Cyber Security Incident Response Playbooks


1 Cyber Security Incident Response Playbooks
V1.0
Can be used in conjunction with the Standard Categories for Incident Response v2.1: andrews.ac.uk/itsupport/security/standardcategoriesforincidentresponse/
Can be used with the Standard Categories ‘TheHive’ templates v1.0 (to be released).
For questions and comments, please
All playbooks are designed to be templates which can be filled out with more specific local steps and measures. Example flows (from:to) are included in the ‘Block applied’ playbook.

2 External Investigation

Step  Action                                          From  To
1     Notification
2     Identify affected users / systems
3     Categorize incident
4     Determine severity
5     Investigate with playbook
6     Report, considering external

3 Malicious code

Step  Action                                          From  To
1     Notification of malicious code
2     Submit sample to malware analysis / AV vendor
3     Determine IoCs
4     Create IDS rules
5     Historical log search
6     Block relevant IoCs
7     Identify previous infections
8     Block machines from network
9     Inform service desk / user
10    Close when ‘clean’

4 Internal Investigation

Step  Action                                          From  To
1     Notification / Requirement
2     Identify any investigation requirements
3     Categorize incident
4     Investigate with playbook

5 Copyright Infringement

Step  Action                                          From  To
1     Notification
2     Identify user
3     Inform user, with regulations
4     Follow regulation process

6 Denial of Service

Step  Action                                          From  To
1     Identification
2     Identify target(s)
3     Get packet dump
4     Initiate out-of-band comms if required
5     Report to upstream service provider
6     Check for extortion messages
7     Consider mitigation techniques

7 Unauthorised Access

Step  Action                                          From  To
1     Notification
2     Identify affected systems
3     Isolate system
4     Determine severity
5     Identify IoCs
6     Identify spread
7     Update IDS
8     Isolate as required
9     Recover systems (rebuild)

8 APT

Step  Action                                          From  To
1     Notification
2     Identify IoCs
3     Historical search
4     Determine severity / internal spread
5     Escalate
6     Update IDS

9 Social

Step  Action                                          From  To
1     Notification of compromised account
2     Secure the account
3     Refresh logins
4     Determine IoCs
5     Check historical records
6     Determine severity of information
7     Escalate

10 Vulnerability notification

Step  Action                                          From  To
1     Notification of vulnerability
2     Research relevant sites
3     Calculate CVSS score
4     Write up report
5     Release

11 Block applied (with example flows)

Step  Action                                          From                 To
1     Get source                                      Internal / External  CSIRT
2     Extract URLs
3     Check current status of sites                                        DNS
4     Report to block provider/technology                                  Block provider / RPZ
5     Put into IDS rules                                                   IDS
6     Check historical records                                             Networks - DNS
7     Follow relevant playbook for detections                              Playbooks
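The ‘Block applied’ flow above (steps 2 to 6), which also covers steps 3 to 5 of the Malicious code playbook, turned into a small script as an added example that is not part of the presentation: it extracts URLs from a notification, derives the hostnames, emits RPZ records for the block provider and Suricata-style DNS alert rules for the IDS, and searches historical DNS log lines for clients that already resolved a blocked host. The notification text, the log lines and the rule sids are constructed placeholders, and the hostnames use the reserved .invalid TLD.

```python
import re
from urllib.parse import urlparse

# Constructed sample notification (not real data); note the defanged hxxps:// URL.
NOTIFICATION = """Phishing kit seen at http://login-example.invalid/auth/ and
hxxps://cdn.bad-example.invalid:8443/x.js; reported by external CSIRT."""

# Constructed historical DNS query log lines: timestamp client 'query' type qname.
DNS_LOG = [
    "2024-05-01T10:02:11Z 10.0.0.15 query A login-example.invalid",
    "2024-05-01T10:05:43Z 10.0.0.22 query A www.example.org",
    "2024-05-02T08:14:09Z 10.0.0.15 query A cdn.bad-example.invalid",
]

URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s;,'\"<>]+", re.IGNORECASE)

def extract_urls(text):
    """Step 2 (Extract URLs): find plain and defanged URLs, re-fang, drop trailing punctuation."""
    return [re.sub(r"^hxxp", "http", m.group(0), flags=re.IGNORECASE).rstrip(".,;")
            for m in URL_RE.finditer(text)]

def hostnames(urls):
    """Reduce URLs to the unique hostnames that DNS blocking and IDS rules key on."""
    return sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})

def rpz_records(hosts):
    """Step 4 (block provider / RPZ): zone records that make the resolver answer
    NXDOMAIN for each host and all of its subdomains."""
    return [rec for h in hosts for rec in (f"{h} CNAME .", f"*.{h} CNAME .")]

def ids_rules(hosts, base_sid=9000000):
    """Step 5 (IDS): one Suricata-style DNS query alert per host; sids are placeholders."""
    return [f'alert dns any any -> any any (msg:"Blocked domain lookup {h}"; '
            f'dns.query; content:"{h}"; nocase; sid:{base_sid + i}; rev:1;)'
            for i, h in enumerate(hosts)]

def historical_hits(hosts, log_lines):
    """Step 6 (historical records): (client, host) pairs for clients that already
    resolved a blocked host; step 7 hands these to the relevant detection playbook."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[4] in hosts:
            hits.append((parts[1], parts[4]))
    return hits
```

Running `historical_hits(hostnames(extract_urls(NOTIFICATION)), DNS_LOG)` on the constructed data returns the one client (10.0.0.15) that resolved both blocked hosts before the block was applied.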

12 Threat / Extortion / Blackmail

Step  Action                                          From  To
1     Notification
2     Determine severity
3     Check with externals for cases (real or hoax)
4     Escalate

