
Chapter 34: Basic Incident Response

IR Lifecycle

1. Preparation → training, playbooks and tools ready in advance
2. Detection → detect the incident
3. Analysis → understand scope and impact
4. Containment → stop it spreading
5. Eradication → remove the attacker from the environment
6. Recovery → restore services
7. Post-Mortem → learn from the incident

Detection

Signals to watch for:
- Alerts from WAF/IDS: SQL injection, XSS attempts
- Unusual auth patterns: logins from a new IP, impossible travel
- Data exfiltration: large outbound traffic
- Unusual processes: web shell execution (www-data → bash)
- Unauthorized config changes
- Certificate changes
- New user accounts created
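To make the signals above concrete, here is an added example (not from the original chapter) of three small detectors in POSIX shell and awk run over constructed log lines: successful logins from an IP outside a user's baseline, a burst of failures followed by a success, and SQL-injection-looking requests in an nginx-style access log. All IPs, usernames, the baseline and the log formats are made up; in production the same awk logic would read the real log sources.

```shell
#!/bin/sh
# Added example: three detectors over constructed log lines. IPs, users and
# formats are made up; in production these read from the real log sources.

# Constructed auth events: "<timestamp> <user> <source-ip> <result>"
AUTH_LOG='2024-05-01T14:02:11Z alice 203.0.113.10 success
2024-05-01T14:05:40Z alice 203.0.113.10 success
2024-05-01T14:30:02Z alice 198.51.100.77 success
2024-05-01T14:31:15Z bob 192.0.2.5 failure
2024-05-01T14:31:16Z bob 192.0.2.5 failure
2024-05-01T14:31:17Z bob 192.0.2.5 failure
2024-05-01T14:31:18Z bob 192.0.2.5 failure
2024-05-01T14:31:19Z bob 192.0.2.5 failure
2024-05-01T14:31:25Z bob 192.0.2.5 success'

# Constructed per-user IP baseline (normally built from the last N days of logins).
BASELINE='alice 203.0.113.10
bob 192.0.2.5'

# Constructed nginx-style access log lines.
ACCESS_LOG='203.0.113.10 - - [01/May/2024:14:40:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
198.51.100.77 - - [01/May/2024:14:40:05 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 9031
198.51.100.77 - - [01/May/2024:14:40:09 +0000] "GET /item?id=1%20UNION%20SELECT HTTP/1.1" 500 88'

# Signal: successful login from an IP not in the user's baseline ("login from a new IP").
# Prints "<user> <ip>" for each such event.
new_ip_logins() {
  printf '%s\n' "$AUTH_LOG" | awk -v base="$BASELINE" '
    BEGIN {
      n = split(base, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], f, " "); known[f[1] " " f[2]] = 1 }
    }
    $4 == "success" && !(($2 " " $3) in known) { print $2, $3 }'
}

# Signal: at least THRESHOLD failures from one user/IP pair followed by a success
# (password guessing that eventually worked). Prints "<user> <ip> <failures>".
brute_then_success() {
  printf '%s\n' "$AUTH_LOG" | awk -v threshold="${1:-5}" '
    $4 == "failure" { fail[$2 " " $3]++ }
    $4 == "success" && fail[$2 " " $3] >= threshold { print $2, $3, fail[$2 " " $3] }'
}

# Signal: request paths containing common SQL injection fragments, raw or
# URL-encoded, the kind of pattern a WAF alert is built on. Prints "<ip> <path>".
sqli_attempts() {
  printf '%s\n' "$ACCESS_LOG" |
    grep -Ei "(%27|')(%20|[+ ])*(or|and)(%20|[+ ])|union(%20|[+ ])+select" |
    awk '{ print $1, $7 }'
}

echo "== logins from new IPs";      new_ip_logins
echo "== brute force then success"; brute_then_success 5
echo "== SQL injection attempts";   sqli_attempts
```

Each detector is a pure filter over stdin-style input, so the same functions can be pointed at a live log with `tail -F` once the field positions are adjusted to the real format. The baseline check is what catches the "new IP" signal; the failure counter needs the threshold tuned per environment to avoid alerting on ordinary typos.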

Containment

# Immediate containment (ATTACKER_IP, COMPROMISED_KEY and IAM_USER are placeholders):
# 1. Block the attacker's IP
iptables -I INPUT -s ATTACKER_IP -j DROP

# 2. Revoke compromised credentials
#    --user-name is required when the key belongs to a user other than the caller
aws iam delete-access-key --user-name IAM_USER --access-key-id COMPROMISED_KEY

# 3. Isolate the compromised K8s pod
#    cordon stops new pods being scheduled on the node; it does not evict existing ones.
#    Deleting the pod destroys its filesystem, so collect evidence first (see Basic forensics).
#    kubectl silently raises --grace-period=0 to 1 unless --force is also given.
kubectl cordon affected-node
kubectl delete pod compromised-pod --grace-period=0 --force

# 4. Revoke sessions
#    DEL takes literal key names, so `del "session:*"` would only remove a key named
#    exactly "session:*". Enumerate matching keys with SCAN and delete them in batches.
redis-cli --scan --pattern 'session:*' | xargs -n 100 redis-cli del

# 5. Scale down (if needed)
kubectl scale deployment webapp --replicas=0

# 6. Network isolation
kubectl apply -f network-policy-deny-all.yaml
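The `network-policy-deny-all.yaml` applied in step 6 is not shown in the chapter. Below is an added example (not from the original page) of a small shell helper that generates such a policy for a single pod: the pod is labelled, and a NetworkPolicy selecting that label with `policyTypes` of Ingress and Egress but no rules denies all traffic in both directions while the pod keeps running for evidence collection. The namespace, the label key `incident`, the policy name and the pod name are assumptions.

```shell
#!/bin/sh
# Added example: generate a per-pod deny-all NetworkPolicy for containment.
# The label key "incident", the policy name and the demo names are assumptions.

# Print a NetworkPolicy that selects pods labelled incident=isolated in the
# given namespace. policyTypes lists both directions and no rules follow,
# so all ingress and egress (including DNS) is denied for the selected pods.
render_isolation_policy() {
  ns=$1
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: incident-isolate
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      incident: isolated
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Label the pod and apply the policy. Requires kubectl and a CNI that enforces
# NetworkPolicy (e.g. Calico or Cilium); without one the policy is accepted by
# the API server but silently not enforced, so verify with a connectivity test.
isolate_pod() {
  ns=$1; pod=$2
  kubectl -n "$ns" label pod "$pod" incident=isolated --overwrite
  render_isolation_policy "$ns" | kubectl apply -f -
}

# Lift isolation once evidence is collected and the pod is cleaned or replaced.
release_pod() {
  ns=$1; pod=$2
  kubectl -n "$ns" label pod "$pod" incident-
  kubectl -n "$ns" delete networkpolicy incident-isolate --ignore-not-found
}

render_isolation_policy prod   # constructed namespace; prints the YAML
```

Isolating by label rather than deleting the pod keeps its filesystem and process list available for the forensics steps that follow; `release_pod` is the explicit reversal so that containment does not linger as an unexplained outage.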

Basic forensics

# Collect evidence before cleanup

# 1. Save logs (-p keeps the original timestamps and permissions)
mkdir -p evidence
kubectl logs compromised-pod > evidence/pod-logs.txt
cp -p /var/log/nginx/access.log evidence/
cp -p /var/log/auth.log evidence/

# 2. Process snapshot
ps auxf > evidence/processes.txt
netstat -tulpn > evidence/network-connections.txt   # or `ss -tulpn` where netstat is not installed
lsof > evidence/open-files.txt

# 3. Disk image (if deep forensics is needed)
# Never modify the original evidence; work on a copy

# 4. Memory dump (advanced)
# avml or the LiME kernel module
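As an added example (not from the original chapter), the collection above can be wrapped so that evidence is hashed and made read-only at collection time, which is what later lets you show the copies were not altered. `collect_evidence`, `verify_evidence`, `snapshot_volatile`, the bundle layout (MANIFEST, SHA256SUMS) and the sample files are assumptions; the volatile-state snapshot mirrors step 2 and only runs the tools that are installed.

```shell
#!/bin/sh
# Added example: evidence bundle with hashes, a manifest and read-only files.
# Function names, file layout and the sample inputs are assumptions.

# collect_evidence DEST FILE...  copies each readable FILE into DEST,
# preserving timestamps and permissions, writes a chain-of-custody
# MANIFEST and a SHA256SUMS list, then makes the bundle read-only.
collect_evidence() {
  dest=$1; shift
  mkdir -p "$dest"
  for src in "$@"; do
    if [ -r "$src" ]; then
      cp -p "$src" "$dest/"          # -p: keep mtime/mode; originals untouched
    else
      echo "collect_evidence: skipping unreadable $src" >&2
    fi
  done
  printf 'collected_by=%s\nhost=%s\ncollected_at=%s\n' \
    "$(id -un)" "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$dest/MANIFEST"
  # Hash everything except the hash list itself.
  ( cd "$dest" && for f in *; do
      [ "$f" = SHA256SUMS ] || sha256sum -- "$f"
    done > SHA256SUMS )
  chmod -R a-w "$dest"
}

# verify_evidence DEST  returns 0 only if every file still matches SHA256SUMS.
verify_evidence() {
  ( cd "$1" && sha256sum -c SHA256SUMS > /dev/null )
}

# snapshot_volatile DEST  captures process and socket state (step 2 above)
# using whichever tools exist on the host.
snapshot_volatile() {
  dest=$1
  mkdir -p "$dest"
  ps auxf > "$dest/processes.txt" 2>/dev/null || ps aux > "$dest/processes.txt"
  if command -v ss >/dev/null 2>&1; then ss -tulpn > "$dest/network-connections.txt"
  elif command -v netstat >/dev/null 2>&1; then netstat -tulpn > "$dest/network-connections.txt"; fi
  command -v lsof >/dev/null 2>&1 && lsof > "$dest/open-files.txt" 2>/dev/null
  return 0
}

# Demo on constructed files (not real logs).
demo() {
  tmp=$(mktemp -d)
  printf '203.0.113.10 - - [01/May/2024:14:40:05 +0000] "GET /admin HTTP/1.1" 403 0\n' > "$tmp/access.log"
  printf 'May  1 14:41:02 web1 sshd[812]: Accepted password for root from 203.0.113.10 port 5110\n' > "$tmp/auth.log"
  collect_evidence "$tmp/evidence" "$tmp/access.log" "$tmp/auth.log" "$tmp/missing.log"
  verify_evidence "$tmp/evidence" && echo "evidence bundle verified: $tmp/evidence"
  cat "$tmp/evidence/SHA256SUMS"
  chmod -R u+w "$tmp" && rm -rf "$tmp"
}
demo
```

Run `collect_evidence` before any of the containment steps that destroy state (pod deletion, scale-down), and record the SHA256SUMS digest in the incident ticket so the bundle can be re-verified later. On macOS `sha256sum` is `shasum -a 256`.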

Communication

Internal:
- Security team: immediately
- Management: within 1 hour
- Engineering leads: as soon as containment is needed

External:
- Customers: if data was breached (as required by regulation)
- Regulators: GDPR requires notification within 72 hours
- Law enforcement: if needed

Post-Mortem

# Security Incident Post-Mortem

## Timeline
- 14:30 Alert triggered: unusual admin access
- 14:35 Incident response activated
- 14:45 Compromised account identified
- 15:00 Credentials revoked, sessions cleared
- 15:30 Root cause identified: phishing attack
- 16:00 All systems verified clean
- 18:00 Services fully restored

## Root Cause
Phishing email → credential theft → unauthorized admin access

## What Went Well
- Alert triggered within 5 minutes
- Containment within 30 minutes

## What Went Wrong
- No MFA enabled → single factor compromised
- Logs were not sufficient to determine scope

## Action Items
1. Enable MFA for all admin accounts [P0, Owner: Security]
2. Improve logging detail [P1, Owner: DevOps]
3. Phishing training for all employees [P1, Owner: HR]