Incident Response Phases Part 1 of 3 - USALearning

Incident Response Phases Part 1 of 3

Table of Contents

- Incident Response Phases, page 2
- IR Preparation -1, page 3
- IR Preparation - 2, page 7
- Identification/Detection -1, page 10
- Identification/Detection -2, page 13
- Notices, page 18

Page 1 of 18

Incident Response Phases

**015 In this case, we're talking about incident response and how digital forensics gets integrated within it. So, we'll go through the phases of incident response.


IR Preparation -1

An Incident Response (IR) Plan is a living document that prescribes how the incident response will take place.

- Processes and Procedures
- Communication Plan
- Measurement metrics

Having a risk assessment and identification of assets in advance of an incident.

Tools and collection media should be prepared in advance.

**016 Okay. So, this preparation, IR preparation, is when you already have a team.

Having a plan, a solid, well-thought-out plan, is critical. It's a living document, meaning it should be updated regularly. It should be looked at. Certain things become obsolete. Certain things become more important. You want to be looking for these things.

And this is slightly different, but it actually does affect the digital forensics capability or digital forensics team as well, how they will interact with the incident response. They may actually be a part of the native team. Or they may join up with an incident response team. So, it kind of depends. And sometimes there could be a mish-mash, if you will, if for whatever reason, one remote incident response team needs a local digital forensics team. So, that sort of stuff should be decided and documented well within the incident response plan.

These processes, the procedures, the communication plans, are very, very important. Who gets told about what when things are happening? This should go all the way up to the C suite. We're talking CEO, CIO type folks. When are they notified? Who else do you bring in, legal counsel? Do you bring in HR? Are you talking to those folks as things happen?

Sometimes, the communications team-- and I'm talking about the folks who actually interact with-- if you have a company, the people who interact with the mass media. Sometimes, you have to get ahead of this and talk about it if you have a corporation that's big enough and they're publicly traded, so this could affect their stock. So, all of that should be part of the incident response plan. People who are doing this should know where to go and who to speak to.

And a measurement of metrics, part of the metrics that we're talking about, how much time, man-hours, are you spending on doing this cost-wise. The time can obviously, depending on the average hourly wage, if you will, be figured that way too. But you're talking about cost for purchasing more things, new equipment, new software, travel. So, all that measurement metrics should be put into the plan so people know going in. When the bell rings, if you will, they know immediately to start keeping track of these specific metrics so they can quantify what it is that's happened and how much it's actually cost the company.

And then having a risk assessment ahead of time and identification of assets in advance, this is very important. And I've found, and maybe if you all have dealt with other customers as well, maybe Ty has, a lot of times the people that we deal with do not necessarily know what is the most important within their company. Now, they know their business. But I'm talking about, do you know if this server or that server has the most important data on it? If that one gets compromised, and this one doesn't, do you care? And do you know the difference? Would you know? A lot of times they do not know the difference on this.

So, doing this risk assessment, it's like, what is the most important? What happens when this box gets popped and this one doesn't? Or what if this entire subnet gets hit? Is this the most important? Well, no, that's an archive of really old historical things. Then you know. And that will
