Module Learning Outcomes Assessed:
1. Critical awareness of the legal, ethical and professional issues involved in incident response investigation.
2. Evaluate and apply appropriate technological solutions and processes in the detection, management and investigation of information and system security incidents.
3. Critically evaluate and apply digital forensic methodology to cyber security incidents and commercial investigation; establish an audit trail, documenting a digital investigation from a legal and professional perspective.
4. Ensure all actions undertaken are Association of Chief Police Officers (ACPO) Principles of Digital Evidence compliant.
The Purpose of Incident Response
Incident response refers to the organized approach to detecting and controlling the activity that follows a cyber attack or security breach. It aims to manage the situation so that damage is limited and recovery cost and time are reduced.
The given network is designed so that its various segments are spread over server farms. The following report covers reconnaissance of the system along with the collection of statistical data. A discussion then follows on whether to choose Snort, PF or PacketFence. Later, advanced persistent threats (APTs) are identified and cost-effectiveness is investigated.
Data to be collected and the areas of the chosen network:
First of all, customer information is to be collected. This includes customer names, payment card information, application attributes, emails, social security numbers and so on. Similar to customer data, employee data comprises social security numbers, addresses and names. It also includes banking data such as that used for payment purposes, usernames or passwords, and data related to a credentialing process. Then information regarding trade secrets and intellectual property is to be gathered. This is held in a proprietary manner in a document management system with a third party (Leigh, Jackson and Dunnett 2016). For a software developer, for instance, this is code; for a hardware developer it is schematics. It extends to product specifications, competitive research and anything that falls under a non-disclosure agreement with vendors. To identify the network area, consider two companies A and B: A develops a phone and B helps A with designing a component. If B is breached, A is exposed to having that sensitive data leaked, which can be catastrophic. The next data to be identified is inventory and operational information, encompassing general business inventory and operations. To identify the areas in the network in this case, consider for example the selling of physical products: sales figures are never intended to be disclosed, which makes them sensitive information. The last one is industry-specific data. Depending on the industry, there is particular sensitive data that needs to be protected (Raithel et al. 2017).
There are various ways in which potential intruders can collect and use this data for malicious purposes. The first technique is the man in the middle. Here, attackers watch the data as it passes from computer to network, so that as valuable data passes they can see it and act on it (McCausland et al. 2016). A related approach is the evil twin: attackers set up a separate network that looks the same as the original, and customers or staff connect to the fake network and submit data believing it to be the real one. The next tool is phishing email, where fake emails are made to look like those of brands and companies the recipient receives emails from. Simply opening the emails, or clicking the links, downloads malware and viruses to the network.
Detecting APTs and Potential Intruder Techniques
The next tool is social engineering, which is nevertheless the most effective one. Here the attackers study a person, take note of vulnerabilities and patterns in the business, and take advantage of them. It means that trusting employees end up putting sensitive data on a network that is easily compromised (Steinke et al. 2015). The next tool is the packet sniffer, which allows attackers to capture packets of data across a network and then use and copy that data. The next one is the malware attack, where an unsuspecting customer or employee downloads or uploads malware from a network.
| Security activities to be configured | Challenges | Discussion | Tools to be used |
| --- | --- | --- | --- |
| Searching for telltale signs of breach | The attackers here go low and slow, so some time is needed for analysis. Moreover, there are a lot of chatty protocols and tools, so it takes some time to filter out the noise | Attackers initially require an understanding of the network topology they have infiltrated. There, they look for vulnerable servers and endpoints and zero in on administrative users along with various important data stores | The tools to be used are network management and monitoring tools and various NetFlow aggregations (Kaplan et al. 2015) |
| Looking for regular users doing administrative tasks | Unfortunately no single source of data is available to reveal who the administrators are and which assets need to be managed | Attackers use native tools on servers and computers instead of known malware and tools, to avoid detection by EDR and anti-virus software | The tools are an assimilation of network information such as NetFlow data and network packets |
| Searching for devices using various credentials and accounts to access network resources | There is considerable variability between users; however, one tries to baseline the average. Listing high-volume users gives decent visibility, since a new name popping onto the list can be checked out | Attackers always like credentials, since they ease their work and let them remain undetected (Ruefle et al. 2014). They steal or create accounts and then use them to gain and extend access | The tools used are network traffic monitoring and assessment of authorization and authentication logs |
| Looking for attackers trying to find valuable data on file servers | File shares show commonly accessed files and large spikes when a user accesses them for the first time | Spotting anomalies in file-share access is a valuable signal and also alerts on employees who may be considering insider theft | The tools used here are the logs from file servers. However, it takes some investigation to change the perspective from that of individual users to one that grants the ability to see anomalies in user access |
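The third row of the table (accounts whose access pattern suddenly changes, or new names that pop onto the list) and the second row (ordinary accounts doing administrative work) both come down to baselining which hosts each account reaches and flagging departures. The following is an added example, not part of the report or of any product; the log lines are constructed, the five-field line format is an assumed one, and the thresholds are assumed values chosen for the example.

```python
"""Added example: baseline the hosts each account authenticates to, then flag
accounts in a later window that are new or that fan out to far more hosts than
their baseline. Log format (assumed): 'timestamp user src_host dst_host result'."""
from collections import defaultdict

# Constructed sample: a baseline week of normal authentications.
BASELINE_LOG = """\
2019-03-01T08:02:11 alice ws-alice fileserver1 success
2019-03-01T08:05:40 alice ws-alice mail1 success
2019-03-02T09:10:03 bob ws-bob fileserver1 success
2019-03-02T09:12:15 bob ws-bob fileserver2 success
2019-03-03T10:00:00 alice ws-alice fileserver1 success
2019-03-04T11:30:21 carol ws-carol fileserver2 success
2019-03-05T07:45:09 svc_backup backup1 fileserver1 success
2019-03-05T07:46:10 svc_backup backup1 fileserver2 success
"""

# Constructed sample: the window under investigation. 'bob' touches six hosts
# at 2 a.m., and an account never seen before ('support2') appears.
WINDOW_LOG = """\
2019-03-08T02:11:00 bob ws-bob fileserver1 success
2019-03-08T02:11:30 bob ws-bob fileserver2 success
2019-03-08T02:12:01 bob ws-bob fileserver3 success
2019-03-08T02:12:44 bob ws-bob dc1 success
2019-03-08T02:13:10 bob ws-bob hr-db success
2019-03-08T02:13:50 bob ws-bob mail1 success
2019-03-08T02:20:00 support2 ws-bob dc1 success
2019-03-08T09:00:00 alice ws-alice fileserver1 success
"""


def parse_auth(text):
    """Parse 'timestamp user src dst result' lines into dicts; blank lines skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split()
        events.append({"ts": ts, "user": user, "src": src, "dst": dst, "result": result})
    return events


def hosts_per_user(events):
    """Map each account to the set of distinct hosts it successfully reached."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            seen[e["user"]].add(e["dst"])
    return seen


def find_credential_anomalies(baseline_text, window_text, growth_factor=2.0, min_hosts=4):
    """Return a sorted list of (user, reason) findings.

    'new account'  : the user never authenticated during the baseline.
    'host fan-out' : the user reached at least min_hosts hosts in the window and
                     more than growth_factor times its baseline host count.
    growth_factor and min_hosts are assumed thresholds, not values from the report.
    """
    base = hosts_per_user(parse_auth(baseline_text))
    window = hosts_per_user(parse_auth(window_text))
    findings = []
    for user, hosts in window.items():
        if user not in base:
            findings.append((user, "new account"))
            continue
        if len(hosts) >= min_hosts and len(hosts) > growth_factor * len(base[user]):
            findings.append((user, "host fan-out: %d hosts vs baseline %d"
                             % (len(hosts), len(base[user]))))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in find_credential_anomalies(BASELINE_LOG, WINDOW_LOG):
        print(user, "->", reason)
```

Running the block reports `bob` for fan-out and `support2` as a new account, while `alice`, whose window activity matches her baseline, stays off the list. In practice the baseline would be rebuilt periodically and the authentication source would be the directory or file-server logs the table names.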
The various relevant strategies are demonstrated hereafter. First of all, every problem must be defined before it is solved. Some time must be taken to make sense of the issues and the criteria for a good decision, and to create some smart options. One or two firmly recommended solutions must be offered. The business must be clear on the direction offered with the solution, and should ask the team or person being supported to repeat it back so that it becomes clear. The client's action steps must be prioritized to avoid overwhelm, and a step-by-step action plan implemented. When problems are approached systematically, the essentials are covered every time and decisions are well thought out, planned and executed. A checklist must be provided, with each item marked off when it is achieved. This makes people feel that they have achieved their aims and are moving away from challenges, obstacles and problems; it keeps them motivated and in motion (Phillips et al. 2017). Lastly, the network administrators must look for ways to improve the problem-solving process to avoid future problems. The business must keep perfecting its problem-solving skills, which are to be used in continuous improvement initiatives serving the needs of clients. The more efficiently problems are solved, the more value is created.
Session data denotes the flow, stream or conversation, which is a summary of the packet exchange between two systems. A session has seven minimum elements. The first is the timestamp that denotes the start of the session, and likewise its end. It also includes the protocol, source IP address, source port, destination IP address and destination port (Dunnett, Leigh and Jackson 2018).
The reason to use Snort data is to point out malicious and suspicious activity by inspecting network traffic. Session data judges the traffic through analytical abilities and then notifies the operator of the decision by creating an alert. The output of this process, called collect-inspect-report, is known as alert data. It must be remembered that no alerting system identifies every malicious or suspicious activity. In many instances it is not possible, particularly on a "packet-by-packet" basis, to recognise whether a stream or packet is worthy of the operator's attention. In these cases, it makes sense to keep a log of the traffic (Hedrick and Miller 2017). Recording the characteristics of traffic, or only the traffic itself, for later investigation has been labelled RNA or "Retrospective Network Analysis". However, many others refer to this as "network forensics". In that case, it implies evidence handling and a degree of care exceeding the methodology presented here.
Data Areas to Be Collected for Incident Response
Every session, regardless of protocol, has some standard features. Each needs some signal to be established; there is a two-way information exchange; and every session is singularly unique. Sessions comprise bits low in the network layer along with directionality and state. All these properties make it possible to relate flows and packets to a unique session and to control the session.
Classical statistical data, on the other hand, is based on the assumption that the various observations are sampled independently of each other. However, in the case of networks, observations are never independent of each other: they depend on the network structure. The dependence of observations on one another is a feature of the data rather than a nuisance. They are collected through the various processes demonstrated hereafter, along with an understanding of the different potential intrusions (Chen et al. 2014).
The first one is the mean or "average". It is helpful for finding the overall trend of a dataset, delivering a quick snapshot of the data. For understanding potential intrusion it is essential, as it is very quick and easy to calculate. The next one is the standard deviation, which denotes how broadly the data is spread around the mean. Then there is regression analysis. Regression models the relationship between explanatory and dependent variables; these are commonly charted on a scatterplot, and the regression line indicates whether the relationship is weak or strong. Then there is sample size determination (Piedrahita et al. 2018). When measuring a huge data population or set, information about every member of the population would need to be collected. By using standard deviation and proportion, one can instead accurately determine the sample size that makes the data collection statistically significant. The last one is hypothesis testing, also known as t testing. To understand statistics and data analysis for finding potential intrusion in networks, the results of the hypothesis test must be statistically relevant.
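The seven session elements listed earlier (start and end timestamps, protocol, source IP and port, destination IP and port) and the two-way, directional nature described in this paragraph can be made concrete by folding a packet list into session records. The following is an added example written for this page, not code from the report or from any flow-export product; the packet tuples are constructed, and the convention that the first packet seen defines the session's source side is an assumption of the example.

```python
"""Added example: summarise packets into session (flow) records carrying the
seven elements named in the report. Packets are (ts, proto, sip, sport, dip,
dport, length) tuples; replies are matched by the reversed 5-tuple so that both
directions land in one record, which is what makes a session two-way."""
from dataclasses import dataclass


@dataclass
class Session:
    start: float
    end: float
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets_out: int = 0   # packets from src to dst
    packets_in: int = 0    # packets from dst back to src
    bytes_out: int = 0
    bytes_in: int = 0


def build_sessions(packets):
    """Return Session records in order of first appearance.

    The first packet of a 5-tuple defines the session's source and destination;
    later packets in either direction update the end time and counters."""
    table = {}
    order = []
    for ts, proto, sip, sport, dip, dport, length in packets:
        forward = (proto, sip, sport, dip, dport)
        reverse = (proto, dip, dport, sip, sport)
        if forward in table:
            s = table[forward]
            s.packets_out += 1
            s.bytes_out += length
        elif reverse in table:
            s = table[reverse]
            s.packets_in += 1
            s.bytes_in += length
        else:
            s = Session(ts, ts, proto, sip, sport, dip, dport, 1, 0, length, 0)
            table[forward] = s
            order.append(s)
        s.end = max(s.end, ts)
    return order


def one_sided_sessions(sessions):
    """Sessions that never received a reply: a useful first cut for probes."""
    return [s for s in sessions if s.packets_in == 0]


# Constructed sample traffic: one HTTP exchange, one DNS lookup with its reply,
# and a single unanswered TCP packet to port 23.
SAMPLE_PACKETS = [
    (1.00, "tcp", "10.0.0.5", 51000, "192.0.2.10", 80, 60),
    (1.01, "tcp", "192.0.2.10", 80, "10.0.0.5", 51000, 60),
    (1.02, "tcp", "10.0.0.5", 51000, "192.0.2.10", 80, 400),
    (1.20, "tcp", "192.0.2.10", 80, "10.0.0.5", 51000, 1500),
    (1.30, "udp", "10.0.0.5", 53001, "10.0.0.2", 53, 70),
    (1.31, "udp", "10.0.0.2", 53, "10.0.0.5", 53001, 120),
    (2.00, "tcp", "10.0.0.5", 51001, "192.0.2.10", 23, 60),
]


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_PACKETS):
        print(s)
    print("unanswered:", [(s.dst_ip, s.dst_port) for s in one_sided_sessions(SAMPLE_PACKETS and build_sessions(SAMPLE_PACKETS))])
```

The seven packets collapse to three sessions. Because the reply direction is keyed by the reversed tuple, the HTTP record shows two packets each way with its start and end timestamps spanning the whole exchange, while the lone packet to port 23 stands out as a session with no inbound packets.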
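To show how the mean, standard deviation, regression and sample-size ideas above are actually applied to network observations, the following added example (written for this page, not taken from the report or from any cited work) computes them over a constructed series of per-interval request counts from a server and uses a z-score cut-off to flag the interval that departs from the rest. The threshold and the confidence parameters are assumed values chosen for the example.

```python
"""Added example: descriptive statistics over per-interval request counts.
Shows the mean and population standard deviation, a z-score outlier flag,
a least-squares regression slope (trend), and a proportion-based sample
size calculation. Data is constructed; thresholds are assumed."""
import math

# Constructed: requests handled per five-minute interval over one hour,
# with a sudden burst in the last interval.
REQUESTS_PER_INTERVAL = [120, 118, 125, 122, 119, 124, 121, 123, 120, 122, 119, 610]


def mean(xs):
    """Arithmetic mean: the quick snapshot of the dataset."""
    return sum(xs) / len(xs)


def std_dev(xs):
    """Population standard deviation: how widely the data spreads around the mean."""
    m = mean(xs)
    return math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))


def z_scores(xs):
    """Distance of each observation from the mean, in standard deviations."""
    m, sd = mean(xs), std_dev(xs)
    if sd == 0:
        return [0.0 for _ in xs]
    return [(x - m) / sd for x in xs]


def flag_outliers(xs, threshold=2.5):
    """Indices whose |z| exceeds threshold (assumed 2.5): a cheap first-pass signal."""
    return [i for i, z in enumerate(z_scores(xs)) if abs(z) > threshold]


def regression_slope(xs):
    """Least-squares slope of xs against the interval index. A positive slope
    shows a rising trend, which a single-interval z-score would not reveal."""
    t = list(range(len(xs)))
    tm, xm = mean(t), mean(xs)
    num = sum((ti - tm) * (xi - xm) for ti, xi in zip(t, xs))
    den = sum((ti - tm) ** 2 for ti in t)
    return num / den


def sample_size(p=0.5, margin=0.05, z=1.96):
    """Sample size needed to estimate a proportion p within +/- margin at the
    confidence given by z (1.96 corresponds to 95%). p=0.5 is the worst case."""
    return math.ceil(z * z * p * (1 - p) / (margin * margin))


if __name__ == "__main__":
    xs = REQUESTS_PER_INTERVAL
    print("mean", round(mean(xs), 2), "sd", round(std_dev(xs), 2))
    print("outlier intervals", flag_outliers(xs))
    print("trend slope", round(regression_slope(xs), 2))
    print("sample size for 95% +/-5%", sample_size())
```

On the constructed data the last interval sits more than three standard deviations from the mean and is the only one flagged; the regression slope is positive because that single burst pulls the fitted line upward, which is why a trend test and a per-interval test are usually read together.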
| Nodes where statistical data is to be collected | Type | Justification of choice | Tools and configuration |
| --- | --- | --- | --- |
| Node number 20 | Host server node | The server IP address and port number are used to communicate with the server | Statistics requests are sent using the IP address; porting for the node is then done in a cluster |
| Node number 6 | Gateway node | There can be 2, 3 or more gateways to pick up and forward messages. At the end, the gateway may receive, forward and generate many additional messages that end up in an API | The information from server start time to the current time can be used to analyze the number of requests processed by the nodes at regular intervals. The IP address is to be used for a direct Gateway-to-Gateway connection |
| Node number 12 | Gateway node connected to client node | As an intermediate solution, the packet forwarder logs some information about the number of received messages, including messages with a correct or missing CRC and the number of forwarded messages | While the CA API Gateway is set up, the logs must be used to help in diagnosing problems for the Gateway node |
The senior network administrator at the client site has considered deploying packet filters around the networks. This is to minimize undue traffic and prevent the exposure of critical services. Now a choice needs to be made between PF and Snort. Both are widely used products available to be deployed as firewalls.
Discussion on Snort:
Snort is an open source network intrusion prevention system. It can perform real-time traffic analysis and packet logging on IP networks. It can perform content searching/matching and protocol analysis, and can be used to detect a variety of probes and attacks, including buffer overflows, CGI attacks, stealth port scans, SMB probes and many more (Emmanuel et al. 2015).
Relevant Strategies for Problem-Solving
It must be remembered that the protocol is a significant part of a Snort rule. The protocol section of a Snort rule denotes what kind of packet the rule applies to. At present the protocols to be understood are UDP, TCP, ICMP and IP. When the protocol is IP, Snort checks the link layer header to determine the packet type. When another kind of protocol is used, Snort uses the IP header to determine the protocol type. The protocol plays a role in specifying the criteria in the header part of the rule. The options part of the rule has extra criteria that are unrelated to the specified protocol. For instance, consider the rule below, where the protocol is ICMP.
alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;)
The options part examines the TTL or "Time To Live" value, which is not part of the ICMP header; TTL is part of the IP header instead. This indicates that the options part can also examine parameters in additional fields.
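The split between the rule header (action, protocol, addresses, ports, direction) and the options, and the fact that the `ttl` option is evaluated against the IP header even for an ICMP rule, can be made visible with a small parser and matcher. The following is an added example written for this page; it is not Snort's parser, handles only the header fields and the `msg`/`ttl` options used in the rule above, supports only the `->` direction, and matches against constructed packet dictionaries rather than real packets.

```python
"""Added example: parse the report's Snort rule into header and options, then
evaluate it against constructed packets. Illustrative only; not Snort's own
rule engine. Packets are dicts holding IP-header fields ('proto', 'sip', 'dip',
'ttl') plus 'sport'/'dport' for TCP/UDP (absent for ICMP)."""
import re

RULE = 'alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;)'

# Header: action protocol src_ip src_port -> dst_ip dst_port (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<sip>\S+)\s+(?P<sport>\S+)\s+'
    r'->\s+(?P<dip>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(text):
    """Return (header_dict, options_dict) for a rule in the form used above."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule syntax")
    options = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        name, _, value = opt.partition(":")
        options[name.strip()] = value.strip().strip('"')
    header = {k: m.group(k) for k in ("action", "proto", "sip", "sport", "dip", "dport")}
    return header, options


def _field_matches(pattern, value):
    """'any' matches everything; otherwise compare as strings."""
    return pattern == "any" or str(pattern) == str(value)


def rule_matches(rule_text, packet):
    """True when the packet satisfies both the header criteria and the options."""
    header, options = parse_rule(rule_text)
    # Protocol check: an 'ip' rule applies to every IP packet, anything else
    # must match the packet's protocol exactly.
    if header["proto"] != "ip" and header["proto"] != packet["proto"]:
        return False
    header_ok = (
        _field_matches(header["sip"], packet["sip"])
        and _field_matches(header["dip"], packet["dip"])
        and _field_matches(header["sport"], packet.get("sport", "any"))
        and _field_matches(header["dport"], packet.get("dport", "any"))
    )
    if not header_ok:
        return False
    # Options: 'ttl' is read from the IP header of the packet regardless of
    # the rule's protocol, which is the point the text above makes.
    if "ttl" in options and int(options["ttl"]) != int(packet["ttl"]):
        return False
    return True


# Constructed packets.
PING_TTL100 = {"proto": "icmp", "sip": "10.0.0.5", "dip": "192.0.2.10", "ttl": 100}
PING_TTL64 = {"proto": "icmp", "sip": "10.0.0.5", "dip": "192.0.2.10", "ttl": 64}
TCP_TTL100 = {"proto": "tcp", "sip": "10.0.0.5", "sport": 51000,
              "dip": "192.0.2.10", "dport": 80, "ttl": 100}


if __name__ == "__main__":
    print(parse_rule(RULE))
    for name, pkt in (("ping ttl=100", PING_TTL100), ("ping ttl=64", PING_TTL64), ("tcp ttl=100", TCP_TTL100)):
        print(name, "->", rule_matches(RULE, pkt))
```

The ICMP packet with TTL 100 is the only one that fires: the TTL 64 ping fails the option, and the TCP packet fails the header's protocol criterion before the options are even consulted, even though its TTL is also 100.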
PacketFence is a free and open-source solution providing network access control functionality. It includes various standard features. The first is the registration of network components such as printers, laptops and desktops; optionally it can also require acceptance of a network usage policy on registration before full network access is granted (Wilson et al. 2016). Detection of violations of the network usage policy is based on active and passive network scans of every connected node. It also includes isolation of offending nodes and notifications of network usage policy violations such as pop-ups, e-mail and more. Further, it involves remediation so that network components can regain network access after a violation takes place.
For PF, LLDP and CDP are also helpful. CDP or Cisco Discovery Protocol is a device-discovery protocol running on Cisco-manufactured equipment such as switches, bridges, access servers and routers. Using CDP, a device advertises its existence to other devices and retrieves data about other devices on the same LAN or on the remote side of a WAN. In today's world of VoIP, CDP can determine whether the connecting device is an IP Phone or not. It further reveals whether the IP Phone tags its Ethernet frames using a VLAN on the switch port (Bennett, Brooks and Walker 2014).
However, for the current analysis, Snort is chosen as the most suitable. It is an open source network intrusion prevention system or IPS. It can perform real-time traffic analysis and packet logging on IP networks. It can do protocol analysis and content searching and matching, and can be used to detect various probes and attacks. It uses a flexible rules language to examine traffic, and a detection engine that uses a modular plug-in architecture. It also has real-time alerting capability, with alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. Snort has three primary uses: as a straightforward packet sniffer such as tcpdump, as a packet logger, and as a full-blown network intrusion prevention system.
Network Session Data Comprehension
There are various data collection and retention activities included as part of the operation, given the client's expectations for undertaking operations. The client admits little previous knowledge of and experience with the legal aspects of data retention and interception. Here the client owns all the data. Client privacy and Internet professional responsibility are difficulties intimately associated with the services offered by lawyers (Bada et al. 2014). Electronic attorney services lead to data gathering, document transfers, enhanced communication, new opportunities, and information exchange for promotion and marketing. In turn, these services bring an array of complex ethical issues that present pitfalls for the unwary and uninitiated. As the Internet permeates all aspects of law, activity on the Internet results in grievances filed against attorneys for ethical and professional misconduct. This includes misuse of funds, improper billing, advertising violations, missed court appearances and deadlines, dishonesty, fraud, misrepresentation, conflicts of interest and communication failures. Since specific Internet privacy rules and regulations are rarely applied to attorney transactions, attorneys are regularly implicated in deceptive and unfair trade practices. This also includes industry-specific violations that are often interspersed with privacy violation facts (Calfee et al. 2016).
Attorneys have a professional-liability duty in using the Internet, and it is this professional liability that leads to difficulties in doing so. More specifically, the UK's model rules of professional conduct require competence in using the Internet. Further, regulations on soliciting, advertising and communications mainly charge an attorney with malfeasance for using the Internet wrongly. Standards of Internet professional conduct and model rules or commentary cover the full range of Internet-related concerns (Brown, Greenspan and Biddle 2016). This includes expert self-identification and description in particular: the proper way to structure personal privacy settings for social media, the significance and usage of disclaimers in communication, and the establishment of an attorney-client relationship. Further, there are ethics rules addressing "lagging", "friending" and "liking" practices.
Various ways to protect client privacy and promote professional responsibility include legal, business and technical options. For example, a lawyer seeking to use the Internet to attract new clients across various jurisdictions is frequently confronted with inconsistent rules and regulations. Many authorities have taken the position that Internet communication is a type of advertising and hence subject to the specific ethical restrictions of state bars (Butler 2015). Such restrictions on Internet content include prohibitions on self-laudatory statements, bans on testimonials, disclaimers, and labelling material presented as advertising. Other restrictions on content require advance copies of advertising materials to be submitted for review to designated bar entities before dissemination, and require attorneys to keep a copy of their websites, along with any changes made to them, for about three years, including a record of where and when the site has been used. There are also several restrictions on distribution techniques, including unsolicited commercial messaging such as email. Some view this as overreaching on the same grounds as the ethical bans on telephone or in-person solicitation (Lockhart and Woods 2017).
To overcome those difficulties and permit responsible use of the Internet for attorney marketing, business and technical solutions are available. The technical solutions involve selectively serving advertisements to appropriate locations; to that end, software can be deployed to detect the source of an Internet transaction. Another legal problem related to attorney marketing and Internet advertising is the unauthorized practice of law (Grispos, Glisson and Storer 2017).
First, workers have the legal right to access the data that their employer holds on them. At the same time, employers must ensure that staff comply with data protection regulations in their daily work, and have a duty to monitor, for example CCTV, emails and telephone calls, when needed. Further, data controllers have a series of significant roles and should abide by the data protection principles.
First of all, personal data should be processed lawfully and reasonably. To comply, individuals must be given the name of the business and detailed information on the purpose for which their data will be used. It should be made clear that individuals can access and correct the data held about them. It must also be revealed to them if the data is to be used in any way that is not immediately apparent; for instance, people should be told if their details are passed to credit reference agencies (Leigh, Dunnett and Jackson 2015).
Further, personal data should be processed for specified lawful purposes. One must have a specified legitimate reason to collect data; it cannot be obtained merely speculatively. Moreover, one cannot use the collected data for another unlawful or incompatible purpose. Next, personal data should be adequate, relevant and not excessive. One must not only receive the bare minimum; one might also collect data that is not important for a specific purpose. One must not collect more data than is needed. Moreover, personal data should be accurate and kept up to date: any data held should be factually correct and updated as necessary. Mechanisms must be developed, depending on the nature of the business (Schnepp, Vidal and Hawley 2017), that allow people to correct their details quickly. Besides, personal data should not be kept longer than needed. Since the reason for which the data is collected is limited in time, one must ensure that the information is not retained once it becomes obsolete. Individuals must be informed of how long the data is likely to be kept. Apart from this, personal information should be processed in accordance with the rights of individuals. The Act sets out the rights of people and the responsibilities of data controllers; one must ensure those rights are understood and act accordingly.
Additionally, personal data should be kept secure. Adequate steps must be taken to ensure data security, meaning that it is safe from tampering, unlawful processing or loss. One should develop the organizational and technical measures needed to meet this obligation. Lastly, the principles state that personal information should not be transferred outside the "European Economic Area" without adequate protection. Data can only be moved out of the EEA if the country to which it is transferred has proper legal protection for individuals and their details (Schneier 2014).
Types of test to be conducted:
Network Support:
Recently a protocol known as Local Area Network or LIN has been used in applications with lower speed and bandwidth requirements. It is attractive for less sophisticated applications since it decreases costs.
Node emulation:
As no "real" hardware is available for testing, node emulation is required. Here, node emulation is done by a device, possibly with more costly programmable components, or by software.
Scripting:
Scripting has also become a necessary function of network analysis tools, for automating tests, simulating nodes, or initiating messages in response to network activity. It lets users allow other team members to concentrate on performing tests rather than on test setup. The scripting tool is easy to use and the environment is familiar to most developers, making implementation useful and fast (Piedrahita et al. 2018).
Issues to be considered by companies:
Network engineers or computer network architects design, create and operate computer network servers, software and hardware. These testers must know how to plan networks and should perform job tasks such as deciding what kind of equipment is required to support the system and designing the layout of data communication networks. Further, they must determine what type of security the networks need.
The testers need problem-solving, leadership, organization and customer-service skills. Further, they need familiarity with field-specific software, examples of which are administration, network security, configuration management and network monitoring software. They should also be able to use relevant tools such as network switches and network analyzers. According to the U.S. Bureau of Labor Statistics (BLS), testers for the current case require a minimum of 5 years of experience (Sultana, Midi and Bertino 2014). Apart from designing the organization's networks, they should also lead the team of engineers and other workers in computer-related positions.
Kind of APT behaviour observed:
In the current network, an "Advanced Persistent Threat" (APT) attack is found. Here the cyber attack comes from funded and well-coordinated individuals with specific objectives, often directed at the business. What makes an APT attack different from other cyber attacks is its scope. The attackers exploit vulnerabilities without disrupting the system and mainly collect sensitive data. Their motive to invade the business has given rise to a worldwide demand for solutions to combat these dangerous rising threats. As shown by one of the UK's non-profit independent associations, APTs are real, imminent threats with the capability to affect economic stability and national security.
Security for the current client's network has a cost regardless of factors such as inconvenience, human effort and equipment; thus security involves trade-offs. It must be kept in mind that it costs three times as much to clean up an incident as to prevent one. Simple formulas can be used to find out where the investment should be made in security software; this also shows why early detection is essential (Gorter, Jacobson Frey and O'Brien 2015). For instance, when utilities such as "Tenable Network Security's SecurityCenter Continuous View" are used for continuous monitoring, one can find abnormalities in the traffic and so detect suspected outbreaks earlier. This leads to lower overall response costs, from clean-up activities up to those involved in incident response.
Cost of equipment:
Every year, maintenance costs swallow 20% to 25% of the enterprise's entire IT budget. Network managers are continuously trying to control and reduce these costs. There are various ways in which network support and maintenance costs apply to every kind of networking equipment. First of all, the initial maintenance contract pricing must be negotiated just as equipment purchase prices are negotiated. It should be ensured that network equipment has a proper maintenance level (Silva et al. 2015). Maintenance contracts must be centrally managed and co-terminated. Further, limited lifetime warranties allow clients to take advantage of them for the more stable and less critical parts of the network.
Further, it must be remembered that costs must be reduced in network growth projections and other areas. Current maintenance and support contracts must be searched for relevant SLAs. Opportunities for extending equipment life must be reviewed and maintenance contracts combined. The advantages of hybrid support services must be analyzed. However, the challenge faced by many IT professionals is that the business never puts the same focus on negotiating the best rates for maintenance and support contracts as it does when purchasing network equipment. Moreover, for reducing network maintenance costs, it is equally vital to take a holistic approach to choosing the proper level of service for network equipment.
A dynamic and interconnected cost analysis approach needs to be built across networks and related complexity methods. This creates more sustainable and human-centred directions, and reveals the weaknesses of systems built in ignorance of complexity. For this, the expense of useful manual configuration needs to be investigated. In the steering of monitoring operations, an efficient model is required that captures more faithfully what these people do along with their relationship with the complicated network (Eden et al. 2016). This makes clear the way in which progress can be made. These models illustrate the potential for clients to shift and change solutions instead of relying on damaging and distracting simple point estimates.
This is to be determined with regard to disruption to normal operations. The IT teams of the current business are always searching for ways to simplify their infrastructure. This not only saves money but also makes things simpler for employees who are overwhelmed with tasks. Hyperconverged products are critical resources here. By simplifying the process, experts can focus on the areas that are important. One of the main aims of hyper-convergence is to eliminate the need for separate storage resources (Miller 2015). Storage is put into server containers and managed as a single device instead of multiple tools that must be examined and connected. In this way a lot of complexity and cost in the data centre environment can be removed for clients.
By inputting estimates of incident response and business expenses, along with lost customers and sales, tools such as CyberTab can be used to calculate the cost of particular cyber attacks and then estimate the return on investment of preventive measures. It has two modes. The first is a planning mode that determines the expense of a potential attack; this helps the business better understand the risks it faces and its security investment choices. The second is a reporting mode, which is useful for reporting the expense of particular attacks that have occurred recently, using a long list of factors (Tlali, Hancke and Silva 2016).
Conclusion:
The report above shows that, to deal with incident response, the different constituents of a security incident must be properly understood. The study helps in understanding security events on the given network: a security event affects the availability, confidentiality or integrity of an information resource, and incidents include attacks, which are intentional attempts to gain unauthorised access to, damage or destroy networks. The study also develops critical awareness of the legal, ethical and professional issues involved in incident response investigation. Appropriate technological solutions and processes have been evaluated and applied to detect, manage and investigate information and system security incidents. Finally, the literature reviewed has been used to analyse methodologies that apply to cyber security incidents and commercial investigation, considered from a professional and legal viewpoint.
References:
Baber, C. and McMaster, R., 2016. Macrocognition in Day-To-Day Police Incident Response. Frontiers in psychology, 7, p.293.
Bada, M., Creese, S., Goldsmith, M., Mitchell, C. and Phillips, E., 2014. Computer Security Incident Response Teams (CSIRTs) An Overview. Global Cyber Security Capacity Centre, pp.1-23.
Bennett, B., Brooks, E. and Walker, R., 2014. Deep Sea Incident: Oil Spill Response Capacity Enhancement using Local Volunteers.
Brown, J.M., Greenspan, S. and Biddle, R., 2016. Incident response teams in IT operations centers: the T-TOCs model of team functionality. Cognition, Technology & Work, 18(4), pp.695-716.
Butler, R., 2015. Computer Incident Response.
Calfee, M.W., Tufts, J., Meyer, K., McConkey, K., Mickelsen, L., Rose, L., Dowell, C., Delaney, L., Weber, A., Morse, S. and Chaitram, J., 2016. Evaluation of standardized sample collection, packaging, and decontamination procedures to assess cross-contamination potential during Bacillus anthracis incident response operations. Journal of occupational and environmental hygiene, 13(12), pp.980-992.
Campbell, T., 2016. Digital Evidence and Incident Response. In Practical Information Security Management (pp. 179-191). Apress, Berkeley, CA.
Chen, T.R., Shore, D.B., Zaccaro, S.J., Dalal, R.S., Tetrick, L.E. and Gorab, A.K., 2014. An organizational psychology perspective to examining computer security incident response teams. IEEE Security & Privacy, 12(5), pp.61-67.
Ding, C., Ma, X., Wang, Y. and Wang, Y., 2015. Exploring the influential factors in incident clearance time: disentangling causation from self-selection bias. Accident Analysis & Prevention, 85, pp.58-65.
Dunnett, S., Leigh, J. and Jackson, L., 2018. Optimising police dispatch for incident response in real time. Journal of the Operational Research Society, pp.1-11.
Eden, P., Blyth, A., Burnap, P., Cherdantseva, Y., Jones, K., Soulsby, H. and Stoddart, K., 2016, August. Forensic readiness for SCADA/ICS incident response. In Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research 2016 (pp. 1-9). BCS Learning & Development Ltd.
Emmanuel, G.R., McClain, J.T., Matzen, L.E. and Forsythe, J.C., 2015. Measuring Expert and Novice Performance within Computer Security Incident Response Teams (No. SAND2015-1796C). Sandia National Laboratories (SNL-NM), Albuquerque, NM (United States).
Gleason, J. and Gunning, J., 2015. Incident Management and Crisis Response. Coast Guard Journal of Safety & Security at Sea, Proceedings of the Marine Safety & Security Council, 72(1).
Gorter, J., Jacobson Frey, J. and O'Brien, S., 2015. Broadening the Value of Critical Incident Response. Journal of Employee Assistance, 45(3), pp.10-13.
Grispos, G., Glisson, W.B. and Storer, T., 2017. Enhancing security incident response follow-up efforts with lightweight agile retrospectives. Digital Investigation, 22, pp.62-73.
Hawe, G.I., Coates, G., Wilson, D.T. and Crouch, R.S., 2015. Improving Agent-Based Simulation of Major Incident Response in the United Kingdom through Conceptual and Operational Validation. International Journal of Information Systems for Crisis Response and Management (IJISCRAM), 7(4), pp.1-25.
Hedrick, E. and Miller, R., 2017. Robust Sampling and Lab Prep Bolster Incident Response. Opflow, 43(5), pp.30-32.
Kaplan, J.M., Bailey, T., Rezek, C., O’Halloran, D. and Marcus, A., 2015. After the Breach: Improve Incident Response across Business Functions.
Leigh, J.M., Dunnett, S.J. and Jackson, L.M., 2015. Police officer selection process for incident response.
Leigh, J.M., Jackson, L.M. and Dunnett, S.J., 2016. Police officer dynamic positioning for incident response and community presence.
Lockhart, C.F. and Woods, K., 2017. Exploring the development of critical incident response teams. International Journal of School & Educational Psychology, 5(4), pp.243-254.
McCausland, T., Repchick, K.M., Chen, T.R., Hargrove, A.K. and Zaccaro, S.J., 2016. A Comprehensive Multilevel Taxonomy of Cyber Security Incident Response Performance. In Psychosocial Dynamics of Cyber Security (pp. 43-85). Routledge.
Miller, C., 2015. Alaska State Trooper Critical Incident Response Team and Peer Support Program Development.
Phillips, R., Harper, W., Kempisty, D. and Magnuson, M., 2017. Water Contamination Incident Response & Recovery Research at EPA’s National Homeland Security Research Center. Proceedings of the Water Environment Federation, 2017(5), pp.5175-5180.
Piedrahita, A.F.M., Gaur, V., Giraldo, J., Cardenas, A.A. and Rueda, S.J., 2018. Virtual incident response functions in control systems. Computer Networks, 135, pp.147-159.
Piedrahita, A.F.M., Gaur, V., Giraldo, J., Cárdenas, Á.A. and Rueda, S.J., 2018. Leveraging Software-Defined Networking for Incident Response in Industrial Control Systems. IEEE Software, 35(1), pp.44-50.
Raithel, J.D., Reynolds-Hogland, M.J., Koons, D.N., Carr, P.C. and Aubry, L.M., 2017. Recreational harvest and incident-response management reduce human–carnivore conflicts in an anthropogenic landscape. Journal of Applied Ecology, 54(5), pp.1552-1562.
Ruefle, R., Dorofee, A., Mundie, D., Householder, A.D., Murray, M. and Perl, S.J., 2014. Computer security incident response team development and evolution. IEEE Security & Privacy, 12(5), pp.16-26.
Schneier, B., 2014. The future of incident response. IEEE Security & Privacy, 12(5), pp.96-96.
Schnepp, R., Vidal, R. and Hawley, C., 2017. Incident management for operations.
Silva, A., Emmanuel, G., McClain, J.T., Matzen, L. and Forsythe, C., 2015, August. Measuring expert and novice performance within computer security incident response teams. In International Conference on Augmented Cognition (pp. 144-152). Springer, Cham.
Singer, A., 2014. DON'T PANIC: Managing Incident Response.
Smith, J., 2017. Ransomware Incident Response for Law Enforcement (Doctoral dissertation, Utica College).
Souza, G., 2015. Protecting Defense Acquisitions, Part II Risk Management vs Incident Response.
Steinke, J., Bolunmez, B., Fletcher, L., Wang, V., Tomassetti, A.J., Repchick, K.M., Zaccaro, S.J., Dalal, R.S. and Tetrick, L.E., 2015. Improving cybersecurity incident response team effectiveness using teams-based research. IEEE Security & Privacy, 13(4), pp.20-29.
Sultana, S., Midi, D. and Bertino, E., 2014, November. Kinesis: a security incident response and prevention system for wireless sensor networks. In Proceedings of the 12th ACM Conference on Embedded Network Sensor Systems (pp. 148-162). ACM.
Tlali, V.I., Hancke, G.P. and Silva, B.J., 2016, March. A smartphone-based mobile incident response system for indoor and outdoor scenarios. In Industrial Technology (ICIT), 2016 IEEE International Conference on (pp. 2036-2041). IEEE.
Van der Kleij, R., Kleinhuis, G. and Young, H., 2017. Computer Security Incident Response Team Effectiveness: A Needs Assessment. Frontiers in psychology, 8, p.2179.
Wilson, D.T., Hawe, G.I., Coates, G. and Crouch, R.S., 2015. Modeling Uncertain and Dynamic Casualty Health in Optimization-Based Decision Support for Mass Casualty Incident Response.
Wilson, D.T., Hawe, G.I., Coates, G. and Crouch, R.S., 2016. Online optimization of casualty processing in major incident response: An experimental analysis. European Journal of Operational Research, 252(1), pp.334-348.
My Assignment Help. (2020). Incident Response: Managing Cyber Attacks And Security Breaches. Retrieved from https://myassignmenthelp.com/free-samples/m118cem-incident-response.