Introduction The question becomes less if you have an incident and more when you

By admin

Introduction
The question becomes less if you have an incident and more when you will have one. Ignoring this fact will place you and your organization in a precarious position. Proper planning for an incident will indicate to your customers, stakeholders, and key leadership that you take security seriously and will instill confidence in their business systems. Should an incident occur, your preparation will allow you to quickly identify the scope of damage because you will have identified the data that requires special handling and protection, including PII, PHI, intellectual property, corporate confidential information, and financial information about your organization.
However, preparation is more than just an effort for your security team. It means that you assist organizational leadership in communicating the goals of the security policy and the importance of the employees’ roles in supporting it. Aside from the benefit of smoother recovery, having a comprehensive incident-handling process regarding particular data may protect you from civil or criminal procedures should your organization be brought to court for failing to protect sensitive data. Once you have received buy-in from organization leadership for your incident response plan, you must continue refining and improving it as threats evolve.
Incident Scenario
For this assignment, you will create an incident response runbook (also known as a playbook or “use case”), a written guide for identifying, containing, eradicating, and recovering from cybersecurity incidents. The document is usually the output of the preparation phase of the Incident Response process and is a part of your overall Incident Response Plan.
An end-user receives an email from the help desk stating that there was irregular activity associated with their email account and that they can only send or receive emails once it is resolved. Several end users click the link in the email, and immediately items on their workstations act strangely. Suddenly, none of the files on the workstation can be opened, and all now end in “.crypt”. A message on the end user’s screen demands payment of 1.84 Bitcoins as a ransom for the organization’s now encrypted data. As of May 2021, Bitcoin is approximately $54,301/Bitcoin, making the ransom in this scenario just shy of $100,000.
Soon after that, other employees also report strange notes on their screens. Before long, all computers – workstations and servers – have the popup on their screens and cannot function. This is where the Incident Response process begins.
Create Your Runbook
There are different Runbooks for different types of threats (Malware, DDoS, Botnet, Social Engineering). Make sure the Runbook you write is the correct Runbook for the scenario. An Incident Response Playbook (Runbook) is designed to provide a step-by-step walk-through for the most probable and impactful cyber threats to your organization. The playbook ensures that specific steps of the Incident Response Plan are followed appropriately and serves as a reminder if particular steps in the IRP are not in place.
Your Runbook should consist of the following:
1. An overview section that details information about the identified threat.
2. Preparation steps or triage processes needed to prevent or recover from the threat:
Contact information of the in-house IR team
Communication tree
Escalation & notification procedures and reporting mechanism
3. Detection, Identification, and Analysis of the likely symptoms from the type of threat:
Steps implemented for detection
Identification matrix for High, Medium, and Low threat categories
Incident validation – tools or systems used to confirm and verify the possible delivery vector of the threat
4. Containment, Eradication, and Recovery:
The third phase, containment, is the initial attempt to mitigate the attacker’s actions. It has two major components: stopping the attack’s spread and preventing further system damage. An organization must decide which containment methods to employ early in the response. Organizations should have strategies and procedures for making containment-related decisions that reflect the level of risk acceptable to the organization according to the threat type.
5. Post-Incident Activity/Lessons Learned:
The post-incident phase identifies the lessons to be learned once response actions are complete and have been reviewed. This section needs to address questions such as:
What happened?
Have we done well in protecting the organization’s network?
What could we have done better?
What should we do differently next time?
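Sections 3 of the runbook (detection, an identification matrix, and validation of the delivery vector) are the parts a responder can actually automate. The following Python script is an added example for the scenario above; it is not part of the assignment text or any vendor's tooling. It runs over a constructed telemetry export (hypothetical EDR file-rename events plus mail-gateway link-click events), flags hosts where files are being renamed to “.crypt”, rates the incident High, Medium or Low with an assumed matrix (any server affected or more than a quarter of the fleet is High, more than one workstation is Medium, a single workstation is Low), and checks whether a help-desk-style phishing click preceded each host's first encryption event. The thresholds, hostnames and sender address are assumptions chosen for the example.

```python
from collections import defaultdict

RANSOM_EXT = ".crypt"      # extension observed in the scenario
RENAME_THRESHOLD = 5       # assumed: >= 5 renames to .crypt on one host means encryption is under way
SERVER_PREFIX = "srv-"     # assumed naming convention: servers start with "srv-"
CLICK_WINDOW = 600         # assumed: a mail click within 10 minutes before encryption explains the vector
PHISH_SENDER = "helpdesk@mail-support.example"   # constructed, not a real address


def _renames(host, start, count):
    """Build `count` constructed file_rename events for `host`, one per second from `start`."""
    return [{"ts": start + i, "host": host, "type": "file_rename",
             "path": f"C:/Users/user/Documents/file{i}.docx{RANSOM_EXT}"} for i in range(count)]


# Constructed sample telemetry mirroring the scenario: two users click the fake
# help-desk link and their workstations start renaming files; a third host shows
# a couple of renames (below threshold); a file server is hit later with no click.
EVENTS = (
    [{"ts": 100, "host": "ws-017", "type": "mail_link_click", "sender": PHISH_SENDER}]
    + _renames("ws-017", 105, 6)
    + [{"ts": 130, "host": "ws-022", "type": "mail_link_click", "sender": PHISH_SENDER}]
    + _renames("ws-022", 140, 5)
    + _renames("ws-031", 150, 2)          # below threshold: probably a user renaming files
    + _renames("srv-files-01", 300, 7)    # file server, no mail click: likely spread via shares
)


def affected_hosts(events):
    """Detection step: return {host: rename_count} for hosts at or above RENAME_THRESHOLD."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "file_rename" and e["path"].lower().endswith(RANSOM_EXT):
            counts[e["host"]] += 1
    return {host: n for host, n in counts.items() if n >= RENAME_THRESHOLD}


def classify_severity(affected, total_hosts):
    """Identification matrix (assumed): High if any server is affected or more than a
    quarter of the fleet; Medium if more than one workstation; Low if exactly one."""
    if not affected:
        return "None"
    if any(h.startswith(SERVER_PREFIX) for h in affected) or len(affected) > total_hosts / 4:
        return "High"
    if len(affected) > 1:
        return "Medium"
    return "Low"


def validate_delivery_vector(events, affected):
    """Validation step: for each affected host, find the latest mail link click within
    CLICK_WINDOW seconds before its first .crypt rename. Returns {host: sender or None};
    None means the phishing email does not explain how this host was reached."""
    first_rename = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if (e["type"] == "file_rename" and e["path"].lower().endswith(RANSOM_EXT)
                and e["host"] in affected and e["host"] not in first_rename):
            first_rename[e["host"]] = e["ts"]
    vector = {}
    for host, t0 in first_rename.items():
        clicks = [e for e in events if e["type"] == "mail_link_click"
                  and e["host"] == host and t0 - CLICK_WINDOW <= e["ts"] <= t0]
        vector[host] = max(clicks, key=lambda ev: ev["ts"])["sender"] if clicks else None
    return vector


def triage(events, total_hosts):
    """Run detection, identification and validation together and return the runbook inputs."""
    affected = affected_hosts(events)
    return {
        "severity": classify_severity(affected, total_hosts),
        "affected": affected,
        "vector": validate_delivery_vector(events, affected),
    }


if __name__ == "__main__":
    result = triage(EVENTS, total_hosts=40)
    print(f"Severity: {result['severity']}")
    for host, n in result["affected"].items():
        src = result["vector"][host] or "no preceding mail click (check lateral movement)"
        print(f"  {host}: {n} files renamed to {RANSOM_EXT}; vector: {src}")
```

Hosts whose first encryption event has no preceding click are the interesting ones for the containment section: in the sample data the file server is reached without any email, which tells the responder that isolating the two phished workstations alone will not stop the spread.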
