13- Describing the Incident Response Plan
2 tasks typically done during the Incident Response Life Cycle
1. Document network topologies
2. Monitor security intelligence sources for the latest threat info
Review
The organization should review the incident response plan at least annually to ensure that the organization is maturing the incident response capability, and fulfilling the goals for incident response.
CAT 6
Unconfirmed incidents that are potentially malicious or anomalous activity that is deemed by the reporting entity to warrant further review. Reporting not necessary.
Eradication and recovery possible tasks
- All traces of potentially malicious code are removed
- Changing passwords for accounts
- User account changes
- Patching software
- Hardening systems
- Data and software are restored from clean backup files
Incident response plan is used to
- Prevent or minimize disruption of critical computing services
- Minimize loss of proprietary & confidential info
- Facilitate info exchange among groups responsible for security incidents
Preparation may include
1. Educating users to respond to security incidents quickly & correctly.
2. Developing & maintaining documentation, e.g., network diagrams, configuration standards.
3. Planning for the data retention period, who does what during an incident, and setting up proper roles & responsibilities (RACI).
Incident Response Life Cycle [PIA CERLR]
1. Preparation
2. Identification
3. Analysis
4. Containment
5. Eradication & Recovery
6. Lessons Learned
7. Reporting
Analysis may include
1. Which networks, systems, or applications are affected?
2. Who or what originated the incident?
3. What tools or attack methods are being used?
4. Which vulnerabilities are being exploited?
Decision points for containment may include:
1. Scope of the incident?
2. Type of device?
3. Network reachability of the device affected by the incident?
4. How quickly can the IR team get containment in place?
5. How quickly is containment needed?
CAT 4
A person violates acceptable computing use policies. Timeframe to report is weekly.
FMEA- Failure Mode and Effects Analysis
A tool created in a spreadsheet to help anticipate what might go wrong with a product/process. This includes documenting how the incident was handled, recommendations for a better future response, & how to prevent a recurrence.
US-CERT 7 incident categories
CAT 0 Exercise/Network Defense Testing
CAT 1 Unauthorized Access
CAT 2 Denial of Service (DoS)
CAT 3 Malicious Code
CAT 4 Improper Usage
CAT 5 Scans/Probes/Attempted Access
CAT 6 Investigation
Lessons learned task
FMEA [Failure Mode and Effects Analysis]
Metrics
Metrics measure the incident response capability and its effectiveness. Time-to-detection, which is known as dwell time, is one of the most critical metrics in the organization. Dwell time is the concept that a host is compromised at a point in time and the compromise is not detected until some further point in time. Organizations should aim to continually decrease dwell time.
Communication
Representing the reporting phase of the incident response life cycle, the incident response team will continuously communicate with the rest of the organization and with other organizations.
During identification
The SOC analyst or IR team may contact CERT/CC or other security intelligence sources, which track Internet security activity & have the most current threat info.
CAT 3
Successful installation of malicious software (for example, a virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are not required to report malicious logic that has been successfully quarantined by antivirus software. Timeframe to report is daily, or within 1 hour of discovery/detection if widespread across the agency.
CAT 5
This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, services, or any combination thereof for later exploit. This activity does not directly result in a compromise or denial of service. Timeframe to report is monthly, except if the system is classified, in which case report within one (1) hour of discovery.
Organization missions
This element describes how the incident response policy supports the overall missions of the organization.
Reporting
To the CIO, the head of information security, the system owner, HR, public affairs, the legal department, and law enforcement.
AAR- After Action Report
another term for "Lessons Learned"
CAT 2
An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim of or participating in the DoS. Timeframe to report is within 2 hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity.
The hardest and most important decision that is made during an incident=
containment
Benefit of a good incident response plan
faster recovery from security incidents
Incident classifications are typically based on
incident severity.
CAT 1
An individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource. Timeframe to report is within 1 hour of discovery/detection.
What should be the long term result after incident response plan matures and becomes more effective?
lower dwell time
HIPAA
Protects PHI (protected health info).
SOX- Sarbanes-Oxley
Protects a company's financial data and ensures its integrity.
PCI DSS
Protects credit card holder account data.
The incident response plan
Provides info to enable efficient recovery from security incidents.
RACI=
Responsible, Accountable, Consulted, and Informed.
CAT 0
Used during state, federal, national, and international exercises and approved activity testing of internal/external network defenses or responses. No timeframe, because it's confidential.
What is needed in regard to incident response policy
• Buy-in from senior management before implementation
• Communication
• Metrics
• Regular review
• Organization missions
Attack vectors
• External/removable media
• Attrition: brute-force methods
• Web: e.g., XSS
• Email
• Impersonation: e.g., spoofing, MITM
• Improper usage: violation of acceptable usage policies by an authorized user
• Loss or theft of equipment
• Other: an attack that doesn't fit into another category
Incident Response Policy Elements
• Mission, strategies, goals: determine the structure of the IR capability.
• Incident response approach: need a team committed to the IR role without a myriad of other IT or security responsibilities.
4 basic questions that each organization must answer when determining their incident response plan
• What are the assets that are being protected?
• What are the threats to the assets?
• How are threats detected?
• How will the organization respond to threats?