1.1. Incident Response: Lesson
Lesson
An incident is a set of one or more security events or conditions that requires action and closure
in order to maintain an acceptable risk profile.
Incidents
In the haystack of events, organizations must find the "needles" that are the security incidents. Events are isolated and disconnected, but incidents add the context that enables security administrators to gain understanding and take action.
An incident can be defined as a set of events or conditions requiring response and closure. Incidents comprise not only the significant threats that jeopardize the business and require intervention; they also include more mundane situations that occur on a daily basis and only threaten the business if no action is taken. Examples of these routine situations include “low and slow” port scans and some varieties of email worms. Most organizations face thousands of instances of the latter types of threats, together with higher profile blended threats like Code Red, Nimda, and Klez.
Besides attacks, known system vulnerabilities or discovered policy violations are also incidents that require a response in order to protect the business. When related events (e.g. attacks, vulnerabilities and policy violations) are viewed together, the true nature (or type) of the incident becomes evident.
• Attrition (brute force methods that compromise, degrade, or destroy systems, networks or services)
• Website or web based application
• Other factors
Student Handbook – Security Analyst SSC/N0902
• Functional impact (current and likely future negative impact to business functions)
• Information impact (effect on the confidentiality, integrity, and availability of the organization’s information)
• Recoverability from the incident (time and types of resources that must be spent on recovering from the incident)
Organizations prioritize information security incidents based on the weights they give to each of the above categories for a particular incident. For example, an organization that deals with massive amounts of personal identifying information (PII) might weight information impact more heavily than recoverability impact, while an emergency response agency might prioritize functional impact to ensure the continued delivery of emergency services.
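As an added illustration (not code from the handbook), the weighted prioritization described above can be written as a small scoring routine that ranks an incident queue differently for a PII-heavy organization and for an emergency service; the rating levels, the two weight profiles and the sample queue are all assumed for the example.

```python
from dataclasses import dataclass

# Assumed rating levels for the three impact categories named above (loosely
# modelled on the levels used in NIST SP 800-61); the handbook gives no scale.
FUNCTIONAL = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION = {"none": 0, "privacy_breach": 1, "proprietary_breach": 2, "integrity_loss": 3}
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2, "not_recoverable": 3}

# Per-organization weights (assumed values) mirroring the handbook's example:
# a PII processor weights information impact, an emergency service weights
# functional impact.
WEIGHTS = {
    "pii_processor":    {"functional": 1.0, "information": 4.0, "recoverability": 1.0},
    "emergency_agency": {"functional": 3.0, "information": 1.0, "recoverability": 1.5},
}


@dataclass(frozen=True)
class Incident:
    ident: str
    functional: str
    information: str
    recoverability: str


def _level(table, name, category):
    """Look up a rating, failing loudly on a typo rather than silently scoring 0."""
    try:
        return table[name]
    except KeyError:
        raise ValueError(f"unknown {category} rating {name!r}") from None


def score(inc, profile):
    """Weighted sum of the three impact ratings under an organization's profile."""
    w = WEIGHTS[profile]
    return (w["functional"] * _level(FUNCTIONAL, inc.functional, "functional")
            + w["information"] * _level(INFORMATION, inc.information, "information")
            + w["recoverability"] * _level(RECOVERABILITY, inc.recoverability, "recoverability"))


def prioritize(incidents, profile):
    """Incident ids ordered highest score first; equal scores keep queue order."""
    ranked = sorted(incidents, key=lambda i: score(i, profile), reverse=True)
    return [i.ident for i in ranked]


# Constructed sample queue: a routine scan, a data theft and an outage.
QUEUE = [
    Incident("INC-1", "none", "none", "regular"),               # low-and-slow port scan
    Incident("INC-2", "low", "privacy_breach", "supplemented"),  # PII exfiltration
    Incident("INC-3", "high", "none", "extended"),              # dispatch system outage
]

if __name__ == "__main__":
    for profile in WEIGHTS:
        print(profile, prioritize(QUEUE, profile))
```

The same three incidents come out in a different order under the two profiles, which is exactly the effect the weighting is meant to produce.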
Incident Information
Handling incidents
There are five important incident handling phases:
• Preparation: establishing and training an incident response team, and acquiring the necessary tools and resources.
• Detection and analysis: detecting security breaches and alerting the organization during any imminent attack.
• Containment: mitigating the impact of the incident by containing it.
• Eradication and recovery: carrying out the detection and analysis cycle to eradicate the incident and ultimately initiate recovery.
• Post-incident activity: preparing a detailed report of the cause and cost of the incident and future preventive measures against similar attacks.
Organizations should have a plan to respond to various types of incidents, detailing the various aspects of incident handling, including the phases above.
An Incident Response Plan is an organization’s foundation for a formal, focused and coordinated approach to incident response.
The objective of instating an incident response plan is to provide the roadmap for implementing the incident response capability. The incident response plan acts as a defence mechanism against hackers, malware, human error and a series of other security threats.
An incident response plan provides the structure for building an organization’s incident response capability. Emphasis on computing security policies and practices is a main objective of most organizations’ overall risk management strategies. Elements recommended as important to an incident response plan are:
• the incident response team’s communication with the rest of the organization and with other organizations
• metrics for measuring the incident response capability and its effectiveness
• a roadmap for maturing the incident response capability (regular reviews, audits and tests etc.)
• how the program fits into the overall organization
Developing an incident response plan checklist can minimize the threat of a security breach, whether in the form of attacks on websites and servers or inadvertent leakage of shared sensitive data. Instating a structure that ensures the latest developments are captured, understood, evaluated as threats to the business, documented and distributed will help ensure an effective incident response. An incident response plan checklist should be an amalgamation of the following key practices:
The integrity of business security demands an effective incident response team, which can be achieved through the selection of an appropriate structure and staffing model. Typically, a designated incident response team or personnel function as the first point of contact (POC) in a situation involving a security breach in an organization. The incident handlers may then analyse the incident data, determine the impact of the incident, and act appropriately to limit the damage and restore normal services. The incident response team’s success depends on the participation and cooperation of individuals throughout the organization. Therefore, an organization must create a core team, identify suitable individuals, discuss incident response team models, and provide advice on selecting an appropriate model.
Listed below is a range of tool kits, systems and instrumentation that may be useful in an incident response:
• Incident handler communications and facilities: contact information for team members and others within and outside the organization; an on-call information matrix; incident reporting mechanisms such as phone numbers, email addresses and online forms; incident tracking systems; smartphones for round-the-clock communication; encryption software for internal team members; a secure storage facility for security materials, etc.
• Incident analysis hardware and software: digital forensic workstations and/or backup devices to create disk images, preserve log files and save other relevant incident data; laptops; spare workstations, servers and networking equipment, or their virtualized equivalents, for storing and trying out malware; blank removable media; packet sniffers and protocol analyzers; digital forensic software; evidence gathering accessories such as digital cameras, audio recorders and chain of custody forms, etc.
• Incident analysis resources: port lists, including commonly used ports and Trojan horse ports; documentation for OSs, applications and protocols; network diagrams and lists of critical assets such as database servers; current baselines of expected network, system and application activity; cryptographic hashes of critical files to speed incident analysis, verification and eradication.
• Incident mitigation software: access to images of clean OS and application installations for restoration and recovery purposes.
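The cryptographic hashes of critical files in the list above only speed analysis and eradication if the baseline was taken before the incident and is kept where a compromised host cannot rewrite it. The following added example (not the handbook's own code) builds such a SHA-256 baseline and, during verification, reports files that were modified, removed or added; the small file tree and the tampering are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (relative, '/'-separated path) to its digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Compare the live tree against a stored baseline.
    Returns the relative paths that were modified, are missing, or are unexpected."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, save it, tamper, then verify."""
    with tempfile.TemporaryDirectory() as root:
        sample = {"bin/sshd": b"sshd binary v1", "etc/hosts": b"127.0.0.1 localhost\n"}
        for rel, data in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # In practice the baseline belongs on offline media or a separate server
        # that the monitored host cannot write to; a temp file stands in here.
        with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as bf:
            json.dump(build_baseline(root), bf)
        # Simulated tampering: one file replaced, one removed, one dropped in.
        with open(os.path.join(root, "bin", "sshd"), "wb") as f:
            f.write(b"sshd binary v1 with extra bytes")
        os.remove(os.path.join(root, "etc", "hosts"))
        with open(os.path.join(root, "bin", "unknown"), "wb") as f:
            f.write(b"not in baseline")
        with open(bf.name) as f:
            stored = json.load(f)
        os.remove(bf.name)
        return verify(root, stored)


if __name__ == "__main__":
    print(demo())
```

During eradication the same comparison tells the handler which files to restore from the clean images mentioned above and which unexpected files need to be examined.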
Scenarios:
• Through a routine evaluation of system logs, a system administrator discovers that XYZ’s data has been exfiltrated from the system by an unauthorized user account.
• A remote user has lost his/her laptop. The user’s job function required that XYZ’s information be stored on the laptop.
• After a recent office move, it is discovered that a locked cabinet containing XYZ’s information is missing.
For each scenario:
• Determine the actions that would help prevent this type of incident (preparation).
• Determine the controls in place that would help identify this incident, along with procedures on how to report the incident (detection and analysis).
• How to prevent further damage (containment).
• How to clean the system (eradication).
• How to restore the system in a secure manner (recovery).
Summary
An incident is a set of one or more security events or conditions that requires action and closure
in order to maintain an acceptable risk profile.
These can be classified into:
o Malicious code incidents
o Network reconnaissance incidents
o Unauthorised access incidents
o Inappropriate usage incidents
o Multiple component incidents
Impact of information security incidents can be classified into:
o Functional impact
o Information impact
o Recoverability from the incident
Signs of a security incident: the two main types of signs of an incident are:
o Precursor: a sign that an incident may occur in the future.
o Indicator: a sign that an incident may have occurred or may be occurring now.
There are five important incident handling phases:
o Preparation
o Detection and analysis
o Containment
o Eradication and recovery
o Post-incident activity
Incident Response Plan is an organization’s foundation to a formal, focused and coordinated
approach for incident response.
Central Incident Response team: a functional model for small organizations with limited or no
geographic presence wherein a single incident response team handles core security computing.
Distributed Incident Response team: this model is effective for large organizations (e.g. one
team per division) and for organizations with major computing resources at distant locations
(e.g. one team per geographic region, one team per major facility).
A jumpkit is a portable case instrumental to incident response teams; it contains items such as a laptop, appropriate software such as packet sniffers and digital forensics tools, backup devices, blank media etc.
Practical activities:
Activity 1:
Collate information on various types of information security incidents from the internet
and populate the various categories of incidents mentioned in the unit with examples
of each. Present a few details of these incidents, if possible.
Activity 2:
Visit various company sites, and find out their incident response plans and list out
various components of it.
Activity 3:
Work in a group to create an incident response plan for the training institute and modify it as you progress through this module.
Q. A portable case instrumental to incident response teams, containing items such as a laptop, appropriate software such as packet sniffers and digital forensics tools, backup devices, blank media etc., is known as a ________________
Q. Which of the following is not a category of security incidents? Mark all that apply.
a) Malicious code
b) Network usage
c) CSIRT
d) Inappropriate usage
e) Precursor
f) Multiple component
UNIT II
Incident Response
- Roles and Responsibilities
Lesson Plan
You need to know and understand:
KA4. limits of your role and responsibilities and who to seek guidance from where required.
KA6. who to involve when investigating and co-ordinating responses to information security incidents and how to contact them.
KA11. how to assign and escalate information on information security incidents.
KA12. different methods and techniques used when working with others.
KB5. common issues and incidents of information security that may require action and whom to report these to.
KB6. how to obtain and validate information related to information security issues.
Learning methods:
KA4. Peer group, faculty group and industry experts.
KA6. Performance evaluation from faculty and industry with reward points.
KA11. Online exam and reward points based on reviews from the forums.
KA12. Faculty and peer review.
KB5, KB6, KB7. Going through the security standards over the internet by visiting sites like ISO, PCI DSS etc. and understanding various methodologies and usage of algorithms. Learn about the CIA triad relating to latest threats and vulnerabilities.
Resources:
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Access to all security sites like ISO, PCI DSS, Center for Internet Security etc.
Security Templates from ITIL & ISO
Lesson
A single employee, with one or more designated alternates, should be in charge of incident response. In a fully outsourced model, this person oversees and evaluates the outsourcer’s work. All other models generally have a team manager and one or more deputies who assume authority in the absence of the team manager. Every team member should have good problem solving skills and critical thinking abilities.
An incident response team member should possess technical skills, such as system administration, network administration, programming, technical support or intrusion detection. An incident response team should combine members skilled in the core technology areas (e.g. operating systems and applications) with members skilled in other technical areas such as network intrusion detection, malware analysis or forensics.
A team member in an incident response unit is expected to have a basic understanding of the technologies used and their applications. The individual should be capable of comprehending the following:
• the type of incident activity that is being reported or seen by the community.
• the way in which incident response team services are being provided (the level and depth of technical assistance provided to the constituency).
• the responses that are appropriate for the team (e.g. what policies and procedures or other regulations must be considered or followed while undertaking the response).
• the level of authority the incident response team has in taking any specific actions when applying technical solutions to an incident reported to the incident response team.
To keep these skills current, the organization should:
• maintain, enhance and expand proficiency in technical areas and security disciplines as well as less technical topics such as the legal aspects of incident response.
• incentivize participation in staff conferences.
• promote deeper technical understanding.
• engage an external technical knowledge facilitator with deep technical knowledge in needed areas to impart learning and development.
• provide opportunities to perform other tasks in non-functional areas.
• rotate staffing of members across functions to gain new technical skills.
• create a mentoring program to enable senior technical staff to help less experienced staff learn incident handling.
• develop incident handling scenarios and conduct team discussions.
After successfully selecting a functional core team, team members should be further integrated into an appropriate staffing model based on the magnitude of incident response and the size of the organization. The three types of staffing model are:
• In house employees
• Partially outsourced
• Fully outsourced
An organization must consider the following factors before selecting an appropriate incident response team structure:
• The need for 24/7 availability: real-time availability is one of the most valuable incident response options, because the longer an incident lasts, the more potential there is for damage and loss.
• Full-time versus part-time team members: organizations with limited funding, staffing or incident response needs may have only part-time incident response team members, serving as more of a virtual incident response team. An existing group such as the IT help desk can act as a first POC for incident reporting and perform initial investigation and data collection.
• Employee morale: segregate administrative work and core incident response to minimize stress on employees and to help boost morale.
• Cost: provide sufficient funding for training and skills development of incident response team members, since the work demands broad knowledge of IT.
• Staff expertise: incident handling requires specialized knowledge and experience in several technical areas. The breadth and depth of knowledge required varies based on the severity of the organization’s risks.
Outsourced
In the case of outsourced work, the organization must consider not only the current quality (breadth and depth) of the outsourcer’s work, but also efforts to ensure the quality of future work:
• Document the line of authority for outsourced incident response work appropriately and ensure that actions for these decision points are handled.
• Divide incident response responsibilities and restrict access to sensitive information.
• Provide regularly updated documents that define what incidents the outsourcer should be concerned about.
• Create correlation among multiple data sources.
• Maintain basic incident response skills in-house.
Defining the relationship between incident response, incident handling, and incident management
Incident handling refers to the several phases of the incident response process, i.e. preparation, detection and analysis, containment, eradication and recovery, and post-incident activity, required for adequate handling of an incident.
Incident management is the term used to describe the overall computing security management needed to detect the occurrence of an incident, initiate and handle an incident response, and prevent any future re-occurrences.
Routine operational procedures and tasks required to co-ordinate and respond to information security incidents
• Prepare to handle incidents.
• Use incident analysis hardware and software.
• Use incident analysis resources.
• Use incident mitigation software.
• Management is responsible for coordinating incident response among various stakeholders, minimizing damage, and reporting to Congress, OMB, the General Accounting Office (GAO), and other parties.
• Information security staff members may be needed during certain stages of incident handling (prevention, containment, eradication and recovery), for example to alter network security controls (e.g. firewall rule sets).
• IT technical experts (e.g. system and network administrators) can ensure that the appropriate actions are taken for the affected system, such as whether to disconnect an attacked system.
• Coordinate with relevant legal experts to review incident response plans, policies and procedures to ensure their compliance with law and federal guidance, including the right to privacy.
• Ensure that incident response policies and procedures and business continuity processes are in sync.
• Coordinate with Physical Security and Facilities Management to access facilities during incident handling.
Start to create a documented action script that will outline your response steps so your IR Manager can follow them consistently. Your script should show steps similar to the following:
STEP #  ACTION
1  Incident announced
2  IR Manager alerted
3  IR Manager begins information gathering from affected site
4  IR Manager begins tracking and documentation of incident
5  IR Manager invokes Assessment Team (details of call bridge or other communication mechanism)
References: Students are encouraged to read more on roles and responsibilities in the IR team of any organization from the following references.
http://www.cert.org/csirts/Creating-A-CSIRT.html
http://www.cert.org/csirts/Creating-A-CSIRT.html#practices
O’Reilly, Incident Response – Kenneth R. van Wyk and Richard Forno
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf