Incident Response Framework: Detection Phase

In this phase we will determine if an incident has place, triage it, and notify relevant stakeholders and analyze it.

To understand better we will use the OODA Loop:

 The OODA Loop in Incident Response:

The OODA Loop is a decision-making model created to help responders think clearly during the “fog of war”

• Observe:

• Identify the problem or threat and understand the internal and external environment.

• Avoid analysis paralysis during this phase,

Example: - "An alert in your SIEM has been created due to an employee clicking on a link in an email "

• Orient:

• Reflect on observations and plan subsequent actions.

Example: - "Identify the user’s permissions, any changes identified in the user’s system, and potential goals of attacker "

• Decide:

• Suggest an action plan considering potential outcomes.

Example: - "The user’s system was compromised, malware was installed by the attacker, and we should isolate the system "

• Act:

• Execute decisions and relevant changes, then observe for further indicators.

Example: - "The user’s system is isolated by an incident responder and then begin to observe again for additional indicators "

2. Defensive Capabilities:

Capabilities does your organization have (Question which you have to ask)

• Detect:

• Identify adversary presence and resources.

• Destroy:

• Render adversary resources permanently ineffective.

• Degrade:

• Temporarily reduce adversary capabilities or functionality.

• Disrupt:

• Interrupt adversary communications or confuse their efforts.

• Deny:

• Prevent adversaries from learning about capabilities or accessing assets.

• Deceive:

• Provide false information to distort adversary understanding.

You can create a chart for example

3. Detection and Analysis:

• Identify if an incident occurred, triage it, and inform stakeholders.

• Use SIEM as a central data repository for detection and analysis.

• Known Indicators of Compromise (IOCs) can trigger alerts and categorization

IOCs can be both technical and non-technical

▪ Anti-malware software

▪ NIDS/NIPS

▪ HIDS/HIPS

▪ System logs

▪ Network device logs

▪ SIEM data

▪ Flow control device

▪ Internal personnel

▪ External personnel

▪ Cyber-threat intelligence

Detected indicators must be analyzed and categorized as benign, suspicious, or malicious.

4. Impact Analysis:

• Examples of impacts: data integrity, unauthorized changes, data theft, service interruptions, and system downtime.

Triage and categorize incidents based on impact-based or taxonomy-based approaches.

• Impact-based Approach:

• Focuses on incident severity levels: emergency, significant, moderate, or low.

• Taxonomy-based Approach:

• Defines incident categories such as worm outbreak, phishing attempt, DDoS, external host/account compromise, or internal privilege abuse.

• Using an impact analysis to categorize incidents based on scope and cost.

2. Impact analysis can be done based different Classifications:

• Organizational Impact:

• Incidents affecting mission-critical functions, hindering the organization's normal operations.

• Localized Impact:

• Limited incidents affecting a single department, small user group, or a few systems.

• Warning: Localized impact doesn't inherently imply less importance or cost-effectiveness.

• Immediate Impact:

• Measures direct costs incurred due to incidents, such as downtime, asset damage, penalties, and fees.

• Total Impact:

• Measures both immediate and long-term costs post-incident, including damage to the company's reputation.

5. Incident Classification:

• Differentiate incidents based on data integrity, system process criticality, downtime, economic impact, data correlation, and recovery time.

• Emphasize the significance of understanding incident classification for effective response.

Remaining phases in next post:- Thank you for visiting

Akash Patel