10 The Caribbean breach: a case study in incident response
This chapter covers
- Examining the six phases of responding to an incident
- Studying a security breach in a fictional organization
- Investigating Linux systems and AWS instances with forensic techniques
- Recovering from a breach: the steps an organization must take
“Everybody has a plan until they get punched in the mouth.”
—Mike Tyson
In the first nine chapters of this book, we worked hard to increase infrastructure security, reduce the exposure of sensitive systems to an intrusion, and limit the impact a breach would have on an organization. Continuously improving the security posture of an organization is critical, but you should also be prepared for the moment an attacker breaches the defenses. No infrastructure is perfectly safe, and every organization deals with a compromise at some point. How good your security is at the time of the incident makes all the difference between a full infrastructure compromise and the breach of a handful of isolated systems.
To the inexperienced, responding to a security incident is a stressful, confusing, and sometimes psychologically violent exercise. Pressure increases as engineers, managers, and leadership work around the clock to protect the organization’s assets, and, ultimately, their jobs. In the worst cases, people start blaming each other, focusing more on protecting their own integrity than mitigating the incident.