Search “scholar.google.com” or your textbook. Discuss the technical skills required to have a CSIRT response team consisting of employees with other job duties (i.e., not a full-time CSIRT job category). Why or why not? What factors will influence their decision?

Minimum 300 words. No plagiarism, please.

Principles of Incident Response and Disaster Recovery, 2nd Edition

Chapter 4

Incident Response: Planning


Objectives

Describe the process used to organize the incident response planning process

Describe the activities and deliverables used to develop an incident response policy, including how policy affects the incident response planning process and how policy can be implemented to support incident response practices

Explain the techniques that can be employed when forming a security incident response team

Objectives (cont’d.)

List the skills and components required to devise an incident response plan

Discuss some of the concerns and trade-offs to be managed when assembling the final incident response plan

Introduction

Contingency planning (CP)

Addresses everything to prepare for the unexpected

Incident response (IR): element of CP

Focus: detect and evaluate the severity of emerging unexpected events

Documented escalation process

Used when other CP process elements activated

IR process phases

Preparation, detection and analysis, containment, eradication and recovery, and post-incident activity

The IR Planning Process

Contingency planning management committee (CPMT)

Completes each business impact analysis component

Transfers information to subordinate committees

IR committee, disaster recovery (DR) committee, business continuity (BC) committee

Provides information that may overlap

Attack information

Attack prioritization information

Attack scenario end cases

The IR Planning Process (cont’d.)

Committee members begin their subordinate plans

Incident planning stages

Form the IR planning committee

Develop the IR planning policy

Integrate the BIA

Identify preventive controls

Organize the Computer Security Incident Response Team (CSIRT)

Create IR strategies and procedures

Develop the IR plan

Ensure plan testing, training, exercises, maintenance

The IR Planning Process (cont’d.)

IR planning process organization

Begins with staffing the IR planning committee

IR team organized as a separate entity

Begins by identifying and engaging a collection of stakeholders

Representative collection of individuals

Have a stake in the successful and uninterrupted operation of the information infrastructure

Used to collect vital information on the roles and responsibilities of the CSIRT

The IR Planning Process (cont’d.)

Typical stakeholders

General management

IT and InfoSec management

Organizational departments

Legal department

Human resources department (HR)

Public relations (PR)

Departments with an information security overlap

General end users, key business partners, contractors, temporary employee agencies, consultants

Forming the IR Planning Team

Incident response planning team (IRP team)

Performs planning and development activities

Built by executive leadership

Information technology (IT) involvement

Information security involvement

CPMT organizational management representatives

Team leader: liaison between IR team and CPMT

Champion: chief information officer (CIO) or vice president of IT

Should meet regularly to develop the IR plan and to structure, develop, and train the CSIRT

Developing the Incident Response Policy

IR policy

First deliverable prepared by the IRP committee

Defines team operations

Articulates response to various types of incidents

Advises end users on how to contribute to the effective response

Rather than contributing to the problem at hand

Similar in structure to other organization policies

Developing the Incident Response Policy (cont’d.)

In developing the policy:

Critical to involve those who actually use the policies

Include interaction and review by other CP teams

Aids in developing clear, consistent, uniform policy elements and structure

Look at policies from other agencies and organizations

Developing the Incident Response Policy (cont’d.)

Policy information sources

Organization charts for the enterprise and specific business functions

Topologies for organizational or constituency systems and networks

Critical system and asset inventories

Existing DR or BC plans and any existing IR plans

Existing guidelines for notifying the organization of a physical security breach

Any parental or institutional regulations

Any existing security policies and procedures

Building the Computer Security Incident Response Team

Loose or informal CSIRT association

Consists of IT and InfoSec staffers

Informed if attack detected on information assets

Formal CSIRT implementation

Team of people and supporting policies, procedures, technologies, and data

Prevent, detect, react to, and recover from incident that could potentially damage information

At some level, CSIRT team members come from all organization members

Every action could cause or avert an incident

Incident Response Planning

Incident response plan (IR plan)

Detailed set of processes and procedures

Anticipate, detect, and mitigate unexpected event effects that might compromise information resources and assets

Adverse events: organization viewpoint

Unexpected activities occurring periodically

Incident Response Planning (cont’d.)

Incident: contingency planning viewpoint

Adverse event threatening security of organization’s information

Adverse event: natural or human-made

Occurs when adverse event affects information resources and/or assets

Causes actual damage or other disruptions

Incident response (IR)

Set of procedures

Commence when incident detected

Must be carefully planned and coordinated

Incident Response Planning (cont’d.)

IR plan activation

Occurs when incident causes minimal damage

According to criteria set in advance

Activated with little or no disruption to operations

Information security incident

Three required characteristics

Directed against information assets owned or operated by the organization

Has realistic chance of success

Threatens information resources and assets confidentiality, integrity, or availability

Incident Response Planning (cont’d.)

IR procedures

Reactive measures; not considered preventive control

Excluding efforts taken to prepare for such actions

Chief information security officer (CISO)

Responsible for creating organization’s IR plan

Creates CSIRT by selecting members from each community of interest

Should clearly document and communicate roles and responsibilities

May include an alert roster

Incident Response Planning (cont’d.)

IRP team and CSIRT

Develop series of predefined incident responses

IR plan creation

Part of the multistep CP process completed by IR team

Integral IR procedures begin to take shape

For every potential attack scenario, the IR team creates an incident plan

Incident plan made up of three sets of incident-handling procedures

Address steps taken before, during, and after the incident

Planning for the Response During the Incident

IR planning activities

Begin with the middle: the actual incident response

Most important phase

Reaction to the incident (“during the incident”)

Team needs quick and easy access to specific procedures

Must identify, contain, and terminate the incident

Triggering the IR Plan

Viable attack scenario end cases

Examined in turn by IR team and CSIRT representatives

Understand actions needed to react to the incident

Discussion begins with the trigger

Circumstance causing IR team activation and IR plan initiation

Triggering the IR Plan (cont’d.)

Trigger situations or circumstances

Phone call from a user to the help desk about unusual computer or network behavior

Notification from systems administrator about unusual server or network behavior

Notification from an intrusion detection device

Review of system log files indicating an unusual pattern of entries

Loss of system connectivity

Device malfunctions

Triggering the IR Plan (cont’d.)

Once indicator reported:

IR team leader or IR duty officer determines IR plan activation

IR duty officer

CSIRT team member (not the team leader)

Currently performing team leader responsibilities

Scanning information infrastructure for signs of an incident

Team members notified once potential incident detected

Move forward with IR plan
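The two slides above list "review of system log files indicating an unusual pattern of entries" as one trigger and make the IR duty officer the person who decides whether the IR plan is activated. The script below is an added example, not code from the textbook: it parses a handful of constructed SSH authentication log lines, flags any source that produces a burst of failed logins within a short window, notes whether the same source then logged in successfully, and produces a trigger record the duty officer can act on. The log lines, hostnames, addresses, the five-failures-per-minute threshold and the activation rule are all assumptions made for the example.

```python
"""Added example: turning a log-file review into an IR trigger record.

Everything here (log lines, hosts, addresses, threshold, window) is
constructed for illustration and is not taken from the textbook.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout (not real data).
SAMPLE_LOG = """\
2024-03-04T09:00:01 fileserver sshd: Failed password for admin from 203.0.113.7
2024-03-04T09:00:03 fileserver sshd: Failed password for root from 203.0.113.7
2024-03-04T09:00:05 fileserver sshd: Failed password for backup from 203.0.113.7
2024-03-04T09:00:06 fileserver sshd: Failed password for admin from 203.0.113.7
2024-03-04T09:00:08 fileserver sshd: Failed password for admin from 203.0.113.7
2024-03-04T09:00:09 fileserver sshd: Accepted password for admin from 203.0.113.7
2024-03-04T09:10:00 fileserver sshd: Failed password for alice from 198.51.100.4
2024-03-04T09:30:00 fileserver sshd: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def find_triggers(events, threshold=5, window=timedelta(minutes=1)):
    """Return one trigger per (host, source) whose failed logins reach `threshold`
    inside any `window`; severity is raised if a later success follows the burst."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        key = (e["host"], e["src"])
        (failures if e["result"] == "Failed" else successes)[key].append(e["ts"])

    triggers = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                later_success = any(t >= times[end] for t in successes[key])
                triggers.append({
                    "host": key[0],
                    "source": key[1],
                    "failures": end - start + 1,
                    "window_start": times[start].isoformat(),
                    "window_end": times[end].isoformat(),
                    "followed_by_success": later_success,
                    "severity": "high" if later_success else "medium",
                })
                break  # one trigger per source is enough for the duty officer
    return triggers


def recommend(trigger):
    """Assumed activation rule: a burst followed by a successful login goes
    straight to IR plan activation; anything else is queued for duty-officer review."""
    return "activate IR plan" if trigger["severity"] == "high" else "duty officer review"


if __name__ == "__main__":
    for trig in find_triggers(parse(SAMPLE_LOG)):
        print(trig, "->", recommend(trig))
```

The example separates the mechanical part (spotting the unusual pattern) from the judgment call (activation), which is what the slides assign to the duty officer; the script only hands over a record with the facts needed to make that call.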

The Reaction Force

IRP team determines individuals needed to respond to each particular end case

Unique team for each attack scenario end case

Team leader specified in IR plan

Resources and skill sets added as necessary

IR plan specifies the scribe (archivist or historian)

Develops and maintains event log used in reviewing actions during the after-action review

CSIRT reaction force

The resulting incident team

Actions Taken “During the Incident”

Reacting to a particular incident

Determining what must be done

Example: malware infestation

Verify virus presence

Confirm presence and determine extent of exposure

Quarantine infestation

Disconnect infected systems from network

Look for evidence of continued spread

Continue to look for “flare-ups”

Begin the next phase: decontamination

Actions Taken “During the Incident” (cont’d.)

Example: malware infestation (cont’d.)

Last phase: “actions during”

Disinfect systems by running anti-malware software, searching for spyware

Functional and up-to-date anti-malware detects and documents new malware presence

“Actions during” phase complete once all signs of contamination eliminated
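The Reaction Force slide says the IR plan names a scribe who keeps the event log that the after-action review relies on, and the two slides just above walk through the "actions during" sequence for a malware infestation (verify, quarantine, watch for flare-ups, decontaminate). The code below is an added example, not from the textbook: a small tamper-evident incident log in which every entry is chained to the previous one with SHA-256, so the AAR can check that nobody edited the timeline after the fact. The incident identifier, names, hostnames, times and the wording of the entries are constructed to follow the malware example on the slides.

```python
"""Added example: the scribe's hash-chained event log for the after-action review.

The chaining technique is a generic tamper-evident log; the incident content
(identifier, actors, hosts, times) is constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone


class IncidentLog:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor, phase, action, when=None):
        """Append one entry whose hash covers its content and the previous hash."""
        when = when or datetime.now(timezone.utc)
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "time": when.isoformat(),
            "actor": actor,
            "phase": phase,
            "action": action,
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        # Canonical JSON of every field except the hash itself.
        fields = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or e["hash"] != self._digest(e):
                return False, i
            prev = e["hash"]
        return True, None

    def timeline(self, phase=None):
        """Entries in order, optionally restricted to one phase (for the AAR)."""
        return [e for e in self.entries if phase is None or e["phase"] == phase]


def build_sample_log():
    """Constructed entries following the slides' malware 'actions during' sequence."""
    log = IncidentLog("INC-EXAMPLE-001")  # placeholder identifier, not a real case
    t0 = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)
    steps = [
        ("duty officer", "trigger", "help desk reports unusual behaviour on ws-17; IR plan activated"),
        ("analyst A", "verify", "anti-malware confirms infection on ws-17; two more hosts show same sample"),
        ("analyst B", "quarantine", "ws-17, ws-22, ws-31 disconnected from network"),
        ("analyst A", "quarantine", "no further detections after 30 minutes; no flare-ups"),
        ("analyst B", "decontaminate", "anti-malware and spyware scans run on all three hosts; clean"),
        ("team leader", "close", "actions-during phase complete; moving to recovery and AAR"),
    ]
    for i, (actor, phase, action) in enumerate(steps):
        log.record(actor, phase, action, when=t0 + timedelta(minutes=10 * i))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for e in log.timeline():
        print(e["time"], e["phase"], e["actor"], "-", e["action"])
    print("chain intact:", log.verify())
```

Because each hash also covers the previous hash, changing a single note invalidates that entry and every one after it, which is exactly the property the scribe needs when the log may later be used in forensic analysis or civil or criminal proceedings.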

Planning for “After the Incident”

“Actions after” phase

Begins once incident contained

Lost or damaged data restored

Systems scrubbed of infection

Essentially everything restored to its previous state

IR plan

Describes stages to recover from most likely incident

Details the protection from follow-on incidents, forensics analysis, after-action review events

Follow-on attacks

Identification should be of great concern

Planning for “After the Incident” (cont’d.)

Forensic analysis

Systematically examining information assets for evidentiary material providing insight into how incident transpired

Use an individual trained in forensic analysis

May be used in civil or criminal proceedings

After-action review (AAR)

Detailed examination of events

Key players review and verify notes, documentation

Update plan and train future staff

IR team action closed

Planning for “Before the Incident”

Also called “before actions”

Planners implement good IT and information security practices

Includes preventive measures

Manage risks associated with a particular attack

Preparations of the IR team

Routine rehearsal maintains a state of readiness to respond to attacks

CSIRT training, IR plan testing, selecting and maintaining CSIRT tools, training system users

Training the CSIRT

National training programs focusing on IR tools and techniques

SANS Institute national conferences

http://www.sans.org

SANSFIRE: specifically focused on IR

Microsoft, Cisco, and Sun

Department of Homeland Security (DHS) and the US CERT

http://www.fbcinc.com/gfirst

Organization training programs

Includes mentoring-type training

Training the CSIRT (cont’d.)

Professional reading program

Self-created list of trustworthy information sources

No dedicated IR journals or magazines

SANS Information Security Reading Room

http://www.sans.org/rr

Computer Security Officer

http://www.csoonline.com

SC Magazine

http://www.scmagazine.com

Information Security Magazine

http://informationsecurity.techtarget.com

Training the CSIRT (cont’d.)

Online resources for IR

Forum of Incident Response and Security Teams (FIRST): http://www.first.org

U.S. Computer Emergency Readiness Team (US CERT): http://www.us-cert.gov

CERT Coordination Center (CERT CC) at Carnegie Mellon University: http://www.cert.org

NIST Computer Security Resource Center (CSRC)

http://csrc.nist.gov

Honeypots.net: http://www.honeypots.net

Training the CSIRT (cont’d.)

IR plan testing

Key part of CSIRT training

Strategies

Desk check, structured walk-through, simulation, parallel testing, full interruption, war gaming

Desk check

Individual reviews plan and creates list of correct and incorrect components

Structured walk-through

Walk through steps taken during an actual event

Training the CSIRT (cont’d.)

Simulation

Potential participant individually simulates the performance of each task

Stops short of the actual physical tasks required

Parallel testing

Act as if actual incident occurred

Perform required tasks and execute necessary procedures without interfering with the normal operations of the business

Must ensure procedures performed do not halt operations of the business functions

Training the CSIRT (cont’d.)

Full interruption

Individuals follow each and every procedure

Often performed after normal business hours

In organizations that cannot afford to disrupt or simulate disruption of business functions

War gaming

Simulation of attack and defense activities

Uses realistic networks and information systems

The exercise of IR plans is an important element

National competitions at conferences and collegiate level

Training the CSIRT (cont’d.)

Common war-gaming variations

Capture the flag, king of the hill, computer simulations

Defend the flag, online programming-level war games

CIA and U.S. military war games

Train and test troops in information security and information warfare tactics

Hackers have war games (http://roothack.org)

Minimum test:

Periodic walk-through (chalk talk) of each CP component plan

Training the Users

Security education training and awareness (SETA)

Responsible for training users

Tasks to instruct

What is expected of them

How to recognize an attack

How to report a suspected incident, and whom to report it to

How to mitigate the damage of attacks on the desktop

Training the Users (cont’d.)

Tasks to instruct (cont’d.)

Good information security practices

Keeping antivirus/anti-malware software up to date

Using spyware detection software

Keeping operating system and applications up to date with patches and updates

Not opening suspect e-mail attachments

Avoiding social engineering attacks

Not downloading and installing unauthorized software or software from untrusted sources

Protecting passwords and classified information

Training the Users (cont’d.)

Training for general users

Allows users to ask questions and receive specific guidance

Provide training on technical details of how to do jobs securely

Allows the organization to emphasize key points

Employee orientation

Convenient time to conduct training

Training the Users (cont’d.)

Training for managerial users

May have same requirements as general user

Managers expect more personal training

Managers often resist organized training

Champion can exert influence

Training for technical users

Training for IT staff, security staff, technically competent general users

More detailed than general user or managerial training

May require consultants or outside training organizations

Training Techniques and Delivery Methods

Successful training elements

Good training techniques

Thorough subject area knowledge

Selection of training delivery method

Not always based on the best outcome for the trainee

Often based on budget, time frame, organization needs

Assembling and Maintaining the Final IR Plan

Draft plan

Used for preliminary staff training and evaluating plan effectiveness

If any errors or difficulties are discovered

Remedied as draft plan matures

Commence final assembly

Once desired plan maturity is achieved, drafts are reviewed and tested

Assembling and Maintaining the Final IR Plan (cont’d.)

Final plan creation

Testing process does not stop: test semiannually

Modified plans retested at the earliest opportunity

Final IR plan document created

Once all individual IR plan components drafted and tested

IR plan format and content

Organization dependent

Ensure IR plan developed, tested, and placed in easy-to-access location

Assembling and Maintaining the Final IR Plan (cont’d.)

Recommended practices for physical IR plan

Select a uniquely colored binder

Place reflective tape on spine of binder

Place classified document cover sheet in slipcover

Place an index on the first inside page

Use common tab and label the index for documents

Organize the contents

Attach copies of relevant documents in the back

Add additional documents as needed

Store in a secure but easily reachable location

Summary

CP prepares organization for the unexpected

CPMT completes BIA components, and identifies information flow and subordinate committee responsibility

Incident planning has multiple stages

Organizing the IR planning process begins with IRP team staffing and identifying stakeholders

IRP team first deliverable: IR policy

CSIRT prevents, detects, reacts to, and recovers from an incident

Summary (cont’d.)

IR plan anticipates, detects, and mitigates unexpected event effects

Activated when incident causes minimal damage

Includes three sets of incident-handling procedures

IRP team determines individuals needed to respond

Ensures CSIRT prepared to respond to incident

Key part of CSIRT training: testing the IR plan

Final IR plan document created

Once all individual IR plan components drafted and tested
