MCSB_v1 - Incident Response

The benchmark presents this domain as a table with the following columns: ID; Control Domain; CIS Controls v7.1 ID(s); CIS Controls v8 ID(s); NIST SP800-53 r4 ID(s); PCI-DSS v3.2.1 ID(s); Recommendation; Security Principle; Azure Guidance; Implementation and additional context (Azure); AWS Guidance; Implementation and additional context (AWS); Customer Security Stakeholders. Each control below is listed with those fields.
IR-1: Preparation - update incident response plan and handling process

Control Domain: Incident Response
CIS Controls v7.1 ID(s): 19.1 - Document Incident Response Procedures; 19.7 - Conduct Periodic Incident Scenario Sessions for Personnel
CIS Controls v8 ID(s): 17.4 - Establish and Maintain an Incident Response Process; 17.7 - Conduct Routine Incident Response Exercises
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING; IR-8: INCIDENT RESPONSE PLAN
PCI-DSS v3.2.1 ID(s): 10.8

Security Principle: Ensure your organization follows industry best practice to develop processes and plans to respond to security incidents on the cloud platforms. Be mindful of the shared responsibility model and the variances across IaaS, PaaS, and SaaS services. This has a direct impact on how you collaborate with your cloud provider in incident response and handling activities, such as incident notification and triage, evidence collection, investigation, eradication, and recovery.

Azure Guidance: Update your organization's incident response process to include the handling of incidents in the Azure platform. Based on the Azure services used and the nature of your application, customize the incident response plan and playbook to ensure they can be used to respond to incidents in the cloud environment. Regularly test the incident response plan and handling process to ensure they're up to date.

Implementation and additional context (Azure):
- Implement security across the enterprise environment: https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#4-process-update-incident-response-processes-for-cloud
- Incident response reference guide: https://docs.microsoft.com/microsoft-365/downloads/IR-Reference-Guide.pdf
- NIST SP800-61 Computer Security Incident Handling Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
- Incident response overview: https://docs.microsoft.com/en-us/security/compass/incident-response-overview

AWS Guidance: Ensure a unified multi-cloud incident response plan is in place by updating your organization's incident response process to include the handling of incidents in the AWS platform. Based on the AWS services used and the nature of your application, follow the AWS Security Incident Response Guide to customize the incident response plan and playbook to ensure they can be used to respond to incidents in the cloud environment.

Implementation and additional context (AWS):
- AWS Security Incident Response Guide: https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/welcome.html

Customer Security Stakeholders (the same three apply to every control in this domain):
- Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
IR-2: Preparation - set up incident contact information

Control Domain: Incident Response
CIS Controls v7.1 ID(s): 19.2 - Assign Job Titles and Duties for Incident Response; 19.3 - Designate Management Personnel to Support Incident Handling; 19.4 - Devise Organization-wide Standards for Reporting Incidents; 19.5 - Maintain Contact Information For Reporting Security Incidents
CIS Controls v8 ID(s): 17.1 - Designate Personnel to Manage Incident Handling; 17.3 - Establish and Maintain an Enterprise Process for Reporting Incidents; 17.6 - Define Mechanisms for Communicating During Incident Response
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING; IR-5: INCIDENT MONITORING; IR-6: INCIDENT REPORTING; IR-8: INCIDENT RESPONSE PLAN
PCI-DSS v3.2.1 ID(s): 12.1

Security Principle: Ensure that security alerts and incident notifications from the cloud service provider's platform and from your environments reach the correct contact in your incident response organization.

Azure Guidance: Set up security incident contact information in Microsoft Defender for Cloud. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alerts and notifications in different Azure services based on your incident response needs.

Implementation and additional context (Azure):
- How to set the Microsoft Defender for Cloud security contact: https://docs.microsoft.com/azure/security-center/security-center-provide-security-contact-details

AWS Guidance: Set up security incident contact information in AWS Systems Manager Incident Manager (the incident management center for AWS). This contact information is used for incident management communication between you and AWS through the different channels (email, SMS, or voice). You can define a contact's engagement plan and escalation plan to describe how and when Incident Manager engages the contact, and how to escalate if the contact(s) does not respond to an incident.

Implementation and additional context (AWS):
- Incident Manager Contact: https://docs.aws.amazon.com/incident-manager/latest/userguide/contacts.html

Customer Security Stakeholders: Security operations; Incident preparation; Threat intelligence (links as listed under IR-1).
IR-3: Detection and analysis - create incidents based on high-quality alerts

Control Domain: Incident Response
CIS Controls v7.1 ID(s): 19.8 - Create Incident Scoring and Prioritization Schema
CIS Controls v8 ID(s): 17.9 - Establish and Maintain Security Incident Thresholds
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING; IR-5: INCIDENT MONITORING; IR-7: INCIDENT RESPONSE ASSISTANCE
PCI-DSS v3.2.1 ID(s): 10.8

Security Principle: Ensure you have a process to create high-quality alerts and to measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives. High-quality alerts can be built from experience with past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.

Azure Guidance: Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use the Microsoft Defender for Cloud data connector to stream the alerts to Microsoft Sentinel. Microsoft Sentinel lets you create advanced alert rules to generate incidents automatically for investigation. Export your Microsoft Defender for Cloud alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.

Implementation and additional context (Azure):
- How to configure export: https://docs.microsoft.com/azure/security-center/continuous-export
- How to stream alerts into Microsoft Sentinel: https://docs.microsoft.com/azure/sentinel/connect-azure-security-center

AWS Guidance: Use security tools such as Security Hub or GuardDuty, and other third-party tools, to send alerts to Amazon CloudWatch or Amazon EventBridge so that incidents can be created automatically in Incident Manager based on the defined criteria and rule sets. You can also manually create incidents in Incident Manager for further incident handling and tracking. If you use Microsoft Defender for Cloud to monitor your AWS accounts, you can also use Microsoft Sentinel to monitor and alert on the incidents identified by Microsoft Defender for Cloud on AWS resources.

Implementation and additional context (AWS):
- Incident creation in Incident Manager: https://docs.aws.amazon.com/incident-manager/latest/userguide/incident-creation.html
- How Defender for Cloud Apps helps protect your Amazon Web Services (AWS) environment: https://docs.microsoft.com/en-us/defender-cloud-apps/protect-aws

Customer Security Stakeholders: Security operations; Incident preparation; Threat intelligence (links as listed under IR-1).
IR-4: Detection and analysis - investigate an incident

Control Domain: Incident Response
CIS Controls v7.1 ID(s): none
CIS Controls v8 ID(s): none
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING
PCI-DSS v3.2.1 ID(s): 12.1

Security Principle: Ensure the security operations team can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain and avoid blind spots. You should also ensure that insights and learnings are captured for other analysts and for future historical reference.

Use the cloud-native SIEM and incident management solution if your organization does not have an existing solution to aggregate security logs and alert information. Correlate incident data sourced from the different sources to facilitate incident investigations.

Azure Guidance: Ensure your security operations team can query and use diverse data sources that are collected from the in-scope services and systems. These sources can also include:
- Identity and access log data: Use Azure AD logs and workload (such as operating system or application level) access logs for correlating identity and access events.
- Network data: Use network security group flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information.
- Incident-related activity data from snapshots of the impacted systems, which can be obtained through:
  a) The Azure virtual machine snapshot capability, to create a snapshot of the running system's disk.
  b) The operating system's native memory dump capability, to create a snapshot of the running system's memory.
  c) The snapshot feature of the other supported Azure services, or your software's own capability, to create snapshots of the running systems.

Microsoft Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information gathered during an investigation can be associated with an incident for tracking and reporting purposes.

Implementation and additional context (Azure):
- Snapshot a Windows machine's disk: https://docs.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk
- Snapshot a Linux machine's disk: https://docs.microsoft.com/azure/virtual-machines/linux/snapshot-copy-managed-disk
- Microsoft Azure Support diagnostic information and memory dump collection: https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/
- Investigate incidents with Azure Sentinel: https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases

AWS Guidance: The data sources for investigation are the centralized logging sources that collect from the in-scope services and running systems, but can also include:
- Identity and access log data: Use IAM logs and workload (such as operating system or application level) access logs for correlating identity and access events.
- Network data: Use VPC Flow Logs, VPC Traffic Mirroring, and AWS CloudTrail and CloudWatch to capture network flow logs and other analytics information.
- Snapshots of running systems, which can be obtained through:
  a) The snapshot capability in Amazon EC2 (EBS), to create a snapshot of the running system's disk.
  b) The operating system's native memory dump capability, to create a snapshot of the running system's memory.
  c) The snapshot feature of the AWS services, or your software's own capability, to create snapshots of the running systems.

If you aggregate your SIEM-related data into Microsoft Sentinel, it provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information gathered during an investigation can be associated with an incident for tracking and reporting purposes.

Implementation and additional context (AWS):
- Traffic Mirroring: https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html
- Creating EBS volume backups with AMIs and EBS snapshots: https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/ec2-backup.html
- Use immutable storage: https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/use-immutable-storage.html

Note (applies to both platforms): When incident-related data is captured for investigation, ensure there is adequate security in place to protect the data from unauthorized alteration, such as disabling logging or removing logs, which attackers may attempt during an in-flight data breach.

Customer Security Stakeholders: Security operations; Incident preparation; Threat intelligence (links as listed under IR-1).
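The following is an added example, not part of the benchmark, showing what "correlating identity and access events" with "network flow logs" looks like in practice for the investigation step above. It takes two constructed, simplified inputs (a stand-in for Azure AD sign-in records as JSON lines and a stand-in for NSG flow-log tuples as CSV; the field names are this example's, not the products'), flags successful sign-ins from an IP the account had not used before, follows allowed flows hop by hop from that IP to see which hosts were reached, and merges both sources into one time-ordered timeline so an analyst sees initial access, lateral movement and outbound traffic in one view.

```python
"""Build one investigation timeline from identity and network evidence.

Added example, not part of the benchmark. Both inputs are constructed,
simplified stand-ins for Azure AD sign-in logs and NSG flow logs.
"""
import json
from datetime import datetime, timedelta

# Constructed sample: sign-in records, one JSON object per line.
SIGNIN_LOGS = """\
{"time":"2024-03-01T08:02:11Z","user":"alice@contoso.example","ip":"203.0.113.7","result":"success","app":"Azure Portal"}
{"time":"2024-03-01T08:05:40Z","user":"alice@contoso.example","ip":"203.0.113.7","result":"failure","app":"Azure Portal"}
{"time":"2024-03-01T08:06:02Z","user":"alice@contoso.example","ip":"198.51.100.9","result":"success","app":"Azure Portal"}
{"time":"2024-03-01T09:15:00Z","user":"bob@contoso.example","ip":"203.0.113.20","result":"success","app":"Office 365"}
"""

# Constructed sample: flow tuples
# time,src_ip,dst_ip,dst_port,proto,direction(I/O),decision(A=allowed,D=denied)
FLOW_LOGS = """\
2024-03-01T08:06:30Z,198.51.100.9,10.0.1.4,22,T,I,A
2024-03-01T08:07:10Z,10.0.1.4,10.0.2.8,445,T,O,A
2024-03-01T08:09:55Z,10.0.1.4,198.51.100.9,443,T,O,A
2024-03-01T09:20:00Z,203.0.113.20,10.0.1.4,443,T,I,D
"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_signins(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["time"] = _ts(rec["time"])
            events.append(rec)
    return events


def parse_flows(text):
    fields = ("time", "src_ip", "dst_ip", "dst_port", "proto", "direction", "decision")
    flows = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(fields, line.split(",")))
            rec["time"] = _ts(rec["time"])
            rec["dst_port"] = int(rec["dst_port"])
            flows.append(rec)
    return flows


def new_ip_signins(signins):
    """Successful sign-ins from an IP the user had not successfully used earlier."""
    seen, flagged = {}, []
    for ev in sorted(signins, key=lambda e: e["time"]):
        ips = seen.setdefault(ev["user"], set())
        if ev["result"] != "success":
            continue                      # failures do not establish a known IP
        if ips and ev["ip"] not in ips:
            flagged.append((ev["user"], ev["ip"], ev["time"]))
        ips.add(ev["ip"])
    return flagged


def trace_from_ip(start_ip, flows, window=timedelta(hours=1), max_hops=3):
    """Follow allowed flows hop by hop from start_ip within `window` of its first
    contact. Returns (hosts reached in order, flows on the path)."""
    frontier, reached, path, first = {start_ip}, [], [], None
    for _ in range(max_hops):
        next_hop = set()
        for f in sorted(flows, key=lambda f: f["time"]):
            if f["decision"] != "A" or f["src_ip"] not in frontier:
                continue
            first = first or f["time"]
            if f["time"] - first > window:
                continue
            path.append(f)
            if f["dst_ip"] != start_ip and f["dst_ip"] not in reached:
                reached.append(f["dst_ip"])
                next_hop.add(f["dst_ip"])
        if not next_hop:
            break
        frontier = next_hop
    return reached, path


def build_timeline(signins, flows):
    """Merge both sources into one time-ordered list of (time, source, summary)."""
    rows = [(e["time"], "signin", f'{e["user"]} {e["result"]} from {e["ip"]} to {e["app"]}')
            for e in signins]
    rows += [(f["time"], "flow",
              f'{f["src_ip"]} -> {f["dst_ip"]}:{f["dst_port"]} '
              f'{"allowed" if f["decision"] == "A" else "denied"}')
             for f in flows]
    return sorted(rows)


if __name__ == "__main__":
    signins, flows = parse_signins(SIGNIN_LOGS), parse_flows(FLOW_LOGS)
    for user, ip, when in new_ip_signins(signins):
        hosts, _ = trace_from_ip(ip, flows)
        print(f"{when:%H:%M:%S} {user} signed in from new IP {ip}; hosts reached: {hosts}")
    for t, source, text in build_timeline(signins, flows):
        print(f"{t:%Y-%m-%d %H:%M:%S} [{source:6}] {text}")
```

On the sample data the new-IP sign-in by alice is followed within minutes by an inbound SSH flow from that IP to 10.0.1.4, an SMB connection from that host to 10.0.2.8, and an outbound HTTPS flow back to the external IP; without the identity log the flows look like ordinary traffic, and without the flow log the sign-in looks like a single anomaly, which is the blind spot the principle above warns about.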
IR-5: Detection and analysis - prioritize incidents

Control Domain: Incident Response
CIS Controls v7.1 ID(s): 19.8 - Create Incident Scoring and Prioritization Schema
CIS Controls v8 ID(s): 17.4 - Establish and Maintain an Incident Response Process; 17.9 - Establish and Maintain Security Incident Thresholds
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING
PCI-DSS v3.2.1 ID(s): 12.1

Security Principle: Provide context to security operations teams to help them determine which incidents ought to be focused on first, based on alert severity and asset sensitivity as defined in your organization's incident response plan.

Azure Guidance: Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, mark resources using tags and create a naming system to identify and categorize your cloud resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the resources and environment where the incident occurred.

Similarly, Microsoft Sentinel creates alerts and incidents with an assigned severity and other details based on analytics rules. Use analytics rule templates and customize the rules according to your organization's needs to support incident prioritization. Use automation rules in Microsoft Sentinel to manage and orchestrate threat response in order to maximize your security operations team's efficiency and effectiveness, including tagging incidents to classify them.

Implementation and additional context (Azure):
- Security alerts in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-alerts-overview
- Use tags to organize your Azure resources: https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags
- Create incidents from Microsoft security alerts: https://learn.microsoft.com/azure/sentinel/create-incidents-from-alerts

AWS Guidance: For each incident created in Incident Manager, assign an impact level based on your organization's defined criteria, such as a measure of the severity of the incident and the criticality level of the assets impacted.

Implementation and additional context (AWS):
- Define your naming convention best practice: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming

Customer Security Stakeholders: Security operations; Incident preparation; Threat intelligence (links as listed under IR-1).
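The two controls above ask for two things that fit together: a way to measure alert quality from past incidents (IR-3) and a way to order the queue by alert severity and asset sensitivity (IR-5). The following added example, not part of the benchmark, does both on constructed data. It computes per-rule precision from how analysts classified closed incidents, lists rules whose history says most of their alerts were not real (candidates for tuning), and then scores open alerts as severity x asset criticality (from constructed data-classification and environment tags) x rule confidence. Rule names, classification labels, tag names and weights are all this example's assumptions; in a real deployment the closed-incident records would come from the SIEM's case history and the tags from the resource inventory.

```python
"""Measure analytic-rule quality and use it to order the analyst queue.

Added example, not part of the benchmark. All names, tags and weights
are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: how analysts classified past incidents, per analytic rule.
CLOSED_INCIDENTS = (
    [{"rule": "Sign-in from unfamiliar location", "classification": "TruePositive"}] * 6
    + [{"rule": "Sign-in from unfamiliar location", "classification": "FalsePositive"}] * 2
    + [{"rule": "Key Vault secret enumeration", "classification": "TruePositive"}] * 5
    + [{"rule": "Scheduled task creation", "classification": "TruePositive"}] * 1
    + [{"rule": "Scheduled task creation", "classification": "FalsePositive"}] * 7
    + [{"rule": "Scheduled task creation", "classification": "BenignPositive"}] * 2
    + [{"rule": "Scheduled task creation", "classification": "Undetermined"}] * 1
)

# Constructed sample: alerts currently waiting for triage, with resource tags.
OPEN_ALERTS = [
    {"id": "a1", "rule": "Scheduled task creation", "severity": "High", "resource": "vm-dev-07",
     "tags": {"environment": "dev", "data-classification": "internal"}},
    {"id": "a2", "rule": "Key Vault secret enumeration", "severity": "Medium", "resource": "kv-payments",
     "tags": {"environment": "prod", "data-classification": "confidential"}},
    {"id": "a3", "rule": "Sign-in from unfamiliar location", "severity": "Medium", "resource": "user:alice",
     "tags": {"environment": "prod", "data-classification": "internal"}},
    {"id": "a4", "rule": "Scheduled task creation", "severity": "Low", "resource": "vm-prod-02",
     "tags": {"environment": "prod", "data-classification": "confidential"}},
]

# Constructed weights; an organization sets these in its incident response plan.
SEVERITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
CLASSIFICATION_WEIGHT = {"confidential": 3, "internal": 2, "public": 1}
ENVIRONMENT_MULTIPLIER = {"prod": 1.5, "dev": 1.0}
DEFAULT_CONFIDENCE = 0.5  # for rules with too little history to judge


def rule_precision(closed, min_samples=5):
    """Per rule: (share of closed incidents that were true positives, sample count).
    Undetermined closures are ignored; rules with fewer than min_samples get no entry."""
    counts = defaultdict(lambda: {"tp": 0, "total": 0})
    for inc in closed:
        label = inc["classification"]
        if label == "Undetermined":
            continue
        counts[inc["rule"]]["total"] += 1
        if label == "TruePositive":
            counts[inc["rule"]]["tp"] += 1
    return {rule: (c["tp"] / c["total"], c["total"])
            for rule, c in counts.items() if c["total"] >= min_samples}


def noisy_rules(precisions, max_precision=0.3):
    """Rules whose alerts were mostly not real: candidates for tuning or suppression."""
    return sorted(rule for rule, (p, _) in precisions.items() if p < max_precision)


def asset_criticality(tags):
    """Asset sensitivity derived from resource tags (unknown tags fall back to lowest)."""
    weight = CLASSIFICATION_WEIGHT.get(tags.get("data-classification", "").lower(), 1)
    return weight * ENVIRONMENT_MULTIPLIER.get(tags.get("environment", "").lower(), 1.0)


def prioritize(open_alerts, precisions):
    """Score = severity x asset criticality x rule confidence; highest score first."""
    ranked = []
    for alert in open_alerts:
        confidence, _ = precisions.get(alert["rule"], (DEFAULT_CONFIDENCE, 0))
        score = SEVERITY_WEIGHT.get(alert["severity"], 0) * asset_criticality(alert["tags"]) * confidence
        ranked.append((round(score, 3), alert["id"], alert["rule"], alert["resource"]))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    precisions = rule_precision(CLOSED_INCIDENTS)
    print("rules to tune:", noisy_rules(precisions))
    for score, alert_id, rule, resource in prioritize(OPEN_ALERTS, precisions):
        print(f"{score:6.2f}  {alert_id}  {resource:14}  {rule}")
```

With the sample data the High-severity alert a1 ranks below two Medium-severity alerts, because it comes from a rule that was wrong nine times out of ten and fires on a development machine, while a2 sits on a production Key Vault tagged confidential; that is the kind of context the principle above asks you to give the analyst rather than sorting by severity alone.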
IR-6: Containment, eradication and recovery - automate the incident handling

Control Domain: Incident Response
CIS Controls v7.1 ID(s): none
CIS Controls v8 ID(s): none
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING; IR-5: INCIDENT MONITORING; IR-6: INCIDENT REPORTING
PCI-DSS v3.2.1 ID(s): 12.1

Security Principle: Automate manual, repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which raises the risk of human error that causes delays and degrades the ability of analysts to focus effectively on complex tasks.

Azure Guidance: Use workflow automation features in Microsoft Defender for Cloud and Microsoft Sentinel to automatically trigger actions or run playbooks to respond to incoming security alerts. Playbooks take actions such as sending notifications, disabling accounts, and isolating problematic networks.

Implementation and additional context (Azure):
- Configure workflow automation in Security Center: https://docs.microsoft.com/azure/security-center/workflow-automation
- Set up automated threat responses in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/tutorial-security-incident#triage-security-alerts
- Set up automated threat responses in Microsoft Sentinel: https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook

AWS Guidance: If you use Microsoft Sentinel to centrally manage your incidents, you can also create automated actions or run playbooks to respond to incoming security alerts. Alternatively, use the automation features in AWS Systems Manager to automatically trigger actions defined in the incident response plan, including notifying the contacts and/or running a runbook to respond to alerts, such as disabling accounts and isolating problematic networks.

Implementation and additional context (AWS):
- AWS Systems Manager - runbooks and automation: https://docs.aws.amazon.com/incident-manager/latest/userguide/runbooks.html

Customer Security Stakeholders: Security operations; Incident preparation; Threat intelligence (links as listed under IR-1).
IR-7: Post-incident activity - conduct lessons learned and retain evidence

Control Domain: Incident Response
CIS Controls v7.1 ID(s): none
CIS Controls v8 ID(s): 17.8 - Conduct Post-Incident Reviews
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING
PCI-DSS v3.2.1 ID(s): 12.1

Security Principle: Conduct lessons-learned reviews in your organization periodically and/or after major incidents, to improve your future capability in incident response and handling.

Based on the nature of the incident, retain the evidence related to the incident for the period defined in the incident handling standard, for further analysis or legal action.

Azure Guidance: Use the outcome of the lessons-learned activity to update your incident response plan and playbooks (such as a Microsoft Sentinel playbook), and reincorporate findings into your environments (such as logging and threat detection, to address any gaps in logging) to improve your future capability in detecting, responding to, and handling incidents in Azure.

Keep the evidence collected during the "Detection and analysis - investigate an incident" step, such as system logs, network traffic dumps and running-system snapshots, in storage such as an Azure Storage account configured for immutable retention.

Implementation and additional context (Azure):
- Incident response process - Post-incident cleanup: https://docs.microsoft.com/security/compass/incident-response-process#2-post-incident-cleanup

AWS Guidance: Create an incident analysis for a closed incident in Incident Manager using the standard incident analysis template or your own custom template. Use the outcome of the lessons-learned activity to update your incident response plan and playbooks (such as an AWS Systems Manager runbook or a Microsoft Sentinel playbook), and reincorporate findings into your environments (such as logging and threat detection, to address any gaps in logging) to improve your future capability in detecting, responding to, and handling incidents in AWS.

Keep the evidence collected during the "Detection and analysis - investigate an incident" step, such as system logs, network traffic dumps and running-system snapshots, in storage such as an Amazon S3 bucket or Azure Storage account configured for immutable retention.

Implementation and additional context (AWS):
- Post-incident analysis: https://docs.aws.amazon.com/incident-manager/latest/userguide/analysis.html

Customer Security Stakeholders: Security operations; Incident preparation; Threat intelligence (links as listed under IR-1).
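Immutable storage, as the control above recommends, keeps retained evidence from being changed; what it does not give you on its own is a record that proves, months later or in a legal setting, that the artifacts retained are the ones collected, and that none were dropped. The following added example, not part of the benchmark, shows the integrity manifest a responder would store alongside the evidence: every artifact is hashed with SHA-256, the hashes are chained in a fixed order so entries cannot be removed or reordered without changing the final chain value, and a verification function reports altered, missing, unlisted or edited entries. The artifact names and contents are constructed; the case id and collector fields are this example's assumptions.

```python
"""Tamper-evident manifest for retained incident evidence.

Added example, not part of the benchmark. Immutable storage holds the
artifacts; this manifest (and its own hash, recorded in the case notes)
lets an analyst prove later that what was retained is what was collected.
"""
import hashlib
import json

# Constructed sample evidence set: artifact name -> bytes as collected.
EVIDENCE = {
    "vm01-syslog.log": b"Mar  1 08:06:31 vm01 sshd[412]: Accepted publickey for deploy from 198.51.100.9 port 51202\n",
    "nsg-flows.csv": b"2024-03-01T08:06:30Z,198.51.100.9,10.0.1.4,22,T,I,A\n",
    "vm01-disk-snapshot.meta": b'{"snapshot":"vm01-osdisk-2024-03-01","sizeGiB":128}\n',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: dict, case_id: str, collected_by: str, collected_at: str) -> dict:
    """Hash every artifact and chain the hashes in name order, seeded with the
    case id, so entries cannot be dropped or reordered without breaking the chain."""
    entries = []
    chain = sha256_hex(case_id.encode())
    for name in sorted(evidence):
        digest = sha256_hex(evidence[name])
        chain = sha256_hex(f"{chain}|{name}|{digest}".encode())
        entries.append({"name": name, "bytes": len(evidence[name]), "sha256": digest, "chain": chain})
    return {"case_id": case_id, "collected_by": collected_by, "collected_at": collected_at,
            "entries": entries, "chain": chain}


def verify_manifest(evidence: dict, manifest: dict) -> list:
    """Return the problems found (altered, missing or unlisted artifacts, broken
    chain); an empty list means the evidence set matches the manifest."""
    problems = []
    chain = sha256_hex(manifest["case_id"].encode())
    listed = set()
    for entry in manifest["entries"]:
        name = entry["name"]
        listed.add(name)
        data = evidence.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"altered: {name}")
        chain = sha256_hex(f"{chain}|{name}|{entry['sha256']}".encode())
        if chain != entry["chain"]:
            problems.append(f"chain broken at: {name}")
    if chain != manifest["chain"]:
        problems.append("chain mismatch: manifest entries were edited")
    problems += [f"unlisted: {name}" for name in sorted(evidence) if name not in listed]
    return problems


def manifest_to_json(manifest: dict) -> str:
    """Deterministic serialisation, so the manifest's own hash is stable."""
    return json.dumps(manifest, sort_keys=True, indent=2)


def manifest_from_json(text: str) -> dict:
    return json.loads(text)


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, "CASE-0001", "analyst@contoso.example", "2024-03-01T10:00:00Z")
    text = manifest_to_json(manifest)
    print(text)
    print("manifest sha256:", sha256_hex(text.encode()))
    print("intact:", verify_manifest(EVIDENCE, manifest))
    tampered = dict(EVIDENCE, **{"vm01-syslog.log": b"Mar  1 08:06:31 vm01 sshd[412]: nothing to see\n"})
    print("after edit:", verify_manifest(tampered, manifest))
```

Record the manifest's own hash somewhere the evidence store cannot reach (the case record in the incident management tool, for instance): the manifest then detects changes to the artifacts, and the recorded hash detects changes to the manifest.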