Incident Response Phases Part 1 of 3 - USALearning

Table of Contents

Incident Response Phases
IR Preparation - 1
IR Preparation - 2
Identification/Detection - 1
Identification/Detection - 2
Notices

Page 1 of 18

Incident Response Phases

**015 In this case, we're talking about incident response and how digital forensics gets integrated within it. So, we'll go through the phases of incident response.

IR Preparation - 1

Incident Response (IR) Plan is a living document that prescribes how the incident response will take place.

- Processes and Procedures
- Communication Plan
- Measurement metrics

Having a risk assessment and identification of assets in advance of an incident.

Tools and collection media should be prepared in advance.

**016 Okay. So, this preparation, IR preparation, is when you already have a team. Having a plan, a solid, well-thought-out plan, is critical. It's a living document, meaning it should be updated regularly. It should be looked at. Certain things become obsolete. Certain things become more important. You want to be looking for these things.

And this is slightly different, but it actually does affect the digital forensics capability or digital forensics team as well, how they will interact with the incident response. They may actually be a part of the native team. Or they may join up with an incident response team. So, it kind of depends. And sometimes there could be a mish-mash, if you will, if, for whatever reason, a remote incident response team needs a local digital forensics team. So, that sort of stuff should be decided and documented well within the incident response plan.

These processes, the procedures, the communication plans, very, very important. Who gets told about what when things are happening? This should go all the way up to the C-suite. We're talking CEO, CIO type folks. When are they notified? Who else do you bring in, legal counsel? Do you bring in HR? Are you talking to those folks as things happen?

Sometimes, the communications team-- and I'm talking about, if you have a company, the people who actually interact with the mass media-- sometimes you have to get ahead of this and talk about it, if you have a corporation that's big enough and they're publicly traded, so this could affect their stock. So, all of that should be part of the incident response plan. People who are doing this should know where to go and who to speak to.

And a measurement of metrics, part of the metrics that we're talking about, how much time, man-hours are you spending on doing this cost-wise. The time can obviously, depending on the average hourly wage, if you will, be figured that way too. But you're talking about cost for purchasing more things, new equipment, new software, travel. So, all those measurement metrics should be put into the plan so people know going in. When the bell rings, if you will, they know immediately to start keeping track of these specific metrics so they can quantify what it is that's happened and how much it's actually cost the company.

And then having a risk assessment ahead of time and identification of assets in advance, this is very important. And I've found, and maybe if you all have dealt with other customers as well, maybe Ty has, a lot of times the people that we deal with do not necessarily know what is the most important within their company. Now, they know their business. But I'm talking about, do you know if that server or that server has the most important data on it? If that one gets compromised, and this one doesn't, do you care? And do you know the difference? Would you know? A lot of times they do not know the difference on this.

So, doing this risk assessment, it's like, what is the most important? What happens when this box gets popped and this one doesn't? Or what if this entire subnet gets hit? Is this the most important? Well, no, that's an archive of really old historical things. Then you know. And that will help an incident response team react as well.

So, identifying the important assets in advance of any incident, so you know exactly which IPs. When you hear these IP addresses, should you be concerned? You should know that. And this is assuming this is a local team that knows its actual area. If you're a remote team, sometimes that's harder. That's the kind of information gathering that you do when you show up. It's like okay, you've talked about these IPs. What does that mean? Are these important boxes? What are they? Oh, they're infrastructure pieces. They're your routers and your switches. Now, it could be much more important. It might not be as important, depending on how you find out or what you find out.

And then of course the tools and collection media should be prepared in advance. This seems again relatively obvious. Ostensibly, it is. But there are many times where somebody borrowed this tool, somebody borrowed this hard drive, and they did not return it. So, staying on top of that on a regular basis should be a part of the incident response plan as well.

IR Preparation - 2

Define structure of the IR Team.
- Centralized: one team for the organization
- Distributed: multiple teams, determined by location or function

Train members of the IR team for their tasks as well as cross-train in different roles.

Conduct practice events and exercises regularly to prepare and hone skills.

**017 Okay. So, preparation two here is part of the policy and the plan. The structure of the teams should be defined. You could have a centralized team that does everything for the entire organization. Or you could have either mini teams or multiple teams depending on the size of the organization. And depending on their function, or their location, set them up in such a way that it helps the response time and the efficiency of your response team be the best that it can possibly be.

We talked about this before, training members on the incident response team for the tasks that they'll be responsible for and talking about cross-training the members so they can do multiple roles if need be because, again, people take leave. People leave. People take jobs, different jobs. So, it's not always the same people that will be doing your incident response.

And this is pretty key. Conduct practice events and exercises. You can train and train and train, but having something to validate your training is so, so important. It can show you exactly where there are gaps in your training and what you've thought. Exercising can be simple drills that you throw at particular people. Or it could be a full-fledged exercise, an operational exercise that starts with a compromise or something. And you tabletop it with even people as high as the C-suite. And you work your communications channels up and down to see if, hey, I assumed that Jeffrey was going to do this for me. And then he goes, "No, I assumed I was not." So, you find out all these things when you actually conduct your exercises and you practice. And you practice together as a group.

So, I'd like to really emphasize that exercising and practicing. It's a difficult thing to sell, in general, because many of us that are security professionals already know that IT security doesn't make any money. We're the fire extinguishers of the world. They need to have us because we need to be there. But we actually don't make any money for the
