Building an Incident Response Plan
Threat Classification
External/Removable Media, Attrition, Web, Email, Impersonation, Improper Usage, Loss or Theft of Equipment, Unknown, Other
Data Types
When a security incident affects the confidentiality or integrity of sensitive information, cybersecurity analysts should assign a data impact rating.
Categories: None, Privacy Breach, Proprietary Breach, Integrity Loss
An event
Any observable occurrence in a system or network.
NIST Recommendations to improve the effectiveness of incident analysis
1. Profile networks and systems to measure the characteristics of expected activity
2. Understand normal behavior of users, systems, networks and applications
3. Create a logging policy that specifies the information that must be logged by systems, applications and network devices
4. Perform event correlation to combine information from multiple sources
5. Synchronize clocks across servers, workstations and network devices
6. Maintain an organization-wide knowledge base that contains critical information about systems and applications
7. Capture network traffic as soon as an incident is suspected
8. Filter information to reduce clutter
9. Seek assistance from external sources
Measures to determine incident severity
1. Scope of impact
2. Types of data involved in the incident
Containment, Eradication, and Recovery goals
1. Select a containment strategy appropriate to the incident circumstances
2. Implement the selected containment strategy to limit the damage caused by the incident
3. Gather additional evidence, as needed, to support the response effort and potential legal action
4. Identify the attacker(s) and attacking system(s)
5. Eradicate the effects of the incident and recover normal business operations
NIST recommends that incident response policies should contain these elements:
1. Statement of management commitment
2. Purpose and objectives of the policy
3. Scope of the policy
4. Definition of cybersecurity incidents and related terms
5. Organizational structure and definitions of roles, responsibilities and levels of authority
6. Prioritization or severity rating scheme for incidents
7. Performance measures for the CSIRT
8. Reporting and contact forms
An adverse event
Any event that has negative consequences. Examples: malware on a system, a server crash.
Functional Impact
The degree of impairment the incident causes to the organization. It may vary based on the criticality of the systems or processes affected by the incident, as well as the organization's ability to continue providing services to users as the incident unfolds and in its aftermath.
4 Categories: None, Low, Medium, High
Procedures
Detailed, tactical information that CSIRT members need when responding to an incident. Procedures represent the collective wisdom of the team members and subject matter experts (SMEs), collected during periods of calm and ready to be applied in the event of an actual incident.
Preparation Phase
It's not a one-and-done planning process. There is a loop from the post-incident activity phase back to the preparation phase. Whenever the organization is not actively involved in an incident response effort, it should be planning for the next incident.
Every org's incident response toolkit should include:
1. Digital forensic workstation
2. Backup devices
3. Laptops for data collection
4. Spare server and networking equipment
5. Blank removable media
6. Portable printer
7. Forensic and packet capture software
8. Bootable USB media containing trusted copies of forensic tools
9. Office supplies and evidence collection materials
What happens in Post-incident Activity
Lessons learned review. Some of the questions that need to be discussed:
1. Exactly what happened, and at what times?
2. How well did staff and management perform in responding to the incident?
3. Were the documented procedures followed?
Economic Impact
None - The organization does not expect to experience any financial impact
Low - The organization expects to experience a financial impact of $10,000 or less
Medium - The organization expects to experience a financial impact of more than $10,000 but less than $500,000
High - The organization expects to experience a financial impact of more than $500,000
A Security Event
An observable occurrence that relates to a security function. For example, an admin changing permissions on a shared folder.
Phases of Incident Response
Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-incident Activity. It's not a strict sequence of steps; there can be loops and overlap.
Computer security incident response teams
Responsible for responding to computer security incidents that occur within an org by following standardized response procedures and incorporating their subject matter expertise and professional judgement.
Detection and Analysis
Security Event Indicators:
1. Alerts that originate from IDS and IPS systems, security information and event management (SIEM) systems, antivirus software, file integrity checking software, and third-party monitoring services
2. Logs generated by operating systems, services, applications, network devices, and network flows
3. Publicly available information about new vulnerabilities
4. People from inside the org or external sources who report suspicious activity
Recoverability Effort
The time that services will be unavailable. This may be expressed as a function of the amount of downtime experienced by the service or the time required to recover from the incident.
Categories: Regular, Supplemented, Extended, Not Recoverable
Playbook
Used by the CSIRT to know the specific procedures they will follow in the event of a specific type of cybersecurity incident.
A security incident
A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples: accidental loss of sensitive info, intrusion into a computer system, use of a keylogger, a DDoS attack.