
Cyber Security Incident Response Plan

Table 1 - Control Satisfaction

Standard            NIST Category    Controls Satisfied    Audit Controls
NIST 800-53 rev4    -                -                     -

Table 2 - Major Document History

Date          Comment        Who
12/19/2019    Initial Doc    Tharp

Response Plan Overview

Response Plan Compromised Instance or exposed Access Keys

  1. Change the root account password and the passwords of all IAM users
  2. Enable (or verify) MFA for all administrators and for every user with console access
  3. Create new EC2 key pairs and install them on the instances; delete the compromised key pairs
  4. Relaunch the affected instances (build a new AMI first if one is needed); on any instance that stays up, remove unknown entries from ~/.ssh/authorized_keys
  5. Rotate all IAM access keys: deactivate the exposed keys immediately, then delete them once the replacement keys are in place
  6. Delete unrecognized or unauthorized resources:
    • Instances
    • IAM Users
    • Spot Bids
  7. Contact AWS Support:
    • Respond to any abuse notifications

The worst damage often comes after the first vulnerability appears to have been remediated: an attacker who still holds a credential, a key pair, or a user account they created will come back. Be vigilant!
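As an added illustration of steps 5 and 6 (this script is not part of the original plan or of any AWS tooling), the Python below takes CloudTrail events plus the exposed access key ID, lists what that key created (instances, spot requests, IAM users, new access keys), and prints the AWS CLI commands that remove those resources. The events are constructed sample data in CloudTrail's record format; the access key IDs are AWS's documented placeholder values plus one invented key. It shows why the "be vigilant" warning matters: the leaked key here also created a second user and a fresh access key, which would survive a rotation of the original key alone.

```python
"""Triage an exposed AWS access key from CloudTrail events (added example)."""
import json

LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"   # AWS's documented placeholder key ID
GOOD_KEY = "AKIAI44QH8DHBEXAMPLE"     # second AWS placeholder; a legitimate key

# Constructed sample events, shaped like CloudTrail records (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2019-12-19T20:01:10Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": LEAKED_KEY},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0abc1234"}, {"instanceId": "i-0def5678"}]}}},
    {"eventTime": "2019-12-19T20:03:41Z", "eventName": "CreateUser",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": LEAKED_KEY},
     "requestParameters": {"userName": "backup-svc"},
     "responseElements": {"user": {"userName": "backup-svc"}}},
    {"eventTime": "2019-12-19T20:03:55Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": LEAKED_KEY},
     "requestParameters": {"userName": "backup-svc"},
     "responseElements": {"accessKey": {"userName": "backup-svc",
                                        "accessKeyId": "AKIAEXAMPLEPERSIST01",  # invented
                                        "status": "Active"}}},
    {"eventTime": "2019-12-19T20:02:05Z", "eventName": "RequestSpotInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": LEAKED_KEY},
     "responseElements": {"spotInstanceRequestSet": {"items": [
         {"spotInstanceRequestId": "sir-abc123"}]}}},
    {"eventTime": "2019-12-19T19:30:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "IAMUser", "userName": "ops", "accessKeyId": GOOD_KEY}},
]


def events_for_key(events, key_id):
    """Return the events made with one access key, oldest first."""
    hits = [e for e in events if e.get("userIdentity", {}).get("accessKeyId") == key_id]
    return sorted(hits, key=lambda e: e["eventTime"])  # ISO-8601 Z sorts lexically


def created_resources(events):
    """Collect the resources these events created, by kind (step 6's list)."""
    found = {"instances": [], "spot_requests": [], "users": [], "access_keys": []}
    for e in events:
        resp = e.get("responseElements") or {}
        name = e["eventName"]
        if name == "RunInstances":
            items = resp.get("instancesSet", {}).get("items", [])
            found["instances"] += [i["instanceId"] for i in items]
        elif name == "RequestSpotInstances":
            items = resp.get("spotInstanceRequestSet", {}).get("items", [])
            found["spot_requests"] += [i["spotInstanceRequestId"] for i in items]
        elif name == "CreateUser":
            found["users"].append(resp["user"]["userName"])
        elif name == "CreateAccessKey":
            ak = resp["accessKey"]
            found["access_keys"].append((ak["userName"], ak["accessKeyId"]))
    return found


def cleanup_commands(found):
    """AWS CLI commands that remove what was found, in an order IAM accepts.

    Access keys must be deleted before their user can be deleted, so the
    delete-access-key lines are emitted first.
    """
    cmds = []
    if found["instances"]:
        cmds.append("aws ec2 terminate-instances --instance-ids " + " ".join(found["instances"]))
    if found["spot_requests"]:
        cmds.append("aws ec2 cancel-spot-instance-requests --spot-instance-request-ids "
                    + " ".join(found["spot_requests"]))
    for user, key in found["access_keys"]:
        cmds.append(f"aws iam delete-access-key --user-name {user} --access-key-id {key}")
    for user in found["users"]:
        cmds.append(f"aws iam delete-user --user-name {user}")
    return cmds


def triage(events, key_id):
    """Full picture for one exposed key: who used it, from where, what it made."""
    hits = events_for_key(events, key_id)
    found = created_resources(hits)
    return {
        "source_ips": sorted({e["sourceIPAddress"] for e in hits}),
        "api_calls": [(e["eventTime"], e["eventName"]) for e in hits],
        "created": found,
        "cleanup": cleanup_commands(found),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, LEAKED_KEY), indent=2))
```

In practice the events would come from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key>` or from the CloudTrail log bucket; review the generated commands before running them, since a stray `delete-user` against a legitimate account is its own incident.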

/opt/bitnami/dokuwiki/data/pages/security/cyberresponse.txt · Last modified: 2019/12/20 00:36 by brian.tharp