Incident Response Steps for SANS and NIST - CrowdStrike
Incident Response Steps
May 6, 2021

Incident Response Frameworks

The two most well-respected IR frameworks were developed by NIST and SANS to give IT teams a foundation to build their incident response plans on. Below are the steps of each framework:

NIST Incident Response Process                    SANS Incident Response Process
Step 1. Preparation                               Step 1. Preparation
Step 2. Detection and Analysis                    Step 2. Identification
Step 3. Containment, Eradication, and Recovery    Step 3. Containment
Step 4. Post-Incident Activity                    Step 4. Eradication
                                                  Step 5. Recovery
                                                  Step 6. Lessons Learned

When we compare the NIST and SANS frameworks side-by-side, you'll see the components are almost identical, but differ slightly in their wording and grouping. The biggest difference lies with Step 3, where NIST believes that containment, eradication, and recovery overlap – meaning you shouldn't wait to contain all threats before beginning to eradicate them.

Some debate which framework is better, but it really comes down to a matter of preference and your organization's resources. CrowdStrike's Incident Response team follows the NIST framework, therefore this article expands upon the four steps and breaks down what each means for your incident response plan.

Step #1: Preparation

No organization can spin up an effective incident response on a moment's notice. A plan must be in place to both prevent and respond to events.

Define the CSIRT (Computer Security Incident Response Team)

To act quickly and completely while an incident is unfolding, everyone on the CSIRT needs to know their responsibilities and the decisions that are theirs to make.

The CSIRT should include a cross section of business and technical experts with the authority to take action in support of the business. Members should include representatives from management, technical, legal, and communications disciplines, as well as security committee liaisons. All departments affected by an incident should be in the loop and everyone should have a decision matrix to guide their actions during and after the incident.

The plan should also define who is in charge and who has the authority to make certain critical decisions. Those aren't things to figure out – let alone argue over – in the heat of the moment.

Develop and update a plan

Ensure plans and other supporting documents exist and are updated periodically to remain current. All relevant personnel should have access to the parts of the plan that pertain to their responsibilities and should be alerted when the plan is revised. There should be a feedback loop that is enacted after every significant incident in order to improve the plan continuously.

Acquire and Maintain the Proper Infrastructure and Tools

Have the capabilities to detect and investigate incidents, as well as to collect and preserve evidence. To determine if an attacker is in your environment, it's critical that you have endpoint security technology that provides total visibility into your endpoints and collects incident data.

Without the right tools, and processes to guide their use, you'll be ill-equipped to investigate how attackers are accessing your environment, how to mitigate an attacker's existing access, or how to prevent future access.

Always Improve Skills and Support Training

Ensure the IR team has the appropriate skills and training. This includes exercising the IR plan from time to time. It also includes staffing the IR team, with either in-house staff or through a third-party provider, to accommodate the time away from the job necessary in order to maintain certifications and leverage other educational opportunities.

Possess Up-to-Date Threat Intelligence Capabilities

Threat intelligence capabilities help an organization understand the kinds of threats it should be prepared to respond to. Threat intelligence should integrate seamlessly into endpoint protection and use automated incident investigations to speed breach response. Automation enables a more comprehensive analysis of threats in just minutes, not hours, so an organization can outpace advanced persistent threats (APTs) with smarter responses.

Step #2. Detection & Analysis

The second phase of IR is to determine whether an incident occurred, its severity, and its type. NIST outlines five steps within this overall phase:

- Pinpoint signs of an incident (precursors and indicators): Precursors and indicators are specific signals that an incident is either about to occur, or has already occurred.
- Analyze the discovered signs: Once identified, the IR team has to determine if a precursor or indicator is part of an attack or if it is a false positive.
- Incident documentation: If the signal proves valid, the IR team must begin documenting all facts in relation to the incident and continue logging all actions taken throughout the process.
- Incident prioritization: NIST designates this step as the most critical decision point in the IR process. The IR team can't simply prioritize incidents on a first come, first served basis. Instead, they must score incidents on the impact they will have on business functionality, the confidentiality of affected information, and the recoverability of the incident.
- Incident notification: After an incident has been analyzed and prioritized, the IR team should notify the appropriate departments/individuals. A thorough IR plan should already include the specific reporting requirements.

Don't let the simplified list above fool you. The detection and analysis phase can be extremely challenging. Here are a few reasons why:

- Incidents may be detected by many means, ranging from automated detection systems to user reports. The level of fidelity and detail will vary according to how or who made the report, and some incidents are nearly impossible to detect no matter how they were reported.
- The volume of indicators of potential compromise (IOCs) can be extremely high. Some organizations may even receive millions per day. Separating the signal from the noise is a massive task.
- Analyzing incident-related data with accuracy requires deep and specialized technical knowledge, as well as a great deal of experience. Automation helps, but people are the ultimate arbiters of determining whether an incident is occurring or not. Many organizations struggle to acquire the level of expertise necessary to recognize incidents in progress.

CrowdStrike's Falcon platform is used extensively for incident response – especially during the detection and analysis phase. Its cloud-based architecture enables significantly faster incident response and remediation times and provides remote visibility across endpoints throughout the environment, enabling instant access to the "who, what, when, where, and how" of an attack. Services like Falcon Complete streamline the detection and analysis phase by combining CrowdStrike's endpoint security technology with the people, expertise and processes necessary to remediate an incident quickly.

Step #3. Containment, Eradication, & Recovery

The purpose of the containment phase is to halt the effects of an incident before it can cause further damage. Once an incident is contained, the IR team can take the time necessary to tailor its next steps. These should include taking any measures necessary to address the root cause of the incident and restore systems to normal operation.

These decisions have the potential to impact productivity, and IR teams must approach them with caution. An IR plan will ease their decision-making process by having a set of predetermined strategies and procedures for containment that are based on the organization's level of acceptable risk.

Develop containment, eradication, and recovery strategies based on criteria such as:

- the criticality of the affected assets
- the type and severity of the incident
- the need to preserve evidence
- the importance of any affected systems to critical business processes
- the resources required to implement the strategy

At all times, these processes should be documented and evidence should be collected. There are two reasons for this: one, to learn from the attack and increase the security team's expertise, and two, to prepare for potential litigation.

Step #4. Post-Incident Activity

Every incident should be an opportunity to learn and improve, but many organizations give short shrift to this step. Adversaries are always evolving, and IR teams need to keep up with the latest techniques, tactics, and procedures.

A lessons learned meeting involving all relevant parties should be mandatory after a major incident and desirable after less severe incidents, with the goal of improving security as a whole and incident handling in particular. In the case of major attacks, involve people from across the organization as necessary and make a particular effort to invite people whose cooperation will be needed during future incidents.

During the meeting, review:

- what happened and when
- how well the IR team performed
- whether documented procedures were followed
- whether those procedures were adequate
- what information was missing when it was needed
- what actions slowed recovery
- what could be done differently
- what can be done to prevent future incidents
- what precursors or indicators can be looked for in the future

Document the important points made during the meeting, assign action items, and follow up with an email record to those who could not attend.

The results of these meetings can become an important training tool for new hires. They can also be used to update policies and procedures and create institutional knowledge that can be useful during future incidents.