Incident Response – Research Notes (Pt. 1)

Part One of my series on Incident Response Fundamentals.

Inspired by Phil Collins’ line, “In learning you will teach, and in teaching you will learn,” I have decided to take what I have learned and document it in the form of research notes. Doing so teaches my audience and sharpens my own skills at the same time. This article, and future articles marked “Research Notes,” will not always contain in-depth explanations behind every focal point; rather, they identify critical definitions and areas of study and leave room for further exploration into those areas. They are just notes, after all…

This post begins that learning journey for both of us…

What is Incident Response?

Key Definitions

IR – short for “Incident Response.”

DF – short for “Digital Forensics.”

C-I-A – short for “Confidentiality, Integrity, and Availability.” A fundamental Information Security model. Also known as “The CIA Triad.”

So what is IR?

Incident Response is a methodical approach to detecting, containing, and resolving a security incident: a structured process that replaces ad-hoc reaction with defined, repeatable steps.

Primary Goals of Incident Response

  • Define the protocols by which an organization will respond to an incident.
  • Determine whether or not an incident has actually occurred.
  • Identify the full scope of the incident and document it thoroughly.
  • Reduce downtime for mission-critical operations.
  • Resolve the incident and present the documentation to senior management; security awareness training may be necessary at this point.
  • Cooperate with law enforcement or other investigative agencies regarding digital evidence.

IR Attack Lifecycle 

The following attack lifecycle model comes from FireEye (source: FireEye).

  1. Initial Reconnaissance
  2. Initial Compromise
  3. Establish Foothold
  4. Escalate Privileges
  5. Internal Reconnaissance
  6. Move Laterally
  7. Maintain Presence
  8. Complete Mission

Every attack is different: not every step will be part of every attack, and steps may not be performed in the order suggested above. There are many variations of this attack lifecycle, and red teams can adopt whichever variant fits their engagement. Each step should be considered on its own, since each may involve unique attack vectors and unique vulnerabilities being exploited. Understanding what goes on at each individual step will help in understanding how the lifecycle functions as a whole. The attack lifecycle will be explored in depth in a future blog post.
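To make the two points above concrete (steps can be skipped, and steps can appear out of the suggested order), here is an added example of how an analyst might map already-parsed events onto the eight lifecycle stages and then report which stages were observed, which were absent, and where the observed order deviates from the canonical one. This is example code written for these notes, not FireEye’s, and everything in it is an assumption: the event kinds, the kind-to-stage mapping, the hostnames, and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Canonical stage order from the FireEye attack lifecycle listed above.
LIFECYCLE = [
    "Initial Reconnaissance", "Initial Compromise", "Establish Foothold",
    "Escalate Privileges", "Internal Reconnaissance", "Move Laterally",
    "Maintain Presence", "Complete Mission",
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str     # normalised event type from an assumed upstream log parser
    detail: str


# Hypothetical kind -> stage mapping. These event kinds and their stage
# assignments are assumptions for this example, not a published taxonomy.
STAGE_BY_KIND = {
    "ext_port_scan": "Initial Reconnaissance",
    "macro_spawned_shell": "Initial Compromise",
    "c2_beacon": "Establish Foothold",
    "lsass_handle_open": "Escalate Privileges",
    "domain_admin_enum": "Internal Reconnaissance",
    "remote_service_create": "Move Laterally",
    "scheduled_task_created": "Maintain Presence",
    "bulk_outbound_transfer": "Complete Mission",
}


def classify(event: Event) -> Optional[str]:
    """Return the lifecycle stage an event is evidence of, or None if it maps to nothing."""
    return STAGE_BY_KIND.get(event.kind)


def build_timeline(events):
    """Chronological (timestamp, host, stage, detail) rows for events that map to a stage."""
    rows = []
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage is not None:
            rows.append((ev.ts, ev.host, stage, ev.detail))
    return rows


def observed_stage_order(timeline):
    """Stages in the order they were first observed, deduplicated."""
    seen = []
    for _, _, stage, _ in timeline:
        if stage not in seen:
            seen.append(stage)
    return seen


def missing_stages(observed):
    """Canonical stages for which no evidence was found."""
    return [s for s in LIFECYCLE if s not in observed]


def order_deviations(observed):
    """(earlier, later) pairs where the observed order reverses the canonical order."""
    rank = {s: i for i, s in enumerate(LIFECYCLE)}
    return [(a, b) for i, a in enumerate(observed) for b in observed[i + 1:] if rank[a] > rank[b]]


def scope_summary(events):
    """Scope an incident: affected hosts, stages seen, stages absent, ordering deviations."""
    timeline = build_timeline(events)
    observed = observed_stage_order(timeline)
    return {
        "hosts": sorted({host for _, host, _, _ in timeline}),
        "observed": observed,
        "missing": missing_stages(observed),
        "deviations": order_deviations(observed),
    }


# Constructed sample: a phishing-led intrusion with no external scanning, and
# AD enumeration happening before credential theft. Hosts and IPs are invented.
SAMPLE_EVENTS = [
    Event(datetime(2024, 5, 1, 9, 2), "WS01", "macro_spawned_shell", "WINWORD.EXE -> powershell.exe"),
    Event(datetime(2024, 5, 1, 9, 3), "WS01", "c2_beacon", "periodic HTTPS to 203.0.113.7"),
    Event(datetime(2024, 5, 1, 9, 40), "WS01", "domain_admin_enum", 'net group "Domain Admins" /domain'),
    Event(datetime(2024, 5, 1, 10, 15), "WS01", "lsass_handle_open", "unsigned binary opened lsass.exe"),
    Event(datetime(2024, 5, 1, 10, 30), "WS01", "user_logon", "interactive logon, not mapped to a stage"),
    Event(datetime(2024, 5, 1, 11, 5), "FS02", "remote_service_create", "service created over SMB from WS01"),
    Event(datetime(2024, 5, 1, 11, 6), "FS02", "scheduled_task_created", "task 'Updater' runs hourly"),
    Event(datetime(2024, 5, 2, 2, 0), "FS02", "bulk_outbound_transfer", "4.1 GB to 203.0.113.7"),
]

if __name__ == "__main__":
    for ts, host, stage, detail in build_timeline(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M}  {host:<5} {stage:<23} {detail}")
    print(scope_summary(SAMPLE_EVENTS))
```

Run against the constructed sample, the summary reports seven stages observed across WS01 and FS02, “Initial Reconnaissance” absent (the attacker phished rather than scanned), and one deviation: Internal Reconnaissance was seen before Escalate Privileges. The mapping table is deliberately one-to-one to keep the example short; in practice a stage is usually inferred from several correlated events rather than a single event kind.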

Stay tuned for more…

Written by Tyler