Assume that you have been tasked by your employer to develop an incident response plan. Create a list of stakeholders for the IR planning committee. For each type of stakeholder, provide the reasons for inclusion and the unique aspects or vision that you
Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 4 Incident Response: Planning
Objectives
• Describe the process used to organize the incident response planning process
• Describe the activities and deliverables used to develop an incident response policy, including how policy affects the incident response planning process and how policy can be implemented to support incident response practices
• Explain the techniques that can be employed when forming a security incident response team
Principles of Incident Response and Disaster Recovery, 2nd Edition 2
Objectives (cont’d.)
• List the skills and components required to devise an incident response plan
• Discuss some of the concerns and trade-offs to be managed when assembling the final incident response plan
Principles of Incident Response and Disaster Recovery, 2nd Edition 3
Introduction
• Contingency planning (CP) – Addresses everything to prepare for the unexpected
• Incident response (IR): element of CP – Focus: detect and evaluate the severity of emerging
unexpected events • Documented escalation process
– Used when other CP process elements activated • IR process phases
– Preparation, detection and analysis, containment, eradication and recovery, and post-incident activity
Principles of Incident Response and Disaster Recovery, 2nd Edition 4
The IR Planning Process
• Contingency planning management committee (CPMT) – Completes each business impact analysis component – Transfers information to subordinate committees
• IR committee, disaster recovery (DR) committee, business continuity (BC) committee
– Provides information that may overlap • Attack information • Attack prioritization information • Attack scenario end cases
Principles of Incident Response and Disaster Recovery, 2nd Edition 5
The IR Planning Process (cont’d.)
• Committee members begin their subordinate plans – Incident planning stages
• Form the IR planning committee • Develop the IR planning policy • Integrate the BIA • Identify preventive controls • Organize the Computer Security Incident Response
Team (CSIRT) • Create IR strategies and procedures • Develop the IR plan • Ensure plan testing, training, exercises, maintenance
Principles of Incident Response and Disaster Recovery, 2nd Edition 6
Principles of Incident Response and Disaster Recovery, 2nd Edition 7
The IR Planning Process (cont’d.)
• IR planning process organization – Begins with staffing the IR planning committee
• IR team organized as a separate entity – Begins by identifying and engaging collection of
stakeholders • Representative collection of individuals • Have a stake in the successful and uninterrupted
operation of the information infrastructure • Used to collect vital information on the roles and
responsibilities of the CSIRT
Principles of Incident Response and Disaster Recovery, 2nd Edition 8
The IR Planning Process (cont’d.)
• Typical stakeholders – General management – IT and InfoSec management – Organizational departments
• Legal department • Human resources department (HR) • Public relations (PR) • Departments with an information security overlap
– General end users, key business partners, contractors, temporary employee agencies, consultants
Principles of Incident Response and Disaster Recovery, 2nd Edition 9
Forming the IR Planning Team
• Incident response planning team (IRP team) – Performs planning and development activities – Built by executive leadership
• Information technology (IT) involvement • Information security involvement • CPMT organizational management representatives • Team leader: liaison between IR team and CPMT • Champion: chief information officer (CIO) or vice
president of IT – Should meet regularly to develop IR plan, structure,
develop, and train CSIRT Principles of Incident Response and Disaster Recovery, 2nd Edition 10
Developing the Incident Response Policy
• IR policy – First deliverable prepared by the IRP committee – Defines team operations – Articulates response to various types of incidents – Advises end users on how to contribute to the
effective response • Rather than contributing to the problem at hand
– Similar in structure to other organization policies
Principles of Incident Response and Disaster Recovery, 2nd Edition 11
Principles of Incident Response and Disaster Recovery, 2nd Edition 12
Principles of Incident Response and Disaster Recovery, 2nd Edition 13
Developing the Incident Response Policy (cont’d.)
• In developing the policy: – Critical to involve those who actually use the policies – Include interaction and review by other CP teams
• Aids in developing clear, consistent, uniform policy elements and structure
– Look at policies from other agencies and organizations
Principles of Incident Response and Disaster Recovery, 2nd Edition 14
Developing the Incident Response Policy (cont’d.)
• Policy information sources – Organization charts for the enterprise and specific
business functions – Topologies for organizational or constituency systems
and networks – Critical system and asset inventories – Existing DR or BC plans and any existing IR plans – Existing guidelines for notifying the organization of a
physical security breach – Any parental or institutional regulations – Any existing security policies and procedures
Principles of Incident Response and Disaster Recovery, 2nd Edition 15
Building the Computer Security Incident Response Team
• Loose or informal CSIRT association – Consists of IT and InfoSec staffers
• Informed if attack detected on information assets • Formal CSIRT implementation
– Team of people and supporting policies, procedures, technologies, and data
• Prevent, detect, react to, and recover from incident that could potentially damage information
• At some level CSIRT team member come from all organization members – Every action could cause or avert an incident
Principles of Incident Response and Disaster Recovery, 2nd Edition 16
Incident Response Planning
• Incident response plan (IR plan) – Detailed set of processes and procedures
• Anticipate, detect, and mitigate unexpected event effects that might compromise information resources and assets
• Adverse events: organization viewpoint – Unexpected activities occurring periodically
Principles of Incident Response and Disaster Recovery, 2nd Edition 17
Incident Response Planning (cont’d.)
• Incident: contingency planning viewpoint – Adverse event threatening security of organization’s
information – Adverse event: natural or human made – Occurs when adverse event affects information
resources and/or assets • Causes actual damage or other disruptions
• Incident response (IR) – Set of procedures
• Commence when incident detected – Must be carefully planned and coordinated
Principles of Incident Response and Disaster Recovery, 2nd Edition 18
Incident Response Planning (cont’d.)
• IR plan activation – Occurs when incident causes minimal damage
• According to criteria set in advance • Activated with little or no disruption to operations
• Information security incident – Three required characteristics
• Directed against information assets owned or operated by the organization
• Has realistic chance of success • Threatens information resources and assets
confidentiality, integrity, or availability Principles of Incident Response and Disaster Recovery, 2nd Edition 19
Incident Response Planning (cont’d.)
• IR procedures – Reactive measures; not considered preventive control
• Excluding efforts taken to prepare for such actions • Chief information security officer (CISO)
– Responsible for creating organization’s IR plan – Creates CSIRT by selecting members from each
community of interest – Should clearly document and communicate roles and
responsibilities • May include an alert roster
Principles of Incident Response and Disaster Recovery, 2nd Edition 20
Incident Response Planning (cont’d.)
• IRP team and CSIRT – Develop series of predefined incident responses
• IR plan creation – Part of the multistep CP process completed by IR
team – Integral IR procedures begin to take shape – For every potential attack scenario IR team creates
the incident plan – Incident plan made up of three sets of incident-
handling procedures • Address steps taken before, during, & after incident
Principles of Incident Response and Disaster Recovery, 2nd Edition 21
Planning for the Response During the Incident
• IR planning activities – Begin with the middle: the actual incident response
• Most important phase – Reaction to the incident (“during the incident”) – Team needs quick and easy access to specific
procedures • Must identify, contain, and terminate the incident
Principles of Incident Response and Disaster Recovery, 2nd Edition 22
Triggering the IR Plan
• Viable attack scenario end cases – Examined in turn by IR team and CSIRT
representatives • Understand actions needed to react to the incident
– Discussion begins with the trigger • Circumstance causing IR team activation and IR plan
initiation
Principles of Incident Response and Disaster Recovery, 2nd Edition 23
Triggering the IR Plan (cont’d.)
• Trigger situations or circumstances – Phone call from a user to the help desk about unusual
computer or network behavior – Notification from systems administrator about unusual
server or network behavior – Notification from an intrusion detection device – Review of system log files indicating an unusual
pattern of entries – Loss of system connectivity – Device malfunctions
Principles of Incident Response and Disaster Recovery, 2nd Edition 24
Triggering the IR Plan (cont’d.)
• Once indicator reported: – IR team leader or IR duty officer determines IR plan
activation – IR duty officer
• CSIRT team member (not the team leader) • Currently performing team leader responsibilities • Scanning information infrastructure for signs of an
incident – Team members notified once potential incident
detected • Move forward with IR plan
Principles of Incident Response and Disaster Recovery, 2nd Edition 25
The Reaction Force
• IRP team determines individuals needed to respond to each particular end case – Unique team for each attack scenario end case – Team leader specified in IR plan – Resources and skill sets added as necessary – IR plan specifies the scribe (archivist or historian)
• Develops and maintains event log used in reviewing actions during the after-action review
– CSIRT reaction force • The resulting incident team
Principles of Incident Response and Disaster Recovery, 2nd Edition 26
Actions Taken “During the Incident”
• Reacting to a particular incident – Determining what must be done
• Example: malware infestation – Verify virus presence – Confirm presence and determine extent of exposure – Quarantine infestation
• Disconnect infected systems from network • Look for evidence of continued spread
– Continue to look for “flare-ups” – Begin the next phase: decontamination
Principles of Incident Response and Disaster Recovery, 2nd Edition 27
Actions Taken “During the Incident” (cont’d.)
• Example: malware infestation (cont’d.) – Last phase: “actions during”
• Disinfect systems by running anti-malware software, searching for spyware
• Functional and up-to-date anti-malware detects and documents new malware presence
• “Actions during” phase complete once all signs of contamination eliminated
Principles of Incident Response and Disaster Recovery, 2nd Edition 28
Planning for “After the Incident”
• “Actions after” phase – Begins once incident contained
• Lost or damaged data restored • Systems scrubbed of infection • Essentially everything restored to its previous state
– IR plan • Describes stages to recover from most likely incident • Details the protection from follow-on incidents,
forensics analysis, after-action review events – Follow-on attacks
• Identification should be of great concern Principles of Incident Response and Disaster Recovery, 2nd Edition 29
Planning for “After the Incident” (cont’d.)
• Forensic analysis – Systematically examining information assets for
evidentiary material providing insight into how incident transpired
• Use an individual trained in forensic analysis – May be used in civil or criminal proceedings
• After-action review (AAR) – Detailed examination of events – Key players review and verify notes, documentation – Update plan and train future staff – IR team action closed
Principles of Incident Response and Disaster Recovery, 2nd Edition 30
Planning for “Before the Incident”
• Also called “before actions” • Planners implement good IT and information
security practices • Includes preventive measures
– Manage risks associated with a particular attack – Preparations of the IR team
• Routine rehearsal maintains a state of readiness to respond to attacks – CSIRT training, IR plan testing, selecting and
maintaining CSIRT tools, training system users
Principles of Incident Response and Disaster Recovery, 2nd Edition 31
Training the CSIRT
• National training programs focusing on IR tools and techniques – SANS Institute national conferences
• http://www.sans.org • SANSFIRE: specifically focused on IR
– Microsoft, Cisco, and Sun – Department of Homeland Security (DHS) and the US
CERT • http://www.fbcinc.com/gfirst
• Organization training programs – Includes mentoring-type training
Principles of Incident Response and Disaster Recovery, 2nd Edition 32
Training the CSIRT (cont’d.)
• Professional reading program – Self-created list of trustworthy information sources
• No dedicated IR journals or magazines – SANS Information Security Reading Room
• http://www.sans.org/rr – Computer Security Officer
• http://www.csoonline.com – SC Magazine
• http://www.scmagazine.com – Information Security Magazine
• http://informationsecurity.techtarget.com Principles of Incident Response and Disaster Recovery, 2nd Edition 33
Training the CSIRT (cont’d.)
• Online resources for IR – Forum of Incident Response and Security Teams
(FIRST): http://www.first.org – U.S. Computer Emergency Readiness Team (US
CERT): http://www.us-cert.gov – CERT Coordination Center (CERT CC) at Carnegie
Mellon University: http://www.cert.org – NIST Computer Security Resource Center (CSRC)
• http://csrc.nist.gov – Honeypots.net: http://www.honeypots.net
Principles of Incident Response and Disaster Recovery, 2nd Edition 34
Training the CSIRT (cont’d.)
• IR plan testing – Key part of CSIRT training – Strategies
• Desk check, structured walk-through, simulation, parallel testing, full interruption, war gaming
• Desk check – Individual reviews plan and creates list of correct and
incorrect components • Structured walk-through
– Walk through steps taken during an actual event
Principles of Incident Response and Disaster Recovery, 2nd Edition 35
Training the CSIRT (cont’d.)
• Simulation – Potential participant individually simulates the
performance of each task • Stops short of the actual physical tasks required
• Parallel testing – Act as if actual incident occurred
• Perform required tasks and executes necessary procedures without interfering with the normal operations of the business
• Must ensure procedures performed do not halt operations of the business functions
Principles of Incident Response and Disaster Recovery, 2nd Edition 36
Training the CSIRT (cont’d.)
• Full interruption – Individuals follow each and every procedure – Often performed after normal business hours
• In organizations that cannot afford to disrupt or simulate disruption of business functions
• War gaming – Simulation of attack and defense activities
• Uses realistic networks and information systems • The exercise of IR plans is an important element • National competitions at conferences and collegiate
level Principles of Incident Response and Disaster Recovery, 2nd Edition 37
Training the CSIRT (cont’d.)
• Common war-gaming variations – Capture the flag, king of the hill, computer simulations – Defend the flag, online programming-level war games
• CIA and U.S. military war games – Train and test troops in information security and
information warfare tactics • Hackers have war games (http://roothack.org) • Minimum test:
– Periodic walk-through (chalk talk) of each CP component plans
Principles of Incident Response and Disaster Recovery, 2nd Edition 38
Principles of Incident Response and Disaster Recovery, 2nd Edition 39
Principles of Incident Response and Disaster Recovery, 2nd Edition 40
Training the Users
• Security education training and awareness (SETA) – Responsible for training users
• Tasks to instruct – What is expected of them – How to recognize an attack – How to report a suspected incident, and whom to
report it to – How to mitigate the damage of attacks on the desktop
Principles of Incident Response and Disaster Recovery, 2nd Edition 41
Training the Users (cont’d.)
• Tasks to instruct (cont’d.) – Good information security practices
• Keeping antivirus/anti-malware software up to date • Using spyware detection software • Keeping operating system and applications up to date
with patches and updates • Not opening suspect e-mail attachments • Avoiding social engineering attacks • Not downloading and installing unauthorized software
or software from untrusted sources • Protecting passwords and classified information
Principles of Incident Response and Disaster Recovery, 2nd Edition 42
Training the Users (cont’d.)
• Training for general users – Allows users to ask questions and receive specific
guidance • Provide training on technical details of how to do jobs
securely – Allows the organization to emphasize key points – Employee orientation
• Convenient time to conduct training
Principles of Incident Response and Disaster Recovery, 2nd Edition 43
Training the Users (cont’d.)
• Training for managerial users – May have same requirements as general user – Managers expect more personal training – Managers often resist organized training
• Champion can exert influence • Training for technical users
– Training for IT staff, security staff, technically competent general users
• More detailed than general user or managerial training • May require consultants or outside training
organizations Principles of Incident Response and Disaster Recovery, 2nd Edition 44
Training Techniques and Delivery Methods
• Successful training elements – Good training techniques – Thorough subject area knowledge
• Selection of training delivery method – Not always based on the best outcome for the trainee – Often based on budget, time frame, organization
needs
Principles of Incident Response and Disaster Recovery, 2nd Edition 45
Principles of Incident Response and Disaster Recovery, 2nd Edition 46
Principles of Incident Response and Disaster Recovery, 2nd Edition 47
Assembling and Maintaining the Final IR Plan
• Draft plan – Used for preliminary staff training and evaluating plan
effectiveness – If any errors or difficulties are discovered
• Remedied as draft plan matures • Commence final assembly
– Once desired plan maturity is achieved, drafts are reviewed and tested
Principles of Incident Response and Disaster Recovery, 2nd Edition 48
Assembling and Maintaining the Final IR Plan (cont’d.)
• Final plan creation – Testing process does not stop: test semiannually – Modified plans retested at the earliest opportunity
• Final IR plan document created – Once all individual IR plan components drafted and
tested • IR plan format and content
– Organization dependent – Ensure IR plan developed, tested, and placed in
easy-to-access location
Principles of Incident Response and Disaster Recovery, 2nd Edition 49
Assembling and Maintaining the Final IR Plan (cont’d.)
• Recommended practices for physical IR plan – Select a uniquely colored binder – Place reflective tape on spine of binder – Place classified document cover sheet in slipcover – Place an index on the first inside page – Use common tab and label the index for documents – Organize the contents – Attach copies of relevant documents in the back – Add additional documents as needed – Store in a secure but easily reachable location
Principles of Incident Response and Disaster Recovery, 2nd Edition 50
Principles of Incident Response and Disaster Recovery, 2nd Edition 51
Summary
• CP prepares organization for the unexpected • CPMT completes BIA components, and identifies
information flow and subordinate committee responsibility – Incident planning has multiple stages
• Organizing the IR planning process begins with IRP team staffing and identifying stakeholders
• IRP team first deliverable: IR policy • CSIRT prevents, detects, reacts to, and recovers
from an incident
Principles of Incident Response and Disaster Recovery, 2nd Edition 52
Summary (cont’d.)
• IR plan anticipates, detects, and mitigates unexpected event effects – Activated when incident causes minimal damage – Includes three sets of incident-handling procedures
• IRP team determines individuals needed to respond – Ensures CSIRT prepared to respond to incident
• Key part CSIRT training: testing the IR plan • Final IR plan document created
– Once all individual IR plan components drafted and tested
Principles of Incident Response and Disaster Recovery, 2nd Edition 53
- Principles of Incident Response and Disaster Recovery, 2nd Edition
- Objectives
- Objectives (cont’d.)
- Introduction
- The IR Planning Process
- The IR Planning Process (cont’d.)
- Slide Number 7
- The IR Planning Process (cont’d.)
- The IR Planning Process (cont’d.)
- Forming the IR Planning Team
- Developing the Incident Response Policy
- Slide Number 12
- Slide Number 13
- Developing the Incident Response Policy (cont’d.)
- Developing the Incident Response Policy (cont’d.)
- Building the Computer Security Incident Response Team
- Incident Response Planning
- Incident Response Planning (cont’d.)
- Incident Response Planning (cont’d.)
- Incident Response Planning (cont’d.)
- Incident Response Planning (cont’d.)
- Planning for the Response During the Incident
- Triggering the IR Plan
- Triggering the IR Plan (cont’d.)
- Triggering the IR Plan (cont’d.)
- The Reaction Force
- Actions Taken “During the Incident”
- Actions Taken “During the Incident” (cont’d.)
- Planning for “After the Incident”
- Planning for “After the Incident” (cont’d.)
- Planning for “Before the Incident”
- Training the CSIRT
- Training the CSIRT (cont’d.)
- Training the CSIRT (cont’d.)
- Training the CSIRT (cont’d.)
- Training the CSIRT (cont’d.)
- Training the CSIRT (cont’d.)
- Training the CSIRT (cont’d.)
- Slide Number 39
- Slide Number 40
- Training the Users
- Training the Users (cont’d.)
- Training the Users (cont’d.)
- Training the Users (cont’d.)
- Training Techniques and Delivery Methods
- Slide Number 46
- Slide Number 47
- Assembling and Maintaining the Final IR Plan
- Assembling and Maintaining the Final IR Plan (cont’d.)
- Assembling and Maintaining the Final IR Plan (cont’d.)
- Slide Number 51
- Summary
- Summary (cont’d.)