Section 13 - Describing the Incident Response Plan
Lessons learned
The incident response team analyzes how and why the incident happened and performs an FMEA against it.
Eradication and recovery
The incident response team investigates to find the origin of the incident. The root cause of the problem and all traces of potentially malicious code are removed, which may also involve changing passwords for accounts, hardening systems, and so on
Reporting
- The incident response plan should include provisions concerning incident reporting. The reporting should also be immediate and occur at predefined intervals that are based on the incident severity - Contracts or other agreements may need to be put into place before external discussions occur. An example is an NDA to protect the confidentiality of the most sensitive information of the organization.
Primary incident response policy elements (7)
-Mission, strategies, and goals -Incident response approach -Buy-in from senior management -Communication -Metrics -Review -Organization missions
CAT 2
-Name: Denial of Service (DoS) -Description: An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim or participating in the DoS. -Reporting Timeframe: Within 2 hours of discovery and detection, if the successful attack is still ongoing and the agency is unable to successfully mitigate activity.
CAT 0
-Name: Exercise/Network Defense Testing -Description: This category is used during state, federal, national, and international exercises and approved activity testing of internal and external network defenses or responses. -Reporting Timeframe: Not applicable; this category is for internal use of each agency during exercises.
CAT 4
-Name: Improper Usage -Description: A person violates acceptable computing use policies. -Reporting Timeframe: Weekly
CAT 6
-Name: Investigation -Description: Unconfirmed incidents that are potentially malicious or anomalous activity that is deemed by the reporting entity to warrant further review. -Reporting Timeframe: Not applicable; this category is for the use of each agency to categorize a potential incident that is currently being investigated.
CAT 3
-Name: Malicious Code -Description: Successful installation of malicious software (for example, virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are not required to report malicious logic that has been successfully quarantined by antivirus software. -Reporting Timeframe: Daily Note: Within 1 hour of discovery and detection if widespread across agency.
CAT 5
-Name: Scans/Probes/Attempted Access -Description: This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. -Reporting Timeframe: Monthly Note: If system is classified, report within 1 hour of discovery.
CAT 1
-Name: Unauthorized Access -Description: In this category, an individual will gain logical or physical access without permission to a federal agency network, system, application, data, or other resource -Reporting Timeframe: Within 1 hour of discovery and detection.
Impersonation (common method of attack)
An attack involving replacement of something benign with something malicious—for example, spoofing, MITM attacks, rogue wireless APs, and SQL injection attacks that involve impersonation
Other (common method of attack)
An attack that does not fit into another category
Attrition (common method of attack)
An attack that employs brute-force methods to compromise, degrade, or destroy systems, networks, or services—for example, a DDoS that is intended to impair or deny access to a service or application, or a brute-force attack against an authentication mechanism
Web (common method of attack)
An attack that is executed from or against a website or web-based application—for example, an XSS attack that is used to steal credentials or a redirect to a site that exploits a browser vulnerability and installs malware
External or removable media (common method of attack)
An attack that is executed from removable media or a peripheral device—for example, malicious code spreading onto a system from an infected USB flash drive
Email (common method of attack)
An attack that is executed via an email message or attachment—for example, exploit code that is disguised as an attached document or a link to a malicious website in the body of an email message
Improper usage (common method of attack)
Any incident resulting from violation the acceptable usage policies of an organization by an authorized user—for example, a user who installs file-sharing software that leads to the loss of sensitive data, or a user who performs illegal activities on a system
The US-CERT places security events into one of seven incident categories from
CAT 0 to CAT 6.
Containment
Incident containment is perhaps the hardest and most important decision that is made during an incident. -Without taking the time initially to understand each facet of containment, documenting them, testing them, and knowing the available fallback options, it is likely that the incident response team will falter in making such a critical decision.
Metrics
Metrics measure the incident response capability and its effectiveness. Time to detection, which is known as dwell time, is one of the most critical metrics in the organization
Buy-in from senior management
Once an organization develops the incident response plan, the plan must have management approval before it can be implemented.
Incident response approach
Organizations need to have a functional CSIRT that is composed of trained and dedicated incident responders who are committed to the role without a myriad of other IT or security responsibilities
incident response life cycle (7)
Preperation Identification Analysis Containment Eradication and REcovery Lessons Learned Reporting
FMEA (Failure Mode and Effects Analysis)
Qualitative and systematic tool, usually created within a spreadsheet, to help practitioners anticipate what might go wrong with a product or process.
Communication
Representing the reporting phase of the incident response life cycle, the incident response team will continuously communicate with the rest of the organization and with other organizations.
Preparation
The goal of the preparation phase is to get the company team and resources ready to handle a security incident. 1. Educating the users and IT staff to respond to computer and network security incidents quickly and correctly. 2. Developing and maintaining all the proper documentation, such as network diagrams, configuration standards, change control documentation, and so on. 3. Planning for the logged and captured data retention period, who does what during an incident, and setting up the proper roles and responsibilities (RACI).
Analysis
The incident response team should work quickly to analyze and validate each incident, following a predefined process and documenting each step that is taken.
Loss or theft of equipment (common method of attack)
The loss or theft of a computing device or media that is used by the organization, such as a laptop, smart phone, or authentication token
Review
The organization should review the incident response plan at least annually to ensure that the organization is maturing the incident response capability and fulfilling the goals for incident response.
Mission, strategies, and goals
The organizational mission, strategies, and goals for incident response determine the structure of the incident response capability.
Organization missions
This element describes how the incident response policy supports the overall missions of the organization.
HIPPA
U.S. legislation that provides data privacy and security provisions for safeguarding medical information and ensures patient confidentiality for all health care-related data.
Here are four basic questions that each organization must answer when determining their incident response plan (4):
What are the assets that are being protected? What are the threats to the assets? How are threats detected? How will the organization respond to threats?
Identification
When a true positive incident has been detected, the incident response team is activated. During the investigation process, the SOC analyst or the incident response team may also contact the CERT/CC (or other security intelligence sources), which tracks Internet security activity and has the most current threat information.
What is a benefit of having an effective incident response plan?
faster recovery from security incidents
Sarbanes-Oxley Act of 2002 (SOX)
legislation that was passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures.
What should be the long-term result after the incident response plan matures and becomes more effective?
lower dwell time
PHI
privacy rule protects all individually identifiable health information that is held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. -The past, present, or future physical or mental health or condition of the individual -The provision of health care to the individual -The past, present, or future payment for the provision of health care to the individual -Individually identifiable health information includes many common identifiers (full name, maiden name of mother, birth date, X-ray, fingerprint, driver license number, social security number, and so on).