Since I’m currently studying for my SANS SEC504 course, I’ve decided to make a post about the Incident Handling part of it.
So what exactly is Incident Handling all about?
It is the action, or plan that you will take to deal with an incident that took place.
Examples of Incidents:
- Computer Systems Infection/ being compromised
- Denial of Service
- Basically any events that occurred which causes potential damage or harm.
The six incident handling steps are Preparation, Identification, Containment, Eradication, Recovery and finally, Lessons Learned.
What is preparation all about? The main goal of this step is to get everything ready to handle an incident. Main focus on what to prepare:
- The right people
- Emergency Communication Plan
- Tools (Hardware/Software
So, where does the detection that leads to Identification come from? Mostly from people notifying you, or from firewalls and intrusion detection systems. You can also spot an incident from logs, which is why they are important. The main places which you should look at are:
- Processes, services, scheduled tasks
- Network usage rate
Always remember that you must know what is the norm of an organisation in order to effectively and efficiently detect the anomaly.
After you successfully identify an incident, you will proceed to contain it. As obvious as it sounds, containment is all about preventing the incident from worsening. Containment should include 3 sub-phases. The short-term containment(1), to quickly contain the incident while you create forensics image/back-up for analysis (2), and finally you can deploy the long-term containment(3).
Containment is to allow production to carry on, while you continue to build a clean system during eradication phase.
This is my favorite step out of the six. In this step, you will attempt to get rid of everything which caused the incident in the first place. You will also try to trace the incident back and also investigate how the incident happened. Interesting!
The BEST way for a complete eradication is to wipe the drive, reformat and rebuild the system from the original. This will prevent any re-infection. So what is next?
You will then improve your defense! You deserve to get attacked again if the same trick works twice. True?
Following which you should then do a vulnerability analysis to check for flaws on the systems. This method will ensure that all the neighboring systems does not have the same security flaws that caused the incident.
After eradication you will move on to recovery. In this phase, you will proceed to put the impacted systems back into production! Simple.
You must remember to always validate the system, ask for test plans and baseline documentation. Make sure that everything is working properly before you leave. Get a sign off from the respective management. Cover your own a$$.
Don’t forget to continue monitoring and conduct regular follow-ups!
Lessons Learned Overview
Nice, now you are at your final phase. Lessons Learned phase should consist of 2 parts: Report and Meeting
Lessons Learned Report:
- Start as soon as possible
- Document everything
- Have everyone that is involved to sign off
Lessons Learned Meeting:
- As soon as practical
- Review the report together
- Finalize Executive Summary
- Areas for improvement
Now that I’ve covered the main concept of Incident Handling, does it interest you? If it does, you should probably check out the SANS SEC504 GCIH course for more information! The course also covers interesting topics such as Hacker tools, techniques and exploits. You will be able to perform Reconnaissance, Scanning, Exploitation to gain access, Maintain the access, and also Covering your Tracks! No more being a script kiddie. Hacking 101.
Please note that the information that I’ve covered above is very brief! You should conduct your own research or reading if you are interested in the various topics