## Week 16: Incident Response


An incident (the NIST SP 800-61 definition) is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.



### The Stages of Incident Response (IR Lifecycle)
This is a continuous loop, not a linear process.
1. Preparation
    - Goal: To establish the necessary tools, policies, and training before an incident occurs.
    
    Key Activities:
    - Developing clear IR Policies and Procedures.
    - Building the Incident Response Team (IRT) and defining roles/responsibilities.
    - Training and conducting drills (e.g., tabletop exercises).
    - Ensuring systems have proper logging, monitoring, and backups.
    - Maintaining current contact lists (internal and external).


2. Detection & Analysis
    - Goal: To determine if an incident has occurred and, if so, its scope, nature, and severity.
    
    Key Activities:
    - Monitoring/Alerting: Reviewing logs, SIEM alerts, and IDS/IPS detections.
    - Validation: Confirming that an alert is a genuine incident, not a false positive.
    - Triage: Prioritizing incidents based on business impact and severity.
    - Documentation: Recording initial observations, timelines, and impact assessments.


3. Containment
    - Goal: To limit the scope and magnitude of the incident and prevent further damage.

    Key Activities (in order of priority):
    - Short-Term Containment: Isolating the affected systems at the network layer (e.g., firewall rule, VLAN move, network segmentation). Prefer network isolation over powering off: a running but isolated host keeps its memory, processes, and connection state available for acquisition, while a shutdown destroys them.
    - System Acquisition (Forensics): Creating forensic images of compromised systems for evidence. Capture volatile data (memory, network connections, logged-in users) first, then disk, and hash every image as it is taken.
    - Long-Term Containment: Implementing temporary fixes or patches to allow business continuity while planning eradication.


4. Eradication & Recovery
    - Goal: To remove the threat and restore systems to a secure, pre-incident state.

    Key Activities:
    - Eradication: Removing all traces of the attacker, malware, backdoors, and malicious user accounts. This requires root-cause analysis (what was the initial vulnerability?).
    - Validation: Ensuring the threat is fully gone before recovery.
    - Recovery: Restoring systems from clean backups verified to predate the compromise, rebuilding infected systems from trusted images rather than patching them in place, and ensuring all services are functional and monitored.


5. Post-Incident Activity (Lessons Learned)
    - Goal: To use the incident as a learning opportunity to improve future security and response.
    
    Key Activities:
    - Lessons Learned Meeting: Reviewing the entire process—what worked, what failed, and what can be improved.
    - Incident Report: Creating a final, detailed report on the incident, costs, and findings.
    - Policy/Control Updates: Implementing new security controls, updating policies, and re-training staff based on the report.

For incident response, the goal is to master the lifecycle—the structured, repeatable process that guides all actions during and after a breach.

The IR Lifecycle (The 5 Stages)
|Stage|Goal|Key Activity to Understand|
|:--|:--|:--|
|1. Preparation|To be ready before an event.|Establishing the IR Team, Policies, and Logging/Monitoring infrastructure.|
|2. Detection & Analysis|To confirm a breach and assess its scope.|Validating alerts (was it a real breach or a false alarm?) and determining the initial root cause and impact.|
|3. Containment|To stop the bleeding and prevent further damage.|Isolation (segmenting the network) and Forensic Imaging (preserving evidence) are crucial actions.|
|4. Eradication & Recovery|To remove the threat and restore systems securely.|Removing the root cause (vulnerability) and ensuring systems are rebuilt from trusted sources (not just patched).|
|5. Post-Incident Activity|To learn and improve.|Holding a Lessons Learned Meeting and updating policies/controls to prevent recurrence.|


![alt text](image.png)




#### Key Principles in IR
- Chain of Custody: A documented record of every piece of evidence from acquisition onward: who collected it, when and how, who has held it since, and what was done to it, with hashes proving it is unchanged. Without this record the evidence may be inadmissible in legal action.
- Root Cause vs. Symptom: A key goal of Eradication is not just deleting malware (the symptom) but fixing the vulnerability (the root cause) that allowed the attacker in.
- Prioritization (Triage): Incidents must be prioritized based on severity (impact on the business) and scope (how many systems are affected).

---

### Server Breach Summary

Goal: Outline the structured steps an Incident Response Team (IRT) would take immediately after a high-severity alert indicates a breach.

|IR Phase|Action Steps|Rationale|
|:--|:--|:--|
|Detection & Analysis|1. Validate the Alert: Confirm the suspicious activity is genuine, not a false positive, by reviewing logs and configuration changes.|Avoid wasting resources on non-existent threats.|
||2. Determine Scope: Identify all affected systems, user accounts, and the initial point of compromise (the entry vector).|Understand the extent of the infection for effective containment.|
||3. Preserve Evidence: Take a forensic image of the compromised host, memory first (it is lost on reboot, and active network connections vanish once the host is isolated), then disk. Hash the images and start the chain-of-custody record.|Imaging reads the evidence without altering the copy (the acquisition tool itself leaves a small footprint in live memory, which should be documented) and preserves the state for later, in-depth analysis.|
|Containment|4. Isolate the Host: Immediately disconnect or segment the affected server from the rest of the production network.|Stops the attacker from moving laterally (lateral movement) or exfiltrating data.|
||5. Revoke Access: Immediately reset or revoke all credentials (passwords, API keys, SSH keys, session tokens) that were used or potentially compromised on the isolated host, on every system where they are valid and not only on the isolated one.|Removes the attacker's credential-based access. Backdoors and other persistence mechanisms remain and are dealt with in Eradication.|
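Steps 1 and 2 of the table (validate the alert, determine scope) as working code. This is an added example written for these notes, not code from the page or from any SIEM product: it runs over constructed auth.log-style lines, a hypothetical alert source `ALERT_SOURCE`, a hypothetical host inventory `HOST_IPS`, and an arbitrary three-failures-in-ten-minutes rule.

```python
"""Validate an alert and determine its scope from log lines.

Added example for these notes; not code from the page or from any SIEM.
Assumptions: SAMPLE_LOG is constructed in Linux auth.log style, ALERT_SOURCE is
the hypothetical IP named in the alert, HOST_IPS is a hypothetical inventory,
and the 3-failures-in-10-minutes threshold is an arbitrary choice.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 02:14:03 web01 sshd[4412]: Failed password for root from 203.0.113.7 port 51013 ssh2
Mar  3 02:14:05 web01 sshd[4413]: Failed password for deploy from 203.0.113.7 port 51014 ssh2
Mar  3 02:14:09 web01 sshd[4414]: Failed password for deploy from 203.0.113.7 port 51015 ssh2
Mar  3 02:14:12 web01 sshd[4415]: Accepted password for deploy from 203.0.113.7 port 51016 ssh2
Mar  3 02:15:40 db01 sshd[9001]: Accepted publickey for deploy from 10.0.1.20 port 40000 ssh2
Mar  3 02:16:02 web01 sshd[4420]: Accepted publickey for alice from 10.0.1.5 port 50001 ssh2
Mar  3 03:30:00 web01 sshd[4430]: Failed password for bob from 198.51.100.9 port 2222 ssh2
"""
ALERT_SOURCE = "203.0.113.7"                            # hypothetical: taken from the SIEM alert
HOST_IPS = {"web01": "10.0.1.20", "db01": "10.0.1.30"}  # hypothetical inventory

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_events(text, year=2024):
    """Parse auth-log lines into dicts, oldest first; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            stamp = " ".join(ev["ts"].split())          # collapse the double space in "Mar  3"
            ev["ts"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def validate_alert(events, src, min_failures=3, window=timedelta(minutes=10)):
    """Step 1, validate: the alert is genuine only if at least min_failures failed
    logins from src are followed by an Accepted login from src inside the window."""
    failures = []
    for ev in events:
        if ev["src"] != src:
            continue
        if ev["result"] == "Failed":
            failures.append(ev["ts"])
            continue
        recent = [t for t in failures if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            return {"confirmed": True, "first_success": ev, "failures_before": len(recent)}
    return {"confirmed": False, "first_success": None, "failures_before": len(failures)}


def determine_scope(events, first_success, host_ips):
    """Step 2, scope: start at the entry point and follow later successful logins that
    originate from the attacker's IP or from a host already marked compromised.
    This over-approximates on purpose: every login from a compromised host is in
    scope until an analyst proves otherwise."""
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    hosts, accounts = {first_success["host"]}, {first_success["user"]}
    later = [e for e in events if e["result"] == "Accepted" and e["ts"] >= first_success["ts"]]
    changed = True
    while changed:                         # iterate to a fixed point over the login graph
        changed = False
        for ev in later:
            from_attacker = ev["src"] == first_success["src"]
            from_owned_host = ip_to_host.get(ev["src"]) in hosts
            is_new = ev["host"] not in hosts or ev["user"] not in accounts
            if (from_attacker or from_owned_host) and is_new:
                hosts.add(ev["host"])
                accounts.add(ev["user"])
                changed = True
    fs = first_success
    return {
        "entry_vector": f"{fs['method']} login as {fs['user']} on {fs['host']} from {fs['src']}",
        "hosts": sorted(hosts),
        "accounts": sorted(accounts),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    verdict = validate_alert(evs, ALERT_SOURCE)
    print("alert confirmed:", verdict["confirmed"], "after", verdict["failures_before"], "failures")
    if verdict["confirmed"]:
        print(determine_scope(evs, verdict["first_success"], HOST_IPS))
```

On the constructed data the alert is confirmed (four failures, then a password login as `deploy`), and the scope walk pulls in `db01` because `deploy` logged into it from `web01`'s address a minute later, while `alice`'s unrelated login is left out. The lone failure from `198.51.100.9` does not confirm anything, which is the false-positive case step 1 exists to filter.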

### Eradication & Recovery

Goal: Research a real-world incident and summarize the two key cleanup phases. (You will need to quickly research a well-known incident, like Colonial Pipeline or a major data breach, for the most relevant details.)

|IR Phase|Focus Points|Example/Detail|
|:--|:--|:--|
|Eradication (Removing the Cause)|Identify and Fix the Root Cause: The primary goal is to find the initial vulnerability that allowed the breach and remove it permanently.|Example: If the cause was an unpatched VPN, all similar systems are patched immediately. All attacker-left malware, backdoors, and persistence mechanisms are deleted.|
||Sanitation: All compromised components and user accounts must be thoroughly cleaned or rebuilt.|If a configuration file was altered, it must be restored to a known-good state.|
|Recovery (Restoring Normal Operations)|Validate and Restore: Systems are brought back online only after they are confirmed to be clean.|Critical services are restored from clean, verified backups taken before the breach occurred.|
||Monitoring & Hardening: Enforce stricter security controls.|Implement mandatory Multi-Factor Authentication (MFA) across the board. Monitor the restored systems intensely to ensure the attacker is truly gone.|
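One piece of code for two points on this page: the Chain of Custody principle listed under Key Principles, and the Recovery row's rule that systems come back only after they are confirmed clean. This is an added example, not code from the page or from any forensic suite. The files, people and JSON field names are constructed for the demo; the mechanism is SHA-256 over each file plus a hash-chained custody log, and the same file check serves both for proving an evidence copy is unchanged and for comparing a rebuilt host against its known-good baseline.

```python
"""Integrity manifest: seal acquired evidence under chain of custody and, with the
same check, confirm a rebuilt host matches its known-good baseline.

Added example for these notes, not code from the page or any forensic suite.
Assumptions: files live in a temporary directory built by demo(); the names of
people and JSON fields are this example's own; timestamps come from the clock.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = sha256_file(full)
    return files


def _digest(prev, body):
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()


def add_custody_event(manifest, event, from_person, to_person):
    """Append a custody record chained by hash to the previous one, so no record
    can later be edited or dropped without invalidating every record after it."""
    prev = manifest["custody"][-1]["digest"] if manifest["custody"] else ""
    body = {"event": event, "from": from_person, "to": to_person,
            "at": datetime.now(timezone.utc).isoformat()}
    manifest["custody"].append({**body, "digest": _digest(prev, body)})


def new_manifest(files, collector, note):
    """Manifest from an existing path->hash map; opens the log with an 'acquired' event."""
    manifest = {"note": note, "files": files, "custody": []}
    add_custody_event(manifest, "acquired", collector, collector)
    return manifest


def build_manifest(root, collector, note):
    """Hash a directory of acquired evidence (or a clean build) and open its custody log."""
    return new_manifest(hash_tree(root), collector, note)


def verify_custody(manifest):
    """Recompute the chain; False if any custody record was altered or removed."""
    prev = ""
    for entry in manifest["custody"]:
        body = {k: v for k, v in entry.items() if k != "digest"}
        if entry["digest"] != _digest(prev, body):
            return False
        prev = entry["digest"]
    return True


def verify_files(manifest, root):
    """Diff disk against the manifest. Proves an evidence copy is unchanged, or that a
    restored system still matches the known-good baseline it was rebuilt from."""
    current, expected = hash_tree(root), manifest["files"]
    modified = sorted(p for p in expected if p in current and current[p] != expected[p])
    missing = sorted(p for p in expected if p not in current)
    unexpected = sorted(p for p in current if p not in expected)
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: seal two files, hand them over, then catch a changed
    config. Returns (intact_result, drifted_result, custody_chain_ok)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "auth.log"), "wb") as f:
            f.write(b"Mar  3 02:14:12 web01 sshd[4415]: Accepted password for deploy from 203.0.113.7\n")
        with open(os.path.join(root, "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin no\nPasswordAuthentication no\n")
        manifest = build_manifest(root, "analyst-1", "web01 evidence copy (constructed)")
        add_custody_event(manifest, "transferred", "analyst-1", "analyst-2")
        intact = verify_files(manifest, root)
        with open(os.path.join(root, "sshd_config"), "wb") as f:   # config drift / tampering
            f.write(b"PermitRootLogin yes\nPasswordAuthentication yes\n")
        return intact, verify_files(manifest, root), verify_custody(manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is plain JSON, so it can be printed, signed and stored alongside the evidence; the hash chain over the custody log is what makes a later edit to "who held it when" detectable. For recovery, build the manifest from the trusted image before the host goes live and run `verify_files` against it afterwards: any `modified` or `unexpected` entry is a reason to keep the host offline.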

---

### Reflection

How can a sequence model help automate an incident response plan by identifying malicious command patterns?

|Section|Explanation|
|:--|:--|
|The Problem|Traditional security tools often flag suspicious commands based on single events. This creates a high volume of false positives that overwhelm security analysts, slowing down the Incident Response (IR) process.|
|The LSTM Solution|An LSTM is a sequence model: it scores a window of events in context instead of scoring each event on its own, so it can support the Detection & Analysis phase by recognizing a pattern that unfolds over time.|
|Mechanism|Trained on benign traces, it learns that `open` → `read` → `close` is normal but flags `open` → `write` → `fork` → `execve` (accessing a file, modifying it, then spawning a process to execute something), even though each individual syscall is ordinary.|
|IR Impact|A high-confidence signal that a known malicious sequence is occurring cuts triage time: the analyst validates one scored sequence instead of a pile of single-event alerts, so confirmed cases move into the Containment phase sooner, reducing the attacker's dwell time and the overall impact. The score is still an alert to be validated, not a replacement for the Detection & Analysis checks above, and an attacker who knows the model can pad a malicious sequence with benign steps to lower its score.|
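The detection idea from the reflection, as an added example that is not code from the page. It uses a bigram/trigram transition model in place of an LSTM, which is enough to show the point: every syscall in the suspect trace has been seen in benign data, only the transition `write` → `fork` has not. The traces are constructed, the benign set is deliberately tiny, and the "escalate" threshold is an arbitrary choice.

```python
"""Sequence-aware detection of syscall traces.

Added example for these notes, not code from the page. An n-gram transition model
stands in for the LSTM: much simpler, but it makes the same point, that the alert
is raised on the order of events rather than on any single event. All traces below
are constructed; the decision rule (any unseen window => escalate) is arbitrary.
"""
from collections import Counter

# Constructed benign traces used as training data (not real telemetry).
BENIGN_TRACES = [
    ["open", "read", "close"],
    ["open", "read", "read", "close"],
    ["open", "write", "close"],
    ["fork", "execve", "exit"],                        # a shell launching a program
    ["open", "read", "close", "fork", "execve", "exit"],
]
# The pattern from the reflection: modify a file, then immediately execute something.
SUSPECT_TRACE = ["open", "write", "fork", "execve"]
# Same goal with a benign step inserted; shows the model's blind spot (mimicry).
MIMICRY_TRACE = ["open", "write", "close", "fork", "execve"]


class SequenceModel:
    """Learns which length-n windows of events occur in benign traces."""

    def __init__(self, n=2):
        self.n = n
        self.vocab = set()
        self.seen = Counter()

    def fit(self, traces):
        for trace in traces:
            self.vocab.update(trace)
            for gram in self._grams(trace):
                self.seen[gram] += 1
        return self

    def _grams(self, trace):
        return [tuple(trace[i:i + self.n]) for i in range(len(trace) - self.n + 1)]

    def unknown_events(self, trace):
        """Single-event view: which events were never seen at all?"""
        return [e for e in trace if e not in self.vocab]

    def unseen_transitions(self, trace):
        """Sequence view: which windows never occurred in benign data?"""
        return [g for g in self._grams(trace) if g not in self.seen]

    def triage(self, trace):
        """Score = fraction of windows never seen; any unseen window escalates."""
        unseen = self.unseen_transitions(trace)
        score = len(unseen) / max(len(self._grams(trace)), 1)
        return {"score": round(score, 3), "unseen": unseen,
                "decision": "escalate to containment" if unseen else "benign"}


if __name__ == "__main__":
    model = SequenceModel(n=2).fit(BENIGN_TRACES)
    print("unknown events:", model.unknown_events(SUSPECT_TRACE))   # every syscall is ordinary
    print(model.triage(SUSPECT_TRACE))                              # but write -> fork is not
    print(model.triage(MIMICRY_TRACE))                              # padded version slips through
```

The single-event check returns nothing for the suspect trace, the bigram check flags exactly `write` → `fork`, and the trigram model flags both windows that contain the write-then-spawn step. `MIMICRY_TRACE` is the caveat from the table: inserting one benign `close` makes every bigram one the model has seen, so it scores as benign. Longer windows, or a model that keeps longer-range state such as an LSTM, raise the cost of that padding but do not remove the need to validate the score.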