THE RESPONDERS layer 9B
THE RESPONDERS OF IP RESOURCES
The Responders Explained: Welcome to Layer 9B: The Responders. This layer examines the critical role of incident response in the aftermath of a cyber event. At Listcrime.com, we outline the essential steps for responding to cyber incidents, including containment, investigation, and reporting. Equip yourself with the knowledge to act swiftly and effectively in the face of a cyber attack.
The following three (3) steps are extremely important:
Step 01
Getting the right people involved and coordinating your efforts is key to any successful response.
A company must identify a central point of contact or leadership team that not only has the responsibility, but also has the authority to act. The leadership role must be established to perform the day-to-day analysis of the situation and make key decisions. A central point of contact should be established and be at the highest level in executive management or have the backing of executive management.
- What are your escalation procedures, such as contacts and notification groups?
- Do you have a response team as part of your response plan?
- Does it involve in-house legal counsel, human resources personnel, corporate security, IT security, technical professionals and someone from your communications group to coordinate messaging?
Hiring a third-party forensic company: Third-party forensic firms can assist in containing the breach and collecting sensitive electronic data (evidence) in a forensically sound manner. These companies are there for mitigation, remediation and assistance in investigating the internal workings of your network. Law enforcement agencies investigate the breach but do not mitigate damages to your system.
Hiring third-party notification and monitoring services: Notification services inform impacted employees, clients, customers or the general public. Monitoring services watch for information about impacted employees, clients, customers or the general public that may be published, used or abused (i.e., identity theft).
Step 02
Containing the problem while investigating the incident (containment mode):
- A determination of the nature of the incident (what happened). Is the attack ongoing or is it hours/days old?
- Network topology – provide a current and functional understanding of the organization’s network and flow of data.
- Security setup and configuration (Cloud Service Provider logs, IDS, log servers, router configurations, etc.), plus a brief overview of the inventory of computer systems and network components.
- Identification – the physical and logical topology of your network and the objective of the attack; review volatile data, flow data and stored logs; consider data at rest, in use and in motion; capture logs, PCAP and NetFlow.
- Access control – who has access to systems and by what means?
A data breach contains three (3) basic components:
- How did they get in? (Has your system been accessed, or has it been infected or modified?)
- How did they move through your network, and what did they take, move, change or alter?
- How did they exit your system?
Step 03
Collecting and reporting the facts:
A cybercrime case is no different than any other criminal case when it comes to prosecution. You must have evidence of the crime. The investigation will only go as far as the victim company can take it. To capture and prosecute criminals, trace evidence of the crime must be located, captured, and documented in a forensically sound manner.
Having a sound log management system in place is key to stopping criminals from infiltrating your system, restricting their access within your system, and preventing them from exfiltrating data out of your system. Most importantly, proper log management provides trace evidence if a crime occurred. In the world of computer security, controlling the flow of data in and out of your network includes the authorization, authentication, and auditing of your system.
Firewalls, data-loss prevention systems, intrusion detection systems and access control lists all work well if they are configured and managed properly. Logs must be preserved so that any actionable investigative leads or trace evidence can be found and documented.
The response team must:
- Document the incident response: copies of policies and procedures, evidence of education and awareness training, the security risk analysis conducted by the organization, vendor/business associate agreements in place, and evidence of corrective action taken
- Triage or mount a full response: wipe and re-image, re-configure, re-install, re-authenticate, monitor, and repair the operational, reputational, financial and/or legal impact
- Control physical access to computers and network components
- Log and report the sequence of events or incidents
- Preserve all evidence and maintain a chain-of-custody
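The log-preservation and chain-of-custody points above come down to one question a court or investigator will ask: can you show that the logs you hand over are the ones you collected, and who held them in between? The following is an added example (not code from Listcrime.com) of a small hash-chained custody ledger: every custody event records the SHA-256 of the evidence item and the hash of the previous entry, so either a changed log file or an edited ledger entry is detected. The sample log line, item name and custodian names are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

SAMPLE_LOG = b"Jan 01 00:00:01 host sshd[1]: Accepted publickey for alice\n"  # constructed sample evidence

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()  # stream real disk images/PCAPs in chunks

def entry_digest(entry):
    # Canonical JSON of every field except the entry's own hash.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class CustodyLedger:
    """Append-only custody ledger; each entry commits to the previous entry's hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, action, custodian, item, data, when=None):
        """Record an action (acquired/transferred/examined) on one evidence item."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"action": action, "custodian": custodian, "item": item,
                 "sha256": sha256_hex(data), "prev": prev,
                 "when": when or datetime.now(timezone.utc).isoformat()}
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)

    def verify(self, current):
        """current maps item -> bytes as held now. Returns (ok, reason)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_digest(e) != e["entry_hash"]:
                return False, f"ledger entry {i} altered or out of sequence"
            if sha256_hex(current.get(e["item"], b"")) != e["sha256"]:
                return False, f"evidence {e['item']} changed since entry {i}"
            prev = e["entry_hash"]
        return True, "ledger and evidence intact"

def demo():
    # Acquire, hand over to the forensic firm, then simulate an evidence change and a ledger edit.
    ledger = CustodyLedger()
    ledger.record("acquired", "responder A", "auth.log", SAMPLE_LOG)
    ledger.record("transferred", "forensic firm", "auth.log", SAMPLE_LOG)
    intact = ledger.verify({"auth.log": SAMPLE_LOG})[0]
    modified = ledger.verify({"auth.log": SAMPLE_LOG + b"tampered\n"})[0]
    ledger.entries[0]["custodian"] = "unknown"  # simulated after-the-fact ledger edit
    edited = ledger.verify({"auth.log": SAMPLE_LOG})[0]
    return intact, modified, edited
```

In practice the ledger itself would be written to write-once or signed storage and each entry countersigned by the custodian; the hash chain only makes tampering detectable, not impossible.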