Incident Response Playbook

10 December 2017

Incident source

  • Any attacks affecting critical assets
  • Denial-of-Service attacks that isolate or impede critical service or network performance
  • Malicious logic (virus) attacks that isolate enclaves
  • Administrator/root-level access obtained by unauthorized personnel

 

  • Significant trends suspected in incidents or events
  • Indication of multiple suspected systems
  • Suspected e-mail spoofing
  • Unauthorized probes or scans of the network

 

  • Unusual system performance or behavior
  • Unplanned system crashes, outages, or configuration changes
  • Suspicious files identified on a server
  • Missing data, files, or programs
  • Unexplained access privilege changes
  • Poor security practices
  • Unusual after-hours system activity
  • Simultaneous logins by the same user from different IP addresses
  • Unauthorized activity by privileged users
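Two of the indicators above, simultaneous logins by one user from different IP addresses and after-hours activity, are easy to turn into detection logic over authentication logs. The following is an added example, not part of the original playbook: it parses constructed sshd "Accepted" lines (the ISO-timestamp syslog layout, the 10-minute correlation window and the 08:00-18:00 business-hours window are all assumptions to adapt to your own environment) and returns the users and events that match each indicator.

```python
"""Detection logic for two indicators from the list above:
(1) the same user logging in from different IP addresses within a short window,
(2) logins outside business hours.
Added example; the log lines below are constructed, not from any real system."""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample log. Assumed format: ISO timestamp, host, sshd "Accepted" line.
# alice: two IPs within 3 minutes (should be flagged)
# bob:   same IP twice, one login at 23:41 (after hours only)
# carol: two IPs but 45 minutes apart (outside the 10-minute window, not flagged)
SAMPLE_LOG = """\
2017-12-11T09:02:11 host1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51122 ssh2
2017-12-11T09:04:40 host1 sshd[2130]: Accepted password for alice from 203.0.113.7 port 40210 ssh2
2017-12-11T12:15:03 host2 sshd[877]: Accepted publickey for bob from 10.0.0.9 port 50001 ssh2
2017-12-11T23:41:59 host2 sshd[912]: Accepted password for bob from 10.0.0.9 port 50077 ssh2
2017-12-11T13:00:00 host1 sshd[2200]: Accepted publickey for carol from 10.0.0.12 port 42000 ssh2
2017-12-11T13:45:00 host1 sshd[2260]: Accepted publickey for carol from 10.0.0.13 port 42001 ssh2
"""

# Assumed line layout; adjust for the collector actually in use.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_logins(text):
    """Return a list of (timestamp, user, ip) for every accepted login line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def simultaneous_logins(events, window=timedelta(minutes=10)):
    """Flag users who log in from two different IPs within `window` of each other.

    Returns {user: sorted list of the distinct IPs involved}. Logins from the
    same IP in quick succession are normal and are not reported."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    findings = {}
    for user, logins in by_user.items():
        logins.sort()  # chronological, so the inner loop can stop at the window edge
        for i, (ts_a, ip_a) in enumerate(logins):
            for ts_b, ip_b in logins[i + 1:]:
                if ts_b - ts_a > window:
                    break
                if ip_a != ip_b:
                    findings.setdefault(user, set()).update({ip_a, ip_b})
    return {u: sorted(ips) for u, ips in findings.items()}


def after_hours_logins(events, start=time(8, 0), end=time(18, 0)):
    """Return the (timestamp, user, ip) events that fall outside [start, end).

    The 08:00-18:00 window is an assumption; weekend and holiday handling,
    and per-user schedules, are left to the caller."""
    return [e for e in events if not (start <= e[0].time() < end)]


if __name__ == "__main__":
    evts = parse_logins(SAMPLE_LOG)
    print("simultaneous logins:", simultaneous_logins(evts))
    for ts, user, ip in after_hours_logins(evts):
        print(f"after-hours login: {user} from {ip} at {ts}")
```

Timestamps must be normalised to one time zone before the after-hours check is meaningful, and the correlation window should be tuned against a baseline of legitimate behaviour (VPN reconnects, NAT changes) to keep the false-positive rate workable.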

 

  • System compromise internal
  • System compromise cloud
  • Theft of confidential information
  • Theft or loss of mobile device/media
  • Malware
  • Phishing

 

Incident Responder playbooks with flow

  • https://www.incidentresponse.com/playbooks/malware-outbreak
  • https://www.incidentresponse.com/playbooks/phishing
  • https://www.incidentresponse.com/playbooks/data-theft
  • https://www.incidentresponse.com/playbooks/virus-outbreak
  • https://www.incidentresponse.com/playbooks/ddos
  • https://www.incidentresponse.com/playbooks/unauthorized-access
  • https://www.incidentresponse.com/playbooks/elevation-of-privilege
  • https://www.incidentresponse.com/playbooks/root-access
  • https://www.incidentresponse.com/playbooks/improper-computer-usage

Handbooks

  • http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
  • https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
  • https://resources.sei.cmu.edu/asset_files/Handbook/2003_002_001_14102.pdf
  • https://www.nasa.gov/pdf/589502main_ITS-HBK-2810.09-02%20%5BNASA%20Information%20Security%20Incident%20Management%5D.pdf
  • https://www.cybersecuritycoalition.be/content/uploads/cybersecurity-incident-management-guide-EN.pdf

Other resources

  • https://www.crest-approved.org/wp-content/uploads/2014/11/CSIR-Procurement-Guide.pdf
  • https://www.it-cube.net/wp-content/uploads/2017/09/Exabeam_Incident_Response_for_Top_3_Security_Scenarios.pdf