Skip to content
VigilGuard Logo VigilGuard
Contact Us
EASM Platform VendorGuard ITRM Platform

Incident Response

Incident Response

Section titled “Incident Response”

5 automated security scanners

IR Plan Playbooks

Section titled “IR Plan Playbooks”

Purpose: This scanner analyzes the incident response plan and playbooks for a given domain to assess its vulnerability in handling cyber threats. It checks if the IR (Incident Response) plan is documented, roles are defined, and if there’s a classification framework. Additionally, it evaluates the coverage of critical scenarios through playbooks and their documentation currency.

What It Detects:

  • IR Plan Documentation: The scanner identifies whether the incident response plan is documented and if all necessary roles are defined.
  • Classification Framework: It checks for the presence of a classification framework within the IR plan to categorize incidents based on severity.
  • Playbook Coverage: The scanner evaluates the number of critical scenarios covered by playbooks, which should ideally be at least three.
  • Documentation Currency: It assesses whether the documentation is up-to-date and if it references current tools or technologies.

Inputs Required:

  • Domain: The target domain for the assessment, e.g., “acme.com”.

Business Impact: This scanner is crucial as it helps in identifying gaps in an organization’s cyber defense mechanisms. A robust incident response plan and up-to-date playbooks are essential to mitigate potential damages from cyber threats effectively.

Risk Levels:

  • Critical: The IR plan is incomplete or roles are undefined, and there are significant missing critical scenario playbooks.
  • High: Insufficient playbook coverage (less than three scenarios documented), outdated documentation, or references of outdated tools/technologies.
  • Medium: Partially covered critical scenarios, some role definitions lacking in the IR plan, or mixed signals regarding tool usage in documentation.
  • Low: Well-documented IR plan with current playbooks and clear roles defined, adequate coverage of critical scenarios, and no references to outdated tools/technologies.
  • Info: Minimal findings indicating minor issues that could be improved for better security posture.

Example Findings:

  1. The IR plan lacks a comprehensive structure, making it difficult to assign roles effectively.
  2. Only two out of the five critical scenarios are covered by playbooks, leaving significant gaps in potential threat responses.

Communication Protocols

Section titled “Communication Protocols”

Purpose: The purpose of this scanner is to analyze and assess the incident response communication protocols for a given domain, identifying potential vulnerabilities in escalation procedures, stakeholder communication framework, secure channels, and documentation templates. This assessment helps in understanding the organization’s preparedness for handling incidents efficiently through effective communication.

What It Detects:

  • Missing Escalation Procedures: The scanner identifies if there are no documented escalation procedures or if timeframes for escalation are not defined.
  • Incomplete Stakeholder Communication Framework: The scanner detects if the contact list is not maintained or if notification systems are lacking.
  • Insecure Channels: The scanner flags the absence of encrypted messaging and out-of-band communication channels.
  • Insufficient Templates: It checks for the presence of at least three types of templates related to incident communications.
  • Poor Documentation: The scanner identifies gaps in runbooks or contact maintenance procedures.

Inputs Required:

  • Domain: The domain name is required as input to perform the analysis on the organization’s communication protocols.

Business Impact: This assessment is crucial because effective incident response communication can significantly reduce the impact of a breach and ensure that all relevant parties are informed promptly. Poor communication can lead to misinformation, delayed responses, and inefficiency in crisis management.

Risk Levels:

  • Critical: If missing escalation procedures or incomplete stakeholder communication framework is detected, this could be critical as it directly affects the ability to respond effectively during an incident.
  • High: Inadequate secure channels or insufficient templates can also pose high risks by potentially compromising the integrity of communications and timely information sharing.
  • Medium: Missing some elements in escalation procedures, stakeholder communication framework, or documentation could lead to medium risk if they are partially addressed but still affect overall preparedness.
  • Low: Informational findings indicate that while there may be room for improvement, the current state does not pose significant risks.

Example Findings:

  1. The scanner might find that a domain lacks clear escalation paths for critical incidents, which could lead to delayed responses and increased risk.
  2. It might identify that stakeholder communication is primarily through email without utilizing more secure or direct channels, increasing the potential for data leakage or miscommunication.

Forensic Capabilities

Section titled “Forensic Capabilities”

Purpose: The purpose of this scanner is to analyze and assess the forensic capabilities of a given domain, including evidence collection procedures, forensic tools, chain of custody protocols, expertise availability, and legal hold practices. This assessment helps in identifying potential vulnerabilities and risks related to digital forensics within an organization’s infrastructure.

What It Detects:

  • Evidence Collection Procedures: The scanner checks if there are documented procedures for collecting volatile data and identifies the presence of disk imaging and memory forensics capabilities.
  • Forensic Tools: It evaluates whether forensic tools are documented, what types of disk forensics they support, which memory analysis tools are available, and whether commercial tools are utilized.
  • Chain of Custody: The scanner verifies if there are established procedures for the chain of custody, including templates for maintaining records throughout the investigation process.
  • Expertise Availability: It assesses the presence of internal or external forensic expertise within the organization, as well as any related training programs and certifications.
  • Legal Hold Practices: The scanner examines the existence of legal hold policies and procedures regarding data retention and backup preservation.

Inputs Required:

  • Domain: The domain name is required to target specific web infrastructure for analysis.

Business Impact: The accurate documentation and maintenance of forensic capabilities are crucial for effective incident response, ensuring that digital evidence remains intact and legally admissible throughout the investigation phase. Inadequate or missing forensic practices can lead to significant disruptions in legal proceedings and may compromise the integrity of digital evidence.

Risk Levels:

  • Critical: Severe vulnerabilities in evidence collection procedures, complete absence of forensic tools, broken chain of custody protocols, no expertise availability, and inadequate legal hold practices that could result in critical risks such as data loss or legal challenges.
  • High: Issues in one or more areas like missing documentation, lack of specific forensic tool capabilities, or weaknesses in the chain of custody that pose significant threats to digital forensics processes.
  • Medium: Minor deficiencies in some aspects of forensic practices but still require attention to avoid escalating risks.
  • Low: Informal or minor issues that do not significantly impact the organization’s ability to conduct effective digital forensics.
  • Info: Non-critical findings that provide supplementary information but do not directly affect the core forensic capabilities.

Example Findings:

  1. The domain lacks a documented procedure for collecting volatile data, which could lead to significant risks during incident response and legal investigations.
  2. There is no evidence of disk forensics tools being utilized, making it challenging to recover and analyze digital evidence effectively.

IR Team Capabilities

Section titled “IR Team Capabilities”

Purpose: The purpose of this scanner is to analyze and document the capabilities of an organization’s incident response (IR) team. This includes evaluating the technical skills, certifications, response availability, and experience indicators that are crucial for effective IR operations. The findings help in assessing the risk level associated with the IR team’s capability maturity and identify potential vulnerabilities.

What It Detects:

  • Team Structure: Whether there is a dedicated incident response team documented (maturity) and its size indicator.
  • Skill Coverage: Technical skills related to network analysis, log analysis, endpoint security, malware analysis, threat intelligence, and reverse engineering are assessed.
  • Certifications: Security and IR certifications that indicate expertise in these areas.
  • Response Availability: On-call procedures, response time SLA, escalation contacts, and emergency contact information are evaluated for 24/7 availability.
  • Team Experience: Indicators of experience such as senior expertise and documented years of experience help gauge the team’s maturity level.

Inputs Required:

  • Domain: The target organization’s domain name is required to gather relevant information from web pages, APIs, or other digital footprints related to IR capabilities.

Business Impact: The effectiveness of an organization’s incident response can significantly impact its security posture and reputation. A robust IR team with clear documentation of skills, certifications, and experience levels enhances the ability to detect, respond, and recover from cyber threats effectively.

Risk Levels:

  • Critical: If no dedicated incident response team is documented or if there are insufficient technical skills documented (less than 2), this indicates a critical risk as it severely compromises the IR capabilities.
  • High: Missing security or IR certifications, poor response availability, and low experience indicators suggest high risks as they may lead to inadequate handling of potential threats.
  • Medium: Indicators of medium risk include situations where there is minimal documentation of team maturity but still capable of responding to incidents with available resources.
  • Low: If the IR team shows basic capabilities despite some missing elements, it falls into the low risk category as they can improve further based on detected vulnerabilities.
  • Info: Provides informational findings about the presence or absence of certain documented elements that could be improved for better IR practices.

Example Findings:

  • “No dedicated incident response team documented.”
  • “Insufficient skill coverage: only 1 technical skill documented.”
  • “Team maturity level: minimal”

Containment Capabilities

Section titled “Containment Capabilities”

Purpose: The purpose of this scanner is to analyze and assess the incident containment capabilities of a given domain, including its network segmentation, system isolation, access revocation mechanisms, and communication disruption capabilities. This assessment helps in identifying potential vulnerabilities and risks associated with an organization’s operational security posture.

What It Detects:

  • Network Segmentation: The scanner checks if the network segmentation is documented and includes VLAN segmentation as well as firewall procedures. Additionally, it evaluates whether microsegmentation and zero-trust controls are in place.
  • System Isolation: It examines the presence of runbooks for system isolation and automated quarantine mechanisms. Endpoint isolation and virtual machine (VM) isolation are also assessed.
  • Access Revocation: The scanner looks into the automation of access revocation, including VPN termination and privileged access revocation. It also checks for the timeframe within which access can be revoked.
  • Communication Disruption: This includes evaluating DNS sinkholing, C2 blocking, egress filtering, and evidence of prevention through kill switches or other means.
  • Containment Automation: The scanner assesses the presence of automated workflows and a SOAR platform for incident handling, as well as testing for containment capabilities.

Inputs Required:

  • domain: The target domain whose operational security posture is to be assessed.

Business Impact: Assessing and maintaining robust incident containment capabilities is crucial for protecting an organization’s sensitive information and ensuring business continuity. Weaknesses in these areas can lead to significant data breaches, legal repercussions, and reputational damage.

Risk Levels:

  • Critical: The domain exhibits severe vulnerabilities with critical impacts such as unauthorized access to highly sensitive data or systems that could lead to catastrophic consequences.
  • High: There are significant weaknesses in network segmentation, system isolation, or other containment aspects that pose a high risk of data exposure or operational disruption.
  • Medium: The domain shows moderate deficiencies in some containment capabilities, which may still be risky but not as critical as those at the high level.
  • Low: The domain demonstrates adequate containment practices with minimal identified vulnerabilities.
  • Info: Informative findings that do not directly impact security posture significantly but are worth noting for awareness and continuous improvement.

Example Findings:

  • A documented network segmentation plan is lacking, which could lead to unauthorized access across systems.
  • The system isolation procedures are manual and not automated, increasing the risk of delayed response to potential threats.