Incident Response Plan
This incident response plan defines what constitutes a security incident and outlines the incident response phases. This incident response plan document discusses how information is passed to the appropriate personnel, assessment of the incident, minimising damage and response strategy, documentation, and preservation of evidence. The incident response plan will define areas of responsibility and establish procedures for handing various security incidents. This document discusses the considerations required to build an incident response plan.
This policy is designed to protect the organizational resources against intrusion.
3.0 Incident Response Goals
- Verify that an incident occurred.
- Maintain or Restore Business Continuity.
- Reduce the incident impact.
- Determine how the attack was done ir the incident happened.
- Prevent future attacks or incidents.
- Improve security and incident response.
- Prosecute illegal activity.
- Keep management informed of the situation and response.
4.0 Incident Definition
An incident is any one or more of the following:
- Loss of information confidentiality (data theft)
- Compromise of information integrity (damage to data or unauthorized modification).
- Theft of physical IT asset including computers, storage devices, printers, etc.
- Damage to physical IT assets including computers, storage devices, printers, etc.
- Denial of service.
- Misuse of services, information, or assets.
- Infection of systems by unauthorized or hostile software.
- An attempt at unauthorized access.
- Unauthorized changes to organizational hardware, softwaare, or configuration.
- Reports of unusual system behavior.
- Responses to intrusion detection alarms.
5.0 Incident Planning
In the incident response plan, do the following:
- Define roles and responsibilities
- Establish procedures detailing actions taken during the incident.
- Detail actions based on type of incident such as a virus, hacker intrusion, data theft, system destruction.
- Procedures should consider how critical the threatened system or data is.
- Consider whether the incident is ongoing or done.
6.0 Incident Response Life cycle
- Incident Preparation
- Policies and Procedures
- Computer Security Policies - These involve many policies including password policies, intrusion detection, computer property control, data assessment, and others.
- Incident Response Procedures
- Backup and Recovery Procedures
- Implement policies with security tools including firewalls, intrusion detection systems, and other required items.
- Post warning banners against unauthorized use at system points of access.
- Establish Response Guidelines by considering and discussing possible scenarios.
- Train users about computer security and train IT staff in handling security situations and recognizing intrusions.
- Establish Contacts - Incident response team member contact information should be readily available. An emergency contact procedure should be established. There should be one contact list with names listed by contact priority.
- Test the process.
- Discovery - Someone discovers something not right or suspicious. This may be from any of several sources:
- Intrusion detection system
- A system administrator
- A firewall administrator
- A business partner
- A monitoring team
- A manager
- The security department or a security person.
- An outside source.
- Notification - The emergency contact procedure is used to contact the incident response team.
- Analysis and Assessment - Many factors will determine the proper response including:
- Is the incident real or peceived?
- Is the incident still in progress?
- What data or property is threatened and how critical is it?
- What is the impact on the business should the attack succeed? Minimal, serious, or critical?
- What system or systems are targeted, where are they located physically and on the network?
- Is the incident inside the trusted network?
- Response Strategy - Determine a response strategy.
- Is the response urgent?
- Can the incident be quickly contained?
- Will the response alert the attacker and do we care?
- Containment - Take action to prevent further intrusion or damage and remove the cause of the problem. May need to:
- Disconnect the affected system(s)
- Change passwords.
- Block some ports or connections from some IP addresses.
- Prevention of re-infection
- Determine how the intrusion happened - Determine the source of the intrusion whether it was email, inadequate training, attack through a port, attack through an unneeded service, attack due to unpatched system or application.
- Take steps to prevent an immediate re-infection which may include one or more of:
- Close a port on a firewall
- Patch the affected system
- Shut down the infected system until it can be re-installed
- Re-install the infected system and restore data from backup. Be sure the backup was made before the infection.
- Change email settings to prevent a file attachment type from being allow through the email system.
- Plan for some user training.
- Disable unused services on the affected system.
- Restore Affected Systems - Restore affected systems to their original state. Be sure to preserve evidence against the intruder by backing up logs or possibly the entire system. Depending on the situation, restoring the system could include one or more of the following
- Re-install the affected system(s) from scratch and restore data from backups if necessory. Be sure to preserve evidence against the intruder by backing up logs or possibly the entire system.
- Make users change passwords if passwords may have been sniffed.
- Be sure the system has been hardened by turning off or uninstalling unused services.
- Be sure the system is fully patched.
- Be sure real time virus protection and intrusion detection is running.
- Be sure the system is logging the correct items
- Documentation - Document what was discovered about the incident including how it occurred, where the attack came from, the response, whether the response was effective.
- Evidence Preservation - Make copies of logs, email, and other documentable communication. Keep lists of witnesses.
- Notifying proper external agencies - Notify the police if prosecution of the intruder is possible.
- Assess damage and cost - Assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.
- Review response and update policies - Plan and take preventative steps so the intrusion can't happen again.
- Consider whether an additional policy could have prevented the intrusion.
- Consider whether a procedure or policy was not followed which allowed the intrusion, then consider what could be changed to be sure the procedure or policy is followed in the future.
- Was the incident response appropriate? How could it be improved?
- Was every appropriate party informed in a timely manner?
- Were the incident response procedures detailed and cover the entire situation? How can they be inproved?
- Have changes been made to prevent a re-infection of the current infection? Are all systems patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
- Have changes been made to prevent a new and similar infection?
- Should any security policies be updated?
- What lessons have been learned from this experience?