Incident Response (IR) is a systematic process for detecting, analyzing, containing, eradicating, and recovering from cybersecurity incidents. Its main goal is to minimize damage, protect data, and prevent recurring attacks. Demikian definisi respons insiden menurut beberapa sumber. Pernah dengan ECIH?
Sobat Kamsib telah melihat bahwa ada yang namanya proses deteksi, analisis, penahanan, penghapusan, dan pemulihan. Hal-hal tersebut menjadi bagian utama pada fungsi IR ini. Untuk memperkuat pemahaman kita mengenai IR, kita bisa membuka dokumen NIST SP 800-61.
Dalam dunia profesi, terdapat beberapa metode untuk mengetahui apakah seseorang memiliki kapabilitas di suatu bidang. Dua di antaranya adalah melalui pengujian langsung atau melalui program sertifikasi. Sama halnya dengan bidang respons insiden. Berikut beberapa sertifikasi populer:
- ECIH – EC-Council Certified Incident Handler
- GCIH – GIAC Certified Incident Handler (by SANS)
- GCFA – GIAC Certified Forensic Analyst
- GREM – GIAC Reverse Engineering Malware
- CCIR – Certified Cyber Incident Responder (Mile2)
Tentu masih banyak lagi sertifikasi, baik tingkat pemula hingga ahli. Dari beberapa program yang sudah disebut, Kamsib tidak disponsori satupun. Jadi kalah ada vendor sertifikasi yang ingin memberikan sponsor, kami sangat welcome. Haha!
ECIH (EC-Council Certified Incident Handler)
ECIH adalah sertifikasi internasional dari EC-Council yang berfokus pada keterampilan praktis dalam menangani insiden keamanan informasi. Program ini dirancang untuk melatih profesional keamanan agar mampu mendeteksi, merespons, dan memulihkan sistem dari berbagai jenis serangan siber.
Rata-rata Waktu Incident Response
Kalau kata EC-Council sih di dalam brosur mereka, respons insiden akan memakan waktu rata-rata:
- 277 days → Average time to identify and contain a data breach. (±9 bulan)
- 49 days → On average, how much longer ransomware breaches took to identify and contain. (hampir 11 bulan)
- 303 days → Average time to identify and contain a supply chain compromise. (±10 bulan)
Lalu, dalam promosi mereka mengatakan: With over 95 advanced labs, coverage of over 800 tools, and exposure to incident-handling activities on many different operating systems, the E|CIH provides a well-rounded but tactical approach to planning for and dealing with cyber incidents.
Apa benar ada 800 tools?
Kembali ke brosur, di halaman berikutnya ada daftar lengkap mengenai modul pembelajaran. Saya coba tanyakan ke ChatGPT untuk mendeskripsikan secara singkat mengenai modul tersebut. Berikut jawaban dari GPT:
MODULE 01: Introduction to Incident Handling and Response
📌 Fokus: dasar-dasar keamanan informasi dan insiden.
- Mengenal ancaman, vektor serangan, dan framework pertahanan.
- Konsep insiden, manajemen insiden, otomatisasi & orkestrasi.
- Best practices, standar (ISO 27035, NIST 800-61), framework (NIST, MITRE ATT&CK).
- Aspek hukum & compliance (GDPR, HIPAA, UU ITE, dsb).
MODULE 02: Incident Handling and Response Process
📌 Fokus: tahapan utama incident response (IR).
- Preparation → perencanaan, prosedur, tools.
- Detection & Recording → identifikasi insiden, logging, ticketing.
- Triage → klasifikasi & prioritas.
- Containment → isolasi sistem terdampak.
- Forensics & Evidence gathering → chain of custody.
- Eradication, Recovery, Post-Incident review.
- Information sharing (CERT, ISAC).
MODULE 03: First Response
📌 Fokus: langkah pertama di TKP (cyber atau fisik).
- Mengamankan & mendokumentasi “crime scene”.
- Teknik pengumpulan, pelabelan, dan transportasi evidence digital.
- Menjaga integritas data (hashing, write-blocker).
MODULE 04: Handling and Responding to Malware Incidents
📌 Fokus: insiden malware.
- Persiapan & deteksi malware.
- Containment (isolasi host terinfeksi).
- Malware analysis (static & dynamic).
- Eradication & recovery.
- Case study + best practices (EDR, sandbox, patching).
MODULE 05: Handling and Responding to Email Security Incidents
📌 Fokus: insiden email (phishing, spoofing, spam).
- Persiapan & deteksi email berbahaya.
- Penanganan unauthorized access via email.
- Inappropriate usage & DoS berbasis email.
- Case study & best practices (DMARC, SPF, DKIM).
MODULE 06: Handling and Responding to Network Security Incidents
📌 Fokus: insiden jaringan.
- Unauthorized access (credential theft, lateral movement).
- Inappropriate usage (abuse, policy violation).
- DoS/DDoS & wireless attacks.
- Monitoring & traffic analysis.
- Best practices (IDS/IPS, SIEM, NAC).
MODULE 07: Handling and Responding to Web Application Security Incidents
📌 Fokus: insiden aplikasi web.
- Serangan: SQL injection, XSS, CSRF, RCE.
- Deteksi & containment.
- Analisis (log, payload, vulnerability scanning).
- Eradication (patch, WAF tuning).
- Recovery + best practices (secure coding, pentesting).
MODULE 08: Handling and Responding to Cloud Security Incidents
📌 Fokus: insiden di cloud (AWS, Azure, GCP).
- Shared responsibility model.
- IAM misconfigurations, data leaks, cloud malware.
- Vendor-specific handling (AWS GuardDuty, Azure Sentinel, GCP SCC).
- Best practices: cloud security posture management (CSPM), logging, encryption.
MODULE 09: Handling and Responding to Insider Threats
📌 Fokus: ancaman internal.
- Malicious insider vs negligent insider.
- Deteksi & containment (UEBA, DLP).
- Investigasi & eradication.
- Recovery (HR, legal, monitoring).
- Best practices: least privilege, awareness training, monitoring.
MODULE 10: Handling and Responding to Endpoint Security Incidents
📌 Fokus: endpoint (laptop, mobile, IoT, OT).
- Insiden mobile (malware, rogue apps).
- IoT/OT (industrial attacks, firmware exploits).
- Forensics endpoint (memory dump, disk analysis).
- Case study + best practices (EDR, MDM, patching).
👉 Jadi kalau diringkas:
- Modul 1–3 = dasar & proses umum.
- Modul 4–10 = spesifik ke jenis insiden (malware, email, network, web, cloud, insider, endpoint).
