Incident Response without an Incident Response Plan
Check out the original post at the The Security Catalyst Community. Please post any comments to the original article and not here.
When an organization designates a person to handle security for its information resources, the first thing that individual realizes is that they do not have a procedure to follow if there is a security incident. Whether the incident is a virus infection or an unauthorized disclosure of information, the organization needs a method to respond that provides a risk assessment, incident management, and follow-up, and that considers security as well as business continuity. Although it seems easy, spinning up brand new incident response procedures from scratch quickly becomes a large task. Luckily there are many resources out there to assist security professionals in creating an incident response plan for their organization.
The following are what I consider to be good information resources to get started on an incident response plan:
- Read a book titled, “Incident Response & Computer Forensics, Second Edition” (ISBN: 007222696X) by Kevin Mandia, Chris Prosise, Matt Pepe, and Scott Larson. This book will familiarize you with the basic steps, terminology, and tools utilized when responding to an incident. This is a great resource for anybody who has not been exposed to incident response.
- For more detail on setting up an incident response plan take a look at the SANS book store (http://store.sans.org) for the “Computer Security Incident Handling Step-By-Step.” You can see a brief excerpt from the book at https://store.sans.org/samples/incidenthandling_sample.pdf.
- As you are creating your response plan you will find that there is a lot of documentation involved. Instead of starting from scratch you can use the SANS incident handling forms located at http://www.sans.org/score/incidentforms/index.php?portal=327e9b8f50ffeb4c9d90867b082d6d05.
- With a basic incident response plan in place you are going to need to understand the “enemy” better and prepare defenses within your environment. Although I have not had a chance to read this book yet, I have purchased it because of the great reviews it has received. It is titled “Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses” (ISBN: 0131481045) and it is written by two well known and respected security instructors, Edward Skoudis and Tom Liston. You can check out the website for this book and other resources by these and other security instructors at http://www.counterhack.net/Counter%20Hack/Welcome.html.
- Lastly, you should check out the comments to this article to see if anybody has posted references to other helpful resources. If you have one, POST IT.
Okay, enough with resources. What should you do “right now” if you have an incident and do not have an incident response plan ready to implement? Well, here are a few steps to get you moving down the right path.
- Remain calm and do not make assumptions. There may be a perfectly logical explanation once you have gathered all of the information available and have had a chance to review everything in a less stressful environment.
- Do a quick risk assessment to help determine the level of response:
  - Can anybody be hurt by what is happening?
  - Do the systems involved contain sensitive information?
  - Will what is happening affect the rest of the environment or other networks outside of our environment?
  - Should the systems be shut down, or should they be left running with just the network cable unplugged?
- Decide who is in charge and which other people are going to need to be initially involved. Examples:
  - Team leader
  - System/network administrators
  - Legal counsel
- Get one team member to start thinking about and working with other administrators to get everything back up and running. The ultimate goal of an incident response is to help maintain business continuity. Do not, however, begin implementing any steps that might affect the information on the systems involved before deciding whether they need to be forensically copied in their current state.
- Determine if this is going to be an incident that involves a crime. If so, notify the proper authorities immediately, as they will have methods and means to handle the incident. If you do not know who to call, contact your local police department and they will be able to point you in the right direction.
- Start documenting everything. Even if you do not have an official form, create a new notebook and designate a person to maintain the “case notes.” Record at least:
  - How the incident was detected.
  - Any actions taken in response to the incident.
  - Any conversation you have with somebody outside of the organization.
  - Any interviews with persons involved.
- Get a camera and start taking pictures of the systems involved before any change is made. Examples:
  - Front and back of system(s)
  - Cables
  - Serial numbers
  - Hard drive lights
  - Server heads-up displays
  - System and BIOS time
- Create a “chain of custody” form for controlling anything that may be perceived as “evidence.”
  - Each time the evidence passes to a new individual, document it on this form.
  - Try to contain “evidence” in a secure location with at least two methods of physical access control.
- Start gathering and centralizing log files from firewalls, routers, IDS, switches, etc.
- Determine if you are going to need to bring in a third party to assist with the incident response and/or computer forensics.
  - A good state-by-state list is located at the “Computer Forensics Companies” web site: http://www.computerforensicscompanies.com/statelist.html.
- Take your time and relax. It is okay to make mistakes or to not know an answer. If you have gotten this far you are doing great.
- Once you have finished, sit down with the team and go over the lessons learned. Use this experience to create a more detailed incident response plan, as you will probably now have more managerial buy-in to allocate time to this project.
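The case-notes and chain-of-custody steps above are usually kept on paper, but the same record can be kept in a form that proves it has not been altered. As an added example that is not part of the original post (the CustodyLog class and its field names are my own), here is a small ledger that hashes each evidence item when it is collected and links every custody entry to the previous one, so later changes to either the evidence or the record fail verification.

```python
import hashlib
import json


def sha256_file(path):
    """Hash an evidence file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only custody ledger: each entry commits to the previous entry's hash."""
    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, entry):
        entry["case"] = self.case_id
        entry["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def acquire(self, item_id, description, path, collected_by, when):
        # Record collection of an item together with the SHA-256 of its contents.
        return self._append({"action": "acquire", "item": item_id, "description": description,
                             "sha256": sha256_file(path), "by": collected_by, "time": when})

    def transfer(self, item_id, from_person, to_person, reason, when):
        # Record a hand-over, the event the paper custody form exists to capture.
        return self._append({"action": "transfer", "item": item_id, "from": from_person,
                             "to": to_person, "reason": reason, "time": when})

    def verify(self, item_paths):
        """True only if the ledger links are intact and each acquired item still hashes as recorded."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False  # an entry was edited, reordered or removed
            if e["action"] == "acquire" and sha256_file(item_paths[e["item"]]) != e["sha256"]:
                return False  # the evidence itself no longer matches its recorded hash
            prev = e["entry_hash"]
        return True
```

Timestamps are passed in as ISO-8601 strings (take them from the photographed system and BIOS time, not only the workstation clock) so the ledger stays reproducible.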
Okay, eleven steps are more than a few. Hopefully these will get you over the hump of the first incident response and moving forward towards creating a detailed plan for future incidents.
Go forth and do good things.
Cutaway
Security Ripcord, Incident Response, The Security Catalyst Community
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.