Incident Response

The SOLUTE team takes a four-phase approach to handling computer security incidents, with the goals of
identifying the threat, preserving evidence, and rapidly restoring services.

Phase 1: Preparation

Preparation is key to successful incident response. The SOLUTE Team maintains detailed checklists and a
fly-away incident response kit based on industry references and best practices such as:

  • NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response
  • NIST SP 800-61, Computer Security Incident Handling Guide
  • Incident Response: Investigating Computer Crime by Kevin Mandia
  • Windows Forensics and Incident Recovery by Harlan Carvey

The SOLUTE Team customizes these checklists to meet the needs of each client.

Phase 2: Detection and Analysis

One of the most difficult components of incident response is recognizing that an incident has occurred.
An incident indicator can be thought of as a symptom of an incident. Indicators can be obvious, such as a
web server crashing or an antivirus alert detecting a worm. Often, however, they are more subtle, such as
degradation of service, a change in traffic patterns, or phishing emails.

Once an incident is identified and reported to the SOLUTE team, we first categorize the incident so we can
better assess how to handle it. Common types of incidents include denial of service, malicious code,
unauthorized access, inappropriate use, leakage of sensitive or classified materials, or any combination of
these. Depending on the nature of the incident, the SOLUTE Team selects the best tools to capture and
analyze system data, including volatile data, in a forensically sound manner to maintain evidence for possible
future prosecution.

Phase 3: Containment, Eradication, and Recovery

The next step is to contain the incident to limit further damage, remove its source, and return to normal
operations. Containment can be a delicate process. If a system is under active attack, it may be prudent to
proceed carefully so as not to alert the attackers that their presence is known until enough information
has been collected about them. At the same time, the attackers should be removed from the system as
quickly as possible and with as little impact as possible. In other cases, disconnecting a computer from the
network may trigger further damage by malicious code on that computer. The SOLUTE response team is
prepared to determine the most appropriate containment strategy for each incident while minimizing impact
to the system and maximizing forensic data preservation.

The next step is eradication. Once all needed evidence has been preserved, we can begin to eradicate the
cause of the incident. The steps taken here vary with the type of incident: they may be as simple as
changing passwords or removing infected files, or as involved as completely rebuilding a system. Because
of the nature of the Advanced Persistent Threat (APT), sophisticated attackers may leave behind undetected
malware on compromised systems. To address this, SOLUTE scans compromised systems for residual
malware and establishes additional monitoring to detect it. If needed and available, the system is restored
from a clean backup. The vulnerability exploited to cause the incident is also remediated. Finally, the system
is returned to a secure operational state. Throughout the response, the SOLUTE team keeps all stakeholders
informed of the status of the response and the impact to affected systems.

Phase 4: Post-Incident Activity

Once the response is complete, the SOLUTE team conducts a post-incident analysis to assess the response.
The team evaluates whether required timelines were met, whether proper procedures were followed, and
whether the appropriate personnel were notified. The team also validates the tools used to respond to the
incident. The SOLUTE Team generates a detailed report once the analysis is complete. Finally, the team
holds lessons-learned sessions to assess the overall effectiveness of the response and to identify areas for
improvement in future incident responses and in current vulnerability management. Where applicable, the
team recommends updates to the client's procedures, policies, and training.