Key Takeaways
- Preparation decides most of the outcome: the team, plan, contacts, logging and baselines have to exist before the incident
- Contain early to stop the bleeding, but capture volatile evidence (memory, active connections) before you power off or rebuild
- Document everything, for legal defensibility and for the lessons-learned review
- Average time to identify a breach: about 200 days (IBM Cost of a Data Breach: 197 days in 2018, 204 days in 2023)
1. Incident Response Fundamentals
Incident Response (IR) is the organized approach to addressing and managing security breaches or cyberattacks. The goal is to handle the situation in a way that limits damage, reduces recovery time and costs, and prevents future incidents.
The Cost of Poor IR
- Average cost of a data breach: $4.45 million (IBM, 2023)
- Breaches identified and contained in under 200 days cost about $1M less than those that take longer (IBM, 2023)
- Organizations with an IR team and a regularly tested IR plan save $2.66M on average (IBM, 2022)
2. NIST Incident Response Framework
The phases come from NIST SP 800-61 (Computer Security Incident Handling Guide). They form a cycle rather than a straight line: analysis and containment feed each other as the scope of the incident becomes clearer, and the post-incident review feeds the next round of preparation.
1. Preparation: build capabilities before incidents occur
2. Detection & Analysis: identify and investigate the incident
3. Containment, Eradication & Recovery: stop, remove, and restore
4. Post-Incident Activity: learn and improve
3. Preparation Phase
Essential Preparations
- IR Team: Defined roles, contact info, escalation paths
- IR Plan: Documented procedures for common incident types
- Communication Plan: Internal, legal, PR, regulatory contacts
- Tools Ready: Forensic toolkits, jump bags, backup systems
- Logging: Centralized logging with adequate retention
- Baselines: Know what "normal" looks like
# Jump Bag Essentials (Physical IR Kit)
- Forensic laptop with write blockers
- USB drives with forensic tools
- Network cables and adapters
- External hard drives
- Faraday bags (for mobile devices)
- Documentation forms
- Chain of custody forms
4. Detection & Analysis
Common Detection Sources
- SIEM alerts: Splunk, Elastic, Sentinel
- EDR alerts: CrowdStrike, SentinelOne, Defender
- IDS/IPS and network monitoring: Snort, Suricata, Zeek
- User reports: Phishing emails, suspicious activity
- External notification: Law enforcement, security researchers
Initial Triage
# Key questions to answer:
# 1. What type of incident is this?
# 2. What systems are affected?
# 3. Is it ongoing or past?
# 4. What's the potential impact?
# 5. Who needs to be notified?
# Severity classification:
# Critical: Active data exfiltration, ransomware executing
# High: Confirmed compromise, lateral movement detected
# Medium: Suspected compromise, anomalous behavior
# Low: Policy violation, minor malware
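The questions above are answered from the detection sources, not from the alert alone. As an added example (not code from the original article), the script below runs a first triage pass over constructed sshd lines in /var/log/auth.log format: it spots brute-force bursts, escalates any burst that ends in a successful login, and maps each finding onto the severity scale above (failures alone are anomalous behaviour, Medium; failures followed by a successful login from the same address are a confirmed compromise, High). The hosts, users, addresses and timestamps are made up, and the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in /var/log/auth.log format (hosts, users and IPs are made up):
# 198.51.100.7 fails six times and then gets in as root, 203.0.113.9 fails five
# times and gives up, and 10.0.0.5 is an ordinary key-based login.
SAMPLE_AUTH_LOG = """\
Mar  4 10:00:01 web01 sshd[4101]: Failed password for root from 198.51.100.7 port 50211 ssh2
Mar  4 10:00:03 web01 sshd[4102]: Failed password for root from 198.51.100.7 port 50212 ssh2
Mar  4 10:00:05 web01 sshd[4103]: Failed password for invalid user admin from 198.51.100.7 port 50213 ssh2
Mar  4 10:00:07 web01 sshd[4104]: Failed password for root from 198.51.100.7 port 50214 ssh2
Mar  4 10:00:09 web01 sshd[4105]: Failed password for root from 198.51.100.7 port 50215 ssh2
Mar  4 10:00:11 web01 sshd[4106]: Failed password for root from 198.51.100.7 port 50216 ssh2
Mar  4 10:00:14 web01 sshd[4107]: Accepted password for root from 198.51.100.7 port 50217 ssh2
Mar  4 10:02:00 web01 sshd[4120]: Failed password for backup from 203.0.113.9 port 41000 ssh2
Mar  4 10:02:02 web01 sshd[4121]: Failed password for backup from 203.0.113.9 port 41001 ssh2
Mar  4 10:02:04 web01 sshd[4122]: Failed password for backup from 203.0.113.9 port 41002 ssh2
Mar  4 10:02:06 web01 sshd[4123]: Failed password for backup from 203.0.113.9 port 41003 ssh2
Mar  4 10:02:08 web01 sshd[4124]: Failed password for backup from 203.0.113.9 port 41004 ssh2
Mar  4 10:05:00 web01 sshd[4130]: Accepted publickey for deploy from 10.0.0.5 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text, year=2024):
    """Yield (timestamp, host, result, user, ip) for each sshd login attempt.
    syslog lines carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # disconnects, PAM chatter and other non-auth lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["result"], m["user"], m["ip"]


def triage(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for every source that reaches `threshold` failed
    logins inside `window` (threshold and window are assumed values)."""
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    findings = {}
    for ts, host, result, user, ip in parse(log_text):
        recent[ip] = [t for t in recent[ip] if ts - t <= window]
        if result == "Failed":
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                f = findings.setdefault(ip, {"host": host, "severity": "Medium",
                                             "first_seen": recent[ip][0]})
                f["failures"] = len(recent[ip])
        elif ip in findings:
            # The brute-forcer got in: escalate and record the account they now hold.
            findings[ip].update(severity="High", user=user, success_at=ts)
    return findings


def report(findings):
    """One line per finding, worst first, in the shape an analyst pastes into the ticket."""
    order = {"High": 0, "Medium": 1}
    lines = []
    for ip, f in sorted(findings.items(), key=lambda kv: order[kv[1]["severity"]]):
        line = (f"{f['severity']:6} {ip:15} {f['failures']} failures on {f['host']} "
                f"from {f['first_seen']:%H:%M:%S}")
        if "user" in f:
            line += f"; login succeeded as {f['user']} at {f['success_at']:%H:%M:%S}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_AUTH_LOG))))
```

The High finding answers three of the triage questions at once (type: credential brute force, system: web01, ongoing: yes, the attacker holds root right now) and is what should drive the containment step; the Medium finding is a lead for the analyst, not yet an incident.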
5. Containment Strategies
Short-term Containment
# Network isolation (prefer your EDR's network-contain feature where you have it:
# it cuts the host off but keeps the agent channel open for evidence collection)
# - Disable switch port
# - Move to quarantine VLAN
# - Block at firewall
# Windows: disable network adapter (this also drops your own remote session)
netsh interface set interface "Ethernet" admin=disabled
# Block C2 at the Linux host firewall. Insert at the top of the chain (-I) so an
# earlier ACCEPT rule cannot match first; an OUTPUT rule only covers this host,
# so block the same address at the egress firewall for the rest of the estate
iptables -I OUTPUT -d <malicious-ip> -j DROP
# Disable compromised account (add /domain for an AD account)
net user compromised_user /active:no
# Entra ID (formerly Azure AD). Set-AzureADUser is from the deprecated AzureAD
# module; the Microsoft Graph PowerShell equivalent follows it
Set-AzureADUser -ObjectId USER_ID -AccountEnabled $false
Update-MgUser -UserId USER_ID -AccountEnabled:$false
# Disabling the account does not invalidate tokens already issued: also revoke the
# user's sign-in sessions (Revoke-MgUserSignInSession) so refresh tokens stop
# working; access tokens already in hand stay valid until they expire (about an hour)
Long-term Containment
# Patch vulnerable systems
# Rebuild compromised systems from known-good images
# Change all potentially compromised credentials (service accounts, API keys and
# stored secrets included, not just user passwords)
# Implement additional monitoring
# Password reset (all users after a major breach); -Reset prompts for the new password
Set-ADAccountPassword -Identity USER -Reset
# Force password change at next logon
Set-ADUser -Identity USER -ChangePasswordAtLogon $true
# If domain admin credentials or a domain controller may have been compromised,
# reset the krbtgt account password twice, letting replication and the maximum
# ticket lifetime (10 hours by default) pass between the two resets, so forged
# Kerberos tickets (golden tickets) stop validating
6. Eradication & Recovery
Eradication Steps
- Remove malware from all affected systems
- Close attack vectors (patch, firewall rules)
- Remove persistence mechanisms
- Verify eradication across all systems
Recovery
# Recovery priority order:
# 1. Critical business systems
# 2. Authentication systems (AD, SSO)
# 3. Communication systems (email)
# 4. Other business systems
# 5. User workstations
# Restore from clean backups
# Rebuild if backup integrity uncertain
# Enhanced monitoring during recovery
# Phased return to production
7. Digital Forensics Basics
Evidence Collection
# Memory acquisition first, on the live system (volatile data is gone after shutdown)
winpmem_mini_x64.exe memory.raw
# Disk imaging: keep reading past bad sectors, pad them so offsets stay aligned,
# and show progress. Image through a write blocker or from boot media so the
# evidence disk is never mounted read-write
dd if=/dev/sda of=/mnt/evidence/disk.img bs=4M conv=noerror,sync status=progress
# Hash the image immediately and record the digest on the chain-of-custody form
sha256sum /mnt/evidence/disk.img > /mnt/evidence/disk.img.sha256
# Or use FTK Imager on Windows (it hashes the image for you)
# Network traffic capture: run it from a SPAN/mirror port or tap, not on the
# compromised host, and keep the pcap off the suspect machine
tcpdump -i eth0 -w capture.pcap
# Log collection
# Windows Event Logs: Security, System, Application
# Linux: /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL), /var/log/syslog or journalctl
# Web server logs, firewall logs, proxy logs
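Every item collected above needs a hash taken at acquisition time and a chain-of-custody entry, or its integrity cannot be defended later. The script below is an added example, not code from the original article: it hashes an evidence file in chunks (so a multi-terabyte image never has to fit in memory), appends a custody entry to an append-only JSON-lines manifest, and re-verifies the file against that manifest, detecting a single changed byte or a file that was never recorded. The "image" it creates, the case number and the analyst name are constructed stand-ins; in practice the file is the dd or FTK Imager output.

```python
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 4 * 1024 * 1024  # hash 4 MiB at a time; images are far larger than RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_evidence(path, case_id, collector, description, manifest_path):
    """Hash the evidence file and append a custody entry to the JSON-lines
    manifest. The manifest is append-only: earlier entries are never rewritten."""
    entry = {
        "case_id": case_id,
        "item": Path(path).name,
        "description": description,
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collection_host": socket.gethostname(),
    }
    with open(manifest_path, "a", encoding="utf-8") as mf:
        mf.write(json.dumps(entry) + "\n")
    return entry


def verify_evidence(path, manifest_path):
    """Re-hash `path` and compare with the manifest. Returns
    (ok, recorded_sha256, current_sha256); ok is False when the file changed
    since collection or was never recorded."""
    name = Path(path).name
    recorded = None
    with open(manifest_path, encoding="utf-8") as mf:
        for line in mf:
            entry = json.loads(line)
            if entry["item"] == name:
                recorded = entry["sha256"]  # latest entry for the item wins
    if recorded is None:
        return False, None, None
    current = sha256_file(path)
    return current == recorded, recorded, current


def demo(workdir=None):
    """Record a constructed stand-in 'image', verify it, flip one byte and verify
    again, then verify a file that was never recorded."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="ir-evidence-"))
    image = workdir / "disk.img"
    manifest = workdir / "manifest.jsonl"
    image.write_bytes(b"\x55\xaa" * 4096)  # constructed stand-in for dd / FTK Imager output
    record_evidence(image, "IR-2024-0042", "analyst", "dd image of /dev/sda from web01", manifest)
    intact = verify_evidence(image, manifest)[0]
    with open(image, "r+b") as fh:  # simulate one byte changed after acquisition
        fh.seek(100)
        fh.write(b"\x00")
    tampered = verify_evidence(image, manifest)[0]
    stray = workdir / "notes.txt"
    stray.write_text("not in manifest", encoding="utf-8")
    unrecorded = verify_evidence(stray, manifest)[0]
    return {"intact": intact, "after_tamper": tampered, "unrecorded": unrecorded}


if __name__ == "__main__":
    print(demo())
```

Keep the manifest on separate media from the evidence it describes and hash the manifest itself when it is handed over; a custody record that travels with the evidence and can be edited in place proves nothing.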
Analysis Tools
- Volatility: Memory forensics
- Autopsy: Disk forensics
- Wireshark: Network analysis
- Timeline Explorer: Timeline analysis
- KAPE: Evidence collection
8. IR Playbooks
Ransomware Playbook
# IMMEDIATE ACTIONS (First 30 minutes)
1. Isolate affected systems from the network (pull the cable or EDR-contain; do not power off, the running sample and possibly its keys are in memory)
2. Identify the ransomware variant (ransom note wording, encrypted-file extension)
3. Check for available decryptors (NoMoreRansom.org)
4. Preserve evidence (memory dump before shutdown)
5. Notify the IR lead and management
# DO NOT:
- Pay the ransom without legal and law-enforcement guidance (it funds the operators, payment to a sanctioned group can itself be illegal, and a working decryptor is not guaranteed)
- Negotiate without legal/FBI guidance
- Wipe or reimage systems before they have been imaged (destroys evidence)
- Restore from backups until you have confirmed they predate the intrusion and are clean (attackers are often in the network for weeks before encrypting)
Phishing Playbook
# If user clicked link:
1. Isolate the user's system
2. Establish what was entered on the page (credentials, MFA code, nothing)
3. Reset the affected passwords immediately and revoke active sessions and tokens; a reset alone does not log the attacker out
4. Check the system for malware (a credential-harvesting page can also drop a payload)
5. Review the user's recent mailbox activity: new inbox rules, forwarding, sent items, consented OAuth apps
# If user opened attachment:
1. Isolate the system immediately
2. Memory and disk acquisition
3. Scan for indicators of compromise (file hashes, C2 addresses, dropped files)
4. Check for lateral movement from the host
5. Block the attachment hash and sender at the email gateway and search all mailboxes for the same message
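Both branches start with the reported message itself. As an added example (not from the original article), the script below does the first-pass header triage with the standard library: it parses a constructed .eml, compares the visible From domain with the envelope Return-Path, reads the receiving gateway's Authentication-Results verdicts for SPF, DKIM and DMARC, and pulls the links out of the body so they can be checked and blocked. Every address, host and URL in the sample is invented for the demonstration, and the checks are a starting point, not a complete detector.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed report as it would arrive from the mail gateway; every address,
# host and URL here is invented for the demonstration.
SAMPLE_EML = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.23])
    by mx.corp.example (Postfix) with ESMTPS id 1A2B3C
    for <alice@corp.example>; Mon, 4 Mar 2024 09:12:44 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net;
    dkim=none; dmarc=fail header.from=corp.example
From: "IT Helpdesk" <helpdesk@corp.example>
To: alice@corp.example
Subject: Action required: password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Re-validate at
https://corp-example-sso.login-portal.example.org/verify?u=alice
or the account will be locked.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def domain_of(header_value):
    """'"IT Helpdesk" <helpdesk@corp.example>' -> 'corp.example'."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate the text parts (plain and HTML) of a message, decoded."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    texts = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts)


def triage_email(raw_eml):
    msg = message_from_string(raw_eml)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    auth = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))
    urls = URL_RE.findall(body_text(msg))
    findings = []
    # 1. Display From vs. envelope sender: spoofed mail usually disagrees.
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"From domain {from_domain} differs from envelope sender {envelope_domain}")
    # 2. What the receiving gateway concluded about SPF/DKIM/DMARC.
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "missing") != "pass":
            findings.append(f"{mech}={auth.get(mech, 'missing')}")
    # 3. Links that lead somewhere other than the claimed sender's domain.
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host != from_domain and not host.endswith("." + from_domain):
            findings.append(f"link to {host} outside sender domain {from_domain}")
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "auth": auth,
        "urls": urls,
        "findings": findings,
        "verdict": "suspicious" if findings else "no header or link indicators",
    }


if __name__ == "__main__":
    result = triage_email(SAMPLE_EML)
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

The link host is the indicator to hand to the gateway and proxy teams; the From/envelope mismatch and the DMARC failure are what justify searching every mailbox for the same sender and subject rather than treating it as a one-off.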
FAQ
Should we involve law enforcement?
For significant breaches, yes. FBI Cyber Division, CISA, and local law enforcement can provide resources and intelligence. They won't "take over" your investigation unless requested.
How long should we retain logs?
Minimum 90 days for security logs, ideally 1 year or more: with breaches taking around 200 days on average to identify, 90 days often does not reach back to the initial intrusion. Some regulations set specific periods; PCI DSS requires at least 12 months of audit log history, with the most recent three months immediately available. More retained logs mean a more complete investigation.