Incident Response - Coggle Diagram
Incident Response
Prepare
Ownership
Network (Manager/Director)
Email:
Phone:
Slack Handle:
Systems (Manager/Director)
Email:
Phone:
Slack Handle:
Applications (Manager/Director)
Email:
Phone:
Slack Handle:
Communication
Emergency
Encrypted
WhatsApp
Slack
Encrypted Email
Unencrypted
Phone
Email
Non-Emergency
Encrypted
Slack
Encrypted Email
WhatsApp
Unencrypted
Email
Phone
Points of Contact / Authorities
CEO / Owner
Email:
Phone:
Slack Handle:
CISO
Email:
Phone:
Slack Handle:
CIO
Email:
Phone:
Slack Handle:
Onsite POC
Email:
Phone:
Slack Handle:
Incident Response Team
(People who understand the incident)
Management
1.
2.
Technical
1.
2.
Legal
1.
2.
Incident Response Briefing
Current scope of incident
Future threats
Worst possible outcomes
Best possible outcomes
What's the plan moving forward?
Challenges or Issues
Who needs to be notified?
Public / Media
1.
2.
Ebryx Team
Name:
Contact:
Email:
Slack Handle:
Role: Incident Handler
Name:
Contact:
Email:
Slack Handle:
Role: Digital Forensics & Reverse Engineer
Availability
Work Hours
1.
2.
Off Hours
1.
2.
Funding
Living
Transport
Equipment
Food
Inhouse Capabilities
SIEM
EDR
Sandbox
Threat Intelligence
Authority to respond
Strategy
Watch & Learn
Disconnect
Are all infected systems identified?
When is the cut-off date?
Justify any deviation from the plan
Are all tactics and techniques identified?
Is all malware identified?
Identify
Initial intrusion vector
Patient Zero
Lateral Movement
Deployed malware
Stage-1
Stage-2
Command & Control
IP address
Domain
URL
Certificate
Discoveries during the attack
Communication Channel of attackers
Attacker email address
Attacker's message or Ransom note
Artefacts
Inside Organization
Host
Event Logs
Registry Keys
Prefetch
PerfLogs
ShellBags
ShimCache
Amcache
Residual files from activity
Browser History
Downloaded files
Logged-In accounts
Skype
Outlook files
Unencrypted credentials
Network
Carved Files
IP addresses
Domains
HEX patterns
Certificates
Outside Organization
Breached accounts
Pastebins
News
PII
OSINT about incident
Source
Who informed about incident?
Who escalated incident?
Who initiated incident response?
Attacker Goals
Where did the attacker pivot in the network?
Which segment has the most activity?
Current success rate of the attacker
Notify stakeholders
Upper Management
Middle Management
General Employees
Notification Strategy
Encrypted
Tailored for each type of audience
Need-to-know basis
Updates to the developing story
Declare the severity and impact
Recover
Patch the vulnerability
Close intrusion point
Build detection for future
Drop malicious network traffic
Fill visibility gaps in SIEM/EDR
Restrict the network segment
Identify people
Intentionally helped the attack
Accidentally helped the attack
Need counselling
Lessons
Notes on how Management reacted
Why did this incident happen?
Cost of doing business?
Technical shortcoming?
Managerial shortcomings?
Adversary
Cyber Kill Chain
MITRE ATT&CK MAP
Infrastructure
Capabilities
Intent
What were they after?
Type of Attack
Ransomware / Espionage / Credential Theft
Shortcomings/Issues in "Watch & Learn"
Where did the detection lack?
Any missed items?
What needs to be enhanced overall?
Contain
Scope the incident
Infected Segments
HR
Helpdesk
Systems
Infected Machines
Windows: 10
Ubuntu: 3
What is the best way to contain in current scenario?
Characteristics of Adversary
Organization-wide detection signatures
Host
Processes
Files
Network
Ports
IP Address
Domain
URL
Other artefacts from PCAP
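The signature categories above (host processes and files; network ports, IPs, domains, URLs) only become organization-wide detection once they are collected into one indicator set and run against the telemetry the SIEM/EDR already has. The script below is an added example, not part of the Coggle diagram: every indicator, host name and log line in it is constructed for the demo, and the three log shapes (EDR process event, proxy, firewall) are assumed formats rather than any product's real output.

```python
import re
from urllib.parse import urlparse

# Indicator set built from the six signature categories in the diagram.
# All values are constructed; the IP is from the documentation range 198.51.100.0/24.
IOCS = {
    "processes": {"updater.exe"},                         # host: process names
    "files": {"c:\\users\\public\\updater.exe"},          # host: full file paths
    "ports": {4444},                                      # network: destination ports
    "ips": {"198.51.100.23"},                             # network: C2 addresses
    "domains": {"cdn-update.example"},                    # network: C2 domains
    "urls": {"http://cdn-update.example/stage2"},         # network: full URLs
}

# Constructed log lines: "<timestamp> <source> key=value ..."
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z edr host=HR-PC-07 event=process_start image=c:\\users\\public\\updater.exe parent=explorer.exe",
    "2024-05-01T10:00:05Z proxy host=HR-PC-07 url=http://cdn-update.example/stage2 status=200",
    "2024-05-01T10:00:09Z fw src=10.0.5.17 dst=198.51.100.23 dport=4444 action=allow",
    "2024-05-01T10:01:00Z edr host=FIN-PC-02 event=process_start image=c:\\windows\\system32\\svchost.exe parent=services.exe",
    "2024-05-01T10:02:00Z fw src=10.0.5.18 dst=203.0.113.9 dport=443 action=allow",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a line into timestamp, source and a dict of key=value fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["_ts"] = ts
    fields["_source"] = source
    return fields


def match_iocs(fields, iocs=IOCS):
    """Return every (category, indicator) hit for one parsed line."""
    hits = []
    image = fields.get("image", "").lower()
    if image:
        name = image.rsplit("\\", 1)[-1]       # process name is the last path element
        if name in iocs["processes"]:
            hits.append(("processes", name))
        if image in iocs["files"]:
            hits.append(("files", image))
    url = fields.get("url")
    if url:
        if url in iocs["urls"]:
            hits.append(("urls", url))
        host = urlparse(url).hostname or ""
        if host in iocs["domains"]:
            hits.append(("domains", host))
    dst = fields.get("dst")
    if dst in iocs["ips"]:
        hits.append(("ips", dst))
    dport = fields.get("dport", "")
    if dport.isdigit() and int(dport) in iocs["ports"]:
        hits.append(("ports", int(dport)))
    return hits


def scan(lines, iocs=IOCS):
    """Run all lines through the indicator set.

    Returns {host or source IP: [(category, indicator), ...]} so the result
    doubles as the list of infected machines to scope in the Contain phase.
    """
    findings = {}
    for line in lines:
        fields = parse_line(line)
        hits = match_iocs(fields, iocs)
        if hits:
            key = fields.get("host") or fields.get("src")
            findings.setdefault(key, []).extend(hits)
    return findings


if __name__ == "__main__":
    for machine, hits in scan(SAMPLE_LOGS).items():
        print(machine, hits)
```

The firewall line only carries a source IP, so the output keys mix host names and addresses; in practice the next step is resolving those addresses back to asset names so the count of infected machines per segment is accurate.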
Stolen
Domain user credentials
Impact on Resources
Needs To Be Saved
PII on systems and network
Access to server farm
Legal Impact
ISO27001
PCI-DSS
HIPAA
GDPR
Containment Plan
Until when do we watch and learn? (decided in preparation phase)
When do we disconnect?
Execution of Containment
Remote
CrowdStrike
Onsite
Onsite Tools etc.
Public Knowledge
Public advisories by other vendors
US-CERT
Mandiant
FireEye
RedCanary
3rd Party Notification
Client Notification
Eradicate
Full Forensics
(All Machines)
Complete disk images
Memory images
Decryption key for encrypted exfiltration is often in RAM
Assess the exfiltration
Preferred method
Preserve the infected storage drive and replace it with a new one
Preserve PCAP of the machine
Evidence Handling procedure
Note down the tools you use
Note down the start time
Collect evidence and take a hash (preferably SHA-256)
Keep track of everyone who handles the evidence
Note the end time
Seal the evidence and mark it with tags
Preserve the chain of custody document and make a copy of it
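The evidence handling steps above (note the tool, note the start time, hash each item with SHA-256, track every handler, note the end time, seal and tag, keep a copy of the chain-of-custody document) are easy to get wrong under pressure, so it helps to have them scripted. The following is an added example rather than anything from the diagram or from Ebryx: the case ID, tag format, names, tool string and the two stand-in evidence files are all constructed, and the JSON layout of the custody record is this example's own choice.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so disk and memory images need not fit in RAM


def now():
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path):
    """SHA-256 of a file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(paths, tool, collector, case_id):
    """Steps 1-4 and 6: record tool and start time, hash every item, record end time, assign a seal tag."""
    record = {
        "case_id": case_id,
        "tool": tool,                 # constructed value in the demo below
        "collector": collector,
        "start_time": now(),
        "items": [],
        "custody": [],
    }
    for i, path in enumerate(paths, start=1):
        record["items"].append({
            "tag": f"{case_id}-E{i:03d}",   # the tag physically written on the sealed evidence
            "path": os.path.abspath(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
        })
    record["end_time"] = now()
    record["custody"].append({"from": None, "to": collector, "time": record["end_time"],
                              "action": "collected and sealed"})
    return record


def transfer_custody(record, from_person, to_person, action="handover"):
    """Step 5: append a custody entry; only the current holder may hand the evidence on."""
    current = record["custody"][-1]["to"]
    if current != from_person:
        raise ValueError(f"{from_person} does not hold the evidence; {current} does")
    record["custody"].append({"from": from_person, "to": to_person, "time": now(), "action": action})
    return record


def verify_evidence(record):
    """Recompute every hash; return the tags whose content no longer matches the record."""
    return [item["tag"] for item in record["items"] if sha256_file(item["path"]) != item["sha256"]]


def save_record(record, path):
    """Step 7: write the custody document; return its own SHA-256 so the copy can be checked later."""
    with open(path, "w") as f:
        json.dump(record, f, indent=2)
    return sha256_file(path)


def demo():
    """Constructed evidence: two small files standing in for a disk image and a PCAP."""
    workdir = tempfile.mkdtemp()
    img = os.path.join(workdir, "host01-disk.img")
    pcap = os.path.join(workdir, "host01.pcap")
    with open(img, "wb") as f:
        f.write(b"constructed disk image bytes")
    with open(pcap, "wb") as f:
        f.write(b"constructed pcap bytes")

    rec = collect_evidence([img, pcap], tool="imaging tool vX.Y (constructed)",
                           collector="A. Handler", case_id="IR-0001")
    transfer_custody(rec, "A. Handler", "B. Forensics")
    before = verify_evidence(rec)          # [] : nothing changed yet
    with open(pcap, "ab") as f:            # simulate a modified item
        f.write(b"x")
    after = verify_evidence(rec)           # ['IR-0001-E002']
    doc_hash = save_record(rec, os.path.join(workdir, "custody.json"))
    return rec, before, after, doc_hash


if __name__ == "__main__":
    rec, before, after, doc_hash = demo()
    print("mismatched before/after:", before, after)
    print("custody chain:", [c["to"] for c in rec["custody"]])
    print("custody document sha256:", doc_hash)
```

The `verify_evidence` call is the one to run before every analysis session and before anything leaves the team; a non-empty list means the item can no longer be trusted as collected, whatever the custody entries say.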