In the field of information security, one of the most important factors is speed: every case must be responded to quickly. That’s where Incident Response, or IR, comes in.
Yes! Your system has been Breached, Attacked, Hacked or whatever name you want to give it.
What would you do in such a case?
That happens! And for that reason we have SOC (Security Operations Center) and IR teams. These teams function as the front line of defense for our systems, from both sides of the “wall”. To learn about SOC, click this link.
Usually, the IR and SOC functions are combined into one team called SOC/CIRT, where CIRT is short for Computer Incident Response Team.
Incident Response (IR in short) describes the process in which this team has to respond to attacks against the organization’s assets and systems. Unlike the SOC teams in the organization, the IR team has a slightly different role. While the SOC team is responsible for active and ongoing monitoring of the systems, the work of the IR team will come at a different, later stage.
Incident Response is a structured and organized approach to the correct and efficient handling and management of cyber attacks by a team of information security and cyber experts. Such attacks include hacking into databases, information leaks, ransomware (extortion) and other cyber risks.
TL;DR SOC – For Prevention. IR – For the Response after or during the Incident.
A person working in an Incident Response team should be an expert in:
- Management perspective – finding solutions to restore the organization, fully or partially, to its work routine, from both a management and an operational point of view.
- Experience in the field of information security – since the job involves handling cyber attacks, experience in performing information security and cyber investigations lets the responder bring practical knowledge to handling and managing these incidents.
- In-depth knowledge of regulation, IT infrastructure and information systems – each organization has different interfaces to different software, servers and third-party providers. Familiarity with diverse system configurations, and with regulatory requirements and legal sensitivities, significantly shortens the time needed to handle an information security incident. This also reduces exposure to risk in the short and long term.
There are three critical foundations on which the Incident Response team’s activity is based:
- Cooperation with the response team – connecting the response team to trusted personnel holding the relevant key positions, who have been instructed to be transparent and to cooperate with the team. That is essential for analyzing the situation and reducing downtime and the associated damage. The relevant key positions will usually be the CEO, the Technology Manager (CTO), the company’s public relations office (if there is one), etc. Collaboration is the key to success!
- Regulation – is there a reporting obligation in the event of a cyber attack or information leak? Examine the regulation to which the attacked company is subject and the requirements arising from it:
  - Is the company private or public?
  - Where is the company’s HQ? Is it subject to particular government regulations and laws?
  - Is the company subject to international information security and privacy protection standards, such as the European Union’s GDPR, or to American regulations that require reporting of cyber incidents and information leaks, such as HIPAA for an organization that holds medical information, and so on?
- Identification, isolation, containment, neutralization, evidence preservation, sealing and returning to “normal” – after quickly understanding the structure of the organization, its information systems, the sensitivity of the information and the nature of the attack, and while building interfaces with the relevant people in the organization and with the suppliers involved in the event, treatment of the attack begins. It starts with a quick investigation, carefully documenting and gathering evidence about the sources of the security breach, and continues until the affected areas are isolated and the attack is stopped. The options for returning the organization to normal operation as quickly as possible are examined at the same time.
But Wait…
Let’s go back and emphasize that one of the most important things is documentation. Since the incident has already happened, it is important to retrieve all the important facts and understand how it could have been prevented. Also, with a deep understanding of exactly what happened, we will know how to recover.
A very important part of the role of the Incident Response team is to submit a report. This report will cover all stages of the response process:
- Detection
- First Response (“Arriving at the Scene”)
- Analysis
- Assessment
- Forensics
- Malware Analysis / Reverse Engineering (at this point we try to recreate the attack and thus learn what we are dealing with)
- Containment
- Eradication
- Recovery
- Conclusions
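The documentation and evidence-preservation steps above are only useful if the evidence can later be shown to be unaltered. The following added example (not code from the original post) keeps a tamper-evident chain-of-custody ledger: each collected item is hashed, tagged with the response stage, and chained to the previous record. The evidence bytes, host name and analyst name are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence (not real data); in practice these would be the
# bytes of a collected log file, disk image or memory dump.
SAMPLE_EVIDENCE = {
    "web01-access.log": b'10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /admin HTTP/1.1" 401\n',
    "web01-memdump.raw": b"\x00" * 64,
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def add_evidence(ledger, name, data, collector, stage, when=None):
    """Append one chain-of-custody record; each record commits to the previous one."""
    prev = ledger[-1]["record_hash"] if ledger else "0" * 64
    record = {
        "item": name,
        "sha256": sha256_hex(data),
        "size": len(data),
        "collected_by": collector,
        "stage": stage,
        "collected_at": (when or datetime.now(timezone.utc)).isoformat(),
        "prev_record_hash": prev,
    }
    # Canonical JSON (sorted keys) so the same record always hashes identically.
    record["record_hash"] = sha256_hex(json.dumps(record, sort_keys=True).encode())
    ledger.append(record)
    return record

def verify_ledger(ledger) -> bool:
    """True only if every record matches its hash and chains to its predecessor."""
    prev = "0" * 64
    for rec in ledger:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["prev_record_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True

def build_sample_ledger():
    """Record the constructed evidence items at the stages where they were collected."""
    ledger = []
    t = datetime(2024, 1, 1, 10, 5, tzinfo=timezone.utc)
    add_evidence(ledger, "web01-access.log", SAMPLE_EVIDENCE["web01-access.log"], "analyst-1", "First Response", t)
    add_evidence(ledger, "web01-memdump.raw", SAMPLE_EVIDENCE["web01-memdump.raw"], "analyst-1", "Forensics", t)
    return ledger
```

Any later edit to a stored hash, stage or timestamp breaks the chain, so `verify_ledger` returning False tells the report writer that the record can no longer be trusted as collected.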
There are many ways we can handle attacks, but the best one is through Prevention.
If you know what your weaknesses are, you are always prepared. One way to find them is by performing a scan of your web assets (if you have any). A very good tool for doing this is the Kayran Web Application Scanner.
Stay safe, choose Kayran.