Академический Документы
Профессиональный Документы
Культура Документы
COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
-1-
PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
What is an incident response playbook? According to NIST Special Publication 800-61, an incident response process contains four main phases: preparation,
detection and analysis, containment/eradication/reocvery, and post-incident activity. Descriptions for each are included below:
Root Access
You’ve selected the “Root Access” playbook. On the pages that follow, you will find your incident response
playbook details broken down by the NIST incident handling categories.
-2-
PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
P R E PA R E - R O O T A C C E S S
Determine Core
Ops Team Vulnerability Threat Risk
& Define Roles Manager Manager Manager
Review &
Maintain
Timeline
Next
Step
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
DETECT - ROOT ACCESS
Suspicious network
traffic being initiated
User is unable to log
into account
Standard
from the internal network Define
Threat
Indicators
Custom Custom Indicators
Categorize
Incident
Unexplained Unexplained
Unexplained emails modifications or
modifications to system
from user accounts settings destruction of user files
Request Packet
Capture
Notification from
Alerting from Firewall
Unauthorized creation outside organizations
and Intrusion Detection
of new user accounts systems
(ISP, business partners,
3rd Party)
Next
Step
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
A N A LY Z E - R O O T A C C E S S
Prev
Step
Ability to control/
Products/goods record/measure/track
/services are affected by any significant amounts Standard Define Risk
Factors
Custom Custom Factors
this compromise of inventory/products/
cash/revenue has been lost
Data Capture
Analysis
Next
Step
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
C O N TA I N - R O O T A C C E S S
Identify systems to be
taken off line due to
compromise
Identify system(s)
locked out due to
repeated login attempts
Incident Threat
Database Database
Identify IT services
impacted
Next
Step
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
E R A D I C AT E - R O O T A C C E S S
Prev
Step
Direct Conference
Phone Call Call
In-Person Intranet
Meeting Meeting Communications
Mobile Internet
Messaging Meeting
Next
Step
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
RECOVER - ROOT ACCESS
Prev
Step
Determine alternate
network ingress &
Recover Systems Reimage IDS/IPS &
Firewall Updates egress solutions if
malware causes DoS
Next
Step
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
POST-INCIDENT - ROOT ACCESS
Prev
Step
Sensitive
Electronic Personal
Incident Review Health Information
Government
Information
(ePHI) Compromised?
Compromised?
Response Workflow
Updated
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
Effective Remediation
Organization and automation are key benefits that result in effective remediation. Automated playbooks help to Risk Management Benefits
organize security processes, mitigation plans and smooth communication between multiple departments. By • Communicate effectively to ensure risk
optimizing data collection, analysis, and communications you improve the odds for effective eradication, recovery mitigation methods are applied
with integrity and forensic-quality reporting. • Prioritize resources and activities where
they matter most
• Report and tune based on response
Action Plan learning, reducing risk moving forward
Having a view into what is possible is the first step in taking action. The next step is to bring your team together to
drive it toward reality. Email this guide to your peers and managers to begin sharing your playbook with them. Useful Links:
NIST Risk Management Framework Guide
With this playbook, you will be better prepared to handle the response. To help with the management and automation
Sample Policies and Plans
of this incident response playbook, consider working with CyberSponse and their partners. Come take a look at what
they do.
- 10 -
PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com