The six stages of post-security incident grief avoidance

Uni security manager offers his best half-dozen breach responses


AusCERT Audio Security and forensics man Ashley Deuble has outlined the six stages of good incident response that if followed could bring an enterprise in line with Fortune 50 best practice.

The Griffith University security manager says the steps of preparation, identification, containment, eradication, recovery, and lessons learned are core to helping organisations recover successfully from data breaches.

Deuble says these six steps allow the extent of a breach to be determined, including which systems and data may have been compromised, while also helping to preserve the chain of evidence and identify possible actors for later legal action.

"The state of incident response (IR) is not good," Deuble told the AusCERT security conference on the Gold Coast yesterday.

"Other places, especially Australian-based companies, operate on a best-effort approach.

"But it's not all about IR - it's about detection, understanding what security means, and having budget, so your local fish and chips shop is not going to have this."

Griffith University security manager Ashley Deuble. Image: Darren Pauli / The Register.


Throughout the incident response process, documentation is king; Deuble says security types should "document everything", answering questions of who, what, when, and how.

The preparation phase is the first step, and involves people, policy, and tools as part of a jump bag. The latter should include live operating systems, net access, and forensics tools.

Identification requires security systems to be consulted in order to tell an event aberration from a true security incident. Once a breach is confirmed it should be reported immediately so that evidence collection can begin.

Podcast download: The six stages of incident response. (nb: audio is a phone recording, and not El Reg's usual high quality).

With full identification done, containment begins. System images are snapped, systems isolated, and, as part of long-term containment, patches pushed and servers rebuilt.

Eradication follows where defences are bolstered ahead of the recovery phase.

"At the end of this incident response process we gather all the information from the 'lessons learned' section and feed this back into the preparation phase," Deuble says.
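As an added illustration (not from Deuble's talk or The Register), a minimal incident log in Python that enforces the six-phase order described above, records who, what, when and how for every step, and hash-chains the entries so that a record altered or dropped during ad-hoc remediation is caught on verification. The phase names follow the article; the log structure and field names are my assumptions, not a tool Deuble describes.

```python
import hashlib
import json
from datetime import datetime, timezone

# The six phases in the order Deuble lists them; "lessons learned" may
# legitimately feed back into "preparation" for the next cycle.
PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons learned"]

GENESIS = "0" * 64  # previous-hash value for the first entry (assumed)


class IncidentLog:
    """Append-only incident record. Every entry answers who/what/when/how
    and carries the previous entry's hash, so editing or deleting an
    earlier entry breaks the chain and is detected by verify()."""

    def __init__(self):
        self.entries = []

    def record(self, phase, who, what, how, when=None):
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase!r}")
        if self.entries:
            last = self.entries[-1]["phase"]
            nxt = PHASES[min(PHASES.index(last) + 1, len(PHASES) - 1)]
            allowed = {last, nxt}
            if last == "lessons learned":
                allowed.add("preparation")  # feed back into preparation
            if phase not in allowed:
                raise ValueError(f"cannot move from {last!r} to {phase!r}")
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"phase": phase, "who": who, "what": what, "how": how,
                "when": when, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return True only if no entry was altered, removed or reordered."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```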

Many internal security teams bork incident response. Documentation is insufficient, digital evidence is trampled by ad-hoc remediation efforts, and systems are not sufficiently cleansed of malware and backdoors.

It is for this reason Mandiant forensics boffins and others may punt security teams during data breach investigation and take full command of incident response. ®

