CH6: IR Preparation Phase
Introduction
In Chapter 5, we established the Incident Response Lifecycle—the roadmap for how we handle a security crisis. We identified Preparation as the first and most critical phase.
There is a military adage often cited in cybersecurity: "The more you sweat in peace, the less you bleed in war."
Once an attacker is inside the network, it is too late to decide who has the authority to shut down the e-commerce server. It is too late to buy forensic software. It is too late to negotiate an hourly rate with an external investigation firm. If these assets are not in place before the detection alert triggers, the organization will fail to contain the breach effectively.
This chapter details the specific architecture of readiness. We will construct the administrative "shield" (Policy and Plans), build the technical "armory" (Logging, Sensors, and the Forensic Jump Bag), and operationalize the intelligence required to anticipate adversary movements.
Learning Objectives
By the end of this chapter, you will be able to:
- Distinguish between an IR Policy (Governance) and an IR Plan (Operations), and explain the purpose of each.
- Design a "Forensic Jump Bag" containing the necessary hardware and software for immediate evidence collection.
- Evaluate the importance of Centralized Logging and SIEM architecture in reconstructing an attack timeline.
- Analyze the "Pyramid of Pain" to understand the difference between trivial indicators (Hashes) and difficult behaviors (TTPs).
- Develop a "Break-Glass" strategy for privileged access during a catastrophic identity failure.
- Explain the role of Third-Party Retainers and Cyber Insurance in the preparation phase.
6.1 The Regulatory Shield: Policy vs. Plan
A common mistake in novice security programs is combining everything into a single document called "The Security Plan." In professional practice, we separate Governance (Rules) from Operations (Actions).
The Incident Response Policy
The Policy is a high-level governance document approved by senior leadership (C-Suite or Board). It does not contain technical steps. Instead, it defines Authority.
The IR Policy answers the political questions that cause hesitation during a crisis:
- Definition: What defines an "Incident" for this company?
- Authority: Who has the specific right to declare a disaster? Who has the right to monitor employee traffic? Who authorizes the disconnection of revenue-generating systems?
- Scope: Does this apply to contractors? Cloud vendors? Bring Your Own Device (BYOD) phones?
- Reporting: Who must be notified, and how quickly?
Why this matters: Imagine a security analyst detects a breach on the CEO's laptop. Without a signed policy granting the CSIRT authority to seize executive devices, the analyst might hesitate or be blocked by an executive assistant. The Policy is the "Badge" that gives the CSIRT the legal right to act.
Example: Anatomy of an IR Policy
To be effective, an IR Policy does not need to be long, but it must be precise. Below are the standard sections found in a corporate Incident Response Policy:
| Policy Section | Description & Purpose |
|---|---|
| 1. Purpose | States why the policy exists (e.g., "To ensure the organization can respond to cyber threats in a way that minimizes damage and legal liability"). |
| 2. Scope | Defines who and what this policy applies to. Does it cover contractors? Cloud environments? Employee personal devices (BYOD)? |
| 3. Definitions | Clearly defines what constitutes an "Incident" vs. an "Event" to prevent ambiguity. |
| 4. Authority | The most critical section. Explicitly grants the CSIRT the right to monitor traffic, seize hardware, and disconnect systems without prior executive approval during a crisis. |
| 5. Reporting Requirements | Mandates that all employees must report suspected incidents immediately and defines how to report (e.g., "Email soc@company.com or call ext. 911"). |
| 6. Role Assignment | Designates the specific job titles (e.g., CISO, SOC Manager) responsible for maintaining the IR capability. |
| 7. External Communications | Explicitly forbids employees from speaking to the media regarding an incident; delegates this authority solely to Public Relations or Legal. |
| 8. Non-Compliance | States the consequences for violating the policy (e.g., "Failure to report a known breach may result in termination"). |
The Incident Response Plan (IRP)
While the Policy is the "Constitution," the Plan is the "Battle Manual." It is an operational document used by the CSIRT. It provides the tactical instructions for the response.
The IR Plan typically includes:
- Roles & Responsibilities: The specific roster of the CSIRT (Primary and Backup).
- Call Trees: A diagram of who calls whom. (e.g., Analyst calls Manager -> Manager calls CISO -> CISO calls Legal).
- Escalation Paths: The specific triggers (Severity Levels) that move an incident from the Help Desk to the SOC, and from the SOC to Crisis Management.
- Cyber Incident Response Annexes (Playbooks): Specific guides for common scenarios (e.g., "Ransomware Playbook," "Phishing Playbook," "Data Exfiltration Playbook").
Severity Classification & Escalation
A core function of the IRP is to remove ambiguity. When an incident occurs, the first question is always, "How bad is it?" The Plan must provide a Severity Matrix that maps Impact (Damage) and Scope (Spread) to a specific Severity Level (SEV).
This level dictates the Call Tree—the specific list of people who must be woken up.
| Severity | Definition | Examples | Call Tree / Escalation |
|---|---|---|---|
| SEV-4 (Low) | Routine. Minimal impact. No sensitive data loss. | Single laptop malware infection; Phishing email reported and deleted. | Handle Locally. Help Desk & Tier 1 SOC. No escalation required. |
| SEV-3 (Medium) | Significant. Potential data risk or service degradation. | Unauthorized access to a non-critical server; Uncontained malware spreading to <5 hosts. | Escalate to CSIRT. Notify SOC Manager. IT Operations on standby. |
| SEV-2 (High) | Critical. Confirmed data theft, critical system outage, or financial loss. | Ransomware encryption of a department; Exfiltration of customer PII; Active C2 traffic from Domain Controller. | Activate Incident Commander. Notify CISO, Legal Counsel, and Business Owners. |
| SEV-1 (Critical) | Existential. Threat to human safety, to the company's financial viability, or to its public reputation. | Enterprise-wide Ransomware; Loss of all customer databases; Life-safety system failure. | Activate Crisis Management Team. Notify CEO, Board of Directors, PR Firm, Insurance, and Law Enforcement. |
Linking Severity to Action: Having these levels predefined prevents "Alert Fatigue" (waking the CEO for a virus on a laptop) and "Silence" (failing to wake the CISO for a data breach). The IRP explicitly states: "If SEV-2 is declared, the Incident Commander MUST be notified within 15 minutes."
Operational Annexes (Playbooks)
The Plan also includes specific guides for common scenarios, known as Playbooks or Runbooks:
- Ransomware Playbook: Steps to isolate network segments and protect backups.
- Phishing Playbook: Steps to purge malicious emails from Exchange/Office 365.
- Data Exfiltration Playbook: Steps to analyze firewall logs and determine what left the building.
Professional Insight: Hard Copies Matter. In a total network compromise (such as a ransomware attack), your SharePoint, Google Drive, and internal wiki may be encrypted or unreachable, and so may the SIEM and the password vault. A prepared organization keeps offline copies of the IR Plan, call trees, and severity matrix (printed, and on encrypted removable media) in a secure physical location. You cannot recover the network if the instructions for recovering it are locked inside the network.
6.2 Technical Readiness (Architecture Setup)
You cannot investigate what you cannot see. Technical preparation focuses on Visibility and Tooling.
Logging Architecture & The SIEM
The primary evidence source in any investigation is logs. However, logs stored only on the server that generated them are worthless if the attacker wipes that server or edits its logs, and attackers routinely do both.
Centralized logging is mandatory for IR. Organizations forward logs from every source to a SIEM (Security Information and Event Management) system such as Splunk, Microsoft Sentinel, or Elastic. The SIEM is only as good as its retention and its tamper resistance: the log store must outlive the incident (months, not days), must be writable but not editable by the systems that feed it, and must be administered with credentials separate from the domain the attacker is likely to own.
Critical Log Sources for Preparation:
- Authentication Logs (Active Directory, Okta): To track who logged in, from where, and with which logon type.
- Endpoint Logs (EDR, Sysmon): To track process execution (e.g., `powershell.exe` launched with a hidden window or an encoded command).
- Network Logs (Firewall, DNS): To track command-and-control (C2) beacons leaving the network.
- Cloud Audit Logs (AWS CloudTrail, Azure Monitor): To track infrastructure and identity changes.
One detail that is cheap in peacetime and expensive to fix later: every source must sync its clock to NTP and log in UTC (or a recorded offset). A timeline built from sources that disagree by hours is worse than no timeline.
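As an added example, not part of the original chapter, here is what "aggregate logs into one timeline" looks like in code: three constructed log lines in three different formats and clocks are normalized to UTC, sorted, and then correlated so that the hidden PowerShell launch mentioned above can be tied to the DNS query that followed it on the same host. The line formats, field names and hostnames are assumptions for illustration; real Sysmon, Okta and firewall exports differ, and the parsing functions are the part you would replace.

```python
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real logs): an identity-provider event as JSON, two
# Sysmon EventID 1 (process create) lines, and two network lines stamped in epoch seconds.
RAW_LOGS = [
    '{"published":"2024-03-04T09:15:02.000Z","eventType":"user.session.start",'
    '"actor":"jdoe","client_ip":"203.0.113.9"}',
    "UtcTime: 2024-03-04 09:16:10.412 EventID: 1 "
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine: powershell.exe -w hidden -enc SQBFAFgA User: CORP\\jdoe Computer: WS-042",
    "UtcTime: 2024-03-04 09:16:55.001 EventID: 1 "
    "Image: C:\\Windows\\System32\\notepad.exe "
    "CommandLine: notepad.exe notes.txt User: CORP\\jdoe Computer: WS-042",
    "1709543850 dns query host=WS-042 src=10.0.5.7 qname=evil-login.com",
    "1709543899 fw allow host=WS-042 src=10.0.5.7 dst=198.51.100.23 dport=443",
]

SYSMON_RE = re.compile(
    r"UtcTime: (?P<ts>\S+ \S+) EventID: (?P<id>\d+) Image: (?P<image>.+?) "
    r"CommandLine: (?P<cmd>.+?) User: (?P<user>\S+) Computer: (?P<host>\S+)$"
)
NET_RE = re.compile(r"^(?P<epoch>\d{9,10}) (?P<source>\w+) (?P<action>\w+) (?P<kv>.*)$")


@dataclass(order=True)
class Event:
    ts: datetime          # always timezone-aware UTC, so sorting across sources is meaningful
    source: str
    host: str
    user: str
    summary: str
    extra: dict = field(default_factory=dict, compare=False)


def parse_line(line):
    """Normalize one raw line into an Event, or return None if the format is unknown."""
    if line.startswith("{"):
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["published"].replace("Z", "+00:00"))
        return Event(ts, "idp", rec.get("client_ip", ""), rec["actor"], rec["eventType"], rec)
    m = SYSMON_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        return Event(ts, "sysmon", m["host"], m["user"], m["cmd"],
                     {"image": m["image"], "event_id": int(m["id"])})
    m = NET_RE.match(line)
    if m:
        kv = dict(p.split("=", 1) for p in m["kv"].split())
        ts = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
        return Event(ts, m["source"], kv.get("host", ""), "", f'{m["action"]} {m["kv"]}', kv)
    return None


def build_timeline(lines):
    """Return (events sorted by UTC time, lines that could not be parsed).
    Unparsed lines are returned, not dropped: a silent gap in the timeline is itself a finding."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return sorted(events), unparsed


HIDDEN_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand")


def suspicious_powershell(ev):
    """Hidden-window or encoded-command PowerShell, the example from the log-source list."""
    if ev.source != "sysmon" or not ev.extra.get("image", "").lower().endswith("powershell.exe"):
        return False
    cmd = ev.summary.lower()
    return any(flag in cmd for flag in HIDDEN_FLAGS)


def correlate(timeline, window=timedelta(minutes=5)):
    """Pair each suspicious PowerShell launch with a DNS query from the same host inside
    `window`. This is only possible because all sources share one clock and one store."""
    hits = []
    for i, ev in enumerate(timeline):
        if not suspicious_powershell(ev):
            continue
        for later in timeline[i + 1:]:
            if later.ts - ev.ts > window:
                break
            if later.source == "dns" and later.host == ev.host:
                hits.append((ev.host, ev.user, later.extra["qname"]))
    return hits


if __name__ == "__main__":
    timeline, gaps = build_timeline(RAW_LOGS)
    for ev in timeline:
        print(ev.ts.isoformat(), ev.source, ev.host, ev.user, ev.summary[:60])
    print("correlated:", correlate(timeline), "unparsed:", gaps)
```

The correlation is deliberately narrow (same host, five-minute window, one specific process pattern) because that is what makes it cheap to run continuously; the point is that none of it works unless the identity, endpoint and network sources have already landed in the same place with the same clock before the incident.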

Sensor Placement
To catch an intruder, you must place sensors at the "choke points" of the network.
- North-South Traffic: Sensors placed at the Internet Gateway (Firewall/IDS). These see traffic entering and leaving the company.
- East-West Traffic: Sensors placed on the Core Switch or Internal Segmentation Firewalls. These see traffic moving between internal departments (Lateral Movement).
Note: With TLS 1.3 the norm (and encrypted Client Hello where deployed), network sensors rarely see payloads, so content signatures decline in value. What they still see is metadata: DNS queries, destination IPs and ports, connection timing and volume, certificate and TLS fingerprints. That is often enough to spot command-and-control beaconing. The payload itself is only visible at the endpoint, after decryption, which is why EDR on every host has become the primary sensor rather than a supplement to the network ones.
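The note above says network sensors lose the payload but keep the metadata. Here, as an added example that is not from the original chapter, is one thing metadata alone still catches: C2 beaconing, detected purely from connection timing in constructed flow records. The record format and the thresholds (eight connections, coefficient of variation below 0.2) are assumptions; a beacon with heavy randomized jitter or a very long sleep will slip under them, which is why this complements rather than replaces endpoint telemetry.

```python
import statistics
from collections import defaultdict


def _beacon_series(start, interval, count):
    """Constructed C2-like timestamps: a fixed interval with a few seconds of jitter
    (the (i*7)%5-2 term cycles through -2..+2 seconds)."""
    return [start + i * interval + ((i * 7) % 5 - 2) for i in range(count)]


# Constructed flow records (not real data): (epoch_seconds, src, dst, dport, bytes).
# One host beacons to an external IP every ~60 s; another browses irregularly;
# a third pair is SMB traffic too sparse to judge.
FLOWS = (
    [(t, "10.0.5.7", "198.51.100.23", 443, 1180) for t in _beacon_series(1709543700, 60, 12)]
    + [(1709543700 + o, "10.0.5.8", "203.0.113.50", 443, b)
       for o, b in [(0, 5200), (3, 900), (43, 77000), (45, 1200), (345, 3300),
                    (360, 640), (361, 15000), (451, 2200), (452, 880), (700, 9100)]]
    + [(1709543700 + o, "10.0.5.7", "10.0.9.4", 445, 4096) for o in (10, 11, 12)]
)


def find_beacons(flows, min_conns=8, max_cv=0.2):
    """Group flows by (src, dst, dport) and flag pairs whose inter-arrival times are both
    frequent and regular (coefficient of variation = stdev/mean below max_cv).
    Uses timing only, so TLS does not hide it; this is a behaviour, not an IP or a hash."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _nbytes in flows:
        by_pair[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_conns:
            continue                      # too few samples to call anything periodic
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue
        cv = statistics.stdev(deltas) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                         "period_s": statistics.median(deltas), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(hit)
```

Run against real flow or proxy logs this needs an allow-list (update servers, monitoring agents and mail clients all poll on fixed timers), but the allow-list is short and stable, and the detection survives the attacker changing their IP, domain and tooling.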

The Forensic Jump Bag
Every physical CSIRT needs a "Jump Bag"—a physical kit ready to grab-and-go when an incident occurs on-site.
Standard Jump Bag Inventory:
- Write-Blockers: Specialized hardware bridges (USB/SATA) that allow an analyst to read a hard drive without altering a single bit of data. This is critical for Chain of Custody; if you plug a suspect drive directly into Windows, the OS will alter metadata, potentially ruining the evidence for court.
- Clean Storage: High-capacity external drives (2 TB or more) to hold disk images. "Clean" means forensically sterile: wiped and verified before the incident, and never reused from a previous case without being wiped again, so that nothing on the target media can be mistaken for evidence.
- Forensic Laptop: A clean, high-powered laptop pre-loaded with analysis tools (FTK Imager, EnCase, Eric Zimmerman's tools, Volatility). This machine stays off the corporate network and, ideally, off the internet entirely; tools and signature updates are brought to it on vetted media, so that neither the attacker's malware nor a compromised domain can reach it.
- Cables & Adapters: Every possible dongle (USB-C, SATA, IDE, Ethernet, Console cables) to connect to legacy or modern hardware.
- Bootable Media: USB drives loaded with a forensic Linux distribution (such as SANS SIFT Workstation or CAINE) to boot a suspect computer without loading its installed OS, so that nothing on the suspect disk executes. Caveat: with full-disk encryption (BitLocker, FileVault, LUKS) an offline boot yields only ciphertext unless you hold the recovery key; in that case capture memory and image the live, unlocked system first rather than powering it off.
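Write-blocking only protects the source; the image must then be proven identical to it, and provably still identical months later. The following added example (not the chapter's own code) shows that verification discipline around a disk acquisition: hash the source while streaming it into the image, re-hash image and source independently, write a custody record beside the image, and re-verify on demand. It runs on a constructed file standing in for a drive; the record fields and file names are assumptions, and the `blockdev --setro` mentioned in the comment is the Linux software fallback, not a substitute for the hardware write-blocker.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads: a multi-terabyte drive never has to fit in memory


def sha256_of(path, chunk=CHUNK):
    """Independent hash of a file, re-read from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src_path, dst_path, chunk=CHUNK):
    """Stream the source into a raw image, hashing the bytes as they are read.
    Opening read-only is not a write-block: the OS may still mount and touch a real
    drive. Put a hardware write-blocker in front of it; on a Linux imaging host
    `blockdev --setro /dev/sdX` is the software fallback."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def acquire(src_path, image_path, case_id, examiner):
    """Image, verify with two independent re-reads, and write a custody record beside the image."""
    acquisition_hash = image_device(src_path, image_path)
    image_hash = sha256_of(image_path)   # is the file we wrote what we hashed on the way in?
    source_hash = sha256_of(src_path)    # is the source unchanged by the imaging itself?
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": os.path.abspath(src_path),
        "image": os.path.abspath(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256_acquisition": acquisition_hash,
        "sha256_image": image_hash,
        "sha256_source_after": source_hash,
        "verified": acquisition_hash == image_hash == source_hash,
    }
    with open(image_path + ".json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path):
    """Re-verify before analysis and again before court: does the image still match its record?"""
    with open(image_path + ".json") as f:
        record = json.load(f)
    return sha256_of(image_path) == record["sha256_acquisition"]


def demo():
    """Walk-through on a constructed 1 MiB file standing in for a drive, then tamper with the image."""
    work = tempfile.mkdtemp(prefix="jumpbag-")
    evidence = os.path.join(work, "suspect.bin")
    with open(evidence, "wb") as f:
        f.write(bytes(range(256)) * 4096)
    image = os.path.join(work, "suspect.dd")
    record = acquire(evidence, image, "IR-2024-007", "analyst1")
    intact = verify_image(image)
    with open(image, "r+b") as f:   # flip one byte in the image; verification must now fail
        f.seek(4242)
        f.write(b"\xff")
    return {"record": record, "intact": intact, "after_tamper": verify_image(image)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The custody record is written next to the image on purpose: a hash that lives only in an analyst's notebook is not something you can hand to opposing counsel.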
6.3 Cyber Threat Intelligence (CTI)
Preparation is not just about having tools; it is about knowing what to look for. Cyber Threat Intelligence (CTI) involves analyzing data about adversaries to improve defenses.

The Pyramid of Pain
Created by David Bianco, the Pyramid of Pain illustrates the relationship between the types of indicators we search for and how much "pain" we cause the adversary when we block them.
The Pyramid is arranged from "Easy" (bottom) to "Tough" (top):
- Hash Values (Trivial): A specific file signature (e.g., the SHA-256 or MD5 of a malware sample).
  - Why it's trivial: The attacker changes one byte of the file and the hash changes. Hash blocking is cheap to do and cheap to evade.
- IP Addresses (Easy): The address the attacker connects from.
  - Why it's easy: Attackers use proxies, rented servers, and botnets; they can change IPs in seconds.
- Domain Names (Simple): The name the attacker uses (e.g., `evil-login.com`).
  - Why it's simple: Domains cost money and take time to register and age, but they are still disposable.
- Network/Host Artifacts (Annoying): Specific traces left by tools (e.g., a particular User-Agent string, a URI pattern, or a registry key).
  - Why it's annoying: The attacker has to reconfigure or rebuild their toolset to change these.
- Tools (Challenging): The actual software the attacker uses (e.g., Cobalt Strike, Mimikatz).
  - Why it's challenging: If we detect the tool itself rather than one build of it, the attacker has to develop or buy new software.
- TTPs (Tough): Tactics, Techniques, and Procedures, the behavior itself (e.g., "the attacker dumps credentials from LSASS memory").
  - Why it's tough: This is the attacker's skillset. To change their TTPs they have to re-learn how to operate. Behavior-based detection is therefore the gold standard.

Integrating Intel
Modern preparation involves automating CTI. We use standard formats like STIX (Structured Threat Information Expression) to describe threats and TAXII (Trusted Automated Exchange of Intelligence Information) to transmit them.
Platforms such as MISP (Malware Information Sharing Platform) let organizations subscribe to feeds. If a bank in London sees a new ransomware group, it publishes the Indicators of Compromise (IoCs) to a MISP community; your SIEM, DNS filter, or firewall pulls those IoCs and blocks or alerts on them before the same group reaches you. Two caveats: indicators expire (an IP that was a C2 server last month may be a legitimate host today), so honour the feed's validity windows and retire stale entries; and a raw feed pushed straight into a firewall block list with no review will eventually block a CDN or a partner.
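The ingestion loop described above, as an added example that is not the chapter's own code: a constructed STIX 2.1 bundle is filtered for indicators that are current and not revoked, simple equality patterns are lifted out into block-list entries, and those entries are matched against constructed observations from DNS, flow and EDR logs. The bundle contents, the `OBSERVATIONS` records and the fixed evaluation time `AS_OF` are assumptions. Only simple `=` comparisons are supported; patterns with `NOT`, ranges or `LIKE` are refused rather than half-parsed, and weak comparands such as a file name are not lifted out of a compound pattern on their own.

```python
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle (not a real feed). One live domain, one live IP,
# one expired IP, one compound file pattern, and one pattern this parser refuses.
FAKE_SHA256 = "0123456789abcdef" * 4
BUNDLE = {
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'evil-login.com']",
         "valid_from": "2024-03-01T00:00:00.000Z", "valid_until": "2024-09-01T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23']", "valid_from": "2024-03-01T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.77']",
         "valid_from": "2019-01-01T00:00:00.000Z", "valid_until": "2020-01-01T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004", "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{FAKE_SHA256}' AND file:name = 'invoice.exe']",
         "valid_from": "2024-03-01T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000005", "pattern_type": "stix",
         "pattern": "[network-traffic:dst_port = 4444] AND NOT [ipv4-addr:value = '10.0.0.1']",
         "valid_from": "2024-03-01T00:00:00.000Z"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-0000000000aa", "name": "ConstructedLoader", "is_family": False},
    ],
}

# Constructed observations from DNS logs, flow logs and EDR file events.
OBSERVATIONS = [
    {"host": "WS-042", "kind": "domain", "value": "EVIL-LOGIN.com"},
    {"host": "WS-017", "kind": "ipv4", "value": "203.0.113.5"},
    {"host": "WS-003", "kind": "ipv4", "value": "192.0.2.77"},   # only the expired indicator knows this IP
    {"host": "WS-042", "kind": "sha256", "value": FAKE_SHA256.upper()},
]
AS_OF = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)      # fixed "now" so the run is repeatable

# Only strong-identity properties become indicators. A weak comparand such as file:name
# inside an AND would over-block if treated as an indicator on its own.
OBSERVABLE_KINDS = {
    "domain-name:value": "domain",
    "ipv4-addr:value": "ipv4",
    "file:hashes.'SHA-256'": "sha256",
}
COMPARISON_RE = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'\-]+?)\s*=\s*'([^']*)'")
UNSUPPORTED_RE = re.compile(r"\bNOT\b|!=|\bLIKE\b|\bMATCHES\b|[<>]")


def _ts(stix_time):
    return datetime.fromisoformat(stix_time.replace("Z", "+00:00"))


def extract_indicators(bundle, now):
    """Return (usable indicators, skipped (id, reason)) from a STIX bundle as of `now`."""
    accepted, skipped = [], []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        if obj.get("revoked"):
            skipped.append((obj["id"], "revoked"))
            continue
        until = obj.get("valid_until")
        if until and _ts(until) < now:
            skipped.append((obj["id"], "expired"))
            continue
        if _ts(obj["valid_from"]) > now:
            skipped.append((obj["id"], "not yet valid"))
            continue
        pattern = obj["pattern"]
        if obj.get("pattern_type", "stix") != "stix" or UNSUPPORTED_RE.search(pattern):
            skipped.append((obj["id"], "unsupported pattern"))
            continue
        for prop, value in COMPARISON_RE.findall(pattern):
            kind = OBSERVABLE_KINDS.get(prop)
            if kind:
                accepted.append({"kind": kind, "value": value.lower(),
                                 "stix_id": obj["id"], "valid_until": until})
    return accepted, skipped


def match_observations(indicators, observations):
    """Case-insensitive lookup of each observation against the accepted indicators."""
    index = {(i["kind"], i["value"]): i["stix_id"] for i in indicators}
    return [(o["host"], o["value"], index[(o["kind"], o["value"].lower())])
            for o in observations if (o["kind"], o["value"].lower()) in index]


def run_feed(bundle=BUNDLE, observations=OBSERVATIONS, now=AS_OF):
    accepted, skipped = extract_indicators(bundle, now)
    return {"accepted": accepted, "skipped": skipped,
            "hits": match_observations(accepted, observations)}


if __name__ == "__main__":
    out = run_feed()
    print("skipped:", out["skipped"])
    print("hits:", out["hits"])
```

The `stix_id` is carried through to every hit so the analyst can go back to the source object, its confidence and its sharing restrictions before acting; an alert that says only "matched a feed" is not actionable.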

6.4 Operational Readiness & Exercises
A plan that is never tested is a hallucination. Operational readiness focuses on drilling the human element.
The Exercise Program
- Tabletop Exercises (TTX): Discussion-based sessions where the team talks through a scenario (e.g., "What if the CEO's email is compromised?"). These are low-stress and focus on policy and decision logic.
- Functional Drills: Specific technical tests (e.g., "Restore the Finance Database from backup and verify the data integrity").
- Adversary Emulation (Red Teaming): Hiring ethical hackers to simulate a real attack without warning, testing whether the SOC actually detects them.
Identity & Access Readiness (Break-Glass)
In a major incident, your primary authentication system (Active Directory or Okta) might be down or compromised.
- The "Break-Glass" Account: A dedicated, highly privileged administrative account (e.g., `admin-emergency`) that is never used for daily work. It must not depend on the system that might be down: a native account in the directory or cloud tenant rather than a federated one, and excluded from the conditional-access rules that could lock it out along with everyone else.
- Protection: Its long, random password is split into two parts held in separate physical safes, or sealed in an envelope in the CEO's safe, so that using it requires a deliberate, witnessed act.
- Usage: Its use is monitored, not prevented. Any logon by `admin-emergency`, successful or failed, should alert the SOC immediately, and the password is rotated as soon as the emergency is over. It is the "In Case of Emergency" fire axe.
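Two pieces of the break-glass design are worth seeing in code, as an added example that is not part of the original chapter: how to split the password into two parts so that neither envelope reveals anything on its own (an XOR split, which I assume here because the text's "two parts" does not say how, and which is strictly better than cutting the string in half), and the alerting rule that fires on any use of the account. The logon records are constructed.

```python
import secrets


def split_secret(secret: bytes):
    """Two-envelope XOR split. share_a is uniformly random and share_b = secret XOR share_a,
    so each share on its own is indistinguishable from random bytes. Both are needed."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def recover_secret(share_a: bytes, share_b: bytes) -> bytes:
    if len(share_a) != len(share_b):
        raise ValueError("shares do not belong to the same secret")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def naive_halves(secret: bytes):
    """The scheme the XOR split replaces: cut the password in half. Each envelope then
    holds half the plaintext, and one opened safe halves the attacker's work."""
    mid = len(secret) // 2
    return secret[:mid], secret[mid:]


def share_leaks_plaintext(secret: bytes, share: bytes) -> bool:
    """Does the share appear verbatim inside the secret? True for a naive half,
    false (except with negligible probability) for an XOR share."""
    return share in secret


# Constructed logon records (not real logs). Note the mixed-case account name.
LOGONS = [
    {"ts": "2024-03-04T02:11:09Z", "account": "svc-backup", "result": "success", "src": "10.0.2.15"},
    {"ts": "2024-03-04T02:14:51Z", "account": "admin-emergency", "result": "failure", "src": "203.0.113.77"},
    {"ts": "2024-03-04T02:15:02Z", "account": "ADMIN-EMERGENCY", "result": "success", "src": "203.0.113.77"},
    {"ts": "2024-03-04T02:20:00Z", "account": "jdoe", "result": "success", "src": "10.0.5.7"},
]


def break_glass_alerts(events, account="admin-emergency"):
    """Every touch of the break-glass account is an alert. Failures count too:
    a failed logon means someone is guessing at what is in the envelope."""
    return [
        {"ts": e["ts"], "result": e["result"], "src": e["src"]}
        for e in events
        if e["account"].lower() == account.lower()
    ]


if __name__ == "__main__":
    password = b"correct horse battery staple 9!"   # constructed break-glass password
    a, b = split_secret(password)
    print("envelope A:", a.hex())                    # what gets printed and sealed
    print("envelope B:", b.hex())
    assert recover_secret(a, b) == password
    print("alerts:", break_glass_alerts(LOGONS))
```

The alert rule compares account names case-insensitively on purpose: Windows logon events and cloud audit logs do not agree on capitalization, and a rule that misses `ADMIN-EMERGENCY` is a rule that never fires.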
Third-Party Readiness
Preparation includes arranging help.
- IR Retainer: A contract with a cybersecurity firm (like Mandiant or CrowdStrike) that guarantees a response time (SLA). You pay a fee upfront (the retainer) so that when you call at 2:00 AM on Christmas, they answer.
- Cyber Insurance: A policy that covers some of the costs of a breach (legal fees, forensic investigation, credit monitoring for customers, and in some policies ransom payments). Read it in peacetime: most policies require you to notify the insurer early and to use their approved responders and counsel, and those conditions shape who you are allowed to call.
- Privilege: Establishing a relationship with Breach Counsel (lawyers specializing in cyber). Working through counsel protects the investigation report under "Attorney-Client Privilege," potentially keeping it from being used against you in lawsuits.
Summary
Preparation is the silent phase of Incident Response. It lacks the adrenaline of the Containment phase or the technical mystery of the Investigation phase, but it dictates the success of both.
We prepare by:
- Establishing Authority: Writing the Policy that lets us fight.
- Structuring Response: Defining Severity Levels so we know who to call.
- Deploying Visibility: Configuring logs and sensors so we aren't blind.
- Building the Kit: Packing the Jump Bag with forensic tools.
- Using Intelligence: Leveraging the Pyramid of Pain to focus on behaviors (TTPs).
- Practicing: Running tabletop exercises so the first time we face a crisis isn't the real thing.
In the next chapter, we will activate these preparations as we enter Phase 2: Detection, learning how to spot the signal in the noise.