IT Security Incident Response

Incident response or incident management

Concepts related to Incident Response

A Security Operations Center (SOC) is a team within an organization that focuses on incident response.

Monitoring is an important part of Incident Response.

Log management is one important field of IT security operations. You can read more about it in this post.

A Security Information and Event Manager (SIEM) is a tool that aggregates logs from different applications and systems, looks for security events and sends alerts. SIEM can be seen as a subset of log management. You can read more about SIEM in this post.

A security orchestration, automation and response (SOAR) system is a stack of compatible software programs that enables an organization to collect data about security threats and respond to security events with little or no human assistance.

It is important to take into account the Indicators of Attack (IoA) and Indicators of Compromise (IoC).

Incident Response Standards

Standards for incident response:

  • ISO/IEC 27035
  • NIST SP 800-61
  • ENISA’s Good Practice Guide for Incident Management

NIST SP 800-61 has the title “Computer Security Incident Handling Guide”. You can read more about it on this external link.

“Good Practice Guide for Incident Management” is published by the EU agency ENISA. You can read it on this external link.

“Handbook for Computer Security Incident Response” is published by the Carnegie Mellon University SEI. It can be downloaded from this external link.

Incident Response Certifications for Professionals

CERT Incident Response Process Professional Certificate. You can read more in this post.

Incident Management Course

SANS course “SEC504: Hacker Tools, Techniques, and Incident Handling”. You can read more about it in this post.

Incident Management Steps

Incident management steps differ depending on the source.

The incident management steps featured in this post are based on:

  • NIST SP 800-61
  • CISSP

NIST SP 800-61 IR Steps

NIST SP 800-61 steps:

  1. Preparation
  2. Detection and analysis
  3. Containment, eradication, and recovery
  4. Post-incident recovery

CISSP IR Steps

CISSP IR steps:

  1. Detection
  2. Response
  3. Mitigation
  4. Reporting
  5. Recovery
  6. Remediation
  7. Lessons Learned

These steps are detailed in the book “CISSP Official Study Guide 9th Edition”, pp. 804-809.

Computer Emergency Response Teams

A Computer Emergency Response Team (CERT) is a group of experts that handles computer security incidents. The term CSIRT, an acronym for Computer Security Incident Response Team or Cyber Security Incident Response Team, is also used.

As computer threats started to appear after the development of the internet in the late 80s, there was a need to create teams that knew how to handle computer security incidents.

A CERT can belong to a public institution (e.g., CISA-CERT, which belongs to the American CISA) or to a private organization (e.g., Amazon SIRT, which belongs to Amazon). Some CERTs have an international scope, while others are focused on a single country.

Many countries have an official CERT, whose goal is to provide cyber security to their citizens and organizations.

The first team called CERT was CERT-CC, created in 1988. It belongs to Carnegie Mellon University (USA).

At the beginning of the 90s, CSIRTs started to be created in the European Union under the TERENA program.

In 1989, FIRST (Forum of Incident Response and Security Teams) was founded. It is a global association of CERTs, and some of the most important ones around the world belong to it.

You can find all CERT teams belonging to FIRST on this link.

You can find a list of CERTs related to Spain on this link.

There is also a full list of CERTs on this link.

List of some of the existing CERTs:

Name          | Country/Org     | Organization                                             | Web
DKCERT        | Denmark         | DKCERT                                                   | Link
CCN-CERT      | Spain           | Centro Criptológico Nacional (CCN)                       | Link
INCIBE-CERT   | Spain           | INCIBE                                                   | Link
ESPDEF-CERT   | Spain           | Mando Conjunto del Ciberespacio (MCCE)                   | Link
esCERT        | Spain           | Universidad Politécnica de Cataluña (UPC)                | Link
IRIS-CERT     | Spain           | RedIRIS                                                  | Link
CIRCL.lu      | Luxembourg      | Computer Incident Response Center Luxembourg (CIRCL)     | Link
CERT-EU       | European Union  | European Commission                                      | Link
US-CERT       | USA             | CISA                                                     | Link
CERT/CC       | USA             | Carnegie Mellon Software Engineering Institute (SEI)     | Link

Incident Response Tools

Incident Response Tools featured on this post:

  • AWS Kill Switch

AWS Kill Switch

AWS Kill Switch is an incident response tool for quickly locking down AWS accounts and IAM roles during a security incident.

It is free and open source software (FOSS).

AWS Kill Switch code repository
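As an added illustration (not AWS Kill Switch's own code), the mechanism such a lockdown relies on: an explicit Deny on every action attached as an inline policy to a role, which IAM evaluates ahead of any Allow, so the role is neutralized immediately and can be released once the incident is closed. The policy name, role name and the in-memory fake IAM client are constructed for this example; the methods it exposes mirror boto3's IAM client so the functions also work against a real account.

```python
"""Containment step of an IAM lockdown, shown with an offline stand-in client."""
import json

# Constructed name for this example; not from the original post or the tool.
LOCKDOWN_POLICY_NAME = "ir-lockdown-deny-all"


def deny_all_policy_document() -> dict:
    """Policy document that explicitly denies every action on every resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "IncidentResponseLockdown",
                       "Effect": "Deny", "Action": "*", "Resource": "*"}],
    }


def lock_down_role(iam_client, role_name: str) -> str:
    """Attach the deny-all inline policy to a role and return the policy name.
    iam_client must expose put_role_policy like boto3's IAM client does."""
    iam_client.put_role_policy(
        RoleName=role_name,
        PolicyName=LOCKDOWN_POLICY_NAME,
        PolicyDocument=json.dumps(deny_all_policy_document()),
    )
    return LOCKDOWN_POLICY_NAME


def release_role(iam_client, role_name: str) -> None:
    """Reverse the lockdown after the incident is closed."""
    iam_client.delete_role_policy(RoleName=role_name, PolicyName=LOCKDOWN_POLICY_NAME)


def is_locked_down(iam_client, role_name: str) -> bool:
    """Report whether the lockdown policy is currently attached to the role."""
    names = iam_client.list_role_policies(RoleName=role_name)["PolicyNames"]
    return LOCKDOWN_POLICY_NAME in names


class FakeIAMClient:
    """In-memory stand-in for boto3's IAM client so the example runs offline."""
    def __init__(self):
        self.inline = {}  # role name -> {policy name: policy document}

    def put_role_policy(self, RoleName, PolicyName, PolicyDocument):
        self.inline.setdefault(RoleName, {})[PolicyName] = json.loads(PolicyDocument)

    def delete_role_policy(self, RoleName, PolicyName):
        self.inline.get(RoleName, {}).pop(PolicyName, None)

    def list_role_policies(self, RoleName):
        return {"PolicyNames": list(self.inline.get(RoleName, {}))}
```

With a real account, replace `FakeIAMClient()` by `boto3.client("iam")`; existing sessions of the role are also blocked, because IAM evaluates the Deny on every request.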

Incident Response Regulations

Incident Response Regulation in Spain

There is the Real Decreto 43/2021, de 26 de enero, por el que se desarrolla el Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información (Royal Decree 43/2021, of 26 January, implementing Royal Decree-Law 12/2018, of 7 September, on the security of networks and information systems). You can read it on this link.
