SEC 10: How do you anticipate, respond to, and recover from incidents?

Preparation is critical to timely and effective investigation, response to, and recovery from security incidents to help minimize disruption to your organization.

Resources

Prepare for and respond to security incidents in your AWS environment
Automating Incident Response and Forensics in AWS
DIY guide to runbooks, incident reports, and incident response
CloudEndure Disaster Recovery
AWS Incident Response Guide
Lab: Incident Response Playbook with Jupyter - AWS IAM
Lab: Incident Response with AWS Console and CLI

Best Practices:

• Identify key personnel and external resources: Identify internal and external personnel, resources, and legal obligations that would help your organization respond to an incident.

• Develop incident management plans: Create plans to help you respond to, communicate during, and recover from an incident. For example, you can start an incident response plan with the most likely scenarios for your workload and organization. Include how you would communicate and escalate both internally and externally.

• Prepare forensic capabilities: Identify and prepare forensic investigation capabilities that are suitable, including external specialists, tools, and automation.

• Automate containment capability: Automate containment and recovery of an incident to reduce response times and organizational impact.

• Pre-provision access: Ensure that incident responders have the correct access pre-provisioned into AWS to reduce the time for investigation through to recovery.

• Pre-deploy tools: Ensure that security personnel have the right tools pre-deployed into AWS to reduce the time for investigation through to recovery.

• Run game days: Practice incident response game days (simulations) regularly, incorporate lessons learned into your incident management plans, and continuously improve.

Improvement Plan

Identify key personnel and external resources

Identify key personnel in your organization: Maintain a contact list of personnel within your organization that you would need to involve to respond to and recover from an incident.

Identify external partners: Engage with external partners if necessary that can help you respond to and recover from an incident.

Develop incident management plans

Review available resources: AWS and industry resources are available for you to use.
AWS Security Incident Response Guide
NIST: Computer Security Incident Handling Guide

Develop incident response playbooks: Easy to follow playbooks should detail steps that you would take to respond and recover from an incident.

Develop escalation and communications plans: Escalation and communications plans should include personnel in your organization, and external parties that you must notify at each stage during an incident.

Develop external public relations plan: Develop a plan for public relations to release information about an incident.

Prepare forensic capabilities

Identify forensic capabilities: Research your organization's forensic investigation capabilities, available tools, and external specialists.
Automating Incident Response and Forensics

Automate containment capability

Automate containment capability

Pre-provision access

Pre-provision access: Ensure that security personnel have the correct access pre-provisioned in AWS so that an appropriate response can be made to an incident.

Pre-deploy tools

Pre-deploy tools: Ensure that security personnel have the right tools pre-deployed in AWS so that an appropriate response can be made to an incident.
Lab: Incident response with AWS Management Console and CLI
Incident Response Playbook with Jupyter - AWS IAM
AWS Security Automation

Implement resource tagging: Tag resources with information, such as a code for the resource under investigation, so that you can identify resources during an incident.
AWS Tagging Strategies

Run game days

Run game days: Run simulated incident response events (game days) for different threats that involve key staff and management.

Capture lessons learned: Lessons learned from running game days should be part of a feedback look to improve your processes.