Concepts and Terminology
The following terms and concepts are important for understanding the AWS Security Incident Response service and how it works.
Scope: AWS Security Incident Response aligns with the National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide, providing a consistent approach to security event management that follows industry best practices.
Analysis: The detailed investigation and examination of a security event to understand its scope, impact, and root cause.
AWS Security Incident Response service portal: A self-service portal for you to initiate and manage security event cases. Ongoing communication and reporting are facilitated through the ticketing system, automated notifications, and direct engagement with the service team.
Communication: The ongoing dialog and information sharing between the AWS Security Incident Response team and the customer during the incident response process.
Containment, Eradication, and Recovery: The prevention of additional unauthorized activity (containment), the removal of unauthorized resources and of the original vulnerability that was exploited (eradication), and the restoration of affected resources to normal operation (recovery).
Continuous Improvement: AWS Security Incident Response incorporates feedback and lessons learned from prior engagements to enhance its detection capabilities, investigative processes, and remediation actions. AWS Security Incident Response also stays up-to-date with the latest security threats and best practices to address evolving security challenges.
Cybersecurity Event: An action that uses an information system or network to produce an adverse effect on the system, network, or information it contains.
Cybersecurity Incident: A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
Incident Response Team: A group of individuals who provide support during active security events. For AWS-supported cases, this is the AWS Customer Incident Response Team (CIRT).
Incident Response Workflow: The defined sequence of steps and activities involved in the end-to-end management of a security event, aligned with the NIST 800-61 standard.
Investigative Tooling: AWS Security Incident Response tools and service-linked roles used to review the operational health of your account and resources.
Lessons Learned: The review and documentation of a security event response to identify areas for improvement and inform future incident response planning.
Monitoring and Investigation: AWS Security Incident Response rapidly reviews security alerts from Amazon GuardDuty and surfaces the alerts your team most needs to analyze. It configures suppression rules based on the specifics of your environment to prevent unnecessary alerts.
Preparation: The activities undertaken to get an organization ready to effectively respond to and manage security events, such as developing incident response plans and testing procedures.
Reporting and Communication: The processes used to keep you informed throughout the incident response process, including automated notifications, call bridges, and the delivery of investigation artifacts. AWS Security Incident Response provides a single, centralized dashboard in the AWS Management Console to manage all your AWS Security Incident Response efforts.
Responder Generated Intelligence: Indicators of compromise; tactics, techniques, and procedures; and associated patterns observed during AWS CIRT investigations.
Security Event Expertise: The specialized knowledge and skills required to effectively respond to and manage security events, particularly in the context of the AWS cloud.
Shared Responsibility Model: The division of security responsibilities between AWS and the customer, where AWS is responsible for security of the cloud, and the customer is responsible for security in the cloud.
Threat Intelligence: Internal and external data feeds containing details of unauthorized activity to help identify and respond to evolving security threats.
Ticketing System: A dedicated case management platform that allows you to onboard and manage security event cases, add attachments, and track the incident response lifecycle.
Triage: The initial assessment and prioritization of a security event to determine the appropriate response and next steps.
Workflow: The defined sequence of steps and activities involved in the end-to-end management of a security event.
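The Monitoring and Investigation entry above refers to GuardDuty suppression rules. In GuardDuty terms a suppression rule is a filter whose action is ARCHIVE: findings matching its criteria are auto-archived instead of reaching analysts. The following is an added example, not code from the AWS Security Incident Response service or its documentation, showing what such a rule looks like and how to check locally which findings it would swallow before creating it. The filter attribute names, condition operators and the Action/Rank fields are GuardDuty's CreateFilter API; the tag value, the detector ID, the sample findings and the simplified `matches` evaluator are constructed for illustration and approximate, rather than reproduce, GuardDuty's own matching.

```python
"""GuardDuty suppression-rule builder with a local dry-run matcher.

Added example, not part of the AWS Security Incident Response documentation.
Detector ID, tag values and sample findings below are constructed placeholders.
"""
from __future__ import annotations

# Condition operators accepted inside FindingCriteria.Criterion (GuardDuty API).
_STRING_OPS = {"Eq", "Neq", "Equals", "NotEquals"}
_NUMERIC_OPS = {
    "Gt": lambda a, b: a > b, "GreaterThan": lambda a, b: a > b,
    "Gte": lambda a, b: a >= b, "GreaterThanOrEqual": lambda a, b: a >= b,
    "Lt": lambda a, b: a < b, "LessThan": lambda a, b: a < b,
    "Lte": lambda a, b: a <= b, "LessThanOrEqual": lambda a, b: a <= b,
}


def build_suppression_filter(name: str, criteria: dict[str, dict],
                             rank: int = 1, description: str = "") -> dict:
    """Return CreateFilter kwargs (minus DetectorId) for an ARCHIVE filter.

    `criteria` maps a finding attribute path, e.g. "resource.instanceDetails.tags.value",
    to {operator: value or list of values}. Operators are validated here so a
    malformed rule fails locally instead of at the API call.
    """
    if not 1 <= rank <= 100:
        raise ValueError("rank must be between 1 and 100")
    criterion: dict[str, dict] = {}
    for attr, conds in criteria.items():
        if not conds:
            raise ValueError(f"empty condition for {attr}")
        built: dict = {}
        for op, value in conds.items():
            if op in _STRING_OPS:
                # String operators take a list of candidate values.
                built[op] = [value] if isinstance(value, str) else list(value)
            elif op in _NUMERIC_OPS:
                built[op] = int(value)
            else:
                raise ValueError(f"unsupported operator {op!r} for {attr}")
        criterion[attr] = built
    return {
        "Name": name,
        "Description": description,
        "Action": "ARCHIVE",  # ARCHIVE suppresses; NOOP would only create a saved view
        "Rank": rank,
        "FindingCriteria": {"Criterion": criterion},
    }


def matches(filter_kwargs: dict, finding: dict) -> bool:
    """Simplified local evaluation: does `finding` satisfy every criterion?

    `finding` is a flattened dict of attribute path -> scalar or list (constructed
    shape for the dry run; real findings are nested JSON). All attributes must
    match (logical AND); a list-valued attribute matches Eq if any element does.
    """
    criterion = filter_kwargs["FindingCriteria"]["Criterion"]
    for attr, conds in criterion.items():
        if attr not in finding:
            return False
        actual = finding[attr]
        values = actual if isinstance(actual, list) else [actual]
        for op, expected in conds.items():
            if op in ("Eq", "Equals"):
                ok = any(v in expected for v in values)
            elif op in ("Neq", "NotEquals"):
                ok = all(v not in expected for v in values)
            else:
                ok = _NUMERIC_OPS[op](values[0], expected)
            if not ok:
                return False
    return True


def apply_filter(detector_id: str, filter_kwargs: dict) -> str:
    """Create the filter in GuardDuty. Needs AWS credentials; not run offline."""
    import boto3  # imported lazily so the builder and matcher work offline
    client = boto3.client("guardduty")
    resp = client.create_filter(DetectorId=detector_id, **filter_kwargs)
    return resp["Name"]


if __name__ == "__main__":
    # Suppress low-severity port-probe findings from an approved, tagged scanner only.
    rule = build_suppression_filter(
        "suppress-approved-scanner",
        {
            "resource.instanceDetails.tags.value": {"Eq": "approved-vuln-scanner"},
            "type": {"Eq": ["Recon:EC2/PortProbeUnprotectedPort", "Recon:EC2/Portscan"]},
            "severity": {"Lte": 4},
        },
        description="Constructed example: scanner traffic from a tagged host",
    )
    scanner = {"resource.instanceDetails.tags.value": ["approved-vuln-scanner"],
               "type": "Recon:EC2/Portscan", "severity": 2}
    stranger = {"resource.instanceDetails.tags.value": ["web-tier"],
                "type": "Recon:EC2/Portscan", "severity": 2}
    print(matches(rule, scanner), matches(rule, stranger))
    # apply_filter("12abc34d567e8fa901bc2d34e56789f0", rule)  # constructed detector ID
```

The dry run matters because a suppression rule keyed on a single attribute such as finding type would hide the same finding from every instance in the account; anchoring the rule on an environment-specific tag value and a severity ceiling keeps it narrow, which is the point of tailoring suppression to your environment.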