Incident Response Process Best Practices and AWS Forensic Procedures

Topic or Question

There are many methods and best practices for handling incidents. Outline an incident response process based on what is in the text. What is the process order, what may be missing, and how could the process be improved?

Introduction to Incident Response and Management

Incident response (IR) and incident management (IM) are similar in that both apply when a disaster of any type occurs, as described by Peltier (2013). IR and IM concepts are documented and developed in advance and then used regardless of the type of disaster that happened. The disaster could be a computer security breach, a physical security attack, or a natural disaster such as an earthquake.

The Seven-Step Incident Response Process

There are many processes for handling incident response (IR). Peltier (2013) describes the typical incident response process as preparation, detection, incident analysis, incident containment, eradication, recovery, and post-incident activity. Normally an internal team is identified and trained.

Preparation - As described by Peltier (2013), preparation means having an IR team in the organization ready and performing internal IR tests so that the team can easily handle a real incident when it occurs.

Detection - Understanding the signs that an incident is occurring or about to occur. Using monitoring tools is one way to detect.

Incident Analysis - Understanding what the normal patterns are in the environment or network so that it is possible to identify whether an event is occurring.

Incident Containment - Identifying an issue and understanding how best to isolate it so that no further damage occurs.

Eradication - As described by Peltier (2013), eradication is how one cleans up once the incident is contained, for example by sanitizing or rebuilding servers to remove the issue.

Recovery - Restoring the system or network to its original state. One example of recovery is restoring a database to a point in time to remove data integrity issues.

Post-Incident Activity - The last step, as discussed by Peltier (2013), is to hold a retrospective or post-incident analysis so that the process can be improved for the next response.

AWS Forensic Security Workshop Insights

I am not a security professional but a database person, so I have been learning about containment of a breached server in our class readings. Recently Amazon Web Services (AWS) came on site to present an AWS Security workshop. During the class they described that part of planning for IR is to create an Elastic Compute Cloud (EC2) instance and load forensic tools on it. EC2 is a virtual machine in the AWS environment. The compromised EC2 instance should be placed in a security group that has no access to any machine other than the EC2 instance with the forensic tools. The instance should not be shut down. Collect details of the instance with the describe-instances command via the Amazon API. Snapshots should then be created of the volumes on the instance. Back up the system logs (API command get-console-output) and finally remove the instance from the auto scaling group.

AWS EC2 Forensic Containment Steps

  • Prepare an EC2 instance with the forensic toolkit on it
  • Isolate the hacked EC2 instance by replacing its current security group with the forensic security group, which has no access to anything, so that it is cut off from the other EC2 instances in the environment
  • Snapshot the volumes of the hacked EC2 instance
  • Get more details of the instance by using the describe-instances command
  • Get the system logs (get-console-output)
  • Remove the instance from the auto scaling group
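The containment steps above carried out through the EC2 and Auto Scaling APIs with boto3, as an added example that is not from the workshop or from AWS. The function name, the evidence record it returns, and the instance, security group and Auto Scaling group identifiers are assumptions; the clients are passed in so the procedure can be rehearsed against stubs before it is needed in a real incident:

```python
import base64
from datetime import datetime, timezone


def contain_instance(ec2, asg, instance_id, forensic_sg_id, asg_name=None):
    """Contain a suspected-compromised instance and return an evidence record.

    ec2/asg are boto3 clients (or stubs with the same method names), so the
    procedure can be rehearsed without touching an account. Nothing here stops
    or terminates the instance: its volatile state stays reachable from the
    forensic instance that shares the isolated security group."""
    evidence = {"instance_id": instance_id,
                "collected_at": datetime.now(timezone.utc).isoformat()}
    # 1. describe-instances: record the state before anything is changed.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    evidence["original_security_groups"] = [g["GroupId"] for g in inst["SecurityGroups"]]
    volume_ids = [m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m]
    # 2. Swap every security group for the forensic one (no ingress/egress rules):
    #    lateral movement is cut while the instance keeps running.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[forensic_sg_id])
    # 3. Snapshot each attached EBS volume; the description ties it to the case.
    evidence["snapshot_ids"] = []
    for vol in volume_ids:
        snap = ec2.create_snapshot(VolumeId=vol, Description=f"forensic {instance_id} {vol}")
        evidence["snapshot_ids"].append(snap["SnapshotId"])
    # 4. get-console-output: the API returns the console log base64-encoded.
    raw = ec2.get_console_output(InstanceId=instance_id).get("Output")
    evidence["console_output"] = base64.b64decode(raw).decode("utf-8", "replace") if raw else ""
    # 5. Detach from the Auto Scaling group without decrementing desired capacity:
    #    the group launches a clean replacement and stops managing this instance,
    #    so a later scale-in cannot terminate the evidence.
    if asg_name:
        asg.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=asg_name,
                             ShouldDecrementDesiredCapacity=False)
        evidence["detached_from_asg"] = asg_name
    return evidence


if __name__ == "__main__":  # real run: python contain.py i-0123 sg-forensic [asg-name]
    import sys
    import boto3  # needs AWS credentials with EC2 and Auto Scaling permissions
    iid, sg = sys.argv[1], sys.argv[2]
    group = sys.argv[3] if len(sys.argv) > 3 else None
    print(contain_instance(boto3.client("ec2"), boto3.client("autoscaling"), iid, sg, group))
```

The forensic security group is assumed to exist already with no inbound or outbound rules; creating it belongs to the preparation step.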

Key Security Event Definitions

Event - An observable occurrence in a system or network

Adverse Event - An event with a negative consequence, e.g., a system crash

Computer Security Event - A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices, e.g., a DoS attack or a worm (Peltier, 2013, p. 259)
