The slide discusses incident handling and response in the context of cybersecurity. It emphasizes the importance of staying calm and following incident guidelines, as even low incidents can cause stress. The slide suggests that incident handling is similar to first aid and requires careful attention to avoid costly mistakes. It also encourages sharing experiences and highlights the six stages of incident handling include preparation, identification, containment, eradication, recovery, and lesson learned. It provides tips and recommendations for each phase, such as having the necessary resources and documentation, restoring backups, improving defenses, and documenting the incident for future improvements.

1. SECURITY INCIDENT
HANDLING & RESPONSE
- Mohammad Febri Ramadlan

2. 1. 6 Phases of Incident (SANS)
2. Problem Vs Solution
3. Conclusion
AGENDA

3. 01
Preparation
Identification
Containment
02
03
04
05
06
Eradiction
Recovery
Lesson Learned

4. Be ready and steady
01 PREPARATION

5. ● People
● Policy
● Data
● Software/Hardware
● Communications
● Supplies
● Transportation
● Space
● Power and Environmental Control
● Documentation
Preparation

6. Tips: Preparation
Incident Forms:
https://www.sans.org/sc
ore/incident-forms
https://docs.google.com
/document/d/1PA6T66R
dY-pKwiMY0kKk8KrjMjX
L_A3bK7AGrh1bYeo/edit
?usp=sharing
Form
Laptop with good
software and hardware
(16/2TB)
dd, autopsy, and other
incident tools are
installed
Jump Bag
Set up planning, tools
and technique, or
conduct war games
Train

7. Be willing to alert early!
02 IDENTIFICATION

8. Tips: Identification
● Windows Platform
● Linux Platform
Mitre ATT&CK Mapping

9. Identification
firewall, nips/nids
Network perimeter
personal/windows firewall, port
sentry
Host perimeter
AV, endpoint security, file
integrity (FIM)
System-level (host)
Application logs (web, app
server, cloud services)
Application-level detection

10. Stop the bleeding
03 CONTAINMENT

11. Containment
https://www.first.org/resources/guides/csirt_case_classi
fication.html
Classification, Criticality, Sensitivity:
Cheat Sheet Question
1. have we been compromised?
2. which system has been compromised?
3. who is the user on that system?
4. are any other systems at risk?
5. what are our containment?

12. Tips: Containment
Incident Tracking
Don’t Play the
Blame Game
Don’t Tip Off

13. 04 ERADICTION
To get rid of the attacker’s artifacts on the machine

14. Tips: Eradiction
Restore Backup
Remove Malware Improve defenses
Search for recent
backup before an
intrusion
Moving the system to a
new name/IP address

15. 05 RECOVERY
To put the impacted systems back into production
in a safe manner

16. Tips: Recovery
Have the
business unit
retest
Validate
System owner
make the final
call. Keep put
advices and
recommendati
ons
Restore
Assess Another
Same Machines
Monitor

17. 06 LESSON LEARNED
Document what happened and improve capabilities

18. ● Meeting
- Review the report
- Short and professional
● Apply Fixes
(people, process, technology)
Report

19. PROBLEM VS. SOLUTION
Don’t panic and read the
incident guideline.
Check incident history if any
Even a low incidence tends to
cause stress
Remain Calm Well Policy and
Procedure

20. Question?

21. Conclusion
● Keep the 6 stages in
mind.
● Incident Handling is
similar to first aid
● The caregiver is under
pressure and mistaken
can be costly
● Share your experience

22. CREDITS: This presentation template was created
by Slidesgo, including icons by Flaticon,
infographics & images by Freepik and
illustrations by Stories
THANKS!
mohammadfebrir@gmail.com