Incident management

  • 📝 Process of identifying, prioritizing and resolving security incidents.
  • Goal: restore the system to normal and raise alerts to prevent further risk.
  • 📝 Steps (flexible, not a strict rule):
    1. Preparation for incident handling and response
      • You know how you'll handle an incident before it happens.
      • Policies, training, tools, guidelines...
    2. Detection and analysis
      • Conduct an in-depth analysis of what has happened: why, how, where, what
    3. Categorization and prioritization
    4. Notification
      • Notify the appropriate people: those who are affected and those who can act on it.
    5. Containment
      • Prevent the ongoing incident from causing more damage.
      • E.g. put the affected systems in quarantine, then figure out what to do
    6. Forensic investigation
      • What happened, and why?
    7. Eradication
      • Wipe out the threat completely
    8. Recovery
      • Restore the system to a working state
    9. Post-incident activities (lessons learnt)
      • Record what happened in a final review.
      • Discuss how to avoid it in the future.
  • 🤗 E.g. a developer at Dropbox miscoded an authentication function to always return true.
    • Anyone could log in as whichever user they wanted just by typing that user's e-mail.
    • They had a review policy, but no one paid attention.
    • They had protocols against major breaches.
    • They realized it was critical and brought down the service to prevent huge damage (containment)
    • Conducted an investigation to see what had happened and started the recovery process
    • It was recorded and documented for current and future employees

Emergency response plan

  • Helps companies address various emergency situations that could occur within the organization.
  • Should include whom to contact, how to act in an emergency, how to mitigate risk and what resources to use to minimize loss

Security information and event management (SIEM)

  • Real-time analysis of security alerts generated by network hardware and applications.
  • Helps the SOC perform its functions
  • 📝 Combines SIM and SEM
    • SIM (Security information management)
      • Long-term storage as well as analysis and reporting of log data.
    • SEM (Security event manager)
      • Real-time monitoring
      • Correlation of events
      • Notifications and console views.
  • E.g. Splunk is the most popular SIEM.

SIEM use-cases

  • Anomaly detection can help detect zero-days, misconfigurations and cyberwarfare
  • Automatic parsing, log normalization and categorization
  • Visualization to help with pattern detection
  • Detection of covert, malicious communications and encrypted channels.

SIEM components

  • Aggregation: Combining log data from different sources
  • Correlation: Using e.g. AI to bundle events that share common attributes
  • Alerting: Automated analysis of correlated events
  • Dashboards: Help to see anomalies
  • Compliance: Can gather compliance data to produce reports that adapt to existing processes
  • Retention: Critical in forensic investigations, as a network breach is very likely to be discovered long after it happens.
  • Forensic analysis: The ability to search across logs on different nodes and time periods based on specific criteria.

Security teams

Security Operations Center (SOC)

  • Centralized function within an organization
  • Continuously monitors and improves an organization's security posture
  • Prevents, detects, analyzes, and responds to cybersecurity incidents.
  • Uses a SIEM tool to perform its function

Security Incident Response Team (SIRT)

  • Also known as CSIRT (Computer Security Incident Response Team) or Computer Emergency Response Team (CERT)
  • Focuses on effective and quick incident response.
  • Develops and refines the incident response plan.
  • Typically receives threat intelligence from the SOC
  • 💡 The SIRT should first assess the effort required and the potential impact of the incident when beginning the investigation and response process.
  • There are also national CERTs such as US-CERT in the USA, CERT-SE in Sweden and TR-CERT in Turkey.

User Behavior Analytics (UBA)

  • Monitoring user behavior in an attempt to discover potential threats and attacks.
  • Once patterns are observed and a baseline of normal behavior is established, an admin can examine deviations from it.
  • E.g. monitoring employee behavior to detect insider threats
  • E.g. flagging login attempts based on location, monitoring access to privileged accounts.
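As an added illustration (not code from these notes or from any SIEM product) of the aggregation, normalization and correlation components described under SIEM, together with the UBA idea of a per-user baseline and deviations from it: a small Python correlation engine over two constructed log formats. The log formats, regexes, rule thresholds, baseline and sample lines are all assumptions made up for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two log formats normalized into one schema (SIEM aggregation + normalization).
# Patterns, field names and sample data are this example's own, not from any product.
SSH_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for (?P<user>\w+) from (?P<src>[\d.]+)$")
APP_RE = re.compile(r"^(?P<ts>\S+) app login user=(?P<user>\w+) result=(?P<outcome>ok|fail) src=(?P<src>[\d.]+)$")

def normalize(line):
    """Map a raw line from either source onto {ts, user, src, success}; None if unparsed."""
    for pat, ok in ((SSH_RE, "Accepted"), (APP_RE, "ok")):
        m = pat.match(line)
        if m:
            return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "user": m["user"],
                    "src": m["src"], "success": m["outcome"] == ok}
    return None

def correlate(events, baseline, max_fail=3, window=timedelta(minutes=5)):
    """brute_force_success: >= max_fail failures then a success from the same src within window.
    new_location (UBA): a success from a src not in the user's historical baseline."""
    alerts = []
    fails = defaultdict(list)  # (user, src) -> timestamps of failures since last success
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        if not e["success"]:
            fails[key].append(e["ts"])
            continue
        if sum(1 for t in fails[key] if e["ts"] - t <= window) >= max_fail:
            alerts.append(("brute_force_success", e["user"], e["src"]))
        if e["src"] not in baseline.get(e["user"], set()):
            alerts.append(("new_location", e["user"], e["src"]))
        fails[key].clear()
    return alerts

# Constructed sample input (documentation IP ranges), not real logs.
SAMPLE = """\
2024-03-01T08:00:01Z sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:03Z sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:05Z sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:07Z sshd: Accepted password for alice from 203.0.113.5
2024-03-01T09:00:00Z app login user=bob result=ok src=198.51.100.7
2024-03-01T09:30:00Z app login user=bob result=ok src=192.0.2.44
""".splitlines()
BASELINE = {"alice": {"10.0.0.8"}, "bob": {"198.51.100.7"}}  # constructed per-user history

def run(lines=SAMPLE, baseline=BASELINE):
    events = [ev for ev in map(normalize, lines) if ev]
    return correlate(events, baseline)
```

Calling `run()` on the sample yields one brute-force alert and two new-location alerts; in a real deployment the baseline would be learned from retained historical logs rather than hard-coded.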