable media (e.g.,
flash drive, CD) or a peripheral device.
Attrition: An attack that employs brute force methods to compromise, degrade,
or destroy systems, networks, or services.
Web: An attack executed from a website or web-based application.
Email: An attack executed via an email message or attachment.
Improper Usage: Any incident resulting from violation of an organization’s
acceptable usage policies by an authorized user, excluding the above categories.
Loss or Theft of Equipment: The loss or theft of a computing device or media
used by the organization, such as a laptop or smartphone.
Other: An attack that does not fit into any of the other categories.
Key Components of IHR:
Incident Identification: Recognizing and classifying security incidents in a
timely manner.
Incident Preparation: Establishing tools, policies, and resources to deal
with incidents.
Incident Handling: The steps taken once an incident is identified, such as
containment, eradication, and recovery.
Incident Reporting: Documenting and communicating the incident to
relevant stakeholders.
The goal of IHR is to minimize the damage caused by an incident, restore normal
operations, and prevent future incidents.
Identification of Security Incidents
Identifying security incidents involves monitoring and detecting potential threats
in real-time. This can be done through:
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS),
which monitor network traffic for suspicious activities.
Log Analysis: Reviewing system logs to identify abnormal patterns.
Anomalous Behavior Detection: Monitoring user and system behaviors
that deviate from normal operations.
Types of Security Incidents:
Malware infections: Viruses, worms, ransomware.
Unauthorized access: Hacking, insider threats.
Data breaches: Theft or leakage of sensitive data.
Denial of Service (DoS): Attacks aimed at disrupting services.
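The log-analysis step above (review system logs for abnormal patterns, then recognize and classify the incident) can be shown concretely. The following is an added example, not part of the original notes: it runs simple detection rules over a handful of constructed log lines and sorts the results into the attack-vector categories listed earlier (Attrition, Web, Email, External/Removable Media, Improper Usage, Loss or Theft of Equipment, Other). The log line layout, the sensor message wording, the brute-force threshold and the priority ranking are all assumptions made for the illustration.

```python
"""Classify constructed log events into the attack-vector categories used in
the notes. Added example; log format, message wording, threshold and priority
order are assumptions, not a real sensor's output."""
import re
from collections import Counter
from dataclasses import dataclass

# Single-message rules: regex over the message text -> attack vector it indicates.
SINGLE_EVENT_RULES = [
    ("External/Removable Media", re.compile(r"malware detected on removable drive", re.I)),
    ("Web", re.compile(r"waf blocked request", re.I)),
    ("Email", re.compile(r"mail gateway quarantined attachment", re.I)),
    ("Improper Usage", re.compile(r"dlp policy violation", re.I)),
    ("Loss or Theft of Equipment", re.compile(r"asset reported (lost|stolen)", re.I)),
]
# Attrition (brute force) is an aggregate: many failed logins from one source.
FAILED_LOGIN = re.compile(r"failed password for (\S+) from (\S+)", re.I)
BRUTE_FORCE_THRESHOLD = 5  # assumed; tune to the environment's baseline

# Handling priority per vector (1 = handle first). Assumed ordering.
PRIORITY = {
    "Loss or Theft of Equipment": 1, "External/Removable Media": 1,
    "Email": 2, "Web": 2, "Attrition": 3, "Improper Usage": 4, "Other": 5,
}

# Constructed sample log lines: "<timestamp> <host> <sensor> <message>".
SAMPLE_LOGS = [
    "2024-05-01T09:00:01 srv1 sshd Failed password for root from 203.0.113.7",
    "2024-05-01T09:00:02 srv1 sshd Failed password for admin from 203.0.113.7",
    "2024-05-01T09:00:03 srv1 sshd Failed password for admin from 203.0.113.7",
    "2024-05-01T09:00:04 srv1 sshd Failed password for admin from 203.0.113.7",
    "2024-05-01T09:00:05 srv1 sshd Failed password for admin from 203.0.113.7",
    "2024-05-01T09:01:00 srv1 sshd Failed password for alice from 192.0.2.10",
    "2024-05-01T09:02:10 web1 waf WAF blocked request from 198.51.100.4 rule=9001",
    "2024-05-01T09:03:00 mx1 mailgw Mail gateway quarantined attachment invoice.zip",
    "2024-05-01T09:04:00 ws17 av Malware detected on removable drive E:",
    "2024-05-01T09:05:00 ws22 dlp DLP policy violation: upload to personal cloud storage",
    "2024-05-01T09:06:00 helpdesk ticket Asset reported stolen: laptop LT-0419",
    "2024-05-01T09:07:00 ws09 alert Unusual process tree observed",
    "2024-05-01T09:08:00 srv2 cron Nightly backup completed",
]


@dataclass
class Incident:
    vector: str
    source: str     # host or remote address the classification points at
    evidence: int   # number of log lines supporting the classification


def parse_line(line):
    """Split the constructed '<timestamp> <host> <sensor> <message>' layout."""
    ts, host, sensor, message = line.split(" ", 3)
    return ts, host, sensor, message


def classify(lines):
    """Return the incidents found in `lines`, highest handling priority first."""
    incidents = []
    failed_by_source = Counter()
    for line in lines:
        _, host, sensor, message = parse_line(line)
        m = FAILED_LOGIN.search(message)
        if m:                       # aggregate; a single failure is not an incident
            failed_by_source[m.group(2)] += 1
            continue
        for vector, pattern in SINGLE_EVENT_RULES:
            if pattern.search(message):
                incidents.append(Incident(vector, host, 1))
                break
        else:
            if sensor == "alert":   # flagged by a sensor but fits no category
                incidents.append(Incident("Other", host, 1))
    for src, n in failed_by_source.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            incidents.append(Incident("Attrition", src, n))
    incidents.sort(key=lambda i: (PRIORITY[i.vector], -i.evidence))
    return incidents


def vector_counts(incidents):
    """How many incidents of each vector, for the reporting step."""
    return Counter(i.vector for i in incidents)


if __name__ == "__main__":
    for inc in classify(SAMPLE_LOGS):
        print(f"P{PRIORITY[inc.vector]} {inc.vector:<28} {inc.source:<14} lines={inc.evidence}")
```

The single failed login from 192.0.2.10 is deliberately left below the threshold: one failure is normal user behaviour, five in a row from one address is the abnormal pattern the notes describe. The routine cron line matches nothing and is dropped, which is the point of classification: the handling queue should hold only events that need a response.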
Preparation for Incident Handling
Preparation is crucial for effective incident response. This involves:
Developing an Incident Response Plan (IRP): A predefined set of steps that
outlines how to detect, respond to, and recover from incidents.
Setting Up Tools and Resources: Ensuring the availability of detection tools
(such as IDS/IPS), forensic tools, and secure backups.
Training Personnel: Regular training for staff on security policies,
awareness, and incident response procedures.
Establishing Communication Channels: Clear internal and external
communication strategies for informing stakeholders about security
incidents.
Incident Handling Phases
Once an incident is identified, the following steps are taken:
1. Containment
Short-term Containment: Immediate actions to limit the impact of the
incident, such as isolating affected systems.
Long-term Containment: Deploying patches, removing malware, and
securing vulnerable systems.
2. Eradication
Removing the root cause of the incident, such as deleting malware or
closing unauthorized access points.
3. Recovery
Restoring affected systems to their normal state after the incident. This
may involve restoring data from backups, testing systems, and monitoring
for any lingering threats.
4. Post-Incident Analysis
Conducting a detailed review of the incident to identify weaknesses in
security and improve future incident response. This phase often includes
updating the IRP and educating staff on lessons learned.
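The four phases above form one procedure, and the notes repeatedly stress documenting it. As an added example (not part of the original notes), the following Python tracks one incident through containment, eradication, recovery and post-incident analysis, refuses to skip a phase or let time run backwards, logs each action under the phase it belongs to, and derives the elapsed-time figures a post-incident review starts from. The phase names as used here, the metric names and the sample timeline are assumptions.

```python
"""Incident record that walks through the handling phases in order and
produces timing metrics for the post-incident review. Added example; the
phase labels, metric names and sample timeline are assumptions."""
from datetime import datetime

# Phases in the order the notes give them; "closed" marks a completed review.
PHASES = ["containment", "eradication", "recovery", "post-incident analysis", "closed"]


class IncidentRecord:
    def __init__(self, incident_id, identified_at):
        self.incident_id = incident_id
        # (phase entered, timestamp, note): one entry per phase transition
        self.timeline = [("containment", identified_at, "incident confirmed, containment started")]
        # (phase, timestamp, note): every action, logged under the phase it was taken in
        self.actions = []

    @property
    def phase(self):
        return self.timeline[-1][0]

    def record_action(self, at, note):
        """Document an action under the current phase (who, what, when for the review)."""
        if at < self.timeline[-1][1]:
            raise ValueError("action timestamp precedes the start of the current phase")
        self.actions.append((self.phase, at, note))

    def advance(self, at, note):
        """Complete the current phase and enter the next one; no skipping, no time travel."""
        if self.phase == PHASES[-1]:
            raise ValueError("incident is already closed")
        if at < self.timeline[-1][1]:
            raise ValueError("phase timestamp precedes the previous phase")
        nxt = PHASES[PHASES.index(self.phase) + 1]
        self.timeline.append((nxt, at, note))
        return nxt

    def actions_in(self, phase):
        return [note for p, _, note in self.actions if p == phase]

    def metrics(self):
        """Elapsed hours between phase entries; None until the later phase is reached."""
        t = {phase: at for phase, at, _ in self.timeline}

        def hours(start, end):
            if start not in t or end not in t:
                return None
            return (t[end] - t[start]).total_seconds() / 3600

        return {
            "time_to_contain_h": hours("containment", "eradication"),
            "time_to_eradicate_h": hours("eradication", "recovery"),
            "time_to_recover_h": hours("containment", "post-incident analysis"),
        }


def sample_incident():
    """Constructed walk-through of a malware infection on one workstation."""
    inc = IncidentRecord("INC-2024-0001", datetime(2024, 5, 1, 9, 0))
    inc.record_action(datetime(2024, 5, 1, 9, 5), "short-term: isolated ws17 from the network")
    inc.record_action(datetime(2024, 5, 1, 9, 20), "long-term: blocked the attachment hash at the mail gateway")
    inc.advance(datetime(2024, 5, 1, 9, 30), "spread confirmed stopped")
    inc.record_action(datetime(2024, 5, 1, 11, 0), "removed malware, reimaged ws17, patched the exploited software")
    inc.advance(datetime(2024, 5, 1, 13, 0), "root cause removed")
    inc.record_action(datetime(2024, 5, 1, 15, 0), "restored user data from the last clean backup")
    inc.advance(datetime(2024, 5, 1, 17, 0), "ws17 back in service under enhanced monitoring")
    inc.record_action(datetime(2024, 5, 2, 9, 0), "lesson: attachment filtering gap; IRP updated, staff briefed")
    inc.advance(datetime(2024, 5, 2, 10, 0), "post-incident review completed")
    return inc


if __name__ == "__main__":
    rec = sample_incident()
    for phase, at, note in rec.timeline:
        print(f"{at:%Y-%m-%d %H:%M}  {phase:<23} {note}")
    print(rec.metrics())
```

Short-term and long-term containment are both recorded as actions inside the containment phase rather than as separate phases, which matches the notes: they are two kinds of step within one phase, and the phase ends only when the spread is confirmed stopped.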
Computer Incident Response Team (CIRT) and Computer Emergency Response
Team (CERT)
A Computer Incident Response Team (CIRT) or Computer Emergency Response
Team (CERT) is a specialized group tasked with handling and responding to
security incidents in an organization. This team is responsible for more than
simply responding to incidents. It has a role in all risk management, incident
prevention, and incident preparation activities. Consequently, the team makeup
must include representatives from all technical teams, organization operations
teams, and other relevant stakeholders.
5.1. Set-Up and Composition
(a) Computer Security Incident Response Team (CSIRT) Membership
The following list of team members is general. Each organization is unique, and
the makeup of the team depends on who must be involved to ensure effective
incident management.
• Incident manager
• Security analyst
• Computer forensics investigator
• Server engineer
• Network engineer
• Server administrator
• Network administrator
• Business analyst for each department/line of business
• Software developer
• Data center operator
• Inside legal counsel
• Human resources
• Public relations
Depending on the organization, some of these members might be outside support
vendors. All CSIRT members should participate in preparation and planning. These
team members serve as team leads in their respective areas.
Key CIRT/CERT teams are typically composed of:
Incident Response Specialists: Trained personnel to handle and mitigate
incidents.
IT and Security Professionals: Experts in systems, networks, and
cybersecurity.
Legal and Compliance Experts: Ensure that the incident response adheres
to legal and regulatory requirements.
Public Relations: Manages communications with external stakeholders and
the public, especially during data breaches.
Once an incident response policy creates the CSIRT, the team begins creating
plans and procedures to meet its responsibilities.
Roles of CIRT/CERT
Incident Detection: Monitoring and identifying potential incidents using
tools like IDS/IPS. This also includes new threat and vulnerability advisory
distribution as threat intelligence and vulnerability research daily reveal
new ways of attack. The CSIRT is responsible for identifying new threats and
vulnerabilities, performing analysis to determine associated risk to the
organization, and distributing this information to appropriate IT and
business teams.
Incident Response: Taking immediate actions to contain and mitigate
incidents.
Forensic Investigation: Collecting and preserving evidence for legal or
compliance purposes.
Coordination with External Teams: Collaborating with law enforcement,
regulators, and third-party cybersecurity firms when necessary.
Risk management. The CSIRT is either directly responsible for managing
information resource risk or provides support for those who are.
Incident prevention and preparation. Conducting or participating in
penetration tests and vulnerability management is a good start. The CSIRT
should also be involved in the change management process. This ensures
the risk management controls and procedures identified in the SDLC and
risk assessments are maintained in a way that supports incident
management.
Education and awareness. Educating employees about the importance of
safe use of information resources, policy compliance and regulatory
compliance. The CSIRT should manage security training and awareness or
be directly involved in content and delivery, including how to report
anomalous behavior.
Information sharing. Whether or not an attack succeeds, consider sharing the
information gathered during initial analysis and incident response with both
internal and external entities, including stakeholders, regional and state law
enforcement agencies, federal agencies, and interest and industry groups. These
groups share incident management findings about threats, risks, and other
incident-related matters, which allows a broad defense against threat agents.
Importance of CIRT/CERT in Advanced Technology Environments
In today’s technology-driven world, organizations face increasingly sophisticated
and targeted cyber threats. CIRT/CERT teams play a critical role by:
Minimizing Downtime: Swift response to incidents ensures that business
operations are minimally affected.
Preventing Data Breaches: Proactive threat detection and response protect
sensitive data.
Ensuring Compliance: By handling incidents in accordance with regulations
(e.g., GDPR, HIPAA), CIRT/CERT teams help avoid penalties and reputational
damage.
Importance of Incident Response in the Current Advanced Technology
Environment
In a world of cloud computing, IoT, and mobile devices, the risk landscape for
organizations has expanded, making incident response even more vital. Advanced
technologies bring about:
Increased Attack Surfaces: Cloud-based infrastructure and IoT devices can
be more vulnerable to cyberattacks if not properly secured.
Sophisticated Threats: Cybercriminals use advanced tools such as AI and
machine learning to carry out targeted and complex attacks.
Compliance Requirements: Regulatory frameworks such as the General
Data Protection Regulation (GDPR) require organizations to have effective
incident response strategies in place.
As a result, robust incident handling and response mechanisms are essential to
safeguard data and maintain operational integrity.
Conclusion
Incident handling and response is a critical function in modern organizations,
enabling them to identify, manage, and mitigate security incidents swiftly. The
establishment of CIRT/CERT teams, coupled with a well-defined incident response
plan, ensures that organizations are prepared to handle the ever-evolving threat
landscape. In advanced technology environments, incident response plays a key
role in ensuring business continuity, data protection, and regulatory compliance.
(b) CSIRT Responsibilities
The incident response team is responsible for
(c) CSIRT Response Tools and Resources
Part of planning and preparing is putting together a set of tools and supporting
resources that enable the CSIRT when an incident occurs, including a command
center; jump kit; forensics lab (commonly outsourced); incident response forms
with documented procedures and checklists; and external resource contacts.
(i) Command center
When an incident occurs requiring more than quick eradication and recovery, the
CSIRT will gather in a central location for analysis, information sharing, and
leadership. This command center is usually a previously designated conference
room or training facility with, minimally:
• Whiteboards and markers
• Speaker phones
• Multiple tables for team and sub-team coordination and information sharing
• Hardwired connection to the internal network
• Isolated access path to the Internet for research, support, and reporting
The command center is the central point of response communication and
operations. It is where the team and others will find the incident manager. It is
also where all incident activity coordination and logging take place.
(ii) Jump kit
A jump kit is a forensics bag of tools a responder can quickly grab on the way
out the door. It should contain everything necessary for at least the evidence
preservation performed during initial response:
1. Journal for taking notes (who, what, when, where, how, and why) about every
facet of the incident, including physical access
2. Contact list for all CSIRT members and external support
3. Up-to-date antimalware on USB drive or CD
4. Crime scene tape (http://amzn.to/2qgV1Nu)
5. Duct tape or other adhesive
6. Evidence bags (http://amzn.to/2rUBqTE)
7. Faraday bags for immediate collection of cell phones, tablets, and other
wireless mobile devices (http://amzn.to/2qkFuuZ)
8. Evidence tags (http://amzn.to/2rAhwAK)
9. Chain of custody forms (http://bit.ly/2qkzr9K)
10. Digital camera with extra batteries
11. Sketch book with pencils and pencil sharpener
12. A laptop with an industry and judicially acceptable (stands up in court)
forensics solution, such as EnCase (http://bit.ly/1SRrdxM)
13. Hard drive duplicator with write-block capabilities (http://amzn.to/2rAAJSX)
14. Miscellaneous cables, connectors, adaptors, etc.
The contents of your jump kit will vary from this list depending on whether your
in-house team performs detailed forensics activities or whether you outsource
them. At the very least, your kit should contain items 1 through 11 in the list
above.
(iii) Forensics lab
Not every organization needs a forensics lab.
You can also use this list when assessing the credibility and effectiveness of a
potential forensics vendor.
• Strong access control to the lab that minimally includes logging authorized
personnel who enter and when
• A server for organizing and retaining investigation results (not connected to the
Internet)
• A lab network isolated (preferably air gapped) from the organization’s network
with an Internet connection separate from the rest of the organization and the
lab administrative network (Internet connection should be only for administrative
systems, never for systems used for evidence analysis or that are evidence
themselves)
• Administrative systems for Internet access and lab management functions,
connected to a network isolated from analysis systems
• Systems for analysis (virtual is a good idea) running various operating systems:
  o Windows desktop
  o Windows Server
  o Mac OS
  o Linux
• Drive duplicators with write blockers
• Readers for various types of media (e.g., SIMs and flash memory)
• Media wiping equipment
• Assortment of drive cables
• Miscellaneous cables and adapters
• Variety of drives of different types
• Accepted forensics software, such as EnCase and Forensics Tool Kit
(http://bit.ly/2qnSYX6) running on non-admin lab systems
• Securable physical storage for separating and maintaining evidence chain of
custody
• Video or audio equipment for recording findings, evidence, etc.
• Jump Kit (see Jump kit above)
• Certified computer forensics investigators
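Two items recur in both the jump kit (chain of custody forms, a write-blocked duplicator) and the forensics lab (write blockers, securable evidence storage for maintaining chain of custody). What ties them together is that the evidence must be shown to be unchanged from acquisition to presentation. The following is an added example, not part of the original notes, of how a responder can enforce that in software: the image is hashed at acquisition, every hand-over is logged with who, when and why, and a receiving custodian re-hashes the image before accepting it, so an altered or mismatched copy is refused. The image bytes, names, tag and timestamps are constructed, and the form layout is an assumption.

```python
"""Evidence intake and chain-of-custody record for a forensic image.
Added example; the image bytes, people, tags and timestamps are constructed
and the record layout is an assumption."""
import hashlib
from datetime import datetime


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    """One item of evidence: acquisition hash plus an append-only custody log."""

    def __init__(self, tag, description, image, acquired_by, acquired_at, write_blocked):
        # Item 13 of the jump kit: duplicate through a write blocker so the
        # original is never modified. Refuse to record an acquisition otherwise.
        if not write_blocked:
            raise ValueError("acquire the image through a write blocker")
        self.tag = tag
        self.description = description
        self.acquisition_hash = sha256_hex(image)
        # (timestamp, custodian, handed over by, purpose); None = original acquisition
        self.custody = [(acquired_at, acquired_by, None, "acquired via write-blocked duplicator")]

    @property
    def custodian(self):
        return self.custody[-1][1]

    def verify(self, image):
        """True if `image` still matches the hash taken at acquisition."""
        return sha256_hex(image) == self.acquisition_hash

    def transfer(self, at, from_person, to_person, image, purpose):
        """Hand the item to a new custodian. The receiver re-hashes before accepting."""
        if from_person != self.custodian:
            raise ValueError(f"{from_person} is not the current custodian ({self.custodian})")
        if at < self.custody[-1][0]:
            raise ValueError("transfer time precedes the previous custody entry")
        if not self.verify(image):
            raise ValueError("image hash mismatch: evidence altered or wrong image presented")
        self.custody.append((at, to_person, from_person, purpose))

    def form(self):
        """Render the chain-of-custody form (jump kit item 9) as text lines."""
        lines = [
            f"Evidence {self.tag}: {self.description}",
            f"Acquisition SHA-256: {self.acquisition_hash}",
        ]
        for at, holder, handed_by, purpose in self.custody:
            origin = f"from {handed_by}" if handed_by else "acquired"
            lines.append(f"{at:%Y-%m-%d %H:%M}  {holder:<10} {origin}: {purpose}")
        return lines


def sample_chain():
    """Constructed hand-over of a laptop SSD image from the responder to the lab."""
    image = bytes(range(256)) * 4  # stand-in for a disk image
    item = EvidenceItem("EV-001", "laptop LT-0419 SSD image", image,
                        "R. Lee", datetime(2024, 5, 1, 10, 15), write_blocked=True)
    item.transfer(datetime(2024, 5, 1, 11, 0), "R. Lee", "M. Diaz", image,
                  "analysis on isolated lab system")
    return item, image


if __name__ == "__main__":
    item, image = sample_chain()
    print("\n".join(item.form()))
    print("intact:", item.verify(image))
```

The hash check on transfer is what makes the form more than paperwork: a custodian who signs for an image that no longer matches the acquisition hash has accepted something other than the evidence, and the record would not stand up later. Keeping the acquisition hash in the record itself, rather than alongside the image, is the same separation the lab list asks for with its securable evidence storage.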