The Security Incident Response Playbook

Ash Moran (Amoran.io) · Jan 12, 2023 · 21 min read

The basics

Security incident response plans are critical for organizations of all sizes to have in place. These plans outline the steps that should be taken in the event of a security breach or other cyber incident, and help to ensure that the organization is able to respond quickly and effectively to minimize the damage and recover from the incident.

One of the key reasons why security incident response plans are so important is that they provide a clear and organized framework for dealing with security incidents. Without a plan in place, organizations may find themselves struggling to respond to a security breach in an effective and timely manner. This can lead to delays in responding to the incident, which can allow the attacker to cause even more damage.

Additionally, security incident response plans help to ensure that all relevant stakeholders are aware of their roles and responsibilities in the event of a security incident. This can help to avoid confusion and ensure that everyone is working together towards a common goal.

Another important reason for having a security incident response plan is that it can help to minimize the impact of a security breach on an organization. By following the steps outlined in the plan, organizations can quickly and effectively contain the breach, prevent further damage, and begin the process of recovery. This can help to reduce the financial and reputational impact of the incident on the organization.

In conclusion, security incident response plans are key for organizations of all sizes. They provide a clear and organized framework for responding to security incidents, ensure that all stakeholders are aware of their roles and responsibilities, and help to minimize the impact of a security breach. As such, organizations should prioritize developing and implementing a robust security incident response plan to protect themselves against cyber threats.

NCSC.gov.uk

Aim and Objectives

  • Identify the security incident and assess its severity.
  • Contain the incident to prevent further damage.
  • Collect and preserve evidence for forensic analysis.
  • Notify relevant stakeholders, including law enforcement if necessary.
  • Conduct a thorough investigation to determine the cause of the incident and the extent of the damage.
  • Implement corrective actions to address the root cause of the incident and prevent similar incidents from occurring in the future.
  • Communicate with affected parties and the public as appropriate.
  • Review and update the security incident response plan based on the lessons learned from the incident.

Escalation Matrix

An escalation matrix is an important tool for incident response because it provides a clear and organized plan for addressing and resolving incidents. It is a structured approach that outlines the specific actions that need to be taken by different individuals or teams at different stages of an incident.

The purpose of an escalation matrix is to ensure that incidents are dealt with promptly and effectively, minimizing their impact on the organization. It provides a clear chain of command and a clear set of roles and responsibilities for each member of the incident response team. This helps to prevent confusion and delays, allowing the team to respond quickly and efficiently to the incident.

In addition to providing a clear plan for incident response, an escalation matrix also helps to ensure that the right level of expertise and resources are brought to bear on the incident. It provides a framework for escalating the incident to the appropriate level of support, whether that is a local team or a more specialized group such as a security operations center.

An effective escalation matrix also helps to ensure that incidents are managed in accordance with the organization’s policies and procedures. It provides a clear set of guidelines for how incidents should be reported, documented, and resolved, helping to ensure that the organization is compliant with relevant regulations and standards.

Overall, an escalation matrix is an essential tool for incident response, providing a clear and organized plan for addressing and resolving incidents in a timely and effective manner. It helps to ensure that incidents are managed in accordance with the organization’s policies and procedures, minimizing their impact on the organization and its operations.

How to succeed

You should build an escalation matrix for security-related incidents. The same matrix can be applied to many kinds of events and alerts, which keeps triage consistent.

Although an alert may need to go directly to your level 3 staff, the incident should at least be routed via level 1. Level 1 (often a SOC) will be able to determine how severe the threat actually is. Your level 1 should be your gatekeepers, so that the rest of the team can carry on securing the environment day-to-day.

The further an investigation is escalated, the more crucial reflection becomes. In most cases, escalating further delays the response, so it is important to review each escalation and see what could have been actioned lower down the matrix.

The Matrix

Below is the overview of the escalation matrix that should be followed for each security event. In most cases you may choose to run low-level incidents outside of this template, but for the more severe ones the template aims to assist until closure.

Level 1: Gatekeepers / Security Operations Center (SOC).

These are your gatekeepers. These members deal with day-to-day operations and should hold the majority of the knowledge of how you operate as a security operations team. In many cases this will be a security operations center (SOC) with a dedicated contact number.

Level 2: Shift Leads

Shift leads will often have more authority and knowledge about the business. Whilst your level 1s may see staff turnover, your level 2s should be stable (retaining company knowledge for response).

Level 3: Senior Security Operations

Your seniors should be able to handle the incidents themselves. By this stage, the majority of the investigation will have been done. The event should reach this level if clarity is needed, or if higher authorization is required for a response.

Level 4: The Suits

This level is often managers or tower leads. These members will have higher authorization as the responsibility of security operations sits on their shoulders. They should be contactable at all times.

Outside Contacts:

In this section, you want to fill out important contacts outside of Security who will be able to assist. Your security team will not have access to, or knowledge of, the whole organization and everything in it.

The contacts below should be a list of leads, SMEs, or knowledgeable people in different areas / towers that can assist the team during investigations.

The members below should also be aware that they are on the list.

High Authorization

Although level 4 may be the main channel of your escalation matrix, you may need other members. These could sit on the governance side of the org. The members below should be able to declare an incident and make business-affecting decisions if needed for response. This includes taking key services offline or isolating them for containment. They again should be contactable at all times.

Security Playbooks

Overview

Security playbooks are important for incident response because they provide a clear and organized plan for addressing and resolving security incidents. A security playbook is a document that outlines the specific steps that should be taken by the incident response team in response to different types of security incidents.

The purpose of a security playbook is to provide a standardized approach to incident response, ensuring that the team is prepared to handle a wide range of potential incidents. It provides a clear set of guidelines for each member of the team, outlining their roles and responsibilities and the specific actions they should take in response to different types of incidents.

In addition to providing a clear plan for incident response, security playbooks also help to ensure that the right level of expertise and resources are brought to bear on the incident. They provide a framework for escalating the incident to the appropriate level of support, whether that is a local team or a more specialized group such as a security operations center.

Security playbooks are also important for ensuring that incidents are managed in accordance with the organization’s policies and procedures. They provide a clear set of guidelines for how incidents should be reported, documented, and resolved, helping to ensure that the organization is compliant with relevant regulations and standards.

Overall, security playbooks are an essential tool for incident response, providing a clear and organized plan for addressing and resolving security incidents in a timely and effective manner. They help to ensure that the incident response team is prepared to handle a wide range of potential incidents, and that incidents are managed in accordance with the organization’s policies and procedures.

Knowledge Base

Don’t Reinvent the Wheel! Why You Should Utilize a Knowledge Base!

Learning from scratch is a tedious and time consuming task, so why not use the knowledge of others? A knowledge base is a collection of documents, processes, or instructions that allows users to learn from each other. Think of it like an online library that provides you with all the tools you need to get up to speed quickly on any topic. Here’s why having and utilizing a knowledge base is so important for any organization.

Saves Time and Money

Organizations can save time and money by having a well-stocked knowledge base. By using existing resources instead of creating them from scratch, organizations can reduce the cost of training new employees or updating existing processes. Additionally, having an organized system for storing information helps organizations save time when searching for specific pieces of data or instructions. This means that employees will be able to find what they need quickly and get back to work faster than if they had to search through unrelated documents or ask multiple people for help.

Increases Efficiency

A well-developed knowledge base increases efficiency in many ways. For one thing, it eliminates the need for users to reinvent the wheel when they come across problems they don’t know how to solve. In addition, it helps ensure that everyone has access to accurate information so that tasks are completed correctly and efficiently. Finally, having a central repository for data makes it easier for teams to collaborate on projects since everyone has access to the same information at all times.

Promotes Collaboration

In addition to making collaboration easier, a comprehensive knowledge base can also promote collaboration among team members. By providing users with easy access to shared resources, knowledge bases make it easier for teams to share ideas and learn from each other without wasting valuable time searching through multiple sources of information. This increases productivity and encourages workers to think more creatively about their tasks.

Having an effective knowledge base is essential for any organization looking to increase efficiency, reduce costs, and foster collaboration among its employees. It provides users with easy access to shared resources while eliminating the need for them to reinvent the wheel every time they encounter problems they don’t know how to solve. Plus, having an organized system of storing data makes collaborating on projects much simpler since everyone has access to the same information at all times!

Windows PowerShell

The specific PowerShell scripts that are most useful for Digital Forensics and Incident Response will depend on the specific needs and requirements of the investigation. Some general scripts that may be helpful in this context include:

  • A script to collect and save forensic evidence, such as system logs, system images, and network traffic captures.
  • A script to search for specific keywords or patterns in logs or other data sources.
  • A script to analyze system and network activity to identify potential indicators of compromise.
  • A script to automate common forensic tasks, such as hashing and comparing files, or parsing log files.
  • A script to perform basic incident response tasks, such as identifying and isolating affected systems, or preserving evidence for further analysis.

In general, it is important to have a collection of well-written, tested, and documented scripts that can be quickly and easily used in a forensic or incident response investigation. This will help to ensure that the investigation is conducted efficiently and effectively, and can provide valuable evidence and insights into the incident.

Here are some examples:

Export all Windows event logs

Set $saveLocation before running; if the folder does not already exist, the script creates it. Run from an elevated prompt so that the Security log can be exported as well.

# Define the location where the event logs will be saved
$saveLocation = "C:\EventLogs"
# Create the directory where the event logs will be saved, if it doesn't already exist
if (!(Test-Path -Path $saveLocation)) {
    New-Item -ItemType Directory -Path $saveLocation | Out-Null
}
# Get every event log channel on the system that actually holds records
$eventLogs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Where-Object { $_.RecordCount -gt 0 }
# Export each channel to an .evtx file with wevtutil (there is no Export-EventLog cmdlet).
# Channel names such as "Microsoft-Windows-Foo/Operational" contain a slash, which is
# replaced so that the export path is a valid file name.
foreach ($eventLog in $eventLogs) {
    $logName = $eventLog.LogName
    $logPath = Join-Path $saveLocation (($logName -replace '[\\/]', '-') + ".evtx")
    wevtutil.exe epl "$logName" "$logPath"
}

Copy Networking Logs

To save a copy of the networking-related event logs to CSV using PowerShell, you can use the following script:

# Define the location where the logs will be saved
$saveLocation = "C:\NetworkLogs"
# Create the directory where the logs will be saved, if it doesn't already exist
if (!(Test-Path -Path $saveLocation)) {
    New-Item -ItemType Directory -Path $saveLocation | Out-Null
}
# Networking-related event log channels to collect (add or remove channels to suit the host)
$channels = @(
    "Microsoft-Windows-NetworkProfile/Operational",
    "Microsoft-Windows-DNS-Client/Operational",
    "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
)
# Get the network events; channels that are absent or disabled are skipped rather than aborting the run
$logs = Get-WinEvent -FilterHashtable @{ LogName = $channels } -ErrorAction SilentlyContinue |
    Select-Object -Property TimeCreated, Id, LevelDisplayName, ProviderName, LogName, Message
# Save the network logs to the specified save location
$logs | Export-Csv -Path (Join-Path $saveLocation "network_logs.csv") -NoTypeInformation

This script uses the Get-WinEvent cmdlet to retrieve events from the networking-related log channels (network profile changes, DNS client lookups and firewall events), and then uses the Export-Csv cmdlet to save them to a CSV file in the specified save location.

Note: This script assumes that you have the necessary permissions to access and save the network logs. You may need to modify the script depending on your specific needs and environment. For example, you may want to filter the logs based on specific criteria, or change the format of the saved logs.

Last logon for all users

To get the last logon time and source location for every user who has logged on via Remote Desktop, you can use the following script:

# Get the session logon events (ID 21) from the Terminal Services log. The user name and
# source address are not top-level properties of the event, so they are read from the
# event data: Properties[0] is the user and Properties[2] is the source network address.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21 } -ErrorAction SilentlyContinue |
    Select-Object -Property TimeCreated,
        @{ Name = 'UserName'; Expression = { $_.Properties[0].Value } },
        @{ Name = 'SourceAddress'; Expression = { $_.Properties[2].Value } },
        MachineName
# Keep only the most recent logon for each user
$lastLogons = $logons | Sort-Object TimeCreated -Descending | Group-Object UserName |
    ForEach-Object { $_.Group | Select-Object -First 1 }
# Display the last logons and locations
$lastLogons | Format-Table -Property TimeCreated, UserName, SourceAddress, MachineName -AutoSize

This script uses the Get-WinEvent cmdlet to retrieve the Terminal Services log from the system, and then filters the events to include only logon events (ID 21). It then uses the Select-Object cmdlet to extract the relevant information from the log, and displays the results using the Format-Table cmdlet.

Note: This script assumes that you have the necessary permissions to access the Terminal Services log on the system. You may need to modify the script depending on your specific needs and environment. For example, you may want to filter the log based on specific criteria, or change the format of the displayed results.

Linux Bash

The specific Bash scripts that are most useful for Digital Forensics and Incident Response will depend on the specific needs and requirements of the investigation. Some general scripts that may be helpful in this context include:

  • A script to collect and save forensic evidence, such as system logs, system images, and network traffic captures.
  • A script to search for specific keywords or patterns in logs or other data sources.
  • A script to analyze system and network activity to identify potential indicators of compromise.
  • A script to automate common forensic tasks, such as hashing and comparing files, or parsing log files.
  • A script to perform basic incident response tasks, such as identifying and isolating affected systems, or preserving evidence for further analysis.

In general, it is important to have a collection of well-written, tested, and documented scripts that can be quickly and easily used in a forensic or incident response investigation. This will help to ensure that the investigation is conducted efficiently and effectively, and can provide valuable evidence and insights into the incident.

Here are some examples:

Backup /var/log

This is a straightforward bash script that can be used to back up all logs to your logged-in user’s directory for later investigation. This script can be a valuable tool for investigators, as it allows them to easily access and review log files without having to search through multiple locations or systems. Most logs under /var/log are not readable by ordinary users, so run it as root or with sudo.

# Define the location where the logs will be saved ($HOME rather than "~", which does not expand inside quotes)
SAVE_LOCATION="$HOME/logs"
# Create the directory where the logs will be saved, if it doesn't already exist
if [ ! -d "$SAVE_LOCATION" ]; then
    mkdir -p "$SAVE_LOCATION"
fi
# Copy the whole /var/log tree (including subdirectories such as /var/log/nginx) to the
# save location; -a preserves ownership and timestamps, which matter as evidence
cp -a /var/log/. "$SAVE_LOCATION/"
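The backup script above copies the logs but records nothing about when they were taken or whether they changed afterwards. The following is an added example, not from the original article, covering the "collect and preserve evidence" and "hashing and comparing files" script categories listed earlier: it copies a log directory into a timestamped evidence folder, writes a SHA-256 manifest and a small collection record, and can later verify the copy against that manifest. The function names, the evidence folder layout and the sample log lines are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): preserve a copy of log files
# together with a SHA-256 manifest, so an investigator can later show the
# collected files have not been altered since collection.

# Copy SRC_DIR into DEST_ROOT/<host>-<UTC timestamp>/files/, write
# manifest.sha256 and collection.txt, and print the evidence directory path.
# Usage: collect_evidence <source-dir> <destination-root>
collect_evidence() {
    src="$1"
    dest_root="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    evidence_dir="$dest_root/$(uname -n)-$stamp"
    mkdir -p "$evidence_dir/files"
    # -a preserves ownership and timestamps; the original mtimes are evidence too
    cp -a "$src/." "$evidence_dir/files/"
    # Hash every collected file with paths relative to files/, so the manifest
    # verifies wherever the evidence folder is later moved to.
    (cd "$evidence_dir/files" && find . -type f -exec sha256sum {} + | sort -k 2) \
        > "$evidence_dir/manifest.sha256"
    # Minimal collection record: where, when, by whom and how many files
    {
        echo "source=$src"
        echo "collected_utc=$stamp"
        echo "collected_by=$(id -un)"
        echo "file_count=$(wc -l < "$evidence_dir/manifest.sha256" | tr -d ' ')"
    } > "$evidence_dir/collection.txt"
    echo "$evidence_dir"
}

# Re-hash the collected files and compare them with the manifest.
# Returns 0 when every file still matches, non-zero otherwise.
# Usage: verify_evidence <evidence-dir>
verify_evidence() {
    (cd "$1/files" && sha256sum --quiet -c ../manifest.sha256) >/dev/null 2>&1
}

# Build a tiny constructed log tree so the functions can be exercised offline.
# Usage: make_sample_logs <dir>
make_sample_logs() {
    mkdir -p "$1/nginx"
    printf 'Jan 12 09:00:01 web01 sshd[1201]: Accepted publickey for deploy from 198.51.100.20 port 40100 ssh2\n' \
        > "$1/auth.log"
    printf '198.51.100.20 - - [12/Jan/2023:09:00:05 +0000] "GET /login HTTP/1.1" 200 512\n' \
        > "$1/nginx/access.log"
}

# Demonstration, run only when invoked as: sh collect.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample_logs "$work/src"
    ev=$(collect_evidence "$work/src" "$work/evidence")
    cat "$ev/manifest.sha256" "$ev/collection.txt"
    verify_evidence "$ev" && echo "verified: files unchanged since collection"
    rm -rf "$work"
fi
```

To use it on a real host, call collect_evidence with /var/log as the source (as root) and keep the printed directory path with the case notes.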

Backup login history

This is a simple script that can be used to help backup all user login history. This can be a valuable resource for investigators, particularly in the case of brute force attacks or other security breaches. By storing login history in a central location, investigators can quickly and easily access this information as needed to help identify potential suspects or anomalies.

# Define the location where the backup will be saved ($HOME rather than "~", which does not expand inside quotes)
SAVE_LOCATION="$HOME/login_history"
# Create the directory where the backup will be saved, if it doesn't already exist
if [ ! -d "$SAVE_LOCATION" ]; then
    mkdir -p "$SAVE_LOCATION"
fi
# Get a list of all users on the system
users=$(cut -d: -f1 /etc/passwd)
# Iterate through each user and save their login history and locations
for user in $users; do
    # Get the user's login history with source addresses. With "last -i" the
    # fields are user, tty, source IP and then the date, so the address is
    # field 3; the trailing "wtmp begins" line and blank lines are dropped.
    login_history=$(last -i "$user" | awk 'NF >= 3 && $1 != "wtmp" {print $1, $3, $4, $5, $6, $7}')
    # Save the user's login history and locations to a file (users with no entries are skipped)
    [ -n "$login_history" ] && echo "$login_history" > "$SAVE_LOCATION/$user.txt"
done
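The login history above is most useful when you can quickly pick out the brute-force pattern it mentions. The following is an added example, not from the original article: it counts failed SSH password attempts per source address in an auth.log-style file, flags sources at or above a threshold, and then checks whether any account was successfully logged into from a flagged source, which is the case that deserves a closer look. The function names and the log lines are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): spot brute-force sources in
# sshd auth.log lines and check for a successful login from any of them.

# Write a small constructed auth.log sample to the given path.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Jan 12 09:01:02 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Jan 12 09:01:05 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2
Jan 12 09:01:09 web01 sshd[1205]: Failed password for root from 203.0.113.7 port 51541 ssh2
Jan 12 09:01:12 web01 sshd[1207]: Failed password for root from 203.0.113.7 port 51550 ssh2
Jan 12 09:01:15 web01 sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51561 ssh2
Jan 12 09:01:40 web01 sshd[1211]: Accepted publickey for deploy from 198.51.100.20 port 40100 ssh2
Jan 12 09:02:03 web01 sshd[1213]: Failed password for alice from 192.0.2.44 port 33000 ssh2
Jan 12 09:02:30 web01 sshd[1215]: Accepted password for alice from 192.0.2.44 port 33002 ssh2
EOF
}

# Print "<count> <source-ip>" for every source whose failed-password count is
# at or above the threshold, most active source first.
# Usage: failed_logins_by_source <auth.log> <threshold>
failed_logins_by_source() {
    log="$1"
    threshold="${2:-5}"
    awk -v t="$threshold" '
        /Failed password for/ {
            # the source address is the field that follows "from", whatever
            # precedes it ("invalid user admin", "root", ...)
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) printf "%d %s\n", fails[ip], ip }
    ' "$log" | sort -rn
}

# Print "<account> <source-ip>" for each successful login that came from a
# flagged source: failures followed by a success is the pattern to triage first.
# Usage: successes_from_flagged <auth.log> <threshold>
successes_from_flagged() {
    log="$1"
    threshold="${2:-5}"
    failed_logins_by_source "$log" "$threshold" | while read -r count ip; do
        # on an "Accepted ..." line the account name is field 9
        grep -F "Accepted " "$log" | grep -F " from $ip " | awk -v ip="$ip" '{ print $9, ip }'
    done
}

# Demonstration, run only when invoked as: sh bruteforce.sh demo
if [ "${1:-}" = "demo" ]; then
    sample=$(mktemp)
    write_sample_auth_log "$sample"
    echo "sources with 5 or more failures:"
    failed_logins_by_source "$sample" 5
    echo "accounts logged in from any source with a failure:"
    successes_from_flagged "$sample" 1
    rm -f "$sample"
fi
```

Point failed_logins_by_source at /var/log/auth.log (or the copy made by the backup script) and lower or raise the threshold to suit the host's normal failure rate.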

Find Last File Access For User

To see which files a user last touched on a Linux system, you can use the following Bash script:

# Define the username of the user whose files you want to see
USERNAME="user1"
# Use find to list files owned by the user, newest modification time (%T@) first.
# /proc and /sys are pruned so the pseudo-filesystems are not walked, and
# permission errors on unreadable directories are discarded.
find / \( -path /proc -o -path /sys \) -prune -o -type f -user "$USERNAME" -printf "%T@ %p\n" 2>/dev/null | sort -nr | head -n 10

This script uses the find command to search for files owned by the specified user (user1 in this example). It then sorts the results by the timestamp of the last modification, and displays the 10 most recently modified files.

Note: This script assumes that you have the necessary permissions to access the files on the system. You may need to modify the script depending on your specific needs and environment. For example, you may want to search for a different type of file, or change the number of files that are displayed in the results.

Incident Templates

Overview

Incident response is a critical component of any organization’s security strategy. It helps ensure that the right people are notified when a security incident occurs, and that they can respond quickly and effectively. To do this, it’s important to create an incident template and playbook which define how your organization will handle incidents. Let’s take a look at why this is important, and how you can create an effective incident template and playbook.

The Benefits of Creating an Incident Template and Playbook

Creating an incident template and playbook provides several benefits for your organization. First, it ensures that all necessary personnel are alerted when a security incident occurs. This allows for rapid response times, something that could be crucial in preventing further damage from occurring. Additionally, having a set process for responding to incidents ensures that all stakeholders follow the same procedures when addressing security issues. This reduces confusion and helps ensure that your organization is following best practices when handling these types of incidents.

Creating Your Incident Template & Playbook

Creating an effective incident template and playbook involves two main steps: defining the roles of each stakeholder involved in the incident response process, and outlining the steps each stakeholder should take in the event of a security incident. To begin with, you need to identify who needs to be notified in case of an emergency — this could include IT personnel, legal teams, or third-party vendors — as well as what information they need to provide during the response process. You should also outline clear instructions on how each person should respond (e.g., escalating the issue to management if necessary). Finally, you should define processes for communicating with those outside of your organization (e.g., customers or partners) about any potential data breaches or other incidents affecting them directly.

Defining an incident template and playbook is essential for any organization looking to improve its security posture by responding quickly and effectively to security incidents. By clearly defining roles, outlining steps each stakeholder should take during response processes, and setting clear communication standards with external parties, organizations can mitigate their risk while ensuring proper protocols are followed throughout their entire incident response process. With these best practices in place, organizations can rest assured they have taken proper precautions against potential threats before they occur — ultimately leading to better overall protection from cyberattacks down the road.

Rinse, Repeat and Reflect

The four core stages of incident response would be to analyse, contain, remediate and recover.

As you move through each cycle, lessons learned should be in the back of your mind so that you and the team can benefit from each incident.

An incident that isn’t recorded doesn’t allow knowledge to be shared.

Templates:

For a rinse-and-repeat process, you can duplicate this page (including subpages) and use one copy per incident.

Templates can be found here: https://www.notion.so/amoranio/The-Security-Incident-Response-Playbook-1ca64a6a540e4dfb8a6e99cdd3e2ea70

Planning to Reflect

Security incidents can be a major cause of stress for organizations and their teams. It’s natural to want to immediately move on and put the incident behind you, but it’s important that organizations take the time to reflect on what happened, why it happened, and how they can prevent similar incidents from occurring in the future. Let’s take a closer look at why reflection is such an important part of incident response.

Understand the Impact of Your Actions

When an incident occurs, it can be easy to focus solely on restoring systems back to normal and getting them back online as soon as possible. However, if you don’t take the time to understand what caused the incident in the first place and learn from it, you may find yourself repeating mistakes in the future. By reflecting on what went wrong in the past, you can better understand why certain actions were taken and how those actions led to unintended consequences. This understanding will help you make more informed decisions going forward.

Build Trust With Your Team

Reflection is also important because it helps build trust between team members by giving everyone a chance to share their thoughts and experiences without fear of judgement or criticism. When teams are able to openly discuss their experiences with security incidents, they can better understand each other’s perspectives and develop strategies for avoiding similar situations in the future. Without taking the time for reflection, team members may feel like their ideas are not being heard or valued which could lead to resentment or worse — not reporting any potential issues out of fear of backlash or repercussions.

Develop Processes & Procedures

Finally, reflection is essential for developing effective processes and procedures that will help prevent similar incidents from occurring again in the future. Reflection forces team members to really think about what went wrong during an incident so they can identify potential areas for improvement and put measures into place that will reduce risk going forward. Having clear processes and procedures will ensure that your organization is prepared when (not if) another security incident arises in the future.

In summary, reflection after a security incident is essential for building trust with your team, understanding the impact of your actions, and developing effective processes & procedures that will help prevent similar incidents from happening again in the future. Taking time for reflection may seem like a daunting task but it’s one that should not be overlooked if you want your organization’s security posture to stay strong over time.

In this section, we focus on lessons learned.

Here we need to consider improvements. What could we have done better, are our security controls working as expected, can we implement new controls to prevent further occurrences?

In most cases, security events will be handled by level 1. Should an event/incident pass this level, a quick review should be done to determine if level 1 has the correct knowledge and access to respond effectively.

Whilst in certain cases level 1 is given lower privileges, it’s important to note that doing so hinders the response. Should this be a serious breach, you want your level 1 team to be able to at least contain the situation.

You will also need to consider whether any information gathered from this incident can be used to teach, train or inform other members of how we do, or should, operate going forward.

Although the template is laid out, questions should be asked and engagement from all team members should be encouraged.

A no-repercussion forum should be built, as in some cases it can be hard to present negative findings, for example sharing how a person or team can improve in an area. All members should be open, as it is a learning experience.

Reflection Template

[Example]

Incident Reference: [ Ticket Reference ]

Today's Date: 01/01/1111

Event Time: [If email: use the mail timestamp of the first email, not when someone looked]

Initial Response Time: [This is where you put the time of when the responder actioned something]

Method of Discovery: [Email Alert, manual, Tool detection, SOC, loss of service]

Affected Resource: [Virtual machine name, App name, solution name, website URL]

Outcome: [False Positive / True Positive]

Summary:

[ Write a brief summary of what occurred. Be sure to include the what, where, and who. You should also look to include the initial response and what was done prior to the escalation.]

The Basics

Was this investigation / incident handled correctly?

What would you do differently if given the chance?

Outstanding Action Items

In a table format, lay out: Task, Owner, Expected time to respond.

Questions

Below are some examples of the types of questions you should be asking as you evaluate and seek to improve your current investigative process. These questions can help to identify areas for improvement, and can guide your team as you consider and implement changes to your approach.

Some questions to ask:

  • Did the incident follow the escalation matrix?
  • Were level 1 able to understand the event?
  • Did they understand the risk and what the alert/s or event showed?
  • Was it escalated due to lack of knowledge?
  • What could you improve on to prevent future gaps?
  • Was the escalation due to access issues/restrictions?

Any other comments or relevant actions…

Fill in anything that may be relevant to the findings, or to improve on the process going forward.

Thank you for reading and considering these questions! With a little bit of thought and examination, you can help to optimize your forensic process and ensure that it is as effective and efficient as possible.

Good luck on your journey towards streamlined forensics investigations! If you have any further questions or would like to discuss this further, please do not hesitate to reach out.
