Incident Management is lumped with Incident Response in the 2021 CBK.  It also became a bit more complicated.  Several approaches are mentioned, but first, we need to define two terms:

Event = a change in system state. 

Incident = the possibility of harm.

Two minor approaches are mentioned below.

NIST 800-61 has a four phase lifecycle:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

ISO/IEC 27035 has a five phase approach:

  1. Planning and Preparation
  2. Detection and Reporting
  3. Assessment and Decision
  4. Response
  5. Lessons Learned

Keep in mind that these don’t need to be memorized in full, as the exam could combine phases from different frameworks.  It’s important to memorize the phases the CBK emphasizes, be aware of the others, and be able to match activities to phases based on the question itself.

The primary steps presented in the CBK for incident management are as follows:

  1. Preparation
  2. Detection
  3. Analysis
  4. Response
  5. Review & Improvement

PREPARATION:

Preparation includes the following activities…

  • Policy
  • Planning
  • Procedures for escalation, communication, reporting, checklists, etc.
  • Training for individuals responsible for incident response
  • Software adequate for IR activities (ticketing systems, forensic investigations, etc.)
  • Resources (storage, supplies, tools)
  • Integration with SETA activities (formerly SATE), including posters and notices.

DETECTION:

This phase is obviously the initial input or discovery that an incident is happening.  Note that detecting an event is different from detecting an incident (incident = harm).  Detection technologies include IDS/IPS systems, firewalls, and logging systems.  These need to be implemented to fire alerts using specific rules (e.g. detection of unauthorized software, deletion of audit logs), but note that this phase can also include things like employees reporting a suspected incident to their manager, observing another employee committing fraud, or leads submitted through a web form or an 800 number.

Kill chain: a sequence of actions that results in a successful attack. Detecting signs of a kill chain is part of incident response.

Some additional activities in this phase:

  • Reduce the likelihood of false positives
  • Update signature files
  • Keep event thresholds current and relevant
  • Consider how attacker behavior changes over time

ANALYSIS:

This phase includes the following activities:

  • Review information captured in the detection phase
  • Correlation of related or relevant events
  • Prioritize incident
  • Compile documentation in standardized reporting format
  • Notification to responders
  • Initiate the tracking of the incident
  • Forensic analysis (NIST 800-86) via Forensic Readiness (being prepared to conduct the analysis; note: preparing for forensic readiness would occur in the Preparation phase).  It consists of four broad sub-phases:
    • Evidence collection: secure crime/incident scene, identify relevant data/evidence, label evidence, record evidence, collect evidence, and preserve its integrity.
    • Examine data: use forensic tools and techniques that preserve the data/evidence integrity.
    • Analysis: inspect results, address questions around the investigation.
    • Reporting: communicate results of the analysis, determine what additional actions are needed, and recommend improvements to the forensic process.
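As an added illustration (not from the CBK or these notes), the following Python runs detection rules of the kind listed under Detection (unauthorized software, deletion of audit logs, a failed-login threshold) over constructed log lines, treating every line as an event and raising alerts only on rule hits, and then performs the Analysis-phase correlation and prioritization; the log format, allow-list and threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit-log lines (not from any real system):
# "timestamp host user action detail"
SAMPLE_LOGS = [
    "2024-05-01T09:00:01 srv1 alice login success",
    "2024-05-01T09:05:12 srv1 bob install package=putty.exe",
    "2024-05-01T09:06:40 srv1 bob install package=unknowntool.exe",
    "2024-05-01T09:07:02 srv1 bob delete path=/var/log/audit/audit.log",
    "2024-05-01T09:10:00 srv2 carol login failure",
    "2024-05-01T09:10:03 srv2 carol login failure",
    "2024-05-01T09:10:05 srv2 carol login failure",
    "2024-05-01T09:10:07 srv2 carol login failure",
]

APPROVED_SOFTWARE = {"putty.exe", "notepad++.exe"}  # assumed allow-list
FAILED_LOGIN_THRESHOLD = 3                           # assumed event threshold
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ?(.*)$")

def parse(line):
    """Split one log line into an event dict; key=value details become a sub-dict."""
    ts, host, user, action, detail = LINE_RE.match(line).groups()
    kv = dict(p.split("=", 1) for p in detail.split() if "=" in p)
    return {"ts": ts, "host": host, "user": user, "action": action,
            "detail": kv or {"result": detail}}

def detect(lines):
    """Every line is an event (a state change); only rule hits become alerts."""
    alerts, failures = [], Counter()
    for ev in map(parse, lines):
        d, who = ev["detail"], (ev["host"], ev["user"])
        if ev["action"] == "install" and d.get("package") not in APPROVED_SOFTWARE:
            alerts.append(("unauthorized_software", *who, d.get("package")))
        elif ev["action"] == "delete" and "/audit" in d.get("path", ""):
            alerts.append(("audit_log_deleted", *who, d["path"]))
        elif ev["action"] == "login" and d.get("result") == "failure":
            failures[who] += 1
            if failures[who] == FAILED_LOGIN_THRESHOLD:  # alert once, when crossed
                alerts.append(("failed_login_threshold", *who, str(failures[who])))
    return alerts

def prioritize(alerts):
    """Analysis step: correlate alerts by host/user and rank the resulting incidents."""
    by_actor = defaultdict(list)
    for rule, host, user, _ in alerts:
        by_actor[(host, user)].append(rule)
    incidents = []
    for (host, user), rules in by_actor.items():
        # Audit-log tampering, or several correlated rules on one actor, is high priority
        high = "audit_log_deleted" in rules or len(rules) >= 2
        incidents.append({"host": host, "user": user, "rules": rules,
                          "priority": "high" if high else "medium"})
    return sorted(incidents, key=lambda i: i["priority"] != "high")
```

Running `prioritize(detect(SAMPLE_LOGS))` yields one high-priority incident for bob on srv1 (two correlated rules, one of them audit-log deletion) and one medium-priority incident for carol on srv2.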

RESPONSE

This phase is how you respond to the incident.  It contains the following activities:

  • Mitigation:
    • Containment – isolate damage, quarantine affected systems
    • Eradication – eliminate the cause (root cause analysis)

RECOVERY/REMEDIATION

  • Re-establishment of operations
  • Must include changes to prevent recurrence

REPORTING

Includes the following activities:

  • Telling everyone that recovery is complete
  • Management makes decision

REVIEW AND IMPROVEMENT

Includes the following activities:

  • Lessons learned meeting
  • Reviewing artifacts and documentation of the incident
    • An artifact is defined as a piece of hardware, software, or documentation.
  • Improving the IR process

Investigations are different from triage and analysis because they are not necessarily part of incident management.  Investigations are more formal and the outcomes are much more severe. Here are the types:

Administrative – related to insider threats.  Typically results in termination/firing of the employee, however can be escalated to:

Criminal – involvement of law enforcement.  Typically evidence at this point is handed over to law enforcement officials.  The organization at this point must follow the directions of law enforcement, however law enforcement must also follow due process and not exceed the bounds of their authority.  Both parties must be cognizant and cooperative with each other so as not to impede an investigation and not exceed the bounds of regional law. Evidence for criminal cases is required to prove “beyond a reasonable doubt” that the crime occurred.  Forensics would be required for criminal cases: for example, printed emails would not suffice; instead, the email server preserved using write-block technology with a well-documented chain of custody would be needed.

Civil – evidence requirements are much looser than criminal – these only require a “preponderance of evidence,” or the majority of evidence pointing to the wrongdoing.  Civil cases are typically party-to-party, or one person prosecuting another with little to no law enforcement involvement (may involve LE officials testifying as experts on a particular subject, or if they were involved at an earlier phase, deemed the issue to be civil, and handed the case back to the organization).  Forensics would not be required for civil cases. For example, email printouts can be used as evidence.

Regulatory – regulating government agencies can conduct investigations, which are different than audits in that a specific allegation is investigated (which can be something that happens as a result of an audit finding).

Industry standards – this does not appear to mean investigating whether business practices align with industry standards, but rather investigative standards, i.e. methods of investigation that are accepted in the investigation industry, or a standardized method of investigating something.

Elements of an investigation:

  • Evidence collection – there is a broad scope of things to include as evidence that includes: data, systems, components, software, information from witnesses.  Chain of custody is important. Bit-level copies must be made with write-block technology and analysis should be done on the copies, not originals.  Ensure that trained and certified or licensed professionals are designated to collect evidence.
  • Evidence custodian – the individual designated as the chain of custody manager who oversees access, use, and disposition of the evidence.  
  • Evidence – must be:
    • Admissible – the court (judge) will decide if a piece of evidence is admissible in court.
      • Tampering/modification – if evidence is tampered with, it can be dismissed from court.  This is why write-blocking technology is so important when dealing with digital evidence.
      • Documentation – any changes to evidence must be recorded to ensure that it continues to be admissible.  Chain of custody applies here as well. This sub-bullet can be applied to all aspects of evidence.
    • Accurate – the evidence must be true and clear.
    • Comprehensible – the evidence must be complete or comprehensive, inclusive of all its factors.
    • Objective – can stand alone without subjectivity.
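The forensic-readiness sub-phases above (collect and preserve, examine, analyze, report) and the evidence requirements in this list (write-blocked bit-level copies, chain of custody, documented handling to stay admissible) come together in the following added Python example, which is not code from the CBK or these notes; the sample media bytes, custodian names and item id are constructed, and the write-blocker is represented only by never mutating the original bytes.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for seized media (a bit-level image of a real drive would be far larger)
ORIGINAL_MEDIA = b"MBR\x00" + bytes(range(256)) * 4 + b"user-file: quarterly-report.xlsx"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class EvidenceRecord:
    """Chain-of-custody log for one evidence item: who held it, when, and what was done.
    The hash taken at acquisition is the reference every later integrity check uses."""
    def __init__(self, item_id, description, collector):
        self.item_id, self.description = item_id, description
        self.acquisition_hash = None
        self.entries = []  # (utc timestamp, custodian, action, note)
        self._log(collector, "collected", "seized and labelled at scene")

    def _log(self, custodian, action, note):
        self.entries.append((datetime.now(timezone.utc).isoformat(), custodian, action, note))

    def acquire_image(self, media: bytes, examiner):
        """Make the working copy. A hardware write-blocker sits between the original and
        the examiner's workstation; here the original bytes object is simply never mutated."""
        image = bytes(media)                 # bit-level copy; analysis uses this, not the original
        self.acquisition_hash = sha256(media)
        if sha256(image) != self.acquisition_hash:
            raise RuntimeError("image does not match source media")
        self._log(examiner, "imaged", "sha256=" + self.acquisition_hash)
        return image

    def transfer(self, from_custodian, to_custodian, reason):
        self._log(to_custodian, "transferred", "from %s: %s" % (from_custodian, reason))

    def verify(self, image: bytes, custodian) -> bool:
        """Re-hash before analysis. A mismatch means the copy was altered; it must not be
        used, and the failure itself is logged because it bears on admissibility."""
        ok = sha256(image) == self.acquisition_hash
        self._log(custodian, "verified" if ok else "INTEGRITY FAILURE", sha256(image))
        return ok

def demo():
    """Walk one item through collection, imaging, transfer, and two verifications."""
    rec = EvidenceRecord("EV-001", "workstation SSD (constructed sample)", "officer.a")
    image = rec.acquire_image(ORIGINAL_MEDIA, "examiner.b")
    rec.transfer("officer.a", "custodian.c", "placed in evidence locker")
    intact = rec.verify(image, "examiner.b")
    tampered = rec.verify(image[:-1] + b"!", "examiner.b")  # simulated modification
    return intact, tampered, len(rec.entries)   # returns (True, False, 5)
```

The custody log in `rec.entries` is the documentation an examiner would produce for the reporting sub-phase: every handover and every hash check, including the failed one, is recorded with time and custodian.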

Investigation methods:

Automated capture – things that can be gleaned from automated monitoring tools, such as system logs.

Interviewing – soliciting information from witnesses.  Should not be done by a single or inexperienced interviewer, and be sure to preserve the witness’s rights.  Typically done in private.

Manual capture – involves making copies of available evidence such as photo IDs or documents, and includes capturing photographic/video evidence from the incident/crime scene.  Audio recordings in this context would be open, at the scene, and not private as indicated in the “interview” bullet above.

External request – this includes gathering evidence from an external source.  For example, some investigations might require copies of a tax return or phone log records, which can only be obtained by contacting the entities who own that data (and usually would require a subpoena or search warrant).  Informal requests may be honored in some cases, especially depending on the relationship between law enforcement and the entity.

Remember the mnemonic “AIME” (Automated capture, Interviewing, Manual capture, External request) for the investigation methods when doing investigations.

Security orchestration, automation, and response (SOAR) involves three main processes: 

Orchestration brings all the components of security automation together into one platform.  Disparate systems and incompatible technologies can create issues in the stack.

Automation performs tasks such as log analysis, event analysis, scanning, and follow-on tasks based on playbooks and runbooks, which are simply automated tasks.  Automation uses AI to assist in the process.

Response provides a singular view into the incident detection, management, monitoring, and reporting of potential security incidents in order to automate IR capabilities.