welcome, earthling!

Navigate Your Journey
1. The Introduction
2. Arming & Aiming Your Incident Response Team
3. The Art of Triage: Types of Security Incidents
4. Incident Response Process & Procedures
5. Incident Response Training
6. Incident Response Tools

the Introduction

The fight to protect your company's data isn't for the faint of heart. As an embattled IT warrior, with more systems, apps, and users to support than ever before, keeping everything up and running is a battle in itself. When it comes to preventing the worst-case scenario from happening, you need all the help you can get, despite your super-hero status.

That's why we've developed this incident response guide. We've collected and curated decades of infosec war stories and intelligence — from across the galaxy — so that you're better armed in the fight against cybercrime. You'll have an insider's perspective on how to build an incident response plan and team, and what tools and training you can use to arm those team members.

what exactly is Incident Response?

We're not Wikipedia or Webster's, so if you're looking for a dictionary definition, this isn't the right place. But if a five-year-old asked us, we might just say incident response is sort of like a fire drill for the IT guy. When the worst-case scenario becomes reality, it's essential to have the right plan in place, the right people on the job, and the right tools and training to remain vigilant. And that's what reading this incident response guide can give you.

Preparation: Preparing users and IT to handle potential incidents in case they happen (and let's face it, we know they will)
Identification: Figuring out what we mean by a "security incident" (which events can we ignore vs. which we must act on right now?)
Containment: Isolating affected systems to prevent further damage (automated quarantines are our favorite)
Eradication: Finding and eliminating the root cause (removing affected systems from production)
Recovery: Permitting affected systems back into the production environment (and watching them closely)
Lessons Learned: Writing everything down and reviewing and analyzing with all team members so you can improve future incident response efforts

tell me, why... Do I Need an Incident Response Plan?

The problem with plans is that they are designed to sit on the shelf until the day when the proverbial oxygen masks drop from the ceiling. Otherwise, they just gather dust except for the occasional auditor visit or executive review. In this guide, we take the active approach because we know that the investment of time and resources spent enhancing incident response will have immediate and ongoing benefits to IT operations. After all, security is a subset of reliability, and everyone wants their systems to be more reliable.

We will walk you through building a basic incident response plan and security monitoring process, covering skills to acquire and helpful resources along the way.

3 examples of insider wisdom... Straight from the Incident Response Front Lines

Don't Panic. Stay Focused.

Start with Simple Steps.
"Execution is key — the range of ways to attack a target can seem limitless — expecting to be an expert on all of them is pointlessly unrealistic. The most important part of incident response is to handle every situation in a way that limits damage, and reduces recovery time and costs. At the end of the day, that's how you'll be measured on a job well d

On Defining Incident Response Success.
"There are many levels of success in defensive work… the common wisdom is that the attacker only has to be right once, but the defender has to be right every time, but that's not always true. Attacks are not all-or-nothing affairs — they happen over time, with multiple stages before final success. To remain undetected against an attentive defender, it is the attacker who must make every move correctly; if an astute defender detects them even once, they

Attackers are Lazy.
"Attackers have technical and economic imperatives to use the minimum amount of effort and resources to breach their targets — the more you remove the low-hanging fruit on your network, the more you raise the actual level of work an attacker has to expend to successfully infiltrate it."
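The Identification and Containment phases listed above ("which events can we ignore vs. which we must act on right now?" and "automated quarantines are our favorite") are the two that can be partly automated. The script below is an added example, not code from the AlienVault guide: it parses a handful of constructed alert lines, aggregates a per-host score, sorts each host into ignore / investigate / contain, and emits the isolation action for hosts that cross the containment threshold. The alert format, the signature weights and both thresholds are assumptions chosen for the example.

```python
"""Identification-to-containment triage over constructed alert lines.
Added example; the alert format, severity weights and thresholds are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample alerts (syslog-like key=value format, an assumption).
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_ALERTS = """\
2024-05-01T10:00:01Z host=ws-17 src=10.0.5.17 sig=port_scan count=3
2024-05-01T10:00:09Z host=ws-17 src=10.0.5.17 sig=malware_beacon count=1
2024-05-01T10:01:30Z host=db-02 src=10.0.9.2 sig=failed_login count=4
2024-05-01T10:02:00Z host=ws-22 src=10.0.5.22 sig=port_scan count=1
2024-05-01T10:02:45Z host=ws-17 src=10.0.5.17 sig=lateral_movement count=2
this line is not an alert and must be ignored by the parser
"""

# Per-signature severity weights (assumed values for the example).
SEVERITY = {"port_scan": 1, "failed_login": 2, "malware_beacon": 5, "lateral_movement": 8}
IGNORE_THRESHOLD = 3        # at or below this score: log it and move on
QUARANTINE_THRESHOLD = 10   # at or above this score: contain automatically

ALERT_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) sig=(?P<sig>\S+) count=(?P<count>\d+)$"
)


@dataclass
class Incident:
    host: str
    score: int = 0
    evidence: list[str] = field(default_factory=list)
    phase: str = "identification"


def parse_alerts(text: str) -> list[dict]:
    """Identification, step 1: turn raw lines into structured events; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["count"] = int(ev["count"])
            events.append(ev)
    return events


def triage(events: list[dict]) -> dict[str, Incident]:
    """Identification, step 2: aggregate per host and decide ignore / investigate / containment."""
    incidents: dict[str, Incident] = {}
    for ev in events:
        inc = incidents.setdefault(ev["host"], Incident(ev["host"]))
        inc.score += SEVERITY.get(ev["sig"], 0) * ev["count"]
        inc.evidence.append(f'{ev["ts"]} {ev["sig"]} x{ev["count"]}')
    for inc in incidents.values():
        if inc.score <= IGNORE_THRESHOLD:
            inc.phase = "ignored"
        elif inc.score >= QUARANTINE_THRESHOLD:
            inc.phase = "containment"
        else:
            inc.phase = "investigate"
    return incidents


def quarantine_actions(incidents: dict[str, Incident]) -> list[str]:
    """Containment: one isolation action per host that crossed the quarantine threshold."""
    return sorted(f"isolate {inc.host}" for inc in incidents.values() if inc.phase == "containment")


if __name__ == "__main__":
    result = triage(parse_alerts(SAMPLE_ALERTS))
    for inc in result.values():
        print(f"{inc.host:6} score={inc.score:3} phase={inc.phase:12} evidence={inc.evidence}")
    print("containment actions:", quarantine_actions(result))
```

With the sample data, ws-17 accumulates a port scan, a beacon and lateral movement (score 24) and is contained; db-02's four failed logins (score 8) land in the investigate bucket; ws-22's single port scan (score 1) is ignored. The evidence list on each incident is what gets written down for the Lessons Learned phase.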
AlienVault, Insider's Guide to Incident Response (English edition)