UNIT-1

Incident Response Process

[Link] Detection and Identification: This is the first step in the incident
response process. It involves identifying and classifying the incident. This can be
done through a variety of methods, such as monitoring logs, intrusion detection
systems, and user reports.
2. Initial Response: Once an incident has been detected, the next step is to take
immediate action to contain the damage and prevent the incident from spreading.
This may involve isolating infected systems, shutting down services, and
implementing emergency procedures.
3. Incident Investigation: This step involves gathering and analyzing evidence to
determine the cause of the incident, the extent of the damage, and the
responsible parties.
4. Incident Containment: This step involves taking steps to stop the incident and
prevent it from happening again. This may involve patching vulnerabilities,
updating software, and implementing security controls.
5. Incident Eradication: This step involves removing any remaining traces of the
incident from the affected systems. This may involve deleting infected files,
restoring systems from backups, and reimaging systems.
6. Incident Recovery: This step involves restoring the affected systems to their
normal state and resuming operations. This may involve restoring data from
backups, reconfiguring systems, and retraining staff.
7. Incident Lessons Learned: This step involves reviewing the incident and
identifying lessons learned that can be used to prevent future incidents. This may
involve documenting the incident, conducting a root cause analysis, and
implementing new security controls.

Computer Security Incident

A computer security incident is any event that negatively impacts the confidentiality,
integrity, or availability of an organization's information systems. This can include a
wide range of activities, such as:

● Unauthorized access: Gaining access to systems or data without proper

authorization. This can be done through various methods, such as brute
force attacks, social engineering, or exploiting vulnerabilities.
● Data breaches: Unauthorized disclosure of sensitive or confidential
information. This can lead to financial loss, reputational damage, and legal
consequences.
● Malware attacks: Introducing malicious software into systems to steal data,
disrupt operations, or gain control. This can include viruses, worms, trojans,
ransomware, and spyware.
 ● Phishing scams: Deceiving individuals into revealing sensitive information by
pretending to be a trusted entity. This can be done through emails, phone
calls, or other means.
● Denial-of-service (DoS) attacks: Overwhelming a system or network with
traffic to prevent legitimate users from accessing it. This can disrupt
operations and cause financial loss.
● Social engineering attacks: Manipulating individuals into performing actions
that benefit the attacker. This can include tricking employees into revealing
passwords or clicking on malicious links.
● Insider threats: Malicious actions by authorized users, such as employees,
contractors, or partners. This can include theft of data, sabotage, or
unauthorized access.
● Supply chain attacks: Targeting third-party vendors or suppliers to gain
access to an organization's systems or data. This can be done through
compromised software, hardware, or services.

Computer security incidents can have a variety of consequences, including:

● Financial loss: Costs associated with remediation, recovery, and legal

expenses.
● Reputational damage: Loss of trust and credibility among customers,
partners, and investors.
● Legal consequences: Fines, penalties, and lawsuits.
● Disruption of operations: Interruption of business processes and services.
● Loss of productivity: Time and resources spent on incident response and
recovery.

Goals of Incident Response

The primary goals of incident response are to:

● Contain the damage: Prevent the incident from spreading and causing
further harm. This involves isolating affected systems, shutting down
services, and implementing emergency procedures.
● Investigate the incident: Determine the cause of the incident, the extent of
the damage, and the responsible parties. This involves gathering evidence,
analyzing logs, and interviewing witnesses.
● Eradicate the threat: Remove any remaining traces of the incident from the
affected systems. This may involve deleting infected files, restoring systems
from backups, and reimaging systems.
● Recover from the incident: Restore the affected systems to their normal
state and resume operations. This may involve restoring data from backups,
reconfiguring systems, and retraining staff.
● Prevent future incidents: Learn from the incident and implement new
security controls to prevent similar incidents from happening again. This
 involves conducting a post-mortem analysis, identifying root causes, and
updating the incident response plan.

Who is Involved in Incident Response

The specific individuals involved in incident response can vary depending on the
size and complexity of the organization, but typically include:

● Incident response team (IRT): A dedicated group of individuals responsible

for coordinating and executing incident response activities. This team may
include:
o Security analysts: Responsible for monitoring systems and networks
for anomalies, detecting incidents, and analyzing evidence.
o System administrators: Responsible for managing and maintaining the
organization's information systems.
o Network engineers: Responsible for designing, implementing, and
maintaining the organization's network infrastructure.
o Forensics experts: Responsible for collecting, preserving, and
analyzing digital evidence.
o Legal counsel: Responsible for providing legal advice and guidance on
incident response matters.
o Public relations: Responsible for communicating with the public and
media about the incident.
● Other stakeholders: Individuals who may be involved in incident response
activities, such as:
o Management: Responsible for providing overall direction and support.
o IT staff: Responsible for technical support and assistance.
o End-users: Responsible for reporting incidents and following incident
response procedures.
o Law enforcement: May be involved in investigating criminal activities
related to the incident.
o Insurance providers: May be involved in assessing damages and
providing coverage.

Incidence Response Methodology

There are a number of different incident response methodologies, but they all
generally follow the same basic steps:

1. Preparation: This step involves developing an incident response plan, training

staff, and implementing security controls.
2. Detection and Identification: This step involves identifying and classifying
incidents.
3. Initial Response: This step involves taking immediate action to contain the
damage and prevent the incident from spreading.
4. Incident Investigation: This step involves gathering and analyzing evidence to
determine the cause of the incident, the extent of the damage, and the
responsible parties.
5. Incident Containment: This step involves taking steps to stop the incident and
prevent it from happening again.
6. Incident Eradication: This step involves removing any remaining traces of the
incident from the affected systems.
7. Incident Recovery: This step involves restoring the affected systems to their
normal state and resuming operations.
8. Incident Lessons Learned: This step involves reviewing the incident and
identifying lessons learned that can be used to prevent future incidents.

Pre Incident Preparation

Pre-incident preparation is a critical step in the incident response process. It

involves planning, training, and implementing security controls to ensure that the
organization is prepared to respond effectively to security incidents.

Here are some key activities that should be included in pre-incident preparation:

● Develop an incident response plan: This plan should outline the steps that
will be taken in the event of a security incident. It should include procedures
for detecting, containing, investigating, eradicating, and recovering from
incidents.
● Train staff: All staff members should be trained on the incident response
plan and their roles and responsibilities. This training should cover topics
such as how to identify and report suspicious activity, how to follow incident
response procedures, and how to communicate effectively with the incident
response team.
● Conduct tabletop exercises: Tabletop exercises are simulations of security
incidents that can be used to test the incident response plan and identify
areas for improvement. These exercises can be conducted internally or with
external consultants.
● Implement security controls: Security controls are measures that can be
taken to reduce the risk of security incidents. These controls may include
firewalls, intrusion detection systems, encryption, access controls, and
security awareness training.
● Establish communication channels: It is important to have clear
communication channels in place so that the incident response team can
communicate effectively with each other and with other stakeholders. This
may involve establishing a dedicated incident response hotline or using a
collaboration tool such as Slack or Teams.

Detection of Incidents
Detecting security incidents is a critical component of a comprehensive incident
response program. Early detection can help to minimize the damage caused by an
incident and improve the chances of a successful recovery.

There are a variety of methods that can be used to detect security incidents,
including:

● Monitoring logs and alerts: Logs and alerts can provide valuable information
about system activity and can be used to identify suspicious or anomalous
behavior. Organizations should implement a robust logging and monitoring
strategy, and staff should be trained on how to interpret and respond to
alerts.
● Using intrusion detection systems (IDS): IDS can be used to detect
malicious activity on networks and systems. IDS can be either
network-based or host-based, and they can be configured to detect a
variety of threats, such as unauthorized access, malware, and
denial-of-service attacks.
● Implementing security awareness training: Security awareness training can
help to educate employees about the risks of security incidents and how to
prevent them. Employees should be trained on how to identify and report
suspicious activity, and they should be encouraged to be vigilant and report
any unusual activity that they observe.
● Encouraging employees to report suspicious activity: Employees should be
encouraged to report any suspicious activity that they observe, regardless of
how small or insignificant it may seem. This includes suspicious emails,
unusual system behavior, or unauthorized access attempts. Organizations
should create a safe and supportive environment where employees feel
comfortable reporting incidents without fear of retaliation.

Initial Response

The initial response to a security incident is critical in mitigating its impact and
preventing further damage. Here's a breakdown of the key steps:

1. Detection:

● Monitoring systems: Implement tools to continuously monitor networks,

systems, and applications for unusual activity or anomalies.
● Alerting mechanisms: Set up alerts to notify relevant personnel of potential
incidents.
● Regular reviews: Conduct periodic security reviews to identify vulnerabilities
and potential threats.

2. Containment:
 ● Isolate affected systems: Quickly isolate compromised systems to prevent
the spread of malware or unauthorized access.
● Disable network access: Cut off network connectivity to the affected
systems to contain the breach.
● Implement temporary measures: Employ temporary security measures,
such as disabling unnecessary services, to mitigate risks.

3. Notification:

● Internal communication: Notify relevant stakeholders within the organization,

including management, IT staff, and legal counsel.
● External communication: Determine if external parties, such as law
enforcement or customers, need to be informed.
● Follow communication plan: Adhere to the organization's incident response
communication plan to ensure consistent messaging.

4. Evidence preservation:

● Secure evidence: Collect and preserve digital evidence to support

investigations and legal proceedings.
● Use forensic tools: Employ specialized forensic tools to capture and analyze
data from affected systems.
● Chain of custody: Maintain a chain of custody for all collected evidence to
ensure its integrity.

Formulate a Response Strategy

Once the initial response is underway, it's essential to develop a comprehensive

response strategy. This involves:

1. Incident assessment:

● Determine scope and severity: Assess the extent of the incident, including
the systems affected, data compromised, and potential impact on business
operations.
● Identify root cause: Investigate the underlying cause of the incident to
prevent recurrence.
● Evaluate risks: Evaluate the potential risks associated with the incident, such
as financial loss, reputational damage, and legal liabilities.

2. Develop response plan:

● Leverage incident response plan: Refer to the organization's pre-existing

incident response plan for guidance.
● Tailor to specific incident: Adapt the plan to address the unique
characteristics of the current incident.
 ● Assign roles and responsibilities: Clearly define the roles and responsibilities
of different teams and individuals involved in the response.

3. Communicate with stakeholders:

● Keep stakeholders informed: Regularly update stakeholders, including

management, employees, and external parties, on the progress of the
response.
● Provide transparency: Be transparent about the incident and its potential
consequences.
● Address concerns: Address any concerns or questions from stakeholders in
a timely and informative manner.

Investigate the Incident

A thorough investigation is crucial to understand the root cause of the incident,

identify vulnerabilities, and prevent future occurrences. Key steps include:

1. Forensic analysis:

● Examine digital evidence: Analyze collected evidence to identify the source

of the attack, the methods used, and the extent of the damage.
● Reconstruct timeline: Create a timeline of events to understand the
sequence of actions that led to the incident.
● Identify vulnerabilities: Determine any system vulnerabilities or weaknesses
that may have contributed to the incident.

2. Root cause analysis:

● Determine underlying causes: Identify the fundamental reasons for the

incident, beyond the immediate trigger.
● Analyze security controls: Evaluate the effectiveness of existing security
controls and identify areas for improvement.
● Assess risk factors: Assess external factors or threats that may have
contributed to the incident.

3. Document findings:

● Create detailed report: Prepare a comprehensive report summarizing the

investigation findings, including the root cause, impact, and
recommendations.
● Share with stakeholders: Share the report with relevant stakeholders to
inform decision-making and improve security measures.
Reporting and Resolution

1. Report to relevant authorities:

● Comply with regulations: Report the incident to any relevant regulatory

bodies or law enforcement agencies as required by law.
● Provide necessary information: Provide the authorities with all necessary
information and evidence to support their investigation.

2. Implement corrective measures:

● Address vulnerabilities: Implement security patches, updates, and

configuration changes to address identified vulnerabilities.
● Strengthen security controls: Enhance existing security measures to prevent
similar incidents in the future.
● Review incident response plan: Update the incident response plan based on
the lessons learned from the investigation.

3. Restore systems and data:

● Recover data: Restore data from backups or other recovery methods, if

possible.
● Rebuild systems: Rebuild affected systems and applications as necessary.
● Verify functionality: Test systems and applications to ensure they are
functioning properly.

4. Conduct post-incident review:

● Evaluate response effectiveness: Assess the effectiveness of the incident

response process and identify areas for improvement.
● Document lessons learned: Document key lessons learned from the
incident to inform future response efforts.
● Share best practices: Share best practices and recommendations with other
teams or organizations to enhance their security posture.

UNIT-2

Preparing Individual Hosts

● Patch management: Keep operating systems, applications, and firmware up-

to-date with the latest security patches to address known vulnerabilities. This
includes regularly scanning for updates and applying them promptly.
● Antivirus and antimalware: Install and regularly update antivirus and
antimalware software to detect and remove malicious threats. Choose
reputable security solutions and configure them to scan files, emails, and
web traffic for potential threats.
 ● Application hardening: Configure applications to use secure settings, disable
unnecessary features, and restrict access to sensitive data. This involves
reviewing application settings, removing default accounts, and disabling
unnecessary services.
● User account management: Implement strong password policies, enforce
multi-factor authentication, and regularly review user privileges. Require
users to create complex passwords, change them regularly, and avoid using
easily guessable information. Consider using multi-factor authentication
(MFA) to add an extra layer of security, such as requiring a code from a
mobile app or security token in addition to a password. Regularly review user
privileges and ensure that employees only have access to the information
and resources they need to perform their jobs.
● Data encryption: Encrypt sensitive data at rest and in transit to protect it
from unauthorized access. Use strong encryption algorithms and secure
protocols to protect data both when it's stored on devices and when it's
transmitted over networks. Consider using encryption at rest for files,
databases, and other sensitive data, and encryption in transit for network
communications.

Recording of Cryptographic Checksum of Critical Files

● Calculate checksums: Generate cryptographic checksums (e.g., MD5,

SHA-256) for critical files to verify their integrity. Use a reliable checksum
utility to calculate the checksums of important files, such as configuration
files, databases, and backups.
● Store checksums: Store the checksums in a secure location, separate from
the files themselves. This helps prevent tampering with the checksums
themselves. Consider using a secure hash function like SHA-256 to generate
the checksums and storing them in a protected location, such as a separate
server or cloud storage.
● Compare checksums: Periodically compare the stored checksums with the
checksums of the current files to detect any unauthorized modifications.
Regularly compare the stored checksums with the checksums of the current
files to identify any changes that may indicate unauthorized access or
tampering. This can help detect data breaches and other security incidents.

Enabling Secure Audit Logging

● Configure logging: Enable detailed logging on servers, network devices, and

applications to record system activities and security events. Configure
logging to capture relevant information, such as user actions, network traffic,
and system errors. This provides a valuable record of system activity that
can be used to investigate security incidents and identify potential threats.
● Centralize logs: Centralize logs in a secure location for analysis and
correlation. Centralizing logs makes it easier to analyze and correlate events
 across different systems and devices. Consider using a centralized log
management solution to collect and store logs from various sources.
● Protect logs: Implement measures to protect logs from tampering or
deletion, such as using tamper-evident storage or encryption. Protect logs
from unauthorized access and modification to ensure their integrity. This can
involve using encryption, access controls, and tamper-evident storage.

Building Up Your Hosts Defense

● Firewall configuration: Configure firewalls to block unauthorized network

traffic and allow only necessary connections. Implement rules to block
unwanted traffic and allow only authorized connections. Consider using a
stateful firewall that can track the state of connections and block suspicious
traffic.
● Intrusion detection systems (IDS): Deploy IDS to monitor network traffic for
suspicious activity and generate alerts. Use IDS to detect potential attacks
and generate alerts that can be investigated further. Consider using a
combination of network-based and host-based IDS to provide
comprehensive protection.
● Host-based intrusion prevention systems (HIPS): Use HIPS to detect and
block malicious activity on individual hosts. HIPS can provide an additional
layer of protection by monitoring activity on individual systems and blocking
malicious attempts. Consider using a HIPS solution that integrates with your
existing security tools.
● Security hardening: Implement security hardening techniques to reduce the
attack surface of individual hosts, such as disabling unnecessary services,
removing default accounts, and applying security patches. This involves
configuring systems to minimize the risk of exploitation. Consider using tools
like security configuration management tools to automate the hardening
process.

Preparing a Network

● Installing firewalls and IDS: Deploy firewalls at network boundaries and

internal network segments to control traffic flow and detect unauthorized
access. Use firewalls to filter traffic and prevent unauthorized access to your
network. Consider using a combination of hardware and software firewalls to
provide robust protection.
● User access control lists (ACLs): Implement ACLs to restrict network
access based on user identity, group membership, and IP address. Use ACLs
to control who can access different network resources. Consider using
granular ACLs to allow only necessary access.
● Establishing appropriate policies and procedures: Develop and implement
clear policies and procedures for network access, password management,
and incident response. Create policies and procedures that define
 acceptable network usage, password requirements, and incident response
procedures. Ensure that employees are aware of and follow these policies.
● Creating a response tool kit: Assemble a toolkit of essential tools and
resources for incident response, including forensic tools, network analysis
tools, and documentation templates. Prepare a toolkit of tools and resources
that can be used to investigate and respond to security incidents. This may
include forensic tools to analyze digital evidence, network analysis tools to
monitor network traffic, and documentation templates to document the
incident response process.

Establishing an Incident Response Team

● Identify team members: Select individuals with appropriate skills and

experience to form the incident response team. Choose team members with
expertise in security, IT operations, and other relevant areas. Consider
involving representatives from different departments to ensure a coordinated
response.
● Define roles and responsibilities: Clearly define the roles and responsibilities
of each team member. Assign specific roles and responsibilities to each
team member to ensure a clear division of labor and efficient response.
Consider creating a job aid or playbook that outlines the steps to be taken
during an incident.
● Develop response plan: Create a detailed incident response plan outlining
the steps to be taken in case of an incident. Develop a plan that outlines the
steps to be taken in case of a security incident, including containment,
investigation, and recovery. Regularly review and update the plan to ensure it
remains relevant and effective.
● Conduct training: Provide training to team members on incident response
procedures, forensic techniques, and relevant technologies. Train team
members on incident response procedures, forensic techniques, and
relevant technologies. Consider conducting regular training sessions to keep
team members up-to-date on the latest threats and best practices.

Incident Handling After Detection of an Incident

● Contain the incident: Isolate affected systems and prevent the spread of
malware or unauthorized access. Quickly isolate affected systems to prevent
further damage. This may involve disconnecting systems from the network
or disabling services.
● Collect evidence: Gather and preserve digital evidence to support the
investigation. Collect and preserve digital evidence that can be used to
investigate the incident. This may include system logs, network traffic, and
forensic images of affected systems.
● Analyze the incident: Conduct a thorough analysis to determine the root
cause and extent of the damage. Analyze the incident to understand how it
 happened and the impact it had. This may involve forensic analysis, network
traffic analysis, and interviews with affected users.
● Implement corrective measures: Take steps to address vulnerabilities and
prevent future incidents. Implement measures to address the root cause of
the incident and prevent similar incidents from happening in the future. This
may involve patching systems, updating security controls, and providing
employee training.
● Report the incident: Notify relevant authorities and stakeholders as required.
Report the incident to any relevant authorities, such as law enforcement or
regulatory bodies. Also, notify affected stakeholders, such as customers or
partners.
● Document the incident: Document the incident response process and
lessons learned for future reference. Document the incident response
process to capture key details and lessons learned. This can be used to
improve future response efforts and enhance the organization's overall
security posture.