Preparation in Incident Handling.

The goal of the preparation phase is to get ready to handle incidents.

Security professionals spend most of their time in the preparation and identification phases of the incident handling process. This post covers the people, policy, data, software, communications, supplies, environment, and documentation aspects of the preparation phase.

People

People are the most overlooked aspect of security, and attackers know this and target your people. Attackers use anything from social engineering to phishing campaigns, and training can be a big help in preventing these types of attacks. Annual training tends to be ineffective: while it may be common sense not to click the link in the email or give out sensitive information over the phone, we all tend to want or need to help people, and attackers use that against us. Imagine getting a call from someone with a baby crying in the background, who says their significant other has asked them to call and update the billing or personal information on the account. They give you a valid email address and phone number, or even call from the phone number on the account, and they seem to be who they say they are. You should not change these details without a second factor, such as a code sent by text message, but because the call came from the number on file and the caller knew some details of the account, you make the changes so they can get on with their lives and attend to the baby. The call was spoofed, the baby was a YouTube video, and you are now a victim of social engineering. While this sounds silly, it happens more often than you would believe. At a minimum, your organization should undergo quarterly training and testing: call your employees with social engineering pretexts or run a phishing campaign against them. Tools like sptoolkit and PhishMe are excellent ways to create phishing campaigns with the ability to track the results. Find more information at SANS Securing the Human.

Policy

Your organization should establish policy and warning banners. Having these in place supports your monitoring activities and backs you up in a court case. If you are in Europe, or in a country with similar rules on data monitoring, consult local legal counsel before monitoring: European data protection law places strict limits on what employee and user data you may monitor and how. Have a legal team review the banner and approve it in writing.

Your banner must advise users of the following:

  • Access to the system is limited to company-authorized activity.
  • Any unauthorized access, use, or modification, or any attempt at it, is prohibited.
  • Unauthorized users may face criminal or civil penalties.
  • Use of the system may be monitored and recorded.
  • If monitoring reveals possible evidence of criminal activity, the company may provide the records to law enforcement.

When to involve law enforcement

Most organizations maintain secrecy until they are required to notify law enforcement; however, that's not always the best policy. There are times when you must notify law enforcement, times when you must inform the public, and times when you have the option.

Reasons you must notify law enforcement

  • Threat to public health or safety
  • Substantial impact on third-party contracts
  • Legal requirements based on industry
    • FDIC, OCC, or the Federal Reserve for financial companies

You need to notify the public of breaches involving PII or PHI:

  • Over 45 states have breach disclosure legislation.
  • Even if you don't operate in a state that enforces such a law, if you have a customer who resides in a state that does, you must notify them of a breach.
  • The US Federal Government and other countries are working on similar legislation.

Optional Reasons

  • Beneficial to the criminal discovery process
  • To be a good corporate citizen

Reasons not to involve law enforcement

Some organizations want to resume business as quickly as possible after an incident, and involving law enforcement can work against that. Law enforcement may ask you to leave the compromised system up and let the intrusion continue so they can gather more evidence, or they may seize equipment that is crucial to the business. For more information on working with law enforcement, see SANS's Interfacing with the Law FAQ.

Outside Policy

Your organization should establish a policy for notifying outsiders and for dealing with incidents involving remote computers belonging to business partners, employees, contractors, and other non-full-time staff. These policies are essential in the event that a device belonging to an employee who works from home is compromised and contains business data. Think about how you will back up the data on a compromised system and how you will resolve the issue, bearing in mind that the employee may have sensitive personal data on it, such as photos or tax records. You should also have a VPN usage policy that includes a banner notifying the employee that systems connected to the VPN service are subject to remote search.

Documentation

Even a mild security incident is stressful, and stress leads to mistakes. Practice communicating and taking notes under stress. When you test your organization, don't always tell your SOC analysts it's a test; this is an excellent way to evaluate their performance during the exercise, and it leads to better communication and documentation during a real incident. Documenting events during a security incident is vital for incident handlers. Slow down and take notes on everything; even write yourself a reminder that you are moving too fast to take notes. That reminder will make you slow down and start documenting what is taking place. Handwritten notes are best in most cases: they are hard copies, they are convenient, and handlers can create digital copies later. Handwritten notes hold up well in court, and an attacker on your network cannot steal or destroy them. Remember: if you are going too fast to take notes, you're going too fast.

Tips for great documentation

  • Use a bound notebook with numbered pages
  • Answer the who, what, when, where, why, and how
  • Record all of your actions
  • Date and timestamp each entry
  • A small audio recorder or camera can be used to your advantage
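The notebook tips above translate directly into how digital notes should be kept once the handwritten ones are typed up. The following is an added example, not code from the original post: a small append-only incident log in which every entry carries a UTC timestamp, the who/what/where/why/how fields, a sequence number, and the SHA-256 of the previous entry, so that an altered or removed entry breaks the chain in the same way a torn page is obvious in a bound, numbered notebook. The entry text, timestamps, and file name in the demo are constructed samples.

```python
"""Tamper-evident incident notebook: append-only, hash-chained JSON lines.

Added example (not part of the original post). Field names, the file name used by
demo(), and the sample entries are assumptions made for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor: the "previous hash" of the very first entry


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the hash does not depend on key order
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def add_entry(log: List[dict], who: str, what: str, where: str, why: str, how: str,
              when: Optional[datetime] = None) -> dict:
    """Append one timestamped entry that is linked to the hash of the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    stamp = (when or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
    body = {"seq": len(log) + 1, "when": stamp, "who": who, "what": what,
            "where": where, "why": why, "how": how, "prev": prev}
    entry = dict(body, hash=_digest(body))
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Tuple[bool, int]:
    """Return (True, -1) if every entry links to its predecessor and hashes correctly,
    otherwise (False, index_of_first_bad_entry). Catches edits, deletions and reordering."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i + 1 or body.get("prev") != prev or _digest(body) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, -1


def write_jsonl(log: List[dict], path: str) -> None:
    """Persist the log one JSON object per line (append-only friendly)."""
    with open(path, "w", encoding="utf-8") as f:
        for entry in log:
            f.write(json.dumps(entry, sort_keys=True) + "\n")


def read_jsonl(path: str) -> List[dict]:
    with open(path, "r", encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def demo() -> dict:
    """Build a three-entry log from constructed notes, then show what the chain check
    reports for an intact log, an edited entry, a deleted entry, and a disk round-trip."""
    t0 = datetime(2024, 3, 1, 14, 5, tzinfo=timezone.utc)  # constructed timestamp
    log: List[dict] = []
    add_entry(log, "J. Handler", "Paged by SOC about outbound beaconing", "WEB01",
              "Alert from IDS", "Phone call from SOC lead", when=t0)
    add_entry(log, "J. Handler", "Captured volatile memory", "WEB01",
              "Preserve evidence before containment", "Remote acquisition agent", when=t0.replace(minute=22))
    add_entry(log, "J. Handler", "Isolated host at the switch", "WEB01",
              "Stop data exfiltration", "Port shut by network team", when=t0.replace(minute=40))

    intact = verify_chain(log)

    edited = [dict(e) for e in log]
    edited[1]["what"] = "Nothing unusual observed"          # someone rewrites history
    deleted = log[:1] + log[2:]                             # middle page torn out

    with tempfile.TemporaryDirectory() as tmp:              # round-trip through a file
        path = os.path.join(tmp, "incident-2024-03-01.jsonl")
        write_jsonl(log, path)
        persisted = verify_chain(read_jsonl(path))

    return {"intact": intact, "edited": edited and verify_chain(edited),
            "deleted": verify_chain(deleted), "persisted": persisted, "entries": len(log)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain only proves that the file you hold is the same sequence that was written; it does not stop someone with write access from regenerating the whole chain. For that, copy the last hash into the paper notebook (or email it to a colleague) at the end of each shift, which gives you an external anchor that a later rewrite cannot match.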

Environment & Communication

Communication and a healthy environment are critical in any department of an organization, and security is no different. If we as security professionals do not invest in our relationships with managers and directors, the only time incident handling gets appreciated is when an incident scares management and the team happens to handle it well. Getting and keeping the support of management and system administrators is an uphill battle in most cases, but here are some tips to improve communication with them. At a minimum, develop monthly, quarterly, and yearly reports with clear, colorful graphics. Management loves colorful, easy-to-follow, statistical reports. Managers generally pass these on to directors, who only care about the numbers and the highlights, so don't overcomplicate the story with technical details. If you have a quiet month, focus your report on recent events in the security industry and on how your team is working to prevent similar threats from affecting your company. You want to sell your team in a way that gains the support of your executive leaders. Selling the team well can increase funding and awareness of security threats and of your efforts to protect the company, and who knows, you may even become the department of the month.

Building a team

Hand-selecting a team of individuals is the best approach here. Don't let other managers, employees, or other factors influence your decision about who is the best fit for your team. Raw technical skill alone is not always the best determining factor. I would suggest building a core team of individuals with the technical skills needed to be the first incident handlers, plus a larger group comprising different skill sets. Make sure to include subject matter experts in legal and public affairs. They may not be very technical, but they know their way around regulations, policies, and compliance.

Tips for a solid team

  • Security, both physical and computer
  • Highly technical individuals with experience in forensics and malware analysis
  • System administrators
  • Network management
  • Legal counsel
  • Human resources
  • Public relations
  • Disaster recovery professionals
  • Union representative, if you are a union shop

It's wise to keep a close relationship with the help desk, the network team, and the system administrators.

Software & Supplies

If you have ever attended a sporting event, you've probably noticed how many support personnel are standing by with supplies and tools to aid a player who gets injured during the game. In information security we practice the same concept, just with different tools and supplies. One highlight here is GRR Rapid Response, a free, open-source remote live forensics tool maintained by Google, with an agent that runs on Windows, Linux, and macOS. The software offers the following features.

GRR Features

  • Remote memory analysis
  • Python-based agent
  • Powerful, scalable backend
  • Detailed monitoring of clients
  • Pulls in-depth forensic artifacts from many systems at once
  • Asynchronous operation: work is queued on the server and picked up when clients check in, so hosts that are offline are handled when they reconnect

Aside from GRR, it's useful to keep binary images of your tools and forensic software on hand.

Useful tools

Forensic software

  • The Sleuth Kit (free)
  • Autopsy (free)
  • EnCase (Guidance Software, commercial)
  • Forensic Toolkit, FTK (AccessData, commercial)

Keep your tools as known-good binaries on write-protected USB media or CD-ROM, because a rootkit installed on the compromised operating system alters the integrity of that system's own tools, so they cannot be trusted. Don't rely on tools installed from the host's own packages either, or on tools that load the host's shared libraries, because an attacker could have manipulated those libraries; prefer statically linked binaries on your own media and check their hashes before use. Always work from a binary image, and keep live bootable Linux images for forensics. Booting Windows on a suspect machine alters the hard drive contents and could corrupt or destroy critical evidence. The SANS Investigative Forensic Toolkit, better known as SIFT, is a good way to jumpstart your toolkit.
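Two practical checks follow from the paragraph above: that the binaries on your response media are the ones you built, and that they do not depend on the suspect host's shared libraries. The following is an added example, not code from the original post or from any of the toolkits named: build a SHA-256 manifest of the tool directory on a known-clean workstation, compare the media against it on the suspect host (reporting modified, missing and unexpected files), and inspect each ELF binary's program headers for a PT_INTERP entry, which is what marks a binary as needing the host's dynamic loader. The tool names, directory layout and the minimal ELF images in the demo are constructed samples, not real binaries.

```python
"""Verify a response toolkit before trusting it on a suspect host.

Added example (not part of the original post). Paths, tool names and the fake ELF
images used by demo() are constructed for illustration.
"""
import hashlib
import struct
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

PT_INTERP = 3  # program header type that names the dynamic loader (e.g. ld-linux)


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(tool_dir: Path) -> Dict[str, str]:
    """Map each file's path (relative to tool_dir, POSIX separators) to its SHA-256."""
    return {p.relative_to(tool_dir).as_posix(): sha256_file(p)
            for p in sorted(tool_dir.rglob("*")) if p.is_file()}


def verify_toolkit(tool_dir: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the directory against a manifest built on a clean system."""
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(tool_dir)
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            result["missing"].append(rel)
        elif actual != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(rel for rel in current if rel not in manifest)
    return result


def is_static_elf(path: Path) -> Optional[bool]:
    """True if the ELF has no PT_INTERP (no dynamic loader, so no host libraries are
    pulled in), False if it needs one, None if the file is not an ELF image."""
    data = path.read_bytes()
    if data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(phnum):
        (p_type,) = struct.unpack_from(end + "I", data, phoff + i * phentsize)
        if p_type == PT_INTERP:
            return False
    return True


def _fake_elf64(p_types: List[int]) -> bytes:
    """Constructed minimal little-endian ELF64 image: a header plus the given program
    headers. Not runnable code; it only exercises the header parsing above."""
    hdr = bytearray(64)
    hdr[0:4] = b"\x7fELF"
    hdr[4], hdr[5] = 2, 1                    # 64-bit, little endian
    struct.pack_into("<Q", hdr, 0x20, 64)    # e_phoff: program headers follow the header
    struct.pack_into("<HH", hdr, 0x36, 56, len(p_types))  # e_phentsize, e_phnum
    phdrs = b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)
    return bytes(hdr) + phdrs


def demo() -> dict:
    """Clean media passes; a trojaned, removed, and planted file are each reported."""
    with tempfile.TemporaryDirectory() as tmp:
        tools = Path(tmp) / "tools"
        tools.mkdir()
        (tools / "fls").write_bytes(_fake_elf64([1]))          # PT_LOAD only: static
        (tools / "netstat").write_bytes(_fake_elf64([3, 1]))   # PT_INTERP: dynamic
        (tools / "README").write_text("constructed sample toolkit\n")
        static = {name: is_static_elf(tools / name) for name in ("fls", "netstat", "README")}
        manifest = build_manifest(tools)
        clean = verify_toolkit(tools, manifest)
        (tools / "fls").write_bytes(b"trojaned")   # attacker swaps a binary
        (tools / "netstat").unlink()               # a tool went missing
        (tools / "ps").write_bytes(b"planted")     # something was added
        tampered = verify_toolkit(tools, manifest)
        return {"static": static, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Generate the manifest on the clean workstation and keep it (and a copy of this script) somewhere the suspect host cannot write to; a manifest that lives on the same media as the tools only tells you whether the two were tampered with together.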

SIFT includes

  • The Sleuth Kit
  • log2timeline
  • Wireshark
  • Volatility
  • ssdeep and md5deep
  • and more

Additional supplies

  • USB flash drives (16 GB)
  • External hard drives with USB 2/3
  • Ethernet tap
  • Ethernet cables (crossover and straight-through)
  • USB and serial cables
  • Laptop with multiple operating systems
    • Windows and Linux
  • Spare SSD and additional RAM
  • Call list
  • Cell phone
  • Notebooks
  • Incident forms
  • Change of clothes, deodorant, aspirin, and antacid (you never know how long an investigation may take)
  • Jumpers
  • Flashlight
  • Screwdrivers
  • RJ-45 connectors
  • Tweezers
  • Business cards

Remember to always be ready and alert: when an incident occurs, you won't have time to prepare!

The next step in the Incident Handling process is Identification.

Identify Threats

If this has been helpful to you, please support this blog by buying a coffee