Incident Response Planning - Stakeholders (Due 19 April) (5 Pages) (4 References)
Incident Response Planning and Incident Detection Introduction
Incident Response Planning
Incident response planning deals with the identification of, classification of, and response to an incident.
Attacks are only classified as incidents if they are directed against an information asset; have a realistic
chance of success; or could threaten the confidentiality, integrity, or availability of information
resources. Incident response (IR) is the set of activities taken to plan for, detect, and correct the impact
of an incident on information resources. IR consists of four phases: planning, detection, reaction, and recovery.
Planning for an incident requires a detailed understanding of the scenarios developed for business
continuity. Predefined responses enable the organization to react quickly and effectively to the detected
incident. The IR team consists of those individuals who must be present to handle the systems and
functional areas that can minimize the impact of an incident as it takes place. The designated IR teams
act to verify the threat, determine the appropriate response, and coordinate the actions necessary to
deal with the situation.
Incident Detection
Individuals sometimes notify systems administrators, security administrators, or their managers of an
unusual occurrence. The most common occurrence is a complaint about technology support, which is
often delivered to the help desk. The mechanisms that could potentially detect an incident include host-
based and network-based intrusion detection systems, virus detection software, systems administrators,
and even end users. Only by carefully training the user, the help desk, and all security personnel on the
analysis and identification of attacks can the organization hope to quickly identify and classify an
incident. Once an attack is properly identified, the organization can effectively execute the
corresponding procedures from the IR plan. Incident classification is the process of examining a
potential incident, or incident candidate, and determining whether the candidate constitutes an actual
incident.
Possible indicators of incidents include the presence of unfamiliar files, the presence or execution of
unknown programs or processes, unusual consumption of computing resources, unusual system crashes,
activity at unexpected times, the presence of new accounts, and reported attacks.
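The classification step above, examining incident candidates for the listed indicators, as an added example that is not part of the original text: the host baseline (known accounts and processes, expected hours, CPU threshold) and the event records are constructed assumptions; the script flags candidates and leaves the final incident decision to the IR plan.

```python
"""Incident candidate classification over constructed event records.
Added example (not from the page); baselines and events are constructed."""
from datetime import datetime

# Constructed baseline for one host. In practice these would come from the
# asset inventory and a configuration baseline (assumption).
KNOWN_ACCOUNTS = {"root", "alice", "bob"}
KNOWN_PROCESSES = {"sshd", "nginx", "cron", "postgres"}
EXPECTED_HOURS = range(8, 19)        # 08:00-18:59 is normal activity time
CPU_ALERT_PERCENT = 90.0             # above this counts as unusual consumption

# Constructed sample events: (ISO timestamp, event type, detail dict).
SAMPLE_EVENTS = [
    ("2024-03-04T09:15:00", "process_start", {"name": "nginx", "user": "root"}),
    ("2024-03-04T02:41:00", "process_start", {"name": "kworkerx", "user": "bob"}),
    ("2024-03-04T10:02:00", "account_created", {"name": "svc_backup2"}),
    ("2024-03-04T10:05:00", "cpu_usage", {"percent": 97.5}),
    ("2024-03-04T11:00:00", "process_start", {"name": "cron", "user": "root"}),
]

def indicators_for(event):
    """Return the indicator names (as listed in the text) that one event exhibits."""
    timestamp, kind, detail = event
    hour = datetime.fromisoformat(timestamp).hour
    found = []
    if kind == "process_start":
        if detail["name"] not in KNOWN_PROCESSES:
            found.append("unknown process")
        if hour not in EXPECTED_HOURS:
            found.append("activity at unexpected time")
    elif kind == "account_created" and detail["name"] not in KNOWN_ACCOUNTS:
        found.append("new account")
    elif kind == "cpu_usage" and detail["percent"] >= CPU_ALERT_PERCENT:
        found.append("unusual resource consumption")
    return found

def classify(events):
    """Split events into incident candidates (any indicator present) and routine
    events. A candidate is (timestamp, indicators); whether it is an actual
    incident is still decided by a person following the IR plan."""
    candidates, routine = [], []
    for event in events:
        indicators = indicators_for(event)
        if indicators:
            candidates.append((event[0], indicators))
        else:
            routine.append(event[0])
    return candidates, routine

if __name__ == "__main__":
    found, ignored = classify(SAMPLE_EVENTS)
    for ts, inds in found:
        print(f"{ts}: candidate -> {', '.join(inds)}")
    print(f"{len(ignored)} routine events")
```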
Incident reaction consists of actions outlined in the IR plan that guide the organization in attempting to
stop the incident, mitigate the impact of the incident, and provide information for recovery from the
incident. In reacting to the incident, there are actions that must occur quickly, including notification of
key personnel and documentation of the incident. Most organizations maintain alert rosters for
emergencies. An alert roster contains contact information for the individuals who should be notified in
an incident. There are two types of alert rosters: sequential and hierarchical. A sequential roster is
activated as a contact person calls each and every person on the roster. A hierarchical roster is activated
as the first person calls a few other people on the roster, who, in turn, call a few other people, and so
on. The incident is documented to ensure that the event is recorded in the organization’s
records, so that it is known what happened, how it happened, and what actions were taken. A critical
component of incident reaction is to stop the incident or contain its scope or impact. Before an incident
can be contained, the affected areas of the information and information systems must be determined.
In general, incident containment strategies focus on two tasks: stopping the incident and recovering
control of the systems. The organization can stop the incident and attempt to recover control through
different strategies. If the incident originates outside the organization, the simplest and most
straightforward approach is to cut the affected circuits. Compromised accounts or server(s) should be
disabled. Only as a last resort should there be a full stop of all computers and network devices in the
organization. The bottom line is that containment consists of isolating the affected channels, processes,
services, or computers and thereby cutting off further losses from that source of the incident.
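The two alert roster types described above (sequential and hierarchical), as an added example that is not part of the original text: the roster names and the fan-out are constructed, a "round" is taken to be the time for one person to complete their calls, and the example also shows the trade-off the structure implies, namely that an unreachable member of a hierarchical roster leaves everyone they were meant to call unnotified.

```python
"""Sequential vs hierarchical alert roster activation (added example; constructed names)."""

# Constructed roster; index 0 is the person who initiates the notification.
ROSTER = ["IR lead", "sysadmin", "security admin", "help desk lead",
          "network admin", "DBA", "legal counsel", "PR officer"]

def sequential_activation(roster, unreachable=frozenset()):
    """The initiator calls every other member in turn. Each call is one round,
    so an unreachable member costs a round but blocks nobody else."""
    rounds = []
    for member in roster[1:]:
        rounds.append([member] if member not in unreachable else [])
    return rounds

def hierarchical_activation(roster, fan_out, unreachable=frozenset()):
    """The initiator calls `fan_out` members, each of whom calls the next
    `fan_out`, and so on (member i calls members i*fan_out+1 .. i*fan_out+fan_out).
    A round is one wave of calls. An unreachable member never calls their own
    callees, so their whole subtree goes unnotified (the assumed failure mode)."""
    rounds, callers = [], [0]
    while callers:
        called, reached = [], []
        for i in callers:
            for j in range(i * fan_out + 1, min((i + 1) * fan_out + 1, len(roster))):
                called.append(j)
                if roster[j] not in unreachable:
                    reached.append(j)
        if not called:
            break
        rounds.append([roster[j] for j in reached])
        callers = reached
    return rounds

def not_notified(roster, rounds):
    """Members (other than the initiator) whom no round reached."""
    reached = {member for wave in rounds for member in wave}
    return [member for member in roster[1:] if member not in reached]

if __name__ == "__main__":
    for label, rounds in [("sequential", sequential_activation(ROSTER)),
                          ("hierarchical", hierarchical_activation(ROSTER, 2))]:
        print(f"{label}: {len(rounds)} rounds, {len(not_notified(ROSTER, rounds))} missed")
    missed = not_notified(ROSTER, hierarchical_activation(ROSTER, 2, {"sysadmin"}))
    print("hierarchical with sysadmin unreachable misses:", missed)
```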
To recover from the incident, people must stay focused on the task ahead and make sure that necessary
personnel begin recovery operations as per the IR plan. Incident damage assessment determines the
scope of the breach of the confidentiality, integrity, and availability of information and information
assets during or just after an incident. Related to the task of incident damage assessment is the field of
computer forensics. Computer forensics is the process of collecting, analyzing, and preserving computer-
related evidence. Evidence is a physical object or documented information that proves an action that
has occurred or identifies the intent of a perpetrator. Computer evidence must be carefully collected,
documented, and maintained to be acceptable in formal or informal proceedings.