Incident response

What is Incident Response?


Incident response refers to the processes and procedures that an organization puts in place to detect, contain, eradicate, recover from, and learn from security incidents. The goal of incident response is to minimize the impact of a security breach or other critical event on the organization's operations, reputation, and bottom line.


Why Incident Response Matters


Incident response is crucial because:


  1. Cybersecurity threats are increasing : As technology advances, cybercriminals become more sophisticated, and attacks become more frequent.
  2. Data breaches can have severe consequences : Lost or stolen data can lead to financial losses, reputational damage, and regulatory fines.
  3. Time is critical : The longer it takes to respond to an incident, the greater the potential damage.


Key Components of Incident Response


  1. Detection : Identifying a security incident as soon as possible.
  2. Containment : Isolating affected systems or networks to prevent further spread.
  3. Eradication : Eliminating the root cause of the incident (e.g., removing malware).
  4. Recovery : Restoring normal operations and services after an incident.
  5. Post-Incident Activities :
    • Incident closure: Confirming that the incident is fully resolved.
    • Lessons learned: Documenting what went well and what didn't, to improve future response.
    • Improvements: Implementing changes to prevent similar incidents from occurring.


Incident Response Steps


  1. Initial Response : Gather information about the incident (e.g., who reported it, when).
  2. Assessment : Determine the scope of the incident and potential impact.
  3. Containment : Isolate affected systems or networks.
  4. Eradication : Eliminate the root cause of the incident.
  5. Recovery : Restore normal operations and services.
  6. Post-Incident Activities : Document lessons learned, and implement improvements.


Best Practices for Incident Response


  1. Develop a comprehensive plan : Establish clear procedures and roles.
  2. Train personnel : Ensure all staff understand their roles in incident response.
  3. Maintain situational awareness : Stay informed about the incident's progression.
  4. Communicate effectively : Keep stakeholders informed throughout the process.
  5. Continuously improve : Review incident response processes to identify areas for improvement.


Common Incident Response Tools and Technologies


  1. Security Information and Event Management (SIEM) systems : Monitor system logs and detect suspicious activity.
  2. Threat intelligence platforms : Gather and analyze threat data to inform incident response decisions.
  3. Incident response software : Automate tasks, such as containment and eradication.
  4. Compliance management tools : Ensure adherence to relevant regulations and standards.


Remember


Incident response is an ongoing process that requires continuous improvement, effective communication, and a solid understanding of the organization's security posture. By being prepared, you can minimize the impact of security incidents and protect your organization from costly consequences.

Windows hosts — welke logs en hoe te verzamelen


Belangrijk: Windows heeft veel relevante artefacten — event logs, registry, prefetch, browser-artefacten, geheugen (voor credentials).


A. Windows Event Logs (.evtx)


  • Wat: Security, System, Application, Microsoft-Windows-PowerShell/Operational, Sysmon (als geïnstalleerd).

  • Waarom: Authentication events, service starts/stops, application errors, PowerShell use, process creations (Sysmon).

  • Hoe verzamelen (stap-voor-stap):

    1. Open een beheerders-PowerShell (zonder de machine te herstarten).

    2. Exporteer met wevtutilnaar .evtx:

      • wevtutil epl Security C:\forensics\logs\Security.evtx

      • wevtutil epl System C:\forensics\logs\System.evtx

      • wevtutil epl Application C:\forensics\logs\Application.evtx

      • wevtutil epl Microsoft-Windows-PowerShell/Operational C:\forensics\logs\PowerShell.evtx

      • Voor Sysmon: wevtutil epl Microsoft-Windows-Sysmon/Operational C:\forensics\logs\Sysmon.evtx

    3. Kopieer de geëxporteerde .evtx naar je forensische opslag (bijv. externe USB datadrager).

    4. Bereken hash: certutil -hashfile C:\forensics\logs\Security.evtx SHA256

  • Valkuil: sommige logs kunnen groot zijn; filteren hoeft niet—verzamel volledig en filter later offline.


B. PowerShell en ScriptBlock Logging


  • Wat: gedecodeerde PowerShell-commando’s (als logging ingeschakeld).

  • Hoe: zie PowerShell.evtx zoals hierboven; extra artefacten in C:\Windows\System32\winevt\Logs\.


C. Sysmon / Process Creation / Network Connections


  • Als Sysmon aanwezig: zijn process creation events, network connections, driver loads erg waardevol — exporteer Sysmon zoals boven.


D. Browser- & gebruikersartefacten


  • Profielmappen: C:\Users\<user>\AppData\Local\Microsoft\Edge\User Data\Defaultof Firefox/Chrome mappen. Kopieer relevante History, Cookies, Login Data(sqlite), en bookmarks. Hash deze bestanden.


E. Geheugen (RAM)


  • Waarom: credentials in cleartext, injection, in-memory-only malware.

  • Hoe:

    • Gebruik winpmemom een geheugenafbeelding te maken: winpmem.exe --format raw --output C:\forensics\memory.raw

    • Of gebruik Rekall/Volatility compatibele tools.

    • Daarna hash het bestand en documenteer het.

  • Valkuil: LSASS dump productiegevoelig — juridische toestemming + voorzichtigheid.

IN SEARCH/RUN FIELD (just type it in)  (Windows +R) 

What

Voor een grote lijst commando's zie


https://home.hccnet.nl/h.dalmolen/Computer/Start-run-commands.htm



CMD

Opens de DOS command box   (To run as an Administrator hold Shift - Ctrl while pressing enter after typing CMD) 

MSTSC

Connection with external desktop (Windows) Remote desktop

DISKMGMT.MSC

Diskmanagement

RUN

Opens the Run box  (also Windows Key +R) 

MRT 

Do  a virusscan of your computer