Assume that you have been tasked by your employer to develop an incident response plan. Create a list of stakeholders for the IR planning committee. For each type of stakeholder, provide the reasons for inclusion and the unique aspects or vision that you

profileuser
Chapter4_PrinciplesofIncidentResponseandDisasterRecovery.pdf

Principles of Incident Response and Disaster Recovery, 2nd Edition

Chapter 4 Incident Response: Planning

Objectives

• Describe the process used to organize the incident response planning process

• Describe the activities and deliverables used to develop an incident response policy, including how policy affects the incident response planning process and how policy can be implemented to support incident response practices

• Explain the techniques that can be employed when forming a security incident response team

Principles of Incident Response and Disaster Recovery, 2nd Edition 2

Objectives (cont’d.)

• List the skills and components required to devise an incident response plan

• Discuss some of the concerns and trade-offs to be managed when assembling the final incident response plan

Principles of Incident Response and Disaster Recovery, 2nd Edition 3

Introduction

• Contingency planning (CP) – Addresses everything to prepare for the unexpected

• Incident response (IR): element of CP – Focus: detect and evaluate the severity of emerging

unexpected events • Documented escalation process

– Used when other CP process elements activated • IR process phases

– Preparation, detection and analysis, containment, eradication and recovery, and post-incident activity

Principles of Incident Response and Disaster Recovery, 2nd Edition 4

The IR Planning Process

• Contingency planning management committee (CPMT) – Completes each business impact analysis component – Transfers information to subordinate committees

• IR committee, disaster recovery (DR) committee, business continuity (BC) committee

– Provides information that may overlap • Attack information • Attack prioritization information • Attack scenario end cases

Principles of Incident Response and Disaster Recovery, 2nd Edition 5

The IR Planning Process (cont’d.)

• Committee members begin their subordinate plans – Incident planning stages

• Form the IR planning committee • Develop the IR planning policy • Integrate the BIA • Identify preventive controls • Organize the Computer Security Incident Response

Team (CSIRT) • Create IR strategies and procedures • Develop the IR plan • Ensure plan testing, training, exercises, maintenance

Principles of Incident Response and Disaster Recovery, 2nd Edition 6

Principles of Incident Response and Disaster Recovery, 2nd Edition 7

The IR Planning Process (cont’d.)

• IR planning process organization – Begins with staffing the IR planning committee

• IR team organized as a separate entity – Begins by identifying and engaging collection of

stakeholders • Representative collection of individuals • Have a stake in the successful and uninterrupted

operation of the information infrastructure • Used to collect vital information on the roles and

responsibilities of the CSIRT

Principles of Incident Response and Disaster Recovery, 2nd Edition 8

The IR Planning Process (cont’d.)

• Typical stakeholders – General management – IT and InfoSec management – Organizational departments

• Legal department • Human resources department (HR) • Public relations (PR) • Departments with an information security overlap

– General end users, key business partners, contractors, temporary employee agencies, consultants

Principles of Incident Response and Disaster Recovery, 2nd Edition 9

Forming the IR Planning Team

• Incident response planning team (IRP team) – Performs planning and development activities – Built by executive leadership

• Information technology (IT) involvement • Information security involvement • CPMT organizational management representatives • Team leader: liaison between IR team and CPMT • Champion: chief information officer (CIO) or vice

president of IT – Should meet regularly to develop IR plan, structure,

develop, and train CSIRT Principles of Incident Response and Disaster Recovery, 2nd Edition 10

Developing the Incident Response Policy

• IR policy – First deliverable prepared by the IRP committee – Defines team operations – Articulates response to various types of incidents – Advises end users on how to contribute to the

effective response • Rather than contributing to the problem at hand

– Similar in structure to other organization policies

Principles of Incident Response and Disaster Recovery, 2nd Edition 11

Principles of Incident Response and Disaster Recovery, 2nd Edition 12

Principles of Incident Response and Disaster Recovery, 2nd Edition 13

Developing the Incident Response Policy (cont’d.)

• In developing the policy: – Critical to involve those who actually use the policies – Include interaction and review by other CP teams

• Aids in developing clear, consistent, uniform policy elements and structure

– Look at policies from other agencies and organizations

Principles of Incident Response and Disaster Recovery, 2nd Edition 14

Developing the Incident Response Policy (cont’d.)

• Policy information sources – Organization charts for the enterprise and specific

business functions – Topologies for organizational or constituency systems

and networks – Critical system and asset inventories – Existing DR or BC plans and any existing IR plans – Existing guidelines for notifying the organization of a

physical security breach – Any parental or institutional regulations – Any existing security policies and procedures

Principles of Incident Response and Disaster Recovery, 2nd Edition 15

Building the Computer Security Incident Response Team

• Loose or informal CSIRT association – Consists of IT and InfoSec staffers

• Informed if attack detected on information assets • Formal CSIRT implementation

– Team of people and supporting policies, procedures, technologies, and data

• Prevent, detect, react to, and recover from incident that could potentially damage information

• At some level CSIRT team member come from all organization members – Every action could cause or avert an incident

Principles of Incident Response and Disaster Recovery, 2nd Edition 16

Incident Response Planning

• Incident response plan (IR plan) – Detailed set of processes and procedures

• Anticipate, detect, and mitigate unexpected event effects that might compromise information resources and assets

• Adverse events: organization viewpoint – Unexpected activities occurring periodically

Principles of Incident Response and Disaster Recovery, 2nd Edition 17

Incident Response Planning (cont’d.)

• Incident: contingency planning viewpoint – Adverse event threatening security of organization’s

information – Adverse event: natural or human made – Occurs when adverse event affects information

resources and/or assets • Causes actual damage or other disruptions

• Incident response (IR) – Set of procedures

• Commence when incident detected – Must be carefully planned and coordinated

Principles of Incident Response and Disaster Recovery, 2nd Edition 18

Incident Response Planning (cont’d.)

• IR plan activation – Occurs when incident causes minimal damage

• According to criteria set in advance • Activated with little or no disruption to operations

• Information security incident – Three required characteristics

• Directed against information assets owned or operated by the organization

• Has realistic chance of success • Threatens information resources and assets

confidentiality, integrity, or availability Principles of Incident Response and Disaster Recovery, 2nd Edition 19

Incident Response Planning (cont’d.)

• IR procedures – Reactive measures; not considered preventive control

• Excluding efforts taken to prepare for such actions • Chief information security officer (CISO)

– Responsible for creating organization’s IR plan – Creates CSIRT by selecting members from each

community of interest – Should clearly document and communicate roles and

responsibilities • May include an alert roster

Principles of Incident Response and Disaster Recovery, 2nd Edition 20

Incident Response Planning (cont’d.)

• IRP team and CSIRT – Develop series of predefined incident responses

• IR plan creation – Part of the multistep CP process completed by IR

team – Integral IR procedures begin to take shape – For every potential attack scenario IR team creates

the incident plan – Incident plan made up of three sets of incident-

handling procedures • Address steps taken before, during, & after incident

Principles of Incident Response and Disaster Recovery, 2nd Edition 21

Planning for the Response During the Incident

• IR planning activities – Begin with the middle: the actual incident response

• Most important phase – Reaction to the incident (“during the incident”) – Team needs quick and easy access to specific

procedures • Must identify, contain, and terminate the incident

Principles of Incident Response and Disaster Recovery, 2nd Edition 22

Triggering the IR Plan

• Viable attack scenario end cases – Examined in turn by IR team and CSIRT

representatives • Understand actions needed to react to the incident

– Discussion begins with the trigger • Circumstance causing IR team activation and IR plan

initiation

Principles of Incident Response and Disaster Recovery, 2nd Edition 23

Triggering the IR Plan (cont’d.)

• Trigger situations or circumstances – Phone call from a user to the help desk about unusual

computer or network behavior – Notification from systems administrator about unusual

server or network behavior – Notification from an intrusion detection device – Review of system log files indicating an unusual

pattern of entries – Loss of system connectivity – Device malfunctions

Principles of Incident Response and Disaster Recovery, 2nd Edition 24

Triggering the IR Plan (cont’d.)

• Once indicator reported: – IR team leader or IR duty officer determines IR plan

activation – IR duty officer

• CSIRT team member (not the team leader) • Currently performing team leader responsibilities • Scanning information infrastructure for signs of an

incident – Team members notified once potential incident

detected • Move forward with IR plan

Principles of Incident Response and Disaster Recovery, 2nd Edition 25

The Reaction Force

• IRP team determines individuals needed to respond to each particular end case – Unique team for each attack scenario end case – Team leader specified in IR plan – Resources and skill sets added as necessary – IR plan specifies the scribe (archivist or historian)

• Develops and maintains event log used in reviewing actions during the after-action review

– CSIRT reaction force • The resulting incident team

Principles of Incident Response and Disaster Recovery, 2nd Edition 26

Actions Taken “During the Incident”

• Reacting to a particular incident – Determining what must be done

• Example: malware infestation – Verify virus presence – Confirm presence and determine extent of exposure – Quarantine infestation

• Disconnect infected systems from network • Look for evidence of continued spread

– Continue to look for “flare-ups” – Begin the next phase: decontamination

Principles of Incident Response and Disaster Recovery, 2nd Edition 27

Actions Taken “During the Incident” (cont’d.)

• Example: malware infestation (cont’d.) – Last phase: “actions during”

• Disinfect systems by running anti-malware software, searching for spyware

• Functional and up-to-date anti-malware detects and documents new malware presence

• “Actions during” phase complete once all signs of contamination eliminated

Principles of Incident Response and Disaster Recovery, 2nd Edition 28

Planning for “After the Incident”

• “Actions after” phase – Begins once incident contained

• Lost or damaged data restored • Systems scrubbed of infection • Essentially everything restored to its previous state

– IR plan • Describes stages to recover from most likely incident • Details the protection from follow-on incidents,

forensics analysis, after-action review events – Follow-on attacks

• Identification should be of great concern Principles of Incident Response and Disaster Recovery, 2nd Edition 29

Planning for “After the Incident” (cont’d.)

• Forensic analysis – Systematically examining information assets for

evidentiary material providing insight into how incident transpired

• Use an individual trained in forensic analysis – May be used in civil or criminal proceedings

• After-action review (AAR) – Detailed examination of events – Key players review and verify notes, documentation – Update plan and train future staff – IR team action closed

Principles of Incident Response and Disaster Recovery, 2nd Edition 30

Planning for “Before the Incident”

• Also called “before actions” • Planners implement good IT and information

security practices • Includes preventive measures

– Manage risks associated with a particular attack – Preparations of the IR team

• Routine rehearsal maintains a state of readiness to respond to attacks – CSIRT training, IR plan testing, selecting and

maintaining CSIRT tools, training system users

Principles of Incident Response and Disaster Recovery, 2nd Edition 31

Training the CSIRT

• National training programs focusing on IR tools and techniques – SANS Institute national conferences

• http://www.sans.org • SANSFIRE: specifically focused on IR

– Microsoft, Cisco, and Sun – Department of Homeland Security (DHS) and the US

CERT • http://www.fbcinc.com/gfirst

• Organization training programs – Includes mentoring-type training

Principles of Incident Response and Disaster Recovery, 2nd Edition 32

Training the CSIRT (cont’d.)

• Professional reading program – Self-created list of trustworthy information sources

• No dedicated IR journals or magazines – SANS Information Security Reading Room

• http://www.sans.org/rr – Computer Security Officer

• http://www.csoonline.com – SC Magazine

• http://www.scmagazine.com – Information Security Magazine

• http://informationsecurity.techtarget.com Principles of Incident Response and Disaster Recovery, 2nd Edition 33

Training the CSIRT (cont’d.)

• Online resources for IR – Forum of Incident Response and Security Teams

(FIRST): http://www.first.org – U.S. Computer Emergency Readiness Team (US

CERT): http://www.us-cert.gov – CERT Coordination Center (CERT CC) at Carnegie

Mellon University: http://www.cert.org – NIST Computer Security Resource Center (CSRC)

• http://csrc.nist.gov – Honeypots.net: http://www.honeypots.net

Principles of Incident Response and Disaster Recovery, 2nd Edition 34

Training the CSIRT (cont’d.)

• IR plan testing – Key part of CSIRT training – Strategies

• Desk check, structured walk-through, simulation, parallel testing, full interruption, war gaming

• Desk check – Individual reviews plan and creates list of correct and

incorrect components • Structured walk-through

– Walk through steps taken during an actual event

Principles of Incident Response and Disaster Recovery, 2nd Edition 35

Training the CSIRT (cont’d.)

• Simulation – Potential participant individually simulates the

performance of each task • Stops short of the actual physical tasks required

• Parallel testing – Act as if actual incident occurred

• Perform required tasks and executes necessary procedures without interfering with the normal operations of the business

• Must ensure procedures performed do not halt operations of the business functions

Principles of Incident Response and Disaster Recovery, 2nd Edition 36

Training the CSIRT (cont’d.)

• Full interruption – Individuals follow each and every procedure – Often performed after normal business hours

• In organizations that cannot afford to disrupt or simulate disruption of business functions

• War gaming – Simulation of attack and defense activities

• Uses realistic networks and information systems • The exercise of IR plans is an important element • National competitions at conferences and collegiate

level Principles of Incident Response and Disaster Recovery, 2nd Edition 37

Training the CSIRT (cont’d.)

• Common war-gaming variations – Capture the flag, king of the hill, computer simulations – Defend the flag, online programming-level war games

• CIA and U.S. military war games – Train and test troops in information security and

information warfare tactics • Hackers have war games (http://roothack.org) • Minimum test:

– Periodic walk-through (chalk talk) of each CP component plans

Principles of Incident Response and Disaster Recovery, 2nd Edition 38

Principles of Incident Response and Disaster Recovery, 2nd Edition 39

Principles of Incident Response and Disaster Recovery, 2nd Edition 40

Training the Users

• Security education training and awareness (SETA) – Responsible for training users

• Tasks to instruct – What is expected of them – How to recognize an attack – How to report a suspected incident, and whom to

report it to – How to mitigate the damage of attacks on the desktop

Principles of Incident Response and Disaster Recovery, 2nd Edition 41

Training the Users (cont’d.)

• Tasks to instruct (cont’d.) – Good information security practices

• Keeping antivirus/anti-malware software up to date • Using spyware detection software • Keeping operating system and applications up to date

with patches and updates • Not opening suspect e-mail attachments • Avoiding social engineering attacks • Not downloading and installing unauthorized software

or software from untrusted sources • Protecting passwords and classified information

Principles of Incident Response and Disaster Recovery, 2nd Edition 42

Training the Users (cont’d.)

• Training for general users – Allows users to ask questions and receive specific

guidance • Provide training on technical details of how to do jobs

securely – Allows the organization to emphasize key points – Employee orientation

• Convenient time to conduct training

Principles of Incident Response and Disaster Recovery, 2nd Edition 43

Training the Users (cont’d.)

• Training for managerial users – May have same requirements as general user – Managers expect more personal training – Managers often resist organized training

• Champion can exert influence • Training for technical users

– Training for IT staff, security staff, technically competent general users

• More detailed than general user or managerial training • May require consultants or outside training

organizations Principles of Incident Response and Disaster Recovery, 2nd Edition 44

Training Techniques and Delivery Methods

• Successful training elements – Good training techniques – Thorough subject area knowledge

• Selection of training delivery method – Not always based on the best outcome for the trainee – Often based on budget, time frame, organization

needs

Principles of Incident Response and Disaster Recovery, 2nd Edition 45

Principles of Incident Response and Disaster Recovery, 2nd Edition 46

Principles of Incident Response and Disaster Recovery, 2nd Edition 47

Assembling and Maintaining the Final IR Plan

• Draft plan – Used for preliminary staff training and evaluating plan

effectiveness – If any errors or difficulties are discovered

• Remedied as draft plan matures • Commence final assembly

– Once desired plan maturity is achieved, drafts are reviewed and tested

Principles of Incident Response and Disaster Recovery, 2nd Edition 48

Assembling and Maintaining the Final IR Plan (cont’d.)

• Final plan creation – Testing process does not stop: test semiannually – Modified plans retested at the earliest opportunity

• Final IR plan document created – Once all individual IR plan components drafted and

tested • IR plan format and content

– Organization dependent – Ensure IR plan developed, tested, and placed in

easy-to-access location

Principles of Incident Response and Disaster Recovery, 2nd Edition 49

Assembling and Maintaining the Final IR Plan (cont’d.)

• Recommended practices for physical IR plan – Select a uniquely colored binder – Place reflective tape on spine of binder – Place classified document cover sheet in slipcover – Place an index on the first inside page – Use common tab and label the index for documents – Organize the contents – Attach copies of relevant documents in the back – Add additional documents as needed – Store in a secure but easily reachable location

Principles of Incident Response and Disaster Recovery, 2nd Edition 50

Principles of Incident Response and Disaster Recovery, 2nd Edition 51

Summary

• CP prepares organization for the unexpected • CPMT completes BIA components, and identifies

information flow and subordinate committee responsibility – Incident planning has multiple stages

• Organizing the IR planning process begins with IRP team staffing and identifying stakeholders

• IRP team first deliverable: IR policy • CSIRT prevents, detects, reacts to, and recovers

from an incident

Principles of Incident Response and Disaster Recovery, 2nd Edition 52

Summary (cont’d.)

• IR plan anticipates, detects, and mitigates unexpected event effects – Activated when incident causes minimal damage – Includes three sets of incident-handling procedures

• IRP team determines individuals needed to respond – Ensures CSIRT prepared to respond to incident

• Key part CSIRT training: testing the IR plan • Final IR plan document created

– Once all individual IR plan components drafted and tested

Principles of Incident Response and Disaster Recovery, 2nd Edition 53

  • Principles of Incident Response and Disaster Recovery, 2nd Edition
  • Objectives
  • Objectives (cont’d.)
  • Introduction
  • The IR Planning Process
  • The IR Planning Process (cont’d.)
  • Slide Number 7
  • The IR Planning Process (cont’d.)
  • The IR Planning Process (cont’d.)
  • Forming the IR Planning Team
  • Developing the Incident Response Policy
  • Slide Number 12
  • Slide Number 13
  • Developing the Incident Response Policy (cont’d.)
  • Developing the Incident Response Policy (cont’d.)
  • Building the Computer Security Incident Response Team
  • Incident Response Planning
  • Incident Response Planning (cont’d.)
  • Incident Response Planning (cont’d.)
  • Incident Response Planning (cont’d.)
  • Incident Response Planning (cont’d.)
  • Planning for the Response During the Incident
  • Triggering the IR Plan
  • Triggering the IR Plan (cont’d.)
  • Triggering the IR Plan (cont’d.)
  • The Reaction Force
  • Actions Taken “During the Incident”
  • Actions Taken “During the Incident” (cont’d.)
  • Planning for “After the Incident”
  • Planning for “After the Incident” (cont’d.)
  • Planning for “Before the Incident”
  • Training the CSIRT
  • Training the CSIRT (cont’d.)
  • Training the CSIRT (cont’d.)
  • Training the CSIRT (cont’d.)
  • Training the CSIRT (cont’d.)
  • Training the CSIRT (cont’d.)
  • Training the CSIRT (cont’d.)
  • Slide Number 39
  • Slide Number 40
  • Training the Users
  • Training the Users (cont’d.)
  • Training the Users (cont’d.)
  • Training the Users (cont’d.)
  • Training Techniques and Delivery Methods
  • Slide Number 46
  • Slide Number 47
  • Assembling and Maintaining the Final IR Plan
  • Assembling and Maintaining the Final IR Plan (cont’d.)
  • Assembling and Maintaining the Final IR Plan (cont’d.)
  • Slide Number 51
  • Summary
  • Summary (cont’d.)