
MANAGING INCIDENT RESPONSE By: Ben Holmquist

2 Outline
- Key Terms and Understanding
- Personnel and Plan Preparation
- Incident Detection
- Incident Response
- Incident Recovery

3 Key Terms & Understanding An incident is an unexpected event that occurs when an attack, whether natural or human-made, affects information resources and/or assets, causing actual damage or disruption to a business's assets. An incident response plan (IRP) is a detailed set of processes that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets. The incident response (IR) is the set of procedures, policies, and guidelines that commence at the detection of an incident.

4 Key Terms & Understanding It is important to point out that an IRP is one of the three major components of a contingency plan (CP):
Contingency Planning
- Incident Response
- Disaster Recovery
- Business Continuity

5 Personnel and Plan Preparation In a large business or organization, the delegation of tasks is essential to maintaining effective operations. A company's CISO assumes responsibility for creating the IRP. With the aid of other managers and systems administrators on the contingency planning (CP) team, the CISO should select members from each community of interest to form an independent IR team, which executes the IRP.

6 Personnel and Plan Preparation Contingency planners should follow this six-step process when creating each of the three CP components [IRP, DRP, and BCP]:
1. Identify the mission- or business-critical functions
2. Identify the resources that support the critical functions
3. Anticipate potential contingencies or disasters
4. Select contingency planning strategies
5. Implement the selected strategy
6. Test and revise contingency plans

7 Personnel and Plan Preparation Regarding step four: for every incident, the CP team creates three sets of incident-handling procedures:
1. During the incident: The planners develop and document the procedures that must be performed during the incident.
2. After the incident: Once the procedures for handling an incident are drafted, the planners develop and document the procedures that must be performed immediately after the incident has ceased.
3. Before the incident: The planners draft a third set of procedures, the tasks that must be performed to prepare for the incident.

8 Incident Detection It is the responsibility of the IR team to determine whether an incident is a valid incident or just the product of "normal" system use. Incident candidates can be detected and tracked through several means: end users, intrusion detection systems (IDS), host- and network-based virus detection software, and systems administrators. It is essential that end users, help desk staff, and all security personnel are properly trained in incident reporting, so that in the event of an actual incident the IR team is properly notified and can effectively execute IRP procedures.

9 Incident Detection Overloaded networks, computers, or servers, and misbehaving computer systems or software packages, may be hard to distinguish from an actual incident. Therefore, managers must ensure that IT professionals receive training to detect possible, probable, and definite indicators.

10 Incident Detection
Possible Indicators:
- Presence of unfamiliar files
- Presence or execution of unknown programs or processes
- Unusual consumption of computing resources
- Unusual system crashes

11 Incident Detection
Probable Indicators:
- Activities at unexpected times
- Presence of new accounts
- Reported attacks
- Notification from a host- or network-based intrusion detection system (IDS)

12 Incident Detection
Definite Indicators:
- Use of dormant accounts
- Changes to logs
- Presence of hacker tools
- Notification by business partner
- Notification by hacker
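The three indicator categories above are what an IR team's first-pass triage actually encodes. The following Python is an added example, not part of the original presentation: it runs a small set of rules mirroring the possible / probable / definite categories over a handful of constructed, syslog-like lines (the log format, host names, account inventory and the 90-day dormancy threshold are all assumptions made for the example) and sorts the hits so that definite indicators surface first.

```python
"""Triage candidate incident indicators from sample log lines.

Added illustrative example; the log format, hosts, accounts and thresholds
are constructed for the example and are not from the original presentation.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
SAMPLE_LOGS = """\
2024-03-04 02:13:55 host1 sshd: Accepted password for jdoe from 10.0.0.7
2024-03-04 09:15:02 host1 useradd: new user: name=svc_backup2, UID=1012
2024-03-04 10:02:11 host1 cron: job /usr/local/bin/nightly.sh started
2024-03-04 11:40:00 host2 auditd: file /var/log/auth.log truncated by uid=0
2024-03-04 12:05:30 host2 exec: /tmp/.x/unknown_tool started by uid=1000
2024-03-04 12:06:00 host2 ids: alert sid=2001 signature=PortScan src=10.0.0.9
2024-03-04 13:00:00 host1 sshd: Accepted password for olduser from 10.0.0.8
"""

# Constructed account inventory (last successful login), used to spot dormant accounts.
ACCOUNT_LAST_LOGIN = {
    "jdoe": datetime(2024, 3, 3),
    "olduser": datetime(2023, 6, 1),  # no login for months: dormant
}
DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold
BUSINESS_HOURS = range(8, 18)        # 08:00-17:59 treated as expected activity

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\w+): (.*)$")
SEVERITY = {"definite": 3, "probable": 2, "possible": 1}


@dataclass
class Indicator:
    level: str    # "possible", "probable" or "definite"
    reason: str
    line: str


def classify(line):
    """Return an Indicator for one log line, or None if it looks like normal use."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_str, _host, source, msg = m.groups()
    ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")

    # Definite: use of a dormant account.
    login = re.search(r"Accepted \w+ for (\w+)", msg)
    if login:
        user = login.group(1)
        last = ACCOUNT_LAST_LOGIN.get(user)
        if last is not None and ts - last > DORMANT_AFTER:
            return Indicator("definite", f"use of dormant account {user}", line)
    # Definite: changes to logs (a log file being truncated).
    if "truncated" in msg and "/var/log" in msg:
        return Indicator("definite", "changes to logs", line)
    # Probable: IDS notification, new account, activity at unexpected times.
    if source == "ids":
        return Indicator("probable", "IDS notification", line)
    if source == "useradd":
        return Indicator("probable", "new account created", line)
    # Possible: unknown program executed from a scratch directory.
    if source == "exec" and msg.startswith("/tmp/"):
        return Indicator("possible", "unknown program executed from /tmp", line)
    if ts.hour not in BUSINESS_HOURS:
        return Indicator("probable", "activity at unexpected time", line)
    return None


def triage(log_text):
    """Classify every line and return the hits, most severe first."""
    found = [ind for ind in (classify(l) for l in log_text.splitlines()) if ind]
    found.sort(key=lambda i: SEVERITY[i.level], reverse=True)
    return found


if __name__ == "__main__":
    for ind in triage(SAMPLE_LOGS):
        print(f"[{ind.level:8}] {ind.reason}: {ind.line}")
```

Rule order matters: a line is tested against the definite rules before the weaker ones, so a dormant-account login at 02:00 is reported as definite rather than merely as off-hours activity. The cron job inside business hours produces no indicator at all, which is the "normal system use" the IR team is trying to separate from real incidents.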

13 Incident Response Once an actual incident has been confirmed and properly classified, the IR team needs to be directed to move from the detection phase to the reaction phase. An IR is designed to first stop the incident (if still continuing), mitigate its effects, and provide information for the recovery from the incident. Three key steps include:
- Notification of key personnel
- Documentation of an incident
- Incident containment strategies

14 Incident Response
Notification of key personnel:
- Alert roster = document of contact information
  - sequential or hierarchical roster
- Alert message = scripted description of the incident and what components of the IRP to implement
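The sequential versus hierarchical distinction is easiest to see by walking a small roster both ways. The Python below is an added example, not from the presentation; the roster, the names and the IRP section labels are constructed for it. A sequential roster has one person call every contact in turn, while a hierarchical roster has each person call only the contacts listed under them, who then continue the chain, so the same number of calls completes in fewer rounds but depends on every link in the tree doing its part.

```python
"""Alert roster walk-through: sequential vs. hierarchical notification order.

Added example; the roster and names are constructed, not from the original slides.
"""

# Constructed roster: role -> (person, roles that person is responsible for calling).
ROSTER = {
    "CISO":          ("Alice", ["IR Lead", "Legal Counsel"]),
    "IR Lead":       ("Bob",   ["SysAdmin", "Network Admin"]),
    "Legal Counsel": ("Carol", []),
    "SysAdmin":      ("Dan",   ["Help Desk"]),
    "Network Admin": ("Erin",  []),
    "Help Desk":     ("Frank", []),
}


def alert_message(incident, irp_sections):
    """Scripted alert: a short description plus the IRP components to invoke."""
    return f"ALERT: {incident}. Execute IRP sections: {', '.join(irp_sections)}."


def sequential_calls(roster, root):
    """Sequential roster: the root contact personally calls every other contact,
    one after another. Returns the ordered list of (caller, callee) role pairs."""
    return [(root, role) for role in roster if role != root]


def hierarchical_calls(roster, root):
    """Hierarchical roster: each contact calls only the roles listed under them,
    and those contacts continue the chain. Returns call pairs grouped by round;
    calls within one round happen in parallel."""
    rounds = []
    frontier = [root]
    while frontier:
        pairs = [(caller, callee) for caller in frontier for callee in roster[caller][1]]
        if not pairs:
            break
        rounds.append(pairs)
        frontier = [callee for _, callee in pairs]
    return rounds


def reached(call_plan):
    """Set of roles notified by a plan (flat list or list of rounds)."""
    pairs = call_plan if call_plan and isinstance(call_plan[0], tuple) else \
        [p for rnd in call_plan for p in rnd]
    return {callee for _, callee in pairs}


def rounds_needed(roster, root, hierarchical):
    """Number of sequential rounds until everyone has been notified."""
    if hierarchical:
        return len(hierarchical_calls(roster, root))
    return len(sequential_calls(roster, root))


if __name__ == "__main__":
    msg = alert_message("suspected credential misuse on host1", ["Containment", "Documentation"])
    print(msg)
    print("sequential rounds:", rounds_needed(ROSTER, "CISO", hierarchical=False))
    print("hierarchical rounds:", rounds_needed(ROSTER, "CISO", hierarchical=True))
```

For this six-role roster the sequential plan takes five rounds of calls by one person, while the hierarchical plan finishes in three rounds; both reach the same five contacts, which is the coverage check a planner wants to confirm before choosing one form over the other.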

15 Incident Response
Documenting an incident:
- Who, What, When, Where, Why, and How
- Serves as a case study
  - improvements in IR and IRP
  - provides legal protection
  - future training simulations

16 Incident Response
Incident containment strategies:
- Disabling compromised user accounts
- Reconfiguring a firewall to block the problem traffic
- Temporarily disabling the compromised process or service
- Taking down the conduit application or server (for example, the server)
- Stopping all computers and network devices

17 Incident Recovery Incident damage assessment = the immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets. Sources:
- System logs
- Intrusion detection logs
- Configuration logs
- Documentation from the actual incident

18 Incident Recovery The recovery process includes the following steps:
- Identify and resolve vulnerabilities that allowed the incident to occur and spread.
- Address the safeguards that failed to stop or limit the incident: install, replace, or upgrade them.
- Evaluate monitoring capabilities: improve detection and reporting methods, or install new monitoring capabilities.
- Restore systems from backups.

19 Incident Recovery Incident recovery process steps (cont.):
- Restore the services and processes in use: compromised services and processes must be examined, cleaned, then restored.
- Continuously monitor the system to prevent the incident from happening again. Don't allow your system to become the hacker's playground.
- Restore confidence in members of the organization by assuring them that appropriate measures have been taken to resolve the matter.

20 Incident Recovery Finally, before an organization can return to routine duties, it is management's responsibility to see that an after-action review (AAR) is conducted.
- Detailed examination of events from detection to final recovery.
- All parties involved give input on positives and negatives of the entire IR process.
- Management should give a summary to bring the IR team's actions to a close.

21 Managing Incident Response ??QUESTIONS??

22 REFERENCES
Fitzgerald, J., & Dennis, A. (2007). Business Data Communications and Networking (9th ed.). Crawfordsville: Hermitage.
Pipkin, D. L. (2000). Information Security: Protecting the Global Enterprise. Upper Saddle, NJ: Prentice Hall PTR.
Taylor, L. (2002). Incident Response Planning and Management. Intranet Journal. Retrieved April 15, 2007, from
Whitman, M. E., & Mattord, H. J. (2004). Management of Information Security. Boston: Thomson.