Incident Response 101 – The Background

In the previous post, I gave an introduction to my planned set of blog posts around incident response.

But…

The first question is, how have I made it to this stage in my understanding of the incident response process? Which materials, courses, books etc. have led me to develop my current knowledge level in this field? I will try to give a short description of each resource and why it is important…

All authors start with some background about themselves, so the audience trusts them a little more when they begin reading: “oh, this guy has read a lot and is certified in xx and xx, they must know what they are talking about”.

This is a list of resources that I turn to at least once a week in my work within incident response.

Materials:-

FIRST CSIRT Services Framework 2.0

https://www.first.org/standards/frameworks/csirts/FIRST_CSIRT_Services_Framework_v2.1.0.pdf

It took me quite some time to find this document, and I was quite a way into my journey of discovery within building a Cyber Defence Center before I found it. But once I did, it answered so many of the outstanding questions I had. This document lays out flat what you need to do to deliver a large selection of services within the CSIRT world. It opened up a door to a large community for me too, as I found the authors to be very interesting and the FIRST group a very welcome aid in my service architecture. I treat this book like the bible for the services I needed to build.

Just like any religious text, there is always room for interpretation. This resource is very good, but it does not answer every single question. In some areas it raises more questions, which require deeper research and more technically focused answers. But we will touch on this later in the blog posts on this subject.

SIM3 – Security Incident Management Maturity Model

http://opencsirt.org/wp-content/uploads/2019/12/SIM3-mkXVIIIc.pdf

I started learning about the SIM3 Model whilst beginning research into joining the TF-CSIRT community (something we will look into in later blog posts). This model lays out the perfect foundation for the building blocks you need to assemble an international-class incident response team. Attaining a good maturity rating within this model enables you to join the TF-CSIRT community and know that you have a very well-oiled incident response process. The SIM3 Model is written by Don Stikvoort, who has also been highly influential in the FIRST CSIRT Services Framework.

This model is the golden standard for creating an incident response service, and I will reference it a lot throughout the blog posts coming up. It gives you some of the backbone structure that you need to then build upon to create your own service.

Books:-

Intelligence-Driven Incident Response

http://shop.oreilly.com/product/0636920043614.do

I bought this book after attending the SANS FOR578 course that I mention below. I wanted a supplemental resource to aid my studies in Cyber Threat Intelligence, and this book went beyond my expectations. It really breaks down the incident response process in detail and shows where you can begin to look at it as a driver for gaining threat intelligence. This book really helped solve the problem I will later discuss, around “incident recording” language.

I recommend this book to everyone I meet within the incident response world.

MITRE – Ten Strategies of a World-Class Cybersecurity Operations Center

https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf

This book is available for free from the link above. I was lucky enough to receive a printed copy from someone I met at the FOR578 training course. This book goes into a lot of great detail on how to build a SOC and which resources you should look at to do it. Although the book was written back in 2014 and a lot has changed since then, it still holds a lot of relevancy today. The section called “Strategy 4” is very useful in determining which functions an incident response team should have, and how they can be developed if needed.

Courses:-

SANS SEC401 – GSEC

https://www.sans.org/course/security-essentials-bootcamp-style

This course was the first non-vendor-focused training course I ever took; before this I was heavily focused on studying network security through the CCNA books. This course helped me understand that the security world was bigger than specific vendors’ offerings and opened up the gates to my eventual drive into cyber security and incident response. For anyone starting out in this field, this course is very useful as it is very broad and tries to get around most of the important topics in cyber security.

SANS FOR578 – Cyber Threat Intelligence

https://www.sans.org/course/cyber-threat-intelligence

If I look back at any course, or anything I have ever studied in general, this course holds the top honours for how much I learned. I went into this course with an understanding of how I thought cyber security worked, and came out the other side with an entirely deeper knowledge and thought process. This course really helped me understand that data can be so powerful when absorbed from the incident response process, providing that the data is organized into structures and frameworks to present it in a clear way. I also had the added bonus that the course was being taught by Jake Williams (@malwarejake), and his anecdotes helped to further the understanding of the materials. I would say that this course was the straw which broke the camel’s back and changed me from being a purely technically oriented person to being much more focused on process and structure. I do not have enough great words in my dictionary for this course!

Other resources:-

Don’t ever underestimate the value you can get from just talking to people, whether they are in the incident response field or in other fields. A great example is the crossover between incident response and incident management in an ITIL sense. Essentially they are the same process and flow, just that incident response has the “cyber” tag.

Closing words…

This is just a list of the resources that I have used, and they are not complete; you need to find the bits you need from each of them and use them to define your own process.

I have also had the massive benefit of learning from some great people and spending time with organizations like CIRCL, Mandiant and Red Canary, to name a few… I just try to absorb as much from the experts as possible…
