What are the six steps of incident response?
1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Lessons Learned
Describe the NTP activity of the preparation step.
Enable NTP for all devices that can use it. Ensure Windows clients are synchronized via Active Directory. Decide on a GMT offset or a consistent time zone across the organization.
Describe the process of deciding on critical policy issues.
Implement a logon warning banner, agreed to by Legal and Human Resources. Determine how the IR team will engage with law enforcement: the process, who will engage, and how to engage. A media liaison is also often needed. Survey Human Resources for policies that support IR. Establish policy so that the Incident Response Team (IRT) has the "right to access and monitor". The IRT should establish elevated access accounts, kept in secured storage, for emergencies. Ensure the IRT is connected with the compliance hotline and the "abuse" email handle for all registered domains.
Establish central logging capability (syslog, syslog-ng, Snare, etc.)
Establish a protected log aggregation point (likely a Linux server) with multiple terabytes of storage.
Ensure systems are instrumented to detect an incident, and they report both locally and to the central server.
IRTs are strongly encouraged to use syslog-ng because of its filtering options. In particular, there are many Windows events, such as a machine logon, that can reasonably be discarded. Syslog-ng provides a filtering syntax that can accommodate discarding such low-value log data.
Identity and User account management issues
It is preferable to use the "One user, One account" principle.
Standardized names across many systems aren't always implemented, though. Most organizations have central directories, but there are often system-specific accounts whose account names may not agree with the main directory yet are assigned to the same person. Beware of inconsistent naming conventions. It may be possible to add an account attribute, such as an employee ID, to accounts; this would help tie accounts back to the same person.
Service or system account management issues
Establish ownership for generic, shared, service, and system accounts. If possible, update the description or comment field with the responsible person's account name (or real name). Decide early if, and how, the IRT can access these accounts if it becomes necessary. Document who has knowledge of these accounts and passwords.
Establish procedures for the password rotation process and for where service/system account credentials are stored. Always rotate them when an account holder terminates employment.
Jump bag contents
(Never cannibalize your jump bag -- YOU HAVE BEEN WARNED!)
- Sanitized Drives (per NIST 800-88).
- Incident forms, bound notebooks, pens.
- Printed copy of the IRT call tree.
- Common tools (and a Leatherman or Gerber multi-tool)
- Linux distros of note include SIFT and Kali Linux, on CD AND USB.
- Include a flashlight.
- Checklists for memory/drive imaging tool usage.
- Network tap and "snagless" LAN cables.
- Ear protection.
Out of band notification capability
IR teams need a secure communication capability that cannot be monitored by an attacker or insider. For example, everyone on the IR team should have a cell phone and a secondary email account.
Helpdesk or Servicedesk
Continual training on initial incident data collection at first call.
These folks are "human sensors", and can be valuable eyes and ears for an IR team.
Define an intranet incident form or incident specific ticket which the ServiceDesk (or an end user) can use to better document and gather initial incident information.
Work out IR team issues
Determine IR team membership and rotation. Budget to conduct continual training.
Decide on response process, initial triage Service Level Agreement (SLA).
Periodically conduct some form of IR drill.
Provide a secured analysis room with locking cabinets to secure evidence and tools.
- Decide on the "Watch and Learn" or "Pull the Plug" decision criteria and time box.
- Decide on the "Contain and Clean" stance with the desired evidence preservation level.
- Understand applicable data breach requirements (regulatory/legal) - discussed below.
- Determine a process for handling and reporting criminal activity.
- Understand the organization's stakeholders: shareholders, supporters, adversaries, and participants or partners in the organization's value chain.
- Ensure that the IRT understands and supports the organization's priorities.
- Fully understand the IR operating model, roles, front-line responders, and forensics capability.
Preparation step exit criteria
Preparation is a continual process. For example, ensure each new system is prepared for incident response. Review preparation activities periodically.