├── LICENSE.md
└── README.md

/LICENSE.md:
--------------------------------------------------------------------------------
Creative Commons Attribution 4.0 International Public License

By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.

Section 1 – Definitions.

Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.
Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.
Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.
Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.
Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.
Licensor means the individual(s) or entity(ies) granting rights under this Public License.
Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.
Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.

Section 2 – Scope.

License grant.
Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
reproduce and Share the Licensed Material, in whole or in part; and
produce, reproduce, and Share Adapted Material.
Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
Term. The term of this Public License is specified in Section 6(a).
Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
Downstream recipients.
Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
Other rights.

Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
Patent and trademark rights are not licensed under this Public License.
To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.

Section 3 – License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the following conditions.

Attribution.

If You Share the Licensed Material (including in modified form), You must:

retain the following if it is supplied by the Licensor with the Licensed Material:
identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
a copyright notice;
a notice that refers to this Public License;
a notice that refers to the disclaimer of warranties;
a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
If You Share Adapted Material You produce, the Adapter's License You apply must not prevent recipients of the Adapted Material from complying with this Public License.

Section 4 – Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:

for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;
if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and
You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.

Section 5 – Disclaimer of Warranties and Limitation of Liability.

Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.
To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.
The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.

Section 6 – Term and Termination.

This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:

automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
Sections 1, 5, 6, 7, and 8 survive termination of this Public License.

Section 7 – Other Terms and Conditions.

The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.

Section 8 – Interpretation.

For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.

Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” The text of the Creative Commons public licenses is dedicated to the public domain under the CC0 Public Domain Dedication. Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.

Creative Commons may be contacted at creativecommons.org.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Hi, my name is [Will Oram](https://willoram.com/). I’m a cyber security consultant living in London. You can follow me on [Twitter](https://twitter.com/willoram). I help companies respond to cyber security breaches and prevent cyber attacks. I also tweet and blog about cyber security, and maintain this collection of resources for [managing](https://github.com/WillOram/cyber-incident-management) and [remediating](https://github.com/WillOram/cyber-remediation) from cyber security breaches.

# Managing major cyber incidents

Quick-reference notes I use when responding to major cyber incidents. Loosely organised into four sections.
## Arriving on scene

* [The basics of incident management](#the-basics-of-incident-management)
* [Top priorities when arriving at an incident](#top-priorities-when-arriving-at-an-incident)
* [Gaining situational awareness](#gaining-situational-awareness)
* [Immediate priority checklist](#immediate-priority-checklist)
* [Common platform for secure communication and collaboration](#common-platform-for-secure-communication-and-collaboration)

## Understanding capabilities

* [Understanding the environment](#understanding-the-environment)
* [Key logs to consider](#key-logs-to-consider)
* [Detection capabilities](#detection-capabilities)

## Building a response strategy

* [The basics of a response strategy](#the-basics-of-a-response-strategy)
* [Building workstreams](#building-workstreams)
* [Focusing on key investigative questions](#focusing-on-key-investigative-questions)
* [Remediation objectives](#remediation-objectives)
* [Focusing on the attacker](#focusing-on-the-attacker)
* [Data breach impacts](#data-breach-impacts)
* [Key issues managing and coordinating response efforts](#key-issues-managing-and-coordinating-response-efforts)

## Delivering the response

* [Building an action plan](#building-an-action-plan)
* [Driving forward delivery](#driving-forward-delivery)
* [Providing status updates](#providing-status-updates)
* [Defining a watch out criteria](#defining-a-watch-out-criteria)
* [Managing an interrupted remediation](#managing-an-interrupted-remediation)
* [Delivering the response to an incident](#delivering-the-response-to-an-incident)
* [Key response documents](#key-response-documents)
* [Communicating on data breaches](#communicating-on-data-breaches)

# Arriving on scene

## The basics of incident management

1. What has happened?

2. What is the plan?

3. Who is in charge?
Organisations time and time again struggle to clearly answer these questions during major cyber incidents.

## Top priorities when arriving at an incident

1. Understand organisational priorities

2. Ensure [immediate priorities](#immediate-priority-checklist) are being actioned

3. [Gain situational awareness](#gaining-situational-awareness)

4. Assess risks and issues

5. Stand up / integrate with the business-wide strategic response

6. Define ways of working and build response tempo

7. Stand up common platforms for [secure communication and collaboration](#common-platform-for-secure-communication-and-collaboration)

8. Establish measurable incident objectives

9. Select appropriate strategies to achieve objectives

10. Define and mobilise workstreams to deliver on strategies / tasks (define and document workstream processes)

11. Identify and resolve resourcing gaps

12. Perform tactical direction and provide necessary follow-up

(Document everything)

## Gaining situational awareness

1. What has happened?

2. How have you responded?

3. What is unknown at this point?

4. Have you considered the legal and regulatory implications?

5. Has senior leadership been briefed?

6. Who has been notified?

7. What are you concerned about? (risks / issues)

8. What are your priorities?

9. What is your plan?

10. Who is in charge? (of the response and of individual workstreams)

11. Have you thought about how the incident could escalate?

12. What is your plan if the incident escalates? (and how will you identify this?)

13. Do you have a reactive press statement prepared?

14. Are you in a crisis?

## Immediate priority checklist

1. Senior management are being briefed on the incident, risks and issues

2. Action is being taken to mitigate any unacceptable risks to the business

3. Evidence is being collected and preserved

4. Legal & regulatory obligations are being assessed

5. Gaps in technical visibility have been identified and are being resolved

6. Incident response and crisis management plans have been initiated

## Common platform for secure communication and collaboration

Examples: Teams, JIRA, Slack, Google Drive

Need to have a way to:

1. Share documents / collaborate on document writing

2. Communicate with all teams working on the incident (often from multiple companies)

3. Track issues and projects with workflows

4. Centrally store key information

# Understanding capabilities

## Understanding the environment

* Workstations
* Email and Web
* Servers
* Cloud
* Networks / Data centers
* Applications
* Identity
* Data

For each:

* What do you have?
* What capabilities do you have to prevent attackers? Coverage, features, constraints, limitations
* What capabilities do you have to detect attackers? Coverage, features, constraints, limitations
* What people and processes do you have to support this?

Other questions:

* How quickly can new tech be deployed? (e.g. endpoint detection and response agents)
* Who are the key contacts/SMEs?

## Key logs to consider

* Server and workstation operating system logs
* Authentication logs (e.g. login, remote access, VPN)
* Application logs (e.g. web logs, database logs)
* Network logs (e.g. web proxy logs, firewall logs, DNS, NetFlow)
* Security tool logs (e.g. EDR, AV, mail filtering logs)

## Detection capabilities

1. What are your roll-out plans and deployment statistics for endpoint agents?

2. What are your roll-out plans and deployment statistics for network appliances?

3. What is your availability of logging covering other sources of visibility?

4. What visibility gaps do you have of the environment?

5. What monitoring and detection tools are built on top of these sources of visibility?

6. How are these tools configured to detect attacker activity?

7. How are detection alerts tracked?

8. What processes are there to triage, investigate and respond to detection alerts?

Do you need to stand up a tool (e.g. JIRA) to track and manage new detection alerts?

It is key that all detection alerts are tracked centrally and moved through a single process.

# Building a response strategy

## The basics of a response strategy

A response strategy needs to be proportionate to the sophistication of the threat actor and the scale/complexity of the incident.

It encompasses "how" we are going to respond. Activities should then be grouped / organised into workstreams.

Considering:

* Priorities and objectives
* Risks and issues
* Understanding of the environment
* Visibility of the environment
* Organisational and technical capability / capacity to respond
* Investigative findings so far, including knowledge of the adversary

## Building workstreams

Workstreams should map to objectives / strategies, and not be aligned to any pre-existing business units / organisational hierarchies.

Each workstream should have a lead responsible and accountable for the workstream's activities.

Where possible the team working on a workstream should work and sit together.
Processes used by each workstream should be mapped out and communicated.

Need to ensure response efforts have the capacity and speed to scale to the size of the incident.

Example workstreams for the strategic organization-wide response:

* Communications
* Legal
* IT Operations
* Technical Incident Management
* Business Operations
* Strategic Improvements
* Finance / Administration

## Focusing on key investigative questions

1. When was the window of compromise?

2. How did the attacker initially gain access to the environment?

3. What systems did the attacker access and/or compromise?

4. How did the attacker access and/or compromise these systems?

5. What accounts did the attacker compromise?

6. What activity was carried out by the attacker within the environment?

7. What data did the attacker access and how did the attacker do this?

8. What evidence is there of data exfiltration?

9. Does the attacker still have access to the environment?

10. Has the attack concluded?

## Remediation objectives

Remediation has four key objectives:

1. Remove attacker access to the environment.

2. Prevent the attacker from re-gaining access to the environment.

3. Detect the attacker if they re-gain access to the environment.

4. Limit the attacker’s ability to achieve any objectives if access to the environment is reacquired.

These four objectives are achieved by carrying out posturing, eradication and hardening.
Against a motivated and targeted attacker, failing to identify all attacker access, improve detection capabilities and make the improvements needed to prevent the attacker from immediately re-gaining access to the environment will likely result in the eradication not being successful, with the attacker maintaining access and embedding deeper in the network.

See my other GitHub repo [here](https://github.com/WillOram/cyber-remediation) for more information.

## Focusing on the attacker

1. What activity was carried out by the attacker within the environment?

2. What access does the attacker have into the environment?

3. Has the attacker gained access to any data that will make it easier for them to re-compromise the environment?

4. What are the likely motivations of the attacker?

5. What are the assessed capabilities of the attacker?

6. Has the attacker adapted their behaviour as a result of remediation activities undertaken?

## Data breach impacts

* Reputational
* Legal
* Technical
* Operational
* Financial

## Key issues managing and coordinating response efforts

1. No clear or suitable incident management structures

Structures are formed ad hoc, teams fail to interoperate, existing business structures are used

2. Lack of "operational rhythm" and programme management

Response is not as quick as leadership desires, delays in recognising a crisis, lack of accountability and action tracking

3. No clear strategy and objectives driving response efforts

Response is tactical not strategic, conflicting priorities/strategies, reactive decision making

4. Poor communication and collaboration

Disjointed use of tooling, conflicting terminology, poor interoperability and missed/delayed escalations

5. Lack of leadership and accountability

Unclear chains of command, blurred lines of responsibility, fragmented teams, lack of trust reduces collaboration

6. No clear understanding of the facts which matter

Risks and issues are missed, leadership inundated with noise, remediation efforts repeatedly fail

# Delivering the response

## Building an action plan

1. What do we want to do? Priorities and objectives

2. How are we going to do it? Strategy, workstreams

3. Who is responsible for doing it? Roles and responsibilities

4. How do we communicate with each other? Daily rhythm and tempo

5. What is the procedure if the incident escalates?

6. What are the expectations of team members working on the response?

7. How will decisions be made?

## Driving forward delivery

* Break the organisation out of a business-as-usual mindset - removing pre-existing structures, expectations and assumptions
* Build and follow a planning process
* Group tactical activities and tasks into workstreams with leads
* Communicate strategy and plans, roles and responsibilities to all involved
* Track and hold teams to account to deliver on actions
* Get teams to report on the delivery and effectiveness of plans in measurable ways
* Run effective meetings with defined outcomes
* Ensure situational awareness and document everything
* Track risks and issues

## Providing status updates

1. When was the first identified evidence of compromise? + delta

2. When was the last identified evidence of compromise? + delta

3. How many systems have been assessed as compromised? + delta

4. How many systems have been assessed as accessed? + delta

5. How many accounts have been assessed as compromised? + delta

6. How many privileged accounts have been assessed as compromised? + delta

7. Endpoint agent coverage + delta

8. What has been done over the status update period?

9. What is planned for the next status update period?

10. Risks and issues being tracked + delta

11. Update against key investigation questions

12. Update against "Eradication event criteria"

## Defining a watch out criteria

1. Attacker finds a previously unidentified route into the environment

2. Attacker moves towards sensitive or personal data

3. Attacker compresses or stages files

4. Attacker accesses internet-facing servers

5. Attacker gains domain administrator privileges

6. Attacker gains access to a domain controller

7. Attacker adds or edits users in Active Directory

8. Attacker carries out activity indicating potential destructive intentions

If triggered:

1. Who should this be communicated to?

2. How should this be communicated to them?

3. How should this first be verified?

4. Should this communication be written or verbal in the first instance?

5. What technical response playbooks have been written to ensure a rapid and effective response?

6. What playbooks have been written for carrying out common response tasks such as blocking IPs, sinkholing DNS, resetting accounts and isolating systems?

7. How is the organisation building an increased state of readiness?

## Managing an interrupted remediation

If remediation activities are interrupted by an alert, these are the key questions to ask:

1. When did the first alert occur?

2. What is the first evidence of compromise on this system? (e.g. before or after eradication; key to deciding whether to rapidly remediate)

3. Should any of this activity have been blocked?

4. Are we seeing any of the same indicators as used previously? (e.g. IP addresses or domain names)

5. Are we seeing similar TTPs to previous activity?

6. Are we confident this is the same attacker?

7. Are we seeing attacker hands-on-keyboard activity?

8. What activity has the attacker performed?

9. What level of access has the attacker gained?

10. Is there any other related activity on other systems?

Key decision-making factors for the response:

1. Are we confident all new activity has been identified?

2. Will we alert on all instances of this activity going forward?

## Delivering the response to an incident

Responding to a significant cyber security incident requires not only a technical response but a highly integrated strategic organization-wide response.

#### Crisis Management Team (CMT)

* Manages and coordinates the organization-wide response to the incident
* Sets the response objectives, priorities and strategies
* Has overall responsibility for all response activities
* Secures support from the wider organization including from senior management
* Leads by example, setting the culture required to successfully navigate through the crisis

Needs to be tightly integrated with the technical response.
#### Strategy Advisory Group (SAG)

* Proposes priorities and strategies to resolve the incident
* Consists of cyber security leadership, external advisors and legal
* Considers technical risks and issues

#### Incident Management Team (IMT)

* Delivers the technical response to the incident
* Uses the inter-operable / modular [FEMA Incident Command System (ICS)](https://training.fema.gov/emiweb/is/icsresource/index.htm)
* The incident command is in charge of the technical response to the incident

Needs to be tightly integrated with the strategic organization-wide response.

| Investigation | Threat Hunting | Remediation | Monitoring | Operations | Logistics / PMO |
|-----------------------|-------------------|-----------------------|-----------------------|---------------------|-------------------|
| Situational Awareness | Threat Detection | Analysis and Planning | Alert Triage | Evidence Collection | Action Tracking |
| Forensic Analysis | Hunting | Triage | Continuous Monitoring | Tech Deployment | Resourcing |
| Threat Intelligence | Tuning | Delivery | | Agent Deployment | Finance and Admin |
| Impact Assessment | | | | Recovery | |

Other ideas for workstreams:
- Agent Deployment
- Threat Intelligence
- Pre-emptive containment (limit the impact of ransomware attacks before they detonate)
- Recovery
- Strategic Improvement

## Key response documents

1. Incident action plan

2. Ways of working

3. Red line / watch out criteria

4. Immediate priorities checklist

5. Incident timeline

6. Remediation plan

7. Risks, actions, issues, decisions tracker

8. Investigation tracker
- What systems are compromised / suspected compromised?
- What systems has the attacker accessed?
- What systems has the attacker performed recon against?
- What accounts are compromised / suspected compromised?
- What systems have agents deployed?

9. Stakeholder mapping

10. Evidence tracker

11. Media handling FAQ

12. Comms tracker

## Communicating on data breaches

Key messages to deliver:

* Care and concern (about those affected)

* Control (of the situation)

* Commitment (to resolving the problem)

Key considerations:

* Mapping stakeholders

* Coordinating / sequencing communications based on priority

* Anticipating stakeholder issues and preparing to respond

* Incremental reassurance

* Media trackers

* External comms trackers (e.g. vendors)

Key questions to answer:

- What happened?

- How did this happen?

- What will the impact be on customers?

- How do you feel about it?

- What are you going to do to fix it?

- How are you committed to making this right?

- How are you going to be transparent and maintain customer trust?

- How are you staying true to your values?

- What steps can customers take to protect themselves? (what are you doing to help customers?)

- When are you going to provide your next update?

- FAQs (see my other GitHub repo [here](https://github.com/WillOram/cyber-data-breach-q-and-a) for examples)

--------------------------------------------------------------------------------