Difference between revisions of "Incident Response"
(→Communications) |
(→Communications) |
||
| Line 71: | Line 71: | ||
IBM's Security Intelligence Reports [https://securityintelligence.com/building-the-best-incident-response-team/ the following list of team members] | IBM's Security Intelligence Reports [https://securityintelligence.com/building-the-best-incident-response-team/ the following list of team members] | ||
| − | *Legal counsel to provide oversight and guidance on steps to take or not take; | + | *'''Legal counsel''' to provide oversight and guidance on steps to take or not take; |
| − | *Executive management for decision-making at the executive/board level; | + | *'''Executive management''' for decision-making at the executive/board level; |
| − | *IT and security teams for technical guidance and execution of the initial incident response phases; | + | *'''IT and security teams''' for technical guidance and execution of the initial incident response phases; |
| − | *Compliance for assistance with incident oversight and follow up, including any breach notification or reporting that may be required; | + | *'''Compliance''' for assistance with incident oversight and follow up, including any breach notification or reporting that may be required; |
| − | *Business operations for guidance and communications across departments and teams; | + | *'''Business operations''' for guidance and communications across departments and teams; |
| − | *Human resources for facilitating internal communications and assisting with user-centric security policies that may have been violated; | + | *'''Human resources''' for facilitating internal communications and assisting with user-centric security policies that may have been violated; |
| − | *Public relations expertise from someone who has experience in this area and a prepared message; | + | *'''Public relations''' expertise from someone who has experience in this area and a prepared message; |
| − | *Outside consultants who can provide incident response, forensics and security testing expertise; | + | *'''Outside consultants''' who can provide incident response, forensics and security testing expertise; |
| − | *Vendors such as internet service providers (ISPs), cloud service providers and managed security service providers (MSSPs); and | + | *'''Vendors''' such as internet service providers (ISPs), cloud service providers and managed security service providers (MSSPs); and |
| − | *Business partners that have close technical ties to your environment. | + | *'''Business partners''' that have close technical ties to your environment. |
| − | This is a good starting point for building effective communications across the organization. | + | This is a good starting point for building effective communications across the organization. This author would '''add the following''': |
| + | *'''Privacy''' to provide Subject Matter Experience on privacy regulations and reporting requirements; | ||
| + | *'''Data Governance''' to provide Subject Matter Experience on data owners, locations and impact to the organization | ||
| + | *'''Application owners''' to provide impact assessments, containment and recovery capabilities | ||
| + | *'''Business Continuity and Disaster Recovery Teams''' to help the organization evaluate and mitigate impact from both containment and recovery operations | ||
== Documentation == | == Documentation == | ||
Revision as of 15:38, 23 October 2018
Contents
Objective
- "A computer security incident response team (CSIRT) is a concrete organizational entity (i.e., one or more staff) that is assigned the responsibility for coordinating and supporting the response to a computer security event or incident. CSIRTs can be created for nation states or economies, governments, commercial organizations, educational institutions, and even non-profit entities. The goal of a CSIRT is to minimize and control the damage resulting from incidents, provide effective guidance for response and recovery activities, and work to prevent future incidents from happening." (Robin Ruefle, 2007)
The CSIRT or Incident response team can be considered a risk management function that responds appropriately to an incident, protecting the organization from further impact and directing recovery. It may also be considered a part of Operations.
Process
NIST SP 800-61r2 details this process, which can be broken down into several steps:
- Detect
- Contain
- Eradicate
- Recover
- Lessons Learned
Adding to this, it is recommended to have a process for Table Top exercises.
These are pragmatic and work well in an environment. When implementing Incident Response teams, it is advisable to seriously consider using a simple process first and build complexity based on lessons learned.
Tooling
Some tools which may be considered including
- Reporting system for users to report incidents
- A central repository for collecting large files from numerous locations
- Out of band communications channels, if needed
- Screen sharing and phone bridge information
- Communication templates
- The Documentation should including policy supporting the requirement to report incidents within a specified time frame. Refer to any regulatory compliance that you may need to adhere to.
Forensics teams, whether staffed internally, through a vendor or hybrid model, will likely require additional tools.
Ticketing
While a ticketing system for Continuous Monitoring, or that which is in use for Security Incident Investigations, may be applicable, the most important part of Incident Response is to track numerous activities which are assigned to various parties. Some organizations use the Enterprise ticketing system for Incident Response tasks if they are able to. Critical data elements for ticketing are:
- The task name
- The task description
- The assignee
- When the task was assigned
- Notes
- Any required logs
Ideally, the ticketing system will collect all this information under one project, epic or other overarching organization which allows for metrics. In mature organizations, the amount of time spent on the tasks can be collecting allowing for more robust reporting.
Incident Coordinators must track these assignments and validate their completion. The collection of these tasks in a ticketing system is ideal and reduces Enterprise Amnesia
Reporting
Reporting the status of the incident will be discussed under the Communications Section.
Each organization must adapt their reporting to their needs, however some good starting points for reporting are:
- How many incidents are occurring, grouped by severity & criticality
- What organizational units are affected by incidents
- What the type of incident was (e.g. Policy Violation vs. Malware Infection)
- Mean Time to Contain (MMTC) - which is the amount of time between when the organization discovered an incident was occurring and when the incident was declared contained.
Staffing
NIST SP 800-61r2 discusses Centralized, Distributed and Coordinating as Team types.
Regardless of the team composition, it is advisable to consider no less than one individual who is accountable for the CSIRT Process and is an Incident Coordinator with an assigned backup. Depending on the size of the organization, more than one coordinator may be required.
The Coordinator must be empowered through the accountability to request that Ancillary teams perform in response to an incident. That coordinator also acts as a conduit for Communications to Senior Management and directs response according to any input from the response team.
In Federated models of CSIRT, the CSIRT owner becomes a collection point whereby the Federated teams should be required to report their incidents above an established severity and criticality so that such incidents may be tracked. The organization should not be surprised by a severe incident which a subsidiary or federated team is responding to.
Budgeting
In the beginning, the most important budget is that of the CSIRT owner and Coordinator. Whether that role is a Full Time Employee (FTE) or a partial FTE, there will be impact to the staffing of the organization. Factoring that in and having a checkpoint to review the number and severity of incidents is a good practice to consider.
Communications
During an Incident, there are several important factors to consider for Communicating in addition to any that your team has identified.
- Have a planned Communication template with minimum data elements which will be reported on. These should including the state of the incident, its severity, who is responding and next expected communication.
- Establish communication cadence based on severity and criticality at regular intervals.
- Ensure that there is a forum, bridge, chat session or similar medium where required team members can join during an incident with ease
- Anticipate the need to
As with all the material here, use your own judgement.
IBM's Security Intelligence Reports the following list of team members
- Legal counsel to provide oversight and guidance on steps to take or not take;
- Executive management for decision-making at the executive/board level;
- IT and security teams for technical guidance and execution of the initial incident response phases;
- Compliance for assistance with incident oversight and follow up, including any breach notification or reporting that may be required;
- Business operations for guidance and communications across departments and teams;
- Human resources for facilitating internal communications and assisting with user-centric security policies that may have been violated;
- Public relations expertise from someone who has experience in this area and a prepared message;
- Outside consultants who can provide incident response, forensics and security testing expertise;
- Vendors such as internet service providers (ISPs), cloud service providers and managed security service providers (MSSPs); and
- Business partners that have close technical ties to your environment.
This is a good starting point for building effective communications across the organization. This author would add the following:
- Privacy to provide Subject Matter Experience on privacy regulations and reporting requirements;
- Data Governance to provide Subject Matter Experience on data owners, locations and impact to the organization
- Application owners to provide impact assessments, containment and recovery capabilities
- Business Continuity and Disaster Recovery Teams to help the organization evaluate and mitigate impact from both containment and recovery operations
Documentation
- Documenting the process and presenting that process to stakeholders is a helpful tactic. Getting their input and alignment is also helpful.
- A policy which identifies that reporting incidents is mandatory and the time frame by which those incidents must be reported is helpful.
- Have an Incident Response plan
- Consider starting with simplicity and alignment
- Documenting the evaluation criteria for severity and criticality is helpful
Lessons Learned | Pain Points
- Lean and agile can work.
- Establish communication protocols in advance, this can be quite helpful
- Simple is better than complex and complex is better than complicated.
Citations
Robin Ruefle. 2007. Defining Computer Security Incident Response Teams. Retrieved from https://www.us-cert.gov/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams
Additional Reading
NIST SP 800-61r2 Mitre Cyber Exercise Playbook Key Roles and Responsibilities
