SEC 11: How do you respond to an incident?
Identify key personnel and external resources: Identify internal and external personnel and resources that would help your organization respond to an incident.
Identify tooling: Identify AWS, partner, and open source tools that would help your organization respond to an incident.
Develop incident response plans: Create incident response plans, starting with the most likely scenarios for your workload and organization. Include how you would communicate and escalate both internally and externally.
Automate containment capability: Automate containment of an incident to reduce response times and organizational impact.
Identify forensic capabilities: Identify the forensic investigation capabilities that are available, including external specialists.
Identify people who will respond to an incident
Identify resources available that will help your organization respond to an incident.
- Identify compliance requirements: Discover the organizational, legal, and compliance requirements your workload needs to comply with.
See: AWS cloud compliance
- Identify key personnel in your organization: Maintain a contact list of personnel within your organization that you would need to involve to respond to and recover from an incident.
- Identify external partners: Engage with external partners if necessary that can help you respond to and recover from an incident.
- Identify tooling to respond and recover: Research and test tools that would help your organization respond to and recover from an incident.
- Identify forensic capabilities: Research your organization's forensic investigation capabilities, tools that are available, and external specialists.
- Develop incident response runbooks: Easy-to-follow runbooks should detail the steps you would take to respond to and recover from an incident.
- Develop escalation and communications plans: Escalation and communications plans should include personnel in your organization, and external parties that you must notify at each stage during an incident.
- Develop external public relations plan: Develop a plan for public relations to release information about an incident.
- Collect evidence: Evidence such as log files should be stored where responders can reach it but an attacker cannot alter or delete it, as it may be required for forensic purposes.
- Develop root cause analysis process: Have a process to identify and document the root cause of an event so that you can develop mitigations to limit or prevent recurrence and you can develop procedures for prompt and effective responses. Communicate root cause as appropriate, tailored to target audiences.
- Pre-deploy tools: Ensure that security personnel have the right tools pre-deployed into AWS so that an appropriate response can be made to an incident.
See: AWS Security Automation
- Pre-provision access: Ensure that security personnel have the correct access pre-provisioned into AWS so that an appropriate response can be made to an incident.
- Implement resource tagging: Tag resources with owner and data classification information so that you can identify resources during an incident.
See: AWS Tagging Strategies
- Implement clean room: Pre-configure a clean room for isolation and analysis of an incident.
See: Automating incident response and forensics in AWS
- Automate containment capability: Automated containment of an incident can reduce response times and organizational impact.
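The items above on pre-provisioned tooling and access, resource tagging, evidence collection, a clean room and automated containment come together in a containment playbook. The following is an added example, not code from the Well-Architected page or from AWS: a Python function in the style of a Lambda or responder-run script that quarantines an EC2 instance and preserves its disks. It assumes a pre-provisioned, rule-less quarantine security group (the ID QUARANTINE_SG is hypothetical) and a client with the boto3 EC2 client interface; FakeEC2 and sample_instance() are constructed stand-ins so the playbook runs offline, and in production you would pass boto3.client("ec2") from the security account's pre-provisioned role instead.

```python
"""Automated containment playbook for a compromised EC2 instance.

Added example, not code from the AWS Well-Architected page. Assumes a
pre-provisioned quarantine security group (QUARANTINE_SG is hypothetical)
and a client with the boto3 EC2 client interface. FakeEC2 and
sample_instance() are constructed stand-ins so this runs offline.
"""
from datetime import datetime, timezone

QUARANTINE_SG = "sg-0quarantine000"  # hypothetical isolation SG with no rules


def contain_instance(ec2, instance_id, case_id, quarantine_sg=QUARANTINE_SG):
    """Isolate the instance and freeze its disks; return an evidence record.

    Order matters: record the original state (so the owner can restore it),
    cut network access on every ENI, protect against termination, then
    snapshot. The instance is never stopped: that would lose volatile memory.
    """
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_sgs = {ni["NetworkInterfaceId"]: [g["GroupId"] for g in ni["Groups"]]
                    for ni in inst["NetworkInterfaces"]}
    volume_ids = [m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m]
    contained_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    case_tags = [{"Key": "incident:case", "Value": case_id},
                 {"Key": "incident:source-instance", "Value": instance_id}]

    # 1. Tag first: responders can find the asset, and recovery knows the old SGs.
    ec2.create_tags(Resources=[instance_id], Tags=case_tags + [
        {"Key": "incident:contained-at", "Value": contained_at},
        {"Key": "incident:original-sgs",
         "Value": ";".join(f"{eni}={','.join(sgs)}" for eni, sgs in original_sgs.items())},
    ])
    # 2. Swap SGs on *every* ENI. modify_instance_attribute(Groups=...) only
    #    changes the primary interface, which would leave a secondary ENI open.
    for eni in original_sgs:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[quarantine_sg])
    # 3. Termination protection stops a cleanup job from deleting the evidence.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    # 4. Snapshot attached volumes for analysis in the clean-room account.
    snapshot_ids = []
    for vid in volume_ids:
        snap = ec2.create_snapshot(
            VolumeId=vid, Description=f"{case_id}: {vid} from {instance_id}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": case_tags}])
        snapshot_ids.append(snap["SnapshotId"])
    return {"instance_id": instance_id, "case_id": case_id, "contained_at": contained_at,
            "original_security_groups": original_sgs, "snapshots": snapshot_ids}


class FakeEC2:
    """Constructed in-memory stand-in for the boto3 EC2 calls the playbook uses."""

    def __init__(self, instance):
        self.instance, self.calls, self._n = instance, [], 0

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instance]}]}

    def create_tags(self, Resources, Tags):
        self.calls.append(("create_tags", Resources, Tags))

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        for ni in self.instance["NetworkInterfaces"]:
            if ni["NetworkInterfaceId"] == NetworkInterfaceId:
                ni["Groups"] = [{"GroupId": g} for g in Groups]
        self.calls.append(("modify_network_interface_attribute", NetworkInterfaceId, Groups))

    def modify_instance_attribute(self, InstanceId, **attrs):
        self.calls.append(("modify_instance_attribute", InstanceId, attrs))

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        self._n += 1
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": f"snap-{self._n:08d}"}


def sample_instance():
    """Constructed describe_instances payload: two ENIs, two EBS volumes."""
    return {
        "InstanceId": "i-0123456789abcdef0",
        "NetworkInterfaces": [
            {"NetworkInterfaceId": "eni-0aaa", "Groups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}]},
            {"NetworkInterfaceId": "eni-0bbb", "Groups": [{"GroupId": "sg-db"}]},
        ],
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
            {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data"}},
        ],
    }


def run_demo():
    """Contain the sample instance with the fake client; returns (client, record)."""
    ec2 = FakeEC2(sample_instance())
    return ec2, contain_instance(ec2, "i-0123456789abcdef0", "IR-2024-001")


if __name__ == "__main__":
    print(run_demo()[1])
```

Two caveats a responder should plan for before running something like this in anger. The snapshots are crash-consistent disk images only; if the runbook calls for memory acquisition, capture it (for example through SSM Run Command) before the security group swap, because a quarantine group with no egress also severs the instance's path to the SSM endpoints unless a VPC endpoint is in place. And the role that runs the playbook, the quarantine group and the clean-room account that receives the snapshots are exactly the access and tooling the list above says to pre-provision; discovering mid-incident that none of them exist is the failure mode the game days below are meant to surface.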
Practice incident response and recovery
- Run game days: Run simulated incident response events (game days) for different threats that involve key staff and management.
- Capture lessons learned: Lessons learned from running game days should be part of a feedback loop to improve your processes.