Module 15: Incident Response & Management (Comprehensive)

Glossary of Terms

Event: Any observable occurrence in a system or network. Most events are normal, routine operations (e.g., a user successfully logging in).

Alert: A notification generated when a tool or system detects an event that is abnormal, unexpected, or potentially malicious. An alert signals that something requires further investigation.

Incident: An event or alert that, after investigation, is confirmed to be a security breach or violation of security policy with a significant enough impact to warrant an official response.

Incident Response: The technical, hands-on process of investigating what happened during an incident and performing recovery actions. It is focused on the forensic and remediation aspects.

Incident Management: The broader, overarching process of dealing with an incident, which includes communications, media relations, reporting, coordinating support, and making strategic decisions.

Computer Security Incident Response Team (CSIRT): A designated team of experts with business, technical, legal, and public relations skills responsible for responding to and managing cybersecurity incidents.

Digital Forensics: A crucial component of cybersecurity that involves the collection, analysis, and interpretation of digital evidence to investigate and respond to cyber incidents.

Forensic Acquisition: The process of gathering evidence from digital devices in a forensically sound manner, ensuring the original evidence is not altered or contaminated.

Write-Blocker: Hardware or software used during forensic acquisition to prevent any changes or modifications to the original evidence, thereby preserving its integrity.

Legal Hold: The process of preserving relevant electronic or physical evidence related to actual or potential litigation, regulatory investigations, or other legal proceedings.

Chain of Custody: The chronological documentation of the handling, transfer, and storage of evidence from collection to presentation in court. It establishes a trail of accountability.

E-discovery: Short for electronic discovery, it is the process of collecting, processing, and analyzing electronic data (like emails, documents, databases) for use as evidence in legal cases.

Root Cause Analysis (RCA): A systematic process used in the post-incident phase to identify the fundamental underlying causes of an incident, with the goal of preventing recurrence.

Threat Hunting: A proactive cybersecurity practice that involves actively searching through networks and systems to detect and isolate advanced threats that may have evaded existing security controls.

Processes & Techniques

Understanding the Flow: Event to Incident

From Noise to Action

Not every suspicious activity is a full-blown crisis. The process follows a logical escalation path:

  • Event: Thousands of normal activities happen every second (e.g., a user logs in). Security tools monitor these events.
  • Alert: An event is flagged as abnormal (e.g., a user logs in from two different countries simultaneously). This generates an alert for an analyst.
  • Incident: An analyst investigates the alert. If it's a real threat with significant potential impact (not a false positive), it is officially declared an incident, triggering a formal response.

Example: A Phishing Email

An employee receives a phishing email (an event). The email filter blocks it, so no alert is needed. Later, another phishing email gets through and the user clicks a link. The Endpoint Detection and Response (EDR) software blocks the malicious connection and generates an alert. A security analyst sees the alert and confirms a user's credentials were nearly stolen. Because of the potential for data loss, this is escalated to an incident.
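The escalation path above (event, then alert, then incident) as a small, runnable illustration. This is an added example, not part of the original module: the login events, the one-hour "impossible travel" window, the impact scale and the function names are all constructed assumptions, and the analyst's confirmation is modelled as an input to the triage step rather than automated.

```python
import datetime as dt

# Constructed sample login events (not from the module): user, country, UTC timestamp, outcome.
# Every line here is an "event"; only a few should ever become an alert.
EVENTS = [
    {"user": "alice", "country": "US", "ts": "2024-05-01T09:00:00", "outcome": "success"},
    {"user": "alice", "country": "DE", "ts": "2024-05-01T09:20:00", "outcome": "success"},
    {"user": "bob",   "country": "US", "ts": "2024-05-01T09:05:00", "outcome": "success"},
    {"user": "bob",   "country": "US", "ts": "2024-05-01T17:30:00", "outcome": "success"},
    {"user": "carol", "country": "FR", "ts": "2024-05-01T10:00:00", "outcome": "failure"},
]

# Assumed detection window: two successful logins from different countries this close
# together are physically implausible and therefore worth an analyst's attention.
IMPOSSIBLE_TRAVEL_WINDOW = dt.timedelta(hours=1)


def detect_alerts(events):
    """Turn the event stream into alerts using one rule: impossible travel."""
    alerts = []
    last_success = {}  # user -> most recent successful login event
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "success":
            continue  # failed logins stay plain events for this rule
        prev = last_success.get(ev["user"])
        if prev and prev["country"] != ev["country"]:
            gap = dt.datetime.fromisoformat(ev["ts"]) - dt.datetime.fromisoformat(prev["ts"])
            if gap <= IMPOSSIBLE_TRAVEL_WINDOW:
                alerts.append({"user": ev["user"], "rule": "impossible_travel",
                               "evidence": (prev, ev)})
        last_success[ev["user"]] = ev
    return alerts


def triage(alert, confirmed_malicious, impact):
    """Analyst decision step: only a confirmed alert with significant impact becomes an incident.

    impact is a constructed scale: 0 = low, 1 = moderate, 2 = significant.
    """
    if not confirmed_malicious:
        return {"status": "closed", "reason": "false positive"}
    if impact < 2:
        return {"status": "closed", "reason": "low impact, handled as a routine alert"}
    return {"status": "incident", "user": alert["user"], "rule": alert["rule"]}
```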

The People & The Plan: CSIRT and Documentation

Building Your Defense Team

A Computer Security Incident Response Team (CSIRT) is the core group that manages incidents. It's not just for tech experts.

  • Key Roles: A good CSIRT includes a Team Leader, Lead Investigator, Analysts, Communications Specialists, Legal Representation, and an Executive Sponsor.
  • The Plan: The team operates using an Incident Response Plan (IRP). This is a detailed document outlining procedures, roles, communication strategies, and everything needed to handle a crisis smoothly.

The Incident Response Lifecycle (NIST Model)

5 Key Phases of Response

This is the central process for handling an incident from start to finish.

  • 1. Preparation: This is the work you do *before* an incident. It includes forming the CSIRT, writing the IRP, training staff, and deploying security tools. Good preparation is key to a successful response.
  • 2. Detection and Analysis: An incident is detected (via alerts, user reports, etc.). The team analyzes all available data (logs, network traffic) to understand the scope: who, what, when, where, and how.
  • 3. Containment, Eradication, and Recovery: This phase has three stages:
    • Containment: Stop the bleeding. Isolate affected systems to prevent the attacker from moving further. (e.g., disconnect a laptop from the network).
    • Eradication: Remove the threat completely. This means deleting malware, disabling stolen accounts, and patching vulnerabilities.
    • Recovery: Restore systems to normal operation. This involves restoring from clean backups and monitoring closely to ensure the threat is truly gone.
  • 4. Post-Incident Analysis: Also called "Lessons Learned." The team meets to review the entire incident. The goal is not to assign blame, but to identify what went well, what didn't, and how to improve. This often involves a Root Cause Analysis (RCA) to find the fundamental weakness that allowed the incident to happen.

Handling the Evidence: Digital Forensics Essentials

Preserving the Digital Crime Scene

When an incident might lead to legal action, handling digital evidence correctly is critical.

  • Forensic Acquisition: Creating a perfect, bit-by-bit copy (a forensic image) of a compromised device's storage without altering the original. This is done using write-blockers.
  • Chain of Custody: A meticulous log documenting everyone who has handled the evidence, where it's been stored, and what was done to it. This proves the evidence hasn't been tampered with.
  • Legal Hold: A formal process to preserve all potentially relevant data when litigation is anticipated. This prevents the intentional or accidental destruction of evidence (spoliation).
  • E-discovery: The formal process of identifying, collecting, and producing electronically stored information (ESI) in response to a legal request.
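Forensic acquisition and chain of custody, as an added example that is not part of the original module: the image is verified against the hash taken at acquisition, and each custody entry commits to the previous entry's hash so that altering or removing an entry is detectable. The evidence ID, handler names, locations, timestamps and the stand-in image bytes are all constructed.

```python
import hashlib
import json

# Constructed stand-in for a forensic image; in practice this is the bit-for-bit copy
# taken through a write-blocker, and its hash is recorded at acquisition time.
IMAGE_BYTES = b"constructed disk image bytes " * 64


def image_hash(data):
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class ChainOfCustody:
    """Append-only custody log anchored to the acquisition hash of the image."""

    def __init__(self, evidence_id, acquisition_hash):
        self.evidence_id = evidence_id
        self.acquisition_hash = acquisition_hash
        self.entries = []

    def record(self, when, handler, action, location):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.acquisition_hash
        entry = {"evidence_id": self.evidence_id, "when": when, "handler": handler,
                 "action": action, "location": location, "prev_hash": prev}
        entry["entry_hash"] = _entry_hash(entry)  # hash covers every field above
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, current_image):
        """True only if the image is unchanged and no entry was altered, reordered or removed."""
        if image_hash(current_image) != self.acquisition_hash:
            return False
        prev = self.acquisition_hash
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def build_example_log():
    log = ChainOfCustody("EVID-0001", image_hash(IMAGE_BYTES))  # constructed evidence ID
    log.record("2024-05-01T10:15:00Z", "J. Analyst", "acquired image via write-blocker", "Lab bench 2")
    log.record("2024-05-01T11:00:00Z", "J. Analyst", "transferred to evidence locker", "Locker A3")
    log.record("2024-05-02T09:30:00Z", "K. Examiner", "checked out for read-only analysis", "Lab bench 1")
    return log
```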

Fill in the Blank Questions

True/False Questions

Multiple Choice Questions