{"id":279,"date":"2024-01-13T00:09:21","date_gmt":"2024-01-13T00:09:21","guid":{"rendered":"https:\/\/vasanthselvaraj.com\/?p=279"},"modified":"2025-02-16T02:15:41","modified_gmt":"2025-02-16T02:15:41","slug":"cyber-security-incident-response","status":"publish","type":"post","link":"https:\/\/vasanthselvaraj.com\/?p=279","title":{"rendered":"Cyber Security Incident Response"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">Introduction<\/h3>\n\n\n\n<p>Cyber security incident response is a set of capabilities whose purpose is to respond to computer security related problems.<\/p>\n\n\n\n<p>A Cyber Security Incident Response Team (CIRT), also called a Computer Security Incident Response Team (CSIRT), is a group of skilled professionals who assess cyber security events and provide guidance on, or a response to, those events. Incident response is one of the security pillars that protect an organisation from cyber security incidents. In this blog post, we discuss the foundations of successful incident response and the different activities around it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What is Incident Response?<\/h3>\n\n\n\n<p>Incident response is a combination of people, process and technology used to effectively assess cyber security events and recover from a suspected cyber security compromise.<\/p>\n\n\n\n<p>People &#8211; incident responders, the threat intelligence team, senior management and employees.<\/p>\n\n\n\n<p>Process &#8211; playbooks and runbooks.<\/p>\n\n\n\n<p>Technology &#8211; a Security Information and Event Management (SIEM) tool, plus detection and analysis mechanisms.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Foundations of Incident Response<\/h3>\n\n\n\n<p>As per the NIST Computer Security Incident Handling Guide (SP 800-61r2), incident response consists of four phases. Let&#8217;s explore each of the phases.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"509\" src=\"https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2023\/07\/image-1024x509.png\" alt=\"\" class=\"wp-image-280\" srcset=\"https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2023\/07\/image-1024x509.png 1024w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2023\/07\/image-300x149.png 300w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2023\/07\/image-768x382.png 768w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2023\/07\/image-1536x763.png 1536w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2023\/07\/image.png 1682w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-embed\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-61r2.pdf\n<\/div><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Preparation<\/h4>\n\n\n\n<p>In the preparation phase, you prepare the people, process and technology needed to respond successfully to cyber security incidents. You identify the people who need to be on call, hands on keyboard and ready to take action; create playbooks and runbooks for each scenario; and design emergency or break-glass access to the environment.<\/p>\n\n\n\n<p>A playbook or runbook is a documented set of procedures and automation that addresses a specific scenario, for example a playbook for ransomware, bitcoin mining or DDoS attacks.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Operations<\/h4>\n\n\n\n<p>The operations phase encompasses the Detection &amp; Analysis and Containment, Eradication &amp; Recovery phases. In this phase you act on an active security incident: you have detected a security event in your favourite SIEM tool and are determining whether it is a false positive or a true positive. If it is a <code>true positive<\/code>, you execute the series of steps in the pre-defined playbook to address the incident. In this phase you also have to contain the incident as quickly as possible, eradicate the threat and restore the system to a good working condition.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Post Incident Activity<\/h4>\n\n\n\n<p>Security incident response is not a one-time activity; the goal is to learn from past incidents and improve your preparation and operations phases wherever you find gaps. For example, if you identified that some steps were missing when resolving the security incident, update the playbook with the necessary steps.<\/p>\n\n\n\n<p>Regularly conduct security game days, red team exercises and threat simulation activities to test your playbooks, runbooks, people and process.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Conclusion<\/h4>\n\n\n\n<p>There is a difference between seeing an alert and not seeing an alert. To respond successfully to a security event, you or your team must have a mechanism to see the alert in the first place. So the first step is to turn on logging for all resources, whether they are cloud, on-premise, container or serverless workloads. The next step is to aggregate the logs into a central repository, which lets you run detection logic and also helps when investigating an actual security incident.<\/p>\n\n\n\n<p>Reference from NIST: <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/specialpublications\/nist.sp.800-61r2.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/nvlpubs.nist.gov\/nistpubs\/specialpublications\/nist.sp.800-61r2.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Cyber Security Incident response is set of capability with set of purpose responding to computer security related problems. Cyber Security Incident response team (CIRT) \/ Computer security incident response (CSIRT) is a group of skilled professionals assess the cyber security events and provide guidance or response to the events. 
Incident response is one of&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0},"categories":[4],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.8.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cyber Security Incident Response - Vasanth Selvaraj<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/vasanthselvaraj.com\/?p=279\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cyber Security Incident Response - Vasanth Selvaraj\" \/>\n<meta property=\"og:description\" content=\"Introduction Cyber Security Incident response is set of capability with set of purpose responding to computer security related problems. Cyber Security Incident response team (CIRT) \/ Computer security incident response (CSIRT) is a group of skilled professionals assess the cyber security events and provide guidance or response to the events. 
Incident response is one of...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/vasanthselvaraj.com\/?p=279\" \/>\n<meta property=\"og:site_name\" content=\"Vasanth Selvaraj\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-13T00:09:21+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-02-16T02:15:41+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2023\/07\/image-1024x509.png\" \/>\n<meta name=\"author\" content=\"Vasanth Selvaraj\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Vasanth Selvaraj\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/vasanthselvaraj.com\/?p=279\",\"url\":\"https:\/\/vasanthselvaraj.com\/?p=279\",\"name\":\"Cyber Security Incident Response - Vasanth Selvaraj\",\"isPartOf\":{\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#website\"},\"datePublished\":\"2024-01-13T00:09:21+00:00\",\"dateModified\":\"2025-02-16T02:15:41+00:00\",\"author\":{\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/7670db7c899a52f9bfcbcb38f64a839b\"},\"breadcrumb\":{\"@id\":\"https:\/\/vasanthselvaraj.com\/?p=279#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/vasanthselvaraj.com\/?p=279\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/vasanthselvaraj.com\/?p=279#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/box2411.temp.domains\/~vasselva\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cyber Security Incident 
Response\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#website\",\"url\":\"https:\/\/box2411.temp.domains\/~vasselva\/\",\"name\":\"Vasanth Selvaraj\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/box2411.temp.domains\/~vasselva\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/7670db7c899a52f9bfcbcb38f64a839b\",\"name\":\"Vasanth Selvaraj\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3f7ece2700fb273646de53abfa0d9947?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3f7ece2700fb273646de53abfa0d9947?s=96&d=mm&r=g\",\"caption\":\"Vasanth Selvaraj\"},\"sameAs\":[\"https:\/\/vasanthselvaraj.com\"],\"url\":\"https:\/\/vasanthselvaraj.com\/?author=2\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cyber Security Incident Response - Vasanth Selvaraj","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/vasanthselvaraj.com\/?p=279","og_locale":"en_US","og_type":"article","og_title":"Cyber Security Incident Response - Vasanth Selvaraj","og_description":"Introduction Cyber Security Incident response is set of capability with set of purpose responding to computer security related problems. Cyber Security Incident response team (CIRT) \/ Computer security incident response (CSIRT) is a group of skilled professionals assess the cyber security events and provide guidance or response to the events. 
Incident response is one of...","og_url":"https:\/\/vasanthselvaraj.com\/?p=279","og_site_name":"Vasanth Selvaraj","article_published_time":"2024-01-13T00:09:21+00:00","article_modified_time":"2025-02-16T02:15:41+00:00","og_image":[{"url":"https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2023\/07\/image-1024x509.png"}],"author":"Vasanth Selvaraj","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Vasanth Selvaraj","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/vasanthselvaraj.com\/?p=279","url":"https:\/\/vasanthselvaraj.com\/?p=279","name":"Cyber Security Incident Response - Vasanth Selvaraj","isPartOf":{"@id":"https:\/\/box2411.temp.domains\/~vasselva\/#website"},"datePublished":"2024-01-13T00:09:21+00:00","dateModified":"2025-02-16T02:15:41+00:00","author":{"@id":"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/7670db7c899a52f9bfcbcb38f64a839b"},"breadcrumb":{"@id":"https:\/\/vasanthselvaraj.com\/?p=279#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/vasanthselvaraj.com\/?p=279"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/vasanthselvaraj.com\/?p=279#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/box2411.temp.domains\/~vasselva"},{"@type":"ListItem","position":2,"name":"Cyber Security Incident Response"}]},{"@type":"WebSite","@id":"https:\/\/box2411.temp.domains\/~vasselva\/#website","url":"https:\/\/box2411.temp.domains\/~vasselva\/","name":"Vasanth Selvaraj","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/box2411.temp.domains\/~vasselva\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/7670db7c899a52f9bfcbcb38f64a839b","name":"Vasanth 
Selvaraj","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/3f7ece2700fb273646de53abfa0d9947?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3f7ece2700fb273646de53abfa0d9947?s=96&d=mm&r=g","caption":"Vasanth Selvaraj"},"sameAs":["https:\/\/vasanthselvaraj.com"],"url":"https:\/\/vasanthselvaraj.com\/?author=2"}]}},"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts\/279"}],"collection":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=279"}],"version-history":[{"count":3,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts\/279\/revisions"}],"predecessor-version":[{"id":287,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts\/279\/revisions\/287"}],"wp:attachment":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}