
INCIDENT RESPONSE 1

Williams Armah

Incident Response

Capella University

IAS5025 - Network and Operating System

Feb 28, 2019



Abstract
Disruptive and deceptive cyberattacks and damaging malicious code have become diverse and advanced in their effect on an organization's information security. They are handled with preventive security controls derived from risk assessment and mitigation, which reduce network system security incidents and preventable incidents, and with incident response events for real-time detection of network system incidents, reducing the impact they have on the organization's information systems, dealing with any network system vulnerabilities in processes, and restoring the organization's information system services.

This paper will “evaluate the different elements of the incident response framework. In this paper, we will further discuss the roles and duties of a quality incident response in any organization. The paper will also state the framework for any incident response in an organization by giving a detailed attack scenario; there is also further analysis of concepts and ways of ensuring that the first responder is in compliance with chain of custody rules, where evidence is gathered in a much more secure way of documentation, collection, and storage of legal evidence for civil and criminal proceedings” (Capella, 2019, para. 22).

Keywords: incident response framework, quality incident response, detailed attack scenario, chain of custody, legal evidence, criminal proceeding.



Table of Content

- Cover Page
- Abstract
- Table of Content
- Introduction / Body
- Conclusion
- References

Introduction

The information system of an organization is constantly attacked by potential threats, and these threats are mitigated by an incident response plan. Establishing the incident response plan gives the organization effective procedures for its enterprise information system security. This enterprise information system security workflow for incident response consists of the organization and its information system technology viewed from a single plan. Michelle (2001) states that incident response concepts range from acting on what we can manage in the network system, to who is responsible for the effective mitigation of an incident, to what security monitoring of the network system the incident response provides. With a defined framework for the incident response plan, the organization has an operation for dealing with any security incident and surviving a cyber attack.

The foundation of any organization's incident response plan is to be prepared for a security incident: detection of malicious cyber attacks on the information system, examination of the gathered security incident data, how to mitigate, contain and eliminate the security incident, and what the post-incident activities will be. In preparation, the organization lays down the foundation for the incident response procedure by stating it in the information security governance and compliance procedure document. Some of the procedures found in the policy document are: technical support around the clock in the organization, and by whom; establishment of network system security monitoring and technologies for operations; awareness through continuous internal or external training of employees on incident response; equipping first responders with all the needed equipment, network system protocol management skills and secure email communication for handling incident response; and testing the incident response policy and intrusion detection from precursor and indicator alerts (Michelle, 2001, pp. 4-7).

Detection and examination of a security incident cover how employees are notified by an automated alert system, the operations of the employees hunting for incidents, and further analysis of the administrative security tools for detecting and alerting on security incidents. Paul (2012) says that the administrator seeks to find any abnormal network system behavior events from the incident hunting tools and reviews security incident email alerts on a constant basis: what the alert reports detail, and further communication of the alert to the rest of the incident response team. Security incident mitigation, containment and recovery are where any evidence of the security incident is collected with approval, contained and stored at a secure location, and where applications and malicious software are used in the containment or rebuilding of the host network system. Finally, the post-incident response activities are for all responders to review and discuss the security incident, to restructure and improve security incident handling, and to update the performance metrics of incident response. Evidence is retained for a defined timeline (Paul, Tom, Tim, Karen, 2012, pp. 4-5).

The roles and responsibilities of the incident response team: the team is responsible for the identification of any suspected security incidents that happen in the organization's network system. These incident administrators examine security incident data, the impact on the organization's information system, and the employees available for security incident mitigation. The incident response team structure is made up of a central incident response team, which is the main team for the mitigation of security incidents; distributed IRTs, which are multiple IRTs in charge of the logical and physical needs of the organization; and an administration team, which is responsible for advising the other teams in the IRT. The staffing of the IRT is made up of employees of the organization, or partially or fully outsourced members of staff. The incident response personnel are made up of a team manager, an assistant manager, and technical leads with excellent skills in network management, programming, technical support and network system protocol administration. The IRT has dependencies on organization structures such as organization management, information assurance, IT support, legal, HR, public affairs and BCP, which offer services for the organization's network system intrusion detection, advisory, awareness and information sharing (Paul, Tom, Tim, Karen, 2012, pp. 6-9).

The roadmap for incident response runs through the organization's information security governance: the “incident response life cycle - Preparation, detection and analysis, containment eradication and recovery, post-incident activity” (Paul, Tom, Tim, Karen, 2012, p. 18). Preparation is the foundation of the framework for incident response in the organization, such as the preparations for the handling of a security incident: contact information, on-call data, incident report data, an incident issue tracking system, an encryption application, a war room, a secure storage facility, and digital forensic workstations with secure storage facilities and devices. Incident examination resources include any port list, database documentation, a network system infrastructure diagram, network system baselines, and application and OS products. Michelle (2001) says that the procedures in the preparation consist of how to prevent security incidents, risk assessments, host and network security, malware and attack vector security defenses, awareness, and training.

The incident examination starts from intrusion detection: creating profiles of expected and unexpected activities, understanding the network system's normal and abnormal behavior, creating a log retention procedure, and event correlation. It also includes maintenance of baseline information on the network system, constant network system monitoring by packet sniffing, and filtration of data. The security incident is prioritized based on its effect on functionality, its impact, and its recoverability. The notification of the security incident goes to the appropriate employees to respond to the incident, such as the CIO, the Manager for Information Security and the different incident response teams, through media, calls, direct contact, the organization website, or paper (Michelle, 2001, pp. 13-16).
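As an added example that is not part of the original paper or any cited source, the profiling, baselining and event-correlation steps described above in Python, run over constructed sshd log lines (the log format, host names, users, addresses and the failure threshold are all assumptions):

```python
"""Baseline-and-deviation detection over constructed sshd log lines: an added
example, not code from any cited source. Format, hosts, users, addresses and
the threshold are assumptions."""
import re
from collections import Counter

LINE_RE = re.compile(r"^(\S+) (\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)$")

# Constructed sample data: a known-good window to profile, then a window to examine.
BASELINE_LOGS = """\
2019-02-25T08:01:10 srv01 sshd: Accepted password for alice from 10.0.1.20
2019-02-25T08:12:30 srv01 sshd: Failed password for bob from 10.0.1.21
2019-02-25T08:12:41 srv01 sshd: Accepted password for bob from 10.0.1.21
2019-02-26T08:05:55 srv02 sshd: Accepted password for alice from 10.0.1.20
"""
CURRENT_LOGS = """\
2019-02-27T03:14:01 srv01 sshd: Failed password for admin from 203.0.113.9
2019-02-27T03:14:03 srv01 sshd: Failed password for admin from 203.0.113.9
2019-02-27T03:14:09 srv01 sshd: Accepted password for admin from 203.0.113.9
2019-02-27T08:02:40 srv01 sshd: Accepted password for alice from 10.0.1.20
"""

def parse(text):
    """Yield (timestamp, host, outcome, user, src) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def build_profile(text):
    """Profile of expected activity: (host, user, source) triples seen, and the
    highest per-host daily failed-login count observed in the baseline."""
    seen, fails = set(), Counter()
    for ts, host, outcome, user, src in parse(text):
        seen.add((host, user, src))
        if outcome == "Failed":
            fails[(host, ts[:10])] += 1
    return seen, max(fails.values(), default=0)

def find_deviations(profile, text):
    """Correlate new events with the profile: flag a host the first time its
    daily failures pass the baseline, and any login from a never-seen triple."""
    seen, max_fails = profile
    fails, findings = Counter(), []
    for ts, host, outcome, user, src in parse(text):
        if outcome == "Failed":
            fails[(host, ts[:10])] += 1
            if fails[(host, ts[:10])] == max_fails + 1:
                findings.append(f"{ts} {host}: failed logins exceed baseline of {max_fails}/day")
        elif (host, user, src) not in seen:
            findings.append(f"{ts} {host}: first-seen login for {user} from {src}")
    return findings
```

Running `find_deviations(build_profile(BASELINE_LOGS), CURRENT_LOGS)` reports the burst of failures on srv01 and the later successful login from the never-seen admin/203.0.113.9 combination, while the routine alice login raises nothing.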

Containment, mitigation, and recovery are where the administrator chooses the strategy that works best for them in the containment, mitigation, and recovery of a security incident. Containment involves the need for legal evidence preservation, network system service availability, whether containment is full or partial, identification of the attacking host, and the incident database. Eradication and recovery are where the organization's information security managers do away with any malware detected in the security incident and disable user accounts in user management (Paul, Tom, Tim, Karen, 2012, pp. 11-15).

Chain of custody is a basic pillar of any digital forensic investigation: it records how legal evidence was handled throughout the digital forensic process while the investigator is conducting the investigation. The chain of custody shows who handled this legal evidence throughout the investigation, with dates and times, from the point at which evidence from hardware, applications and other media devices is tagged, stored and documented throughout the process.
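The tagging, hand-over logging and integrity checking just described, as an added Python example that is not part of this paper or any cited source (the evidence item, custodian names, timestamps and the record layout are constructed assumptions, not a legal standard):

```python
"""Chain-of-custody record with integrity hashing: an added example, not code
from any cited source. Custodians, times and the record layout are assumptions."""
import hashlib
from dataclasses import dataclass, field

def digest(data):
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEntry:
    timestamp: str     # ISO 8601 time of seizure or hand-over
    released_by: str   # custodian giving the item up ("" at seizure)
    received_by: str   # custodian taking possession
    purpose: str       # why it changed hands (seizure, imaging, storage, court)
    sha256: str        # hash of the item as verified by the receiver

@dataclass
class EvidenceItem:
    tag: str           # evidence tag written on the bag or label
    data: bytes        # the evidence bytes (e.g. a disk image)
    log: list = field(default_factory=list)

    def seize(self, collector, timestamp):
        self.log.append(CustodyEntry(timestamp, "", collector, "seizure", digest(self.data)))

    def transfer(self, from_person, to_person, timestamp, purpose):
        """Record a hand-over; only the current custodian may release the item."""
        if self.log[-1].received_by != from_person:
            raise ValueError(f"{from_person} is not the current custodian of {self.tag}")
        self.log.append(CustodyEntry(timestamp, from_person, to_person, purpose, digest(self.data)))

    def verify(self):
        """True only if custody is unbroken and every recorded hash matches the data."""
        first = self.log[0].sha256
        hashes_ok = all(e.sha256 == first for e in self.log) and digest(self.data) == first
        chain_ok = all(b.released_by == a.received_by for a, b in zip(self.log, self.log[1:]))
        return hashes_ok and chain_ok

def custody_report(item):
    lines = [f"Evidence {item.tag}"]
    for e in item.log:
        who = f"{e.released_by} -> {e.received_by}" if e.released_by else f"seized by {e.received_by}"
        lines.append(f"  {e.timestamp}  {who}  ({e.purpose})  sha256={e.sha256[:12]}...")
    return "\n".join(lines)

def sample_case():
    # Constructed sample: a USB image seized by one person and handed to the examiner.
    item = EvidenceItem("EV-2019-001", b"constructed sample image bytes")
    item.seize("Collector A", "2019-02-27T09:15:00Z")
    item.transfer("Collector A", "Examiner B", "2019-02-27T11:40:00Z", "imaging and analysis")
    return item
```

`verify()` fails both when the bytes no longer match the hash recorded at seizure and when a log entry's releaser is not the previous receiver, which is the gap a court would ask about.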



References

Capella University (2019). Course room, unit 8, Incident response. Retrieved 02/28/2019, from https://courserooma.capella.edu/webapps/blackboard/content/listContent.jsp?course_id=_162482_1&content_id=_7268977_1&mode=reset

ACSC (2017). Strategies to Mitigate Cyber Security Incidents – Mitigation Details. Retrieved 02/27/2019, from https://acsc.gov.au/infosec/top-mitigations/mitigations-2017-details.htm

Michelle Borodkin (2001). Computer Incident Response Team. SANS. Retrieved 03/02/2019, from https://www.sans.org/reading-room/whitepapers/incident/computer-incident-response-team-641

Paul Cichonski, Tom Millar, Tim Grance, Karen Scarfone (2012). Computer Security Incident Handling Guide. Retrieved 03/02/2019, from https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
