Building an Incident Response Plan


Threat Classification

1. External/Removable Media
2. Attrition
3. Web
4. Email
5. Impersonation
6. Improper Usage
7. Loss or Theft of Equipment
8. Unknown
9. Other

Data Types

When a security incident affects the confidentiality or integrity of sensitive information, cybersecurity analysts should assign a data impact rating. Categories: None, Privacy Breach, Proprietary Breach, Integrity Loss.

An event

An observable occurrence in a system or network.

NIST Recommendations to improve the effectiveness of incident analysis

1. Profile networks and systems to measure the characteristics of expected activity
2. Understand the normal behavior of users, systems, networks and applications
3. Create a logging policy that specifies the information that must be logged by systems, applications and network devices
4. Perform event correlation to combine information from multiple sources
5. Synchronize clocks across servers, workstations and network devices
6. Maintain an organization-wide knowledge base that contains critical information about systems and applications
7. Capture network traffic as soon as an incident is suspected
8. Filter information to reduce clutter
9. Seek assistance from external sources

Measures to determine incident severity

1. Scope of impact
2. Types of data involved in the incident

Containment, Eradication, and Recovery goals

1. Select a containment strategy appropriate to the incident circumstances
2. Implement the selected containment strategy to limit the damage caused by the incident
3. Gather additional evidence, as needed, to support the response effort and potential legal action
4. Identify the attacker(s) and attacking system(s)
5. Eradicate the effects of the incident and recover normal business operations

NIST recommends that incident response policies should contain these elements:

1. Statement of management commitment
2. Purpose and objectives of the policy
3. Scope of the policy
4. Definition of cybersecurity incidents and related terms
5. Organizational structure and definitions of roles, responsibilities and levels of authority
6. Prioritization or severity rating scheme for incidents
7. Performance measures for the CSIRT
8. Reporting and contact forms

An adverse event

Any event that has negative consequences. Examples: malware on a system, a server crash.

Functional Impact

The degree of impairment the incident causes to the organization. It may vary with the criticality of the systems or processes affected and with the organization's ability to keep providing services to users while the incident unfolds and in its aftermath. Four categories: None, Low, Medium, High.

Procedures

Detailed, tactical information that CSIRT members need when responding to an incident. Procedures represent the collective wisdom of the team members and SMEs, collected during periods of calm and ready to be applied in the event of an actual incident.

Preparation Phase

It is not a one-and-done planning process: there is a loop from the post-incident activity phase back to the preparation phase. Whenever the organization is not actively involved in an incident response effort, it should be planning for the next incident. Every organization's incident response toolkit should include:
1. Digital forensic workstation
2. Backup devices
3. Laptops for data collection
4. Spare server and networking equipment
5. Blank removable media
6. Portable printer
7. Forensic and packet capture software
8. Bootable USB media containing trusted copies of forensic tools
9. Office supplies and evidence collection materials

What happens in Post incident Activity

Lessons learned review. Some of the questions that need to be discussed:
1. Exactly what happened, and at what times?
2. How well did staff and management perform in responding to the incident?
3. Were the documented procedures followed?

Economic Impact

None - The organization does not expect to experience any financial impact
Low - The organization expects to experience a financial impact of $10,000 or less
Medium - The organization expects to experience a financial impact of more than $10,000 but less than $500,000
High - The organization expects to experience a financial impact of more than $500,000

A Security Event

An observable occurrence that relates to a security function. For example, an admin changing permissions on a shared folder.

Phases of Incident Response

Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity. It is not a strict sequence of steps: there can be loops and overlap between phases.

Computer security incident response teams

Responsible for responding to computer security incidents that occur within an organization, following standardized response procedures and applying their subject matter expertise and professional judgement.

Detection and Analysis

Security event indicators:
1. Alerts that originate from intrusion detection and prevention systems (IDS/IPS), security information and event management (SIEM) systems, antivirus software, file integrity checking software, and third-party monitoring services
2. Logs generated by operating systems, services, applications, network devices, and network flows
3. Publicly available information about new vulnerabilities
4. People inside the organization or external sources who report suspicious activity
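Two of the indicator sources above (IDS alerts and host logs) are only useful together once the NIST recommendations on event correlation and clock synchronization are applied. The following is an added example, not part of the original flashcards: it correlates an IDS alert with SSH authentication log lines from the same source address inside a time window, and shows that the correlation is missed entirely when one host's clock is two hours off and its timestamps are not normalized to UTC first. The log lines are constructed for this example; the layouts mimic a Suricata fast.log line and traditional syslog (assumed formats), and the host names, addresses, user names, rule id and clock offset are hypothetical.

```python
"""Correlating IDS alerts with host logs, with clock normalization."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# --- Constructed sample input (not real logs) -----------------------------

# IDS alert in a Suricata fast.log-like layout (assumed format); the sensor
# clock is UTC. Rule id 1000001 is in the local-rules range, i.e. made up.
IDS_LOG = """\
03/14/2024-09:15:02.104311  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 203.0.113.45:51522 -> 10.0.0.7:22
"""

# Host auth log in traditional syslog layout: no year, no timezone.
# Host web01 logs in local time (UTC+02:00) and is not NTP-synced with the
# sensor, so its wall clock reads two hours ahead of the IDS clock.
HOST_LOG = """\
Mar 14 11:14:58 web01 sshd[2345]: Failed password for invalid user admin from 203.0.113.45 port 51522 ssh2
Mar 14 11:15:03 web01 sshd[2345]: Failed password for invalid user admin from 203.0.113.45 port 51522 ssh2
Mar 14 11:15:40 web01 sshd[2351]: Accepted password for deploy from 203.0.113.45 port 51530 ssh2
Mar 14 11:47:12 web01 sshd[2390]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
"""

# Per-host clock offsets as recorded in the organization-wide knowledge base
# (assumed values). Syslog lines carry no year; it is taken from the incident date.
HOST_UTC_OFFSET = {"web01": timedelta(hours=2)}
LOG_YEAR = 2024


@dataclass(frozen=True)
class Event:
    ts_utc: datetime   # timezone-aware UTC timestamp
    source: str        # "ids" or the host name
    src_ip: str        # remote address the event refers to
    message: str


IDS_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+\[[^\]]+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>\S+): "
    r"(?P<msg>.* from (?P<src>[\d.]+) port \d+ ssh2)$"
)


def parse_ids(text: str) -> list[Event]:
    """Parse fast.log-style alert lines; the sensor clock is already UTC."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
        events.append(Event(ts, "ids", m["src"], m["msg"]))
    return events


def parse_syslog(text: str, normalize: bool = True) -> list[Event]:
    """Parse sshd syslog lines. With normalize=True the host's recorded clock
    offset is subtracted so the timestamp becomes true UTC; with normalize=False
    the wall-clock value is taken as if it were UTC (the naive approach)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        naive = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        offset = HOST_UTC_OFFSET.get(m["host"], timedelta(0)) if normalize else timedelta(0)
        events.append(Event((naive - offset).replace(tzinfo=timezone.utc),
                            m["host"], m["src"], m["msg"]))
    return events


def correlate(ids_events: list[Event], host_events: list[Event],
              window: timedelta = timedelta(seconds=60)) -> dict[Event, list[Event]]:
    """For each alert, collect host events from the same source IP whose
    (normalized) timestamp lies within +/- window of the alert time."""
    matches = {}
    for alert in ids_events:
        hits = [e for e in host_events
                if e.src_ip == alert.src_ip and abs(e.ts_utc - alert.ts_utc) <= window]
        matches[alert] = sorted(hits, key=lambda e: e.ts_utc)
    return matches


def timeline(*event_lists: list[Event]) -> list[Event]:
    """Merge all sources into one UTC-ordered timeline ("what happened and when")."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e.ts_utc)


if __name__ == "__main__":
    ids = parse_ids(IDS_LOG)
    for alert, hits in correlate(ids, parse_syslog(HOST_LOG, normalize=True)).items():
        print(f"{alert.ts_utc:%Y-%m-%d %H:%M:%S}Z ids  {alert.message} ({len(hits)} related host events)")
        for e in hits:
            print(f"  {e.ts_utc:%Y-%m-%d %H:%M:%S}Z {e.source} {e.message}")
    print("without clock normalization:",
          [len(h) for h in correlate(ids, parse_syslog(HOST_LOG, normalize=False)).values()])
    for e in timeline(ids, parse_syslog(HOST_LOG)):
        print(f"{e.ts_utc:%H:%M:%S}Z {e.source:5} {e.message}")
```

With normalization the alert picks up both failed logins and the later accepted password from the same address, which is the detail an analyst needs to escalate from "scan" to "possible compromise"; without it the same events sit two hours away from the alert and the correlation returns nothing. The clock offset is the kind of fact the knowledge base should hold before an incident, not something reconstructed during one.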

Recoverability Effort

The time that services will be unavailable. This may be expressed as a function of the amount of downtime experienced by the service or of the time required to recover from the incident. Categories: Regular, Supplemented, Extended, Not Recoverable.

Playbook

Used by the CSIRT to know the specific procedures it will follow in the event of a specific type of cybersecurity incident.

A security incident

A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples: accidental loss of sensitive information, intrusion into a computer system, use of a keylogger, a DDoS attack.
