SECTION 5 : INCIDENT RESPONSE

(PAHAMI TERMINOLOGINYA, OVERVIEW TIAP SECTION)

1. TOPIC 1 EVENT VS INCIDENT

EVENT : NIST defines event is any change, error, or interruption within an IT infrastructure as a
system crash, a disk error or a user foretting password. (menyebabkan layanan gangguan, tidak
sampai mati)

INCIDENT : NIST defines incident as a violation or imminent threat of violation of computer

security policies, acceptable use policies, or standard security practices (mengakibatkan layanan
mati)

CYBERSECURITY INCIDENT : is an adverse event that negatively impacts the confidentiality,

integrity and availability of data.

Attack Vector Description Example

Unknown Cause of attack is This option is
unidentified acceptable if cause
(vector) is unkown
upon initial report. The
attcak vector may be
updated in a follow-up
report.
Attition AN attack that employs Denial of service
brute force methods to intended to impair or
compromise, degrade, deny access to an
or destroy system, application
networks or services
Web An attack executed Cross site scripting
from a website or web attack used to steal
based application credentials, or redirect
to a site that explotis a
browser vulnerability
and installs malware
CAT 4 Improper Usage A person violates
acceptable computing
use policies
2. TOPIC 2 SECURITY INCIDENT RESPONSE
Incident respones is a formal program that prepares an entity for a incident. Incident respones
phase is
a. Preparation to establish rolses, responsibilities and plans for how an incident will be
handled
b. Detection and Analysis capabilities to identify incidents as early as possible and effectively
assess the nature of the incident
c. Investigation capability if identifying an adversary is required
d. Mitigation and Recovery procedures to contain the incident, reduce losses and return
operations to normal
e. Postincident Analysis to determine corrective actions to prevent similar incidents in the
future

INCIDENT RESPONSE PLAN (IRP)

a. Preparation – Prepares an organization to develop an IRP prior to an incident.

b. Identification- Aims to verify if an incident has happened and to find out more details about
the incident.
c. Containment- Activated and information from incident handler is shared. Conduct detailed
asessment and contact the system owner.
d. Eradication- When containment measures have been deployed, it is time to determine the
root cause of the incident and eradicate it. Eradication can be done in a number of ways:
restoring backups to achieve a clean state of the system, removing the root cause,
improving defenses and performing vulnerability analysis to find further potential damage
from the same root cause.
e. Recovery- This phase ensures that affected systems or services are restored to a condition
specified in the service delivery objectives (SDO) or business continuity plan (BCP).
f. Lessons learned- At the end of the incident response process, a report should always be
developed to share what has happened, what measures were taken and the results after the
plan was executed. Part of the report should contain lessons learned that provide the IMT
and other stakeholders valuable learning points of what could have been done better. These
lessons should be developed into a plan to enhance the incident management capability and
the documentation of the IRP.

3. TOPIC 3 INVETIGATIONS, LEGAL HOLDS AND PRESERVATION

4. TOPIC 4 – FORENSICS
Digital forensics is the “process of identifying, preserving, analyzing and presenting digital
evidence in a manner that is legally acceptable in any legal proceedings.

There are four major considerations in the chain of events in regards to evidence in digital
forensics
a. Identify - Refers to the identification of information that is available and might form the
evidence of an incident.
b. Preserve - Refers to the practice of retrieving identified information and preserving it as
evidence
c. Analyze - Involves extracting, processing and interpreting the evidence. Extracted data could
be unintelligible binary data after it has been processed and converted into human readable
format. Interpreting the data requires an in-depth knowledge of how different pieces of
evidence may fit together. The analysis should be performed using an image of media and
not the original.
d. Present - Involves a presentation to the various audiences such as management, attorneys,
court, etc.

DATA PROTECTION

DATA ACQUISITION
All information and data required should be transferred into a controlled location; this includes
all types of electronic media such as fixed disk drives and removable media. Each device must be
checked to ensure that it is writeprotected. This may be achieved by using a device known as a
write-blocked.

IMAGING
Imaging is a process that allows one to obtain a bit-for-bit copy of data to avoid damage of
original data or information when multiple analyses may be performed. The imaging process is
made to obtain residual data, such as deleted files, fragments of deleted files and other
information present, from the disk for analysis.

EXTRACTION
This process consists of identification and selection of data from the imaged data set. This
process should include standards of quality, integrity and reliability. The extraction process
includes software used and media where an image was made. The extraction process could
include different sources such as system logs, firewall logs, intrusion detection system (IDS)
logs, audit trails and network management information.

INTERVIEWS
Interviews are used to obtain prior indicators or relationships, including telephone numbers, IP
addresses and names of individuals, from extracted data.

INGESTION/NORMALIZATION
This process converts the information extracted to a format that can be understood by
investigators. It includes conversion of hexadecimal or binary data into readable characters or a
format suitable for data analysis tools.

REPORTING
The information obtained from digital forensics has limited value when it is not collected and
reported in the proper way.
 NETWORK TRAFFIC ANALYSIS
Network traffic analysis identifies patterns in network communications. Traffic analysis does not
need to have the actual content of the communication but analyzes where traffic is taking place,
when and for how long communications occur, and the size of information transferred.

LOG FILE ANALYSIS

a. Audit reduction tools
b. Trend/variance-detection tools
c. Attack-signature-detection tools

DIGITAL FORENSIC TOOLS

4 Categories
a. Computer-Examine nonvolatile digital media.
b. Memory-Used to acquire and analyze volatile memory.
c. Mobile Device-Consist of both software and hradware components
d. Network-Monitoring and analysis of network traffice.

TIME LINES
Time lines are chronological graphs where events related to an incident can be mapped to look
for relationships in complex cases. Time lines can provide simplified visualization for
presentation to management and other nontechnical audiences.

ANTI-FORENSICS
Programmers develop anti-forensics tools to make it difficult or impossible for investigators to
retrieve information during an investigation. There are numerous ways people can hide
information

Anti-forensics tactics, techniques and procedures (TTPs) include:

• Securely deleting data
• Overwriting metadata
• Preventing data creation
• Encrypting data • Encrypting network protocols
• Hiding data in slack space or other unallocated locations
• Hiding data or a file within another file (steganography)

5. TOPIC 5 DISASTER RECOVERY AND BUSINESS CONTINUITY PLANS

Disasters are disruptions that cause critical information resources to be inoperative for a period
of time, adversely impacting organizational operations. The disruption could be a few minutes
to several months, depending on the extent of damage to the information resource. Most
important, disasters require recovery efforts to restore operational status.

A disaster may be caused by natural calamities, such as earthquakes, floods, tornadoes and fire,
or a disaster may be caused by events precipitated by humans such as terrorist attacks, hacker
attacks, viruses or human error. Many disruptions start as minor incidents.
BUSINESS CONTINUITY AND DISASTER RECOVERY
Enable a business to continue offering critical services in the event of a disruption and to survive
a disastrous interruption to activities. Rigorous planning and commitment of resources are
necessary to adequately plan for such an event.

BCP is primarily the responsibility of senior management, because they are entrusted with
safeguarding the assets and the viability of the organization, as defined in the BCP/DRP policy.
The BCP is generally followed by the business and supporting units, to provide a reduced but
sufficient level of functionality in the business operations immediately after encountering an
interruption, while recovery is taking place.

BUSINESS IMPACT ANALYSIS

The first step in preparing a new BCP is to identify the business processes of strategic
importance—those key processes that are responsible for both the permanent growth of the
business and for the fulfillment of the business goals. Ideally, the BCP/DRP should be supported
by a formal executive policy that states the organization’s overall target for recovery and
empowers those people involved in developing, testing and maintaining the plans.

Based on the key processes, a business impact analysis (BIA) process should begin to determine
time frames, priorities, resources and interdependencies that support the key processes. Business
risk is directly proportional to the impact on the organization and the probability of occurrence of
the perceived threat.

Thus, the result of the BIA should be the identification of the following:
• The human resources, data, infrastructure elements and other resources (including those
provided by third parties) that support the key processes
• A list of potential vulnerabilities—the dangers or threats to the organization
• The estimated probability of the occurrence of these threats
• The efficiency and effectiveness of existing risk mitigation controls (risk countermeasures)

SUPPLY CHAIN CONSIDERATIONS

IS BUSINESS CONTINUITY PLANNING

RECOVERY CONCEPTS
Data recovery is the process of restoring data that has been lost, accidentally deleted, corrupted
or made inaccessible for any reason. Recovery processes vary depending on the type and
amount of data lost, the backup method employed and the backup media. An organization’s
DRP must provide the strategy for how data will be recovered and assign recovery
responsibilities.
BACKUP PROCEDURES
Backup procedures are used to copy files to a second medium such as a disk, tape or the cloud.
Backup files should be kept at an offsite location. Backups are usually automated using operating
system commands or backup utility programs. Most backup programs compress the data so that
the backups require fewer media.

There are three types of data backups: full, incremental and differential.
a. Full backups - provide a complete copy of every selected file on the system, regardless of
whether it was backed up recently. This is the slowest backup method but the fastest method
for restoring data.

b. Incremental backups - copy all files that have changed since the last backup was made,
regardless of whether the last backup was a full or incremental backup. This is the fastest
backup method but the slowest method for restoring data.

c. Differential backups - copy only the files that have changed since the last full backup. The file
grows until the next full backup is performed.