The Incident Handling Life Cycle & The Cyber Kill Chain


Throughout the cybersecurity industry, there are many frameworks and concepts that one should understand to be successful and to have an impact on an organization. Two of these are the Incident Handling Life Cycle and the Cyber Kill Chain. The Incident Handling Life Cycle is a small part of a larger framework published by NIST, the National Institute of Standards and Technology. The Cyber Kill Chain was developed by Lockheed Martin and derived from a military model used to identify a target, prepare to attack it, engage it, and destroy it.

In this post, I want to break down the different stages of both of these concepts and explain how they can be useful in the hands of a security analyst or a SOC analyst. Let’s start with the Incident Handling Life Cycle.

The Incident Handling Life Cycle


Incident Handlers/SOC analysts aim to know attackers’ tactics, techniques, and procedures (TTPs). By understanding attackers’ TTPs, they can stop, defend against, and prevent attacks more effectively. The Incident Handling process is something every Incident Handler/SOC analyst should be aware of and know how to work through. It is divided into four phases:

1. Preparation
   a. The preparation phase covers the overall readiness of an organization’s security posture against an attack. This includes documenting requirements, defining policies, incorporating security controls such as EDR, SIEM, IDS and IPS, and training staff.

2. Detection and Analysis
   a. The detection phase covers everything involved in detecting an incident and analyzing it. It includes receiving alerts from the security controls implemented in phase 1, such as SIEM and EDR, and investigating each alert to find its root cause. This phase can also include hunting for unknown threats within the organization.

3. Containment, Eradication, and Recovery
   a. This phase is what keeps an incident from spreading and secures the network. It involves all the steps an organization takes to stop an attack from spreading across the network: isolating the infected host, clearing any traces of the infection from the network, and regaining control from the attacker.

4. Post-Incident Activity / Lessons Learned
   a. This is probably the most crucial phase of the Incident Handling process. Here the organization identifies the gaps in its security posture that led to the intrusion and closes them so that the same attack cannot happen again. As the saying goes, you must learn from your mistakes.
   b. The steps in this phase typically involve:
      i. Identifying the weaknesses that led to the attack
      ii. Adding detection rules so that similar breaches do not happen again
      iii. Most importantly, ensuring that staff are adequately trained moving forward
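The Detection and Analysis phase and the "adding detection rules" step of Lessons Learned are where an analyst turns an incident into something a SIEM can catch next time. The following is an added example, not code from the original post: a small detection rule of the kind an analyst might write after a credential-guessing incident. It runs over a handful of constructed, sshd-style authentication log lines (the format, hostnames and addresses are assumptions made for the example) and raises an alert when several failed logins from one source are followed by a successful login from that same source within a short window, attaching the evidence needed for root-cause analysis.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not taken from any real system).
SAMPLE_LOGS = """\
2024-03-01T09:00:01 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:06 host1 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:09 host1 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00 host1 sshd: Failed password for alice from 198.51.100.4
2024-03-01T09:20:00 host1 sshd: Accepted password for alice from 198.51.100.4
2024-03-01T10:00:00 host2 sshd: Accepted publickey for bob from 192.0.2.10
"""

# Assumed line layout: "<iso timestamp> <host> sshd: <Failed|Accepted> <method> for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw log text into a list of event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not match are skipped; a real pipeline would count them
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=2)):
    """Alert when at least `threshold` failed logins from one source address are
    followed by a successful login from that source within `window`.
    Returns a list of alert dicts carrying the evidence an analyst needs."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = []
        for e in evs:
            if e["result"] == "Failed":
                failures.append(e)
                continue
            # A success: keep only the failures that fall inside the window before it.
            recent = [f for f in failures if e["ts"] - f["ts"] <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "src": src,
                    "host": e["host"],
                    "user": e["user"],
                    "failures": len(recent),
                    "users_tried": sorted({f["user"] for f in recent}),
                    "first_seen": recent[0]["ts"].isoformat(),
                    "success_at": e["ts"].isoformat(),
                })
            failures = []  # a success closes the current run of failures
    return alerts


def run():
    """Parse the constructed sample and return the alerts the rule produces."""
    return detect_bruteforce_then_success(parse_events(SAMPLE_LOGS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample above only 203.0.113.7 trips the rule: four failures against two accounts within a few seconds, then a successful login as admin. The single failure from 198.51.100.4 is followed by a success fifteen minutes later, well outside the window, so it produces no alert, which is the kind of threshold-and-window tuning an analyst revisits after each incident to keep false positives down.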


Cyber Kill Chain

Understanding and following these four phases is what makes a great Incident Handler/SOC analyst. They help organizations stop, defend against, and prevent attacks on their network and infrastructure. Alongside the four phases of the Incident Handling process, it is essential for security analysts to know the Cyber Kill Chain.

The cyber kill chain is a series of steps that trace the stages of a cyberattack. It is important to know that the cyber kill chain does not have to be followed in sequence: a finding in one phase often leads to another discovery that maps to a different stage.

The cyber kill chain, also known as the cyberattack lifecycle, is a model developed by Lockheed Martin that describes the phases of a targeted cyberattack. It is designed to break down each stage of a malware attack and where defenders can identify and stop it. It includes seven stages:


1. Reconnaissance
   a. The attacker collects data about the target and the tactics for the attack. This may include harvesting email addresses and gathering other information.

2. Weaponization
   a. Attackers develop malware that leverages security vulnerabilities. This step also involves the attacker trying to reduce the chances of being detected by the organization’s security solutions.

3. Delivery
   a. The attacker delivers the weaponized malware via a phishing email or some other means. The most common delivery vectors for weaponized payloads include:
      i. Websites
      ii. Removable disks
      iii. Emails
   b. This is the most crucial stage at which security teams can stop the attack.

4. Exploitation
   a. The malicious code or malware is executed on the organization’s system. The organization is breached here, and the attacker has the chance to exploit the organization’s systems by installing tools, running scripts, and modifying security certificates.

5. Installation
   a. The malware the attacker developed installs a backdoor or remote access trojan. This backdoor gives the attacker a way to revisit the organization in the future.
   b. This is another critical stage where the attack can be stopped, using systems such as HIPS (Host-based Intrusion Prevention Systems).

6. Command & Control
   a. The installed malware opens a channel back to the attacker, who uses it to remotely control the compromised system and issue commands to it.

7. Actions on Objectives
   a. The attacker finally extracts data from the system. The objective involves gathering, encrypting, and exfiltrating confidential information from the organization’s environment.
   b. Based on these stages, the following layers of control can be applied:
      i. Detect: Determine attempts to penetrate the organization
      ii. Deny: Stop attacks while they are happening
      iii. Disrupt: Interrupt the attacker’s data communication and stop it
      iv. Degrade: Limit the effectiveness of an attack to minimize its ill effects
      v. Deceive: Mislead the attacker by providing misinformation or misdirecting them
      vi. Contain: Limit the scope of the attack so that it is restricted to only part of the organization

Conclusion:

The incident handling life cycle and the cyber kill chain are two crucial frameworks that have become essential to the cybersecurity industry. Security analysts and SOC analysts can use them to understand cyber-attacks and be better prepared for them. NIST states that not every attack can be prevented, so it is best to be prepared, and understanding these two frameworks is a great way to lay the groundwork for that preparation.

After writing this post and understanding the stages of both the cyber kill chain and the incident handling life cycle, I believe that I will be able to use this knowledge once I land a cybersecurity position.