How to understand Incident Response?

  • Writer: Robert Rybicki
  • Feb 18, 2023
  • 2 min read

International Maritime Organization (IMO) Cyber Security Superyacht

What is Cyber Security Incident Response?


Most companies associate a cybersecurity incident with "being hacked" (whatever that catchy phrase means) or with a major malware infection spreading through the network.

That is just the tip of the iceberg. Look closely at what is going on in a typical IT environment and it is not uncommon to find one or more intruders roaming freely: collecting information, leaking it out, and deleting their traces so that another intruder can come in, do whatever they intend to do, and leave in turn. The pattern repeats over and over.

In case you haven't realized it yet, most intruders do not want to advertise their presence and will never publish a report saying they hacked you. They will not trigger your AV either.

You can implement proper security monitoring (SIEM, IDS/IPS, DLP, log storage and analysis, a threat intelligence subscription) and you will immediately start noticing many alerts. Some of them will be actual incidents; most will not, and telling the two apart is the core of the job.

Better to consult with us before investing in full monitoring, as it usually costs a lot of money.
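As an added illustration of the alert-versus-incident distinction above (example code written for this page, not part of the original post or of any product): a small Python triage that first suppresses known-good alerts and then escalates a host to an incident only when several stages of the intrusion pattern described earlier (get in, collect, leak, cover tracks) appear on that host within one time window. The alert lines, the pipe-separated field layout, the alert type names, the scanner address, the stage mapping and the escalation threshold are all constructed assumptions, not a real SIEM schema.

```python
"""Alert-to-incident triage over constructed SIEM-style alerts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: "timestamp|source|host|user|type|detail" (assumed layout).
SAMPLE_ALERTS = """\
2023-02-18T08:01:10|ids|ws-117|jsmith|port_scan|src=10.0.9.5
2023-02-18T08:02:30|av|ws-042|mlee|signature_update|ok
2023-02-18T09:15:02|auth|ws-117|jsmith|login_failed|count=1
2023-02-18T09:15:09|auth|ws-117|jsmith|login_failed|count=2
2023-02-18T09:15:21|auth|ws-117|jsmith|login_success|from=203.0.113.7
2023-02-18T09:20:44|edr|ws-117|jsmith|tool_exec|proc=mimikatz.exe
2023-02-18T09:41:00|dlp|ws-117|jsmith|large_upload|bytes=734003200 dst=203.0.113.7
2023-02-18T09:42:15|edr|ws-117|jsmith|log_cleared|channel=Security
2023-02-18T10:03:00|auth|ws-042|mlee|login_failed|count=1
2023-02-18T10:03:40|auth|ws-042|mlee|login_success|from=10.0.4.12
2023-02-18T11:00:00|ids|fs-01|svc_backup|port_scan|src=10.0.9.5
"""

# Known-noise suppression. The internal vulnerability scanner address is an assumption.
KNOWN_SCANNERS = {"10.0.9.5"}
NOISE_TYPES = {"signature_update"}

# Stages of the intrusion pattern the post describes: get in, collect, leak, cover tracks.
# The alert-type-to-stage mapping is assumed for this example.
STAGE_OF = {
    "login_success": "access",
    "tool_exec": "collect",
    "large_upload": "exfil",
    "log_cleared": "cover",
}
ESCALATE_AT = 3            # distinct stages on one host inside WINDOW -> incident
WINDOW = timedelta(hours=2)


def parse_alert(line):
    """Split one pipe-separated alert line into a dict; detail may contain spaces."""
    ts, source, host, user, atype, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "source": source, "host": host,
            "user": user, "type": atype, "detail": detail}


def is_noise(alert):
    """True for alerts that are expected activity rather than a sign of an intruder."""
    if alert["type"] in NOISE_TYPES:
        return True
    if alert["type"] == "port_scan" and alert["detail"].startswith("src="):
        return alert["detail"][4:] in KNOWN_SCANNERS
    return False


def triage(text):
    """Return (alerts kept after noise suppression, incidents escalated from them)."""
    alerts = [a for a in map(parse_alert, filter(None, text.splitlines())) if not is_noise(a)]
    alerts.sort(key=lambda a: a["ts"])
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)

    incidents = []
    for host, host_alerts in by_host.items():
        # Slide a window over this host's alerts and collect the intrusion stages seen.
        for i, first in enumerate(host_alerts):
            stages = {}                      # stage name -> first alert that showed it
            for a in host_alerts[i:]:
                if a["ts"] - first["ts"] > WINDOW:
                    break
                stage = STAGE_OF.get(a["type"])
                if stage and stage not in stages:
                    stages[stage] = a
            if len(stages) >= ESCALATE_AT:
                incidents.append({
                    "host": host,
                    "user": first["user"],
                    "stages": list(stages),  # insertion order == chronological order
                    "first_seen": first["ts"],
                    "last_seen": max(a["ts"] for a in stages.values()),
                    "evidence": [f"{a['source']}:{a['type']} {a['detail']}" for a in stages.values()],
                })
                break                        # one incident per host is enough here
    return alerts, incidents


if __name__ == "__main__":
    kept, found = triage(SAMPLE_ALERTS)
    print(f"{len(kept)} alerts after noise suppression, {len(found)} incident(s)")
    for inc in found:
        print(f"{inc['host']} ({inc['user']}) {inc['first_seen']} .. {inc['last_seen']}: "
              f"{' -> '.join(inc['stages'])}")
        for line in inc["evidence"]:
            print("   ", line)
```

On the sample data the two scanner port scans and the AV update are dropped, ws-042's single failed-then-successful login stays an alert, and only ws-117 is escalated, because access, collection, exfiltration and log clearing all land on it within the window. The expensive part of real monitoring is not the correlation loop but maintaining the suppression lists and stage mappings so that the alerts left over are worth a human's time.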

Employees break security policies daily and code gets executed without authorization; if that code is malicious, external parties may gain access to your internal network.

People browse sites unrelated to work, download things they shouldn't, execute things that shouldn't be executed, send confidential documents to their home accounts, use unauthorized devices, and so on. The list goes on.

How to manage it?

Years ago it was acceptable to let the IT administrator handle such situations; today that is simply impossible given the number and complexity of incidents.


Every organization of more than 1000 people (management companies included) needs a separate digital forensics and incident response (DFIR) team.


Building such a team is a genuinely complicated effort. If you are starting to consider this option, read the NIST Computer Security Incident Handling Guide (SP 800-61) and the Cyber Incident Handling Program (the U.S. military guideline, CJCSM 6510.01B).

You can also look at the materials provided by ENISA; they offer a lot of good content.

It is neither possible nor desirable to cover such a complex topic in a single blog post. As with every other post by the LCS team, its main purpose is to point in a helpful direction.

Your CSIRT is your organization's immune system, detecting internal and external breaches and isolating any perpetrator before they have done major harm. In the case of an "infection", your CSIRT will raise the "temperature" of the whole organization and, with the collective intelligence of the whole organism, drive the intruder out.

If the concepts mentioned above sound new to you and you would like to learn more, check this repo:

  • https://github.com/rshipp/awesome-malware-analysis

It contains useful resources you should know and use.


If you are really green and need a "from zero to something" tutorial, read this blog:

  • https://journeyintoir.blogspot.com/

Another interesting source, focusing primarily on Windows, is:

  • https://windowsir.blogspot.com/

Just remember, you simply can't use blogs as your primary source of knowledge. Be better.

Use your English reading comprehension and start reading books, research papers, and materials recommended by people already established in the industry.


Or even better, listen to them!

Reading is overrated, so use a website like:

  • https://ttsreader.com/

It converts books into audiobooks on the fly, so you can listen to them in the car, at the gym, etc.



