
Abstract

Incident response is a critical component of security operations. When events are escalated to incident status, the team needs to act as quickly as possible without jeopardizing the quality of the response. The details of building and maintaining a program are covered in Cybersecurity Incident Response, so an in-depth discussion will not take place here. What this chapter focuses on are the processes the security operations team or program should conduct to understand the incident and prepare for engaging forensic specialists if necessary. The starting point will vary based on how the event is detected. If an endpoint is acting suspiciously, then the analysis starts there. If an alert is generated by an IDS or some other network monitoring tool, then the analysis starts with network artifacts. What the security operations team wants to understand is which endpoints are affected and what the characteristics of the infection are. It also wants to understand where the suspect malware came from. This necessitates investigating logs and packets from the network, logs from the endpoint, the endpoint's network connections and running services, and, if the endpoint is still powered on, collecting its memory. The ability to pull memory from a suspect endpoint and save it for later analysis is an intermediate skill that can be learned with practice. Some argue that capturing memory can corrupt some of the data because the capture process itself causes some of the memory to be lost. In the end, having this data for later analysis outweighs this risk, as it holds the details of the infection. Sophisticated infections are easier to understand with these artifacts, and law enforcement or forensic experts will appreciate the availability of this evidence. Analyzing and investigating endpoints may not fall into the traditional role of a SOC, but most healthcare organizations, again, have small staffs. If a separate SOC is not practical, unless outsourced to a managed service provider, a separate incident response team also will not exist. Having the capabilities outlined in this chapter speeds up investigation and leaves experts to conduct deeper and more complex investigative processes rather than rudimentary collection.


Notes

  1. Eric Thompson, Cybersecurity Incident Response (Apress, 2018); www.apress.com/us/book/9781484238691
  2. Eric Thompson, Cybersecurity Incident Response (Apress, 2018); www.apress.com/us/book/9781484238691
  3. https://ja3er.com/form
  4. https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
  5. www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html
  6. www.virustotal.com
  7. https://github.com/screetsec/TheFatRat
  8. https://github.com/Screetsec/TheFatRat
  9. www.opinionatedgeek.com/codecs/base64decoder
  10. www.offensive-security.com/metasploit-unleashed/backdooring-exe-files/
  11. https://accessdata.com/products-services/forensic-toolkit-ftk
  12. https://github.com/volatilityfoundation/volatility


Copyright information

© 2020 Eric C. Thompson


Cite this chapter

Thompson, E.C. (2020). Incident Response. In: Designing a HIPAA-Compliant Security Operations Center. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-5608-4_6
