2incident Management

This document provides an overview of cyber incident management and the incident response lifecycle. It introduces the NIST Cybersecurity Framework and its five functions of Identify, Protect, Detect, Respond, and Recover. It then describes the key stages of the incident response lifecycle - Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post Incident Activity. For each stage, it provides details on the goals and focus areas.

Uploaded by Jaico Dictaan

CYBER INCIDENT MANAGEMENT

Cybersecurity Bureau-CERT-PH
WHOAMI: ALWELL MULSID
• Bachelor Degree in Computer Information Science
• Lead the Incident Response Section of CERT-PH, DICT

• Alumnus of
- Japan International Cooperation Agency (JICA) in Japan
- Jakarta Centre for Law Enforcement Cooperation (JCLEC) in Indonesia
- International Visitor Leadership Program (IVLP) by US State Department

• Has experience presenting digital evidence and has stood as an expert witness in court.
• Presented an Incident Management lecture at the Asia Pacific CERT
• Founded an advocacy group “PH CYBER UNITS”
• Introduction to Cybersecurity Standards and Framework
• Introduction to Cyber Incident Management
• Escalation Procedures
• Triage Activities
INTRODUCTION TO
CYBERSECURITY STANDARDS AND
FRAMEWORK
NIST CYBER SECURITY FRAMEWORK (CSF)

• Identify - focus on identifying and knowing what should be protected
• Protect - implementation of the necessary level of protection for the identified assets
• Detect - capability to recognize whether any cyber security incident is impacting the protected assets
• Respond - capability to handle the detected cyber security incidents
• Recover - restore business operations
NIST CYBER SECURITY FRAMEWORK (CSF)

IDENTIFY – PROTECT – DETECT – RESPOND – RECOVER

INCIDENT MANAGEMENT: TRIAGE - ANALYSIS - IR LIFE CYCLE


INTRODUCTION TO
CYBER INCIDENT MANAGEMENT
INCIDENT MANAGEMENT

• Helps the cybersecurity workforce and CERTs see the benefits of having a structured approach to managing events and incidents properly: defining the process flow, transforming data into information, and implementing it.
INCIDENT MANAGEMENT

• To accomplish the goal of Incident Management:
• detect and identify events
• triage and analyze events
• respond to and recover from an incident
• improve the organization’s capabilities for responding to a future incident
• Focuses on how to manage incidents effectively throughout the Incident Response Life Cycle.
INCIDENT RESPONSE LIFECYCLE
Incident Response (IR)

• IR is a structured methodology for handling security incidents, breaches, and cyber threats.

• The methodology can effectively identify and minimize the damage and reduce the cost of a cyber attack, while finding and fixing the cause to prevent future attacks.
Goal of Incident Response (IR)

To limit as much as possible the disruptions to the network and to the business operation.
Incident Response Lifecycle
1. Preparation
Steps taken before any incident occurs. These include guidelines, plans, tools and other information in place that can support your team in preventing and responding to cyber attacks faster and more effectively.

It helps your organization ensure that your team can act before, during and after a cyber attack.
Incident Response Lifecycle
1. Preparation
• Preparedness Program
• Policies and security documents
• Create the Incident Response Team
• Understand your organization’s operations and business environment;
• Identification and inventory of the assets that need to be protected and prioritized;
• Establish systems for recording, monitoring and ticketing of incidents;
• The use of equipment and technology to detect and address a cyber security incident;
Incident Response Lifecycle
1. Preparation
• Outline the roles, responsibilities, and procedures of your team
• Incident response kit and tools
• Establish clear communication channels
• Telecommuting
• In-house capabilities or contracts with external experts for incident response and/or forensic investigation in case of an actual cyber security incident;
• Develop common incident playbooks
Incident Response Lifecycle
2. Detection and Analysis
Detect and analyze events in order to determine whether these events are considered security incidents. It requires the tools, systems and skills of incident response personnel to monitor and identify any unusual activity or events that may compromise the confidentiality, integrity and availability of the organization's information and systems.
Incident Response Lifecycle
2. Detection and Analysis
Focus on: Unusual Activities and Events
• Alerts and reports about potential malicious activity or vulnerabilities. This can include alerts from your technology or network provider.

• Loss or breach of a device, including personal mobiles that staff use to access work emails. Staff may feel uncomfortable about reporting such incidents, so it's important to encourage people to speak up proactively.

• General day-to-day indicators, such as unusual email activity, incident reports, or being informed by staff or customers that a breach has already occurred.
Incident Response Lifecycle
2. Detection and Analysis
Focus on: Detection Methods
• Detected by security controls (Intrusion Detection System, Firewall)
• Monitored by security personnel (Internal IT, SOC, CERTs using tools)
• Reported by end-users / victims (Traditional anti-virus, anti-malware, computer users and victims)
• Detected by external security teams and researchers (Dark web, specialized search engines, social media, vendors, other CERTs)
Incident Response Lifecycle
3.1. Containment
The goal is to check the affected system or digital assets and to limit the damage
from the current incident. It is also important to prevent the destruction of
evidence that may be needed for legal proceedings.
Incident Response Lifecycle
3.1. Containment
Focus on: Applying different strategies
• Removing the system from the network by disconnecting it
• Isolating the systems by way of network segmentation
• Utilize virtual local area networks
• Utilize firewall rule sets
• Monitoring the attacker's communication channels and activities on the system
• Carefully gathering information and evidence for legal proceedings
• Redirecting traffic
• Whitelisting of IPs to boot out attackers
Incident Response Lifecycle
3.1. Containment
Focus on: Documentation / Management Decision / Other activities
• Approval for accessing the victim machines and related applications, which possibly store sensitive data
• Ensure contaminated machines and equipment are protected from unauthorized access by non-incident responders or the owner of the system
• Communication to the IR lead and higher-ups is necessary so that they are well informed and can make decisions.
Incident Response Lifecycle
3.2. Eradication
Involves the process of understanding the cause of the incident so that the affected entity is able to reliably recover from the incident by removing the malicious files or other artifacts used in the attack.
Incident Response Lifecycle
3.2. Eradication
• Wipe and re-image affected system hard drives to ensure any malicious content is removed.
• Preventing the root cause—understanding what caused the incident and preventing future compromise, for example by patching a vulnerability exploited by the attacker.
• Applying basic security best practices—for example, upgrading old software versions and disabling unused services.
• Scan for malware—use anti-malware software to scan affected systems and ensure all malicious content is removed.
Incident Response Lifecycle
3.3. Recovery
Involves cautiously bringing all affected systems back to full operation after verifying that the systems are clean and the threats removed. Close monitoring of systems is necessary because the infection, attacker, or threat agent might have persisted through eradication.
Incident Response Lifecycle
3.3. Recovery
• Defining the time and date to restore operations—system owners should make the final decision on when to restore services, based on information from the CERT.
• Test and verify—ensuring systems are clean and fully functional as they go live.
• Monitoring—ongoing monitoring for some time after the incident to observe operations and check for abnormal behaviors.
• Do everything to prevent another incident—considering what can be done on the restored systems to protect them from recurrence of the same incident.
Incident Response Lifecycle
4. Post Incident Activity
This is where the final report is created and delivered to management or the affected entity. Important considerations are detailing how the attack could have been detected and identified sooner, including any observed gaps in the incident response processes.
Incident Response Lifecycle
4. Post Incident Activity
• Completing documentation—it is never possible to document all aspects of an incident while it is going on, and achieving comprehensive documentation is very important to identify lessons for next time.

• Identify ways to improve CERT performance—extract items from the incident report that were not handled correctly and can be improved for next time.

• Establish a benchmark for comparison—derive metrics from the incident report that you can use to guide you in future incidents.
Incident Response Lifecycle
4. Post Incident Activity
• Lessons learned meeting—conduct a meeting with the CERT team and other stakeholders to discuss the incident and document lessons learned that can be implemented immediately.
• When was the problem first detected and by whom?
• The scope of the incident
• How it was contained and eradicated
• Work performed during recovery
• Could anything have been done to prevent it?
• Areas where the CERT team was effective
• Areas that need improvement
CERT/CSIRT
ESCALATION PROCEDURES
• Document from which sector or specific Critical Infrastructure the victim came from
• Is the reported incident a cyberattack or a cybercrime?
• Document how the cyber incident reached your CERT
• Completeness of the notification
• How recent is the cyber incident?
• Responder skill set to handle the reported incident
• Workload of the Incident Responder
• Response process for a major incident, especially a data breach; increase CERT engagement
• Get as much detail as possible from the victim organization
• Level of cooperation of the victim; this should be documented
• Properly document all steps made by the analyst and digital forensic personnel
• Use a playbook if available
• The entry point of the cyber attack is important
• Document challenges that were encountered during the investigation
• What kind of incident needs to be forwarded to law enforcement agencies?
• Average remediation time
• Close ticket with no response from the victim
• Close ticket and remediated
UTILIZING THE DATA FOR BETTER
INCIDENT MANAGEMENT
• Better reports
• Identify and understand the challenges organizations are facing
• Information on the common cyber attacks per sector and from critical information infrastructure (CII)
• Produce better training modules
• Increase the effectiveness of processes in providing assistance
UTILIZING THE DATA FOR BETTER
INCIDENT MANAGEMENT
• Good data statistics
• Increase collaboration efforts with specific organizations
• Program development for identified gaps
TRIAGE ACTIVITIES
TRIAGE

Triage is the post-detection incident response process, with various preliminary actions that help any responder declare an incident or label it as a false positive. Triage utilizes different resources and querying activities to understand and accurately evaluate the detected incident.
TRIAGE

Important activities in triage and analysis include:
• event categorization
• event prioritization
• event data correlation and analysis
• recognizing an incident and activation of the complete incident response procedures
TRIAGE
Categorization
• Types of Attack
• Complexity
TRIAGE
Prioritization
TRIAGE
Recognizing an incident & activation of response procedures
• The analyst can declare that there is an incident. This can happen both internally and externally.
• Engagement with the affected system’s owner or entity is initiated.
TRIAGE
Assess the Incident and Prioritize
• Reach an agreement regarding the preservation of digital artifacts that will be forwarded to the law enforcement agencies.
TRIAGE
Initial analysis on: Malicious USB / Other External HDD
• Possible techniques: Use of tools such as Autopsy, an imager and other tools available.
• Description: The IR team can use the device to do digital forensics and analysis on the content of the device.

Initial analysis on: Linux systems that need analysis, digital forensics and investigation
• Possible techniques: If possible, take an image of the affected machine. Download all relevant logs and compute a hash of the downloaded files.
• Description: It is important to assess the machine not on the affected machine itself. A decision is to be made whether the machine is to be contained or the IR team can do live digital forensics.
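The "download all relevant logs and hash the downloaded files" step in the Linux row above, as an added example that is not from the slides: a POSIX shell script that records a SHA-256 manifest of the collected copies at acquisition time and re-verifies it before analysis, so any later change to the copies is detected. It assumes GNU coreutils (sha256sum, find, sort); the sample log files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the slides): evidence-hash manifest for collected logs.
# Hash every collected file once at acquisition time, then re-verify before
# analysis so that any later change to the copies is detectable.
# Assumes GNU coreutils. Sample files below are constructed placeholders.
set -eu

# Create constructed sample "collected logs" (placeholder content, not real data).
make_sample_evidence() {
    dir="$1"
    mkdir -p "$dir/var_log"
    printf 'Jan 01 00:00:01 host sshd[123]: Accepted password for user from 192.0.2.10\n' \
        > "$dir/var_log/auth.log"
    printf 'Jan 01 00:00:02 host kernel: sample kernel message\n' > "$dir/var_log/syslog"
}

# Write "<sha256>  <relative path>" for every regular file under the evidence
# directory, in a stable order. Pass the manifest as an absolute path and keep
# it outside the evidence directory so the manifest never hashes itself.
make_manifest() {
    dir="$1"; manifest="$2"
    ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$manifest"
}

# Re-check the copies against the manifest. Returns 0 when every recorded file
# still matches; non-zero when a file was altered or removed, or the manifest is empty.
verify_manifest() {
    dir="$1"; manifest="$2"
    [ -s "$manifest" ] || return 1
    ( cd "$dir" && sha256sum -c "$manifest" ) >/dev/null 2>&1
}

# Number of files recorded, for the acquisition record.
manifest_entries() {
    wc -l < "$1" | tr -d ' '
}

# Stand-alone demonstration on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_evidence "$demo_dir/evidence"
make_manifest "$demo_dir/evidence" "$demo_dir/evidence.sha256"
if verify_manifest "$demo_dir/evidence" "$demo_dir/evidence.sha256"; then
    echo "manifest verified: $(manifest_entries "$demo_dir/evidence.sha256") files intact"
fi
rm -rf "$demo_dir"
```

Keep the manifest (and ideally a copy of it stored separately) with the case record so the hashes can be re-checked when artifacts are handed to law enforcement.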
TRIAGE
Initial analysis on: Infection on live machines
• Possible techniques: Memory dump, and perform a security check on live connections and C2. Check for rootkits.
• Description: Assuming this is not ransomware and the machine is still working during the infection, the IR team needs to do an immediate memory dump and check for connections, both ingress and egress.
TRIAGE
Initial analysis on: Security violation of network policies
• Possible approach: Check which network policies are impacted, focusing on hidden network connections. Observe live traffic. Utilize firewall logs and run packet capturing software.
• Description: It is important that the IR team has visibility on network traffic. Any anomalies should be investigated without delay.
Cybersecurity Habits for Incident Responders

Habits of ….
• changing the default passwords
• thinking twice before clicking unknown links or opening email from unknown senders
• allowing a week without updating your backup
Cybersecurity Habits for Incident Responders

Habits of ….
• verifying requests for your private information
• not using work computers for personal activities
• securing your area and locking your computer screen before leaving them unattended – even just for a second
Cybersecurity Habits for Incident Responders

Habits of ….
• not using your company email address to register for non-office related websites and services
• using different passwords for different social media accounts
THANK YOU
alwell.mulsid@dict.gov.ph
https://www.ncert.gov.ph
https://www.facebook.com/ncertgovph
