Basic Incident Response Plan
I thought I’d share with everyone a diagram I created when asked to present a general overview of incident response. First, let me define what it is.
Incident response is the practice of detecting a security breach, containing it to minimize damage to the organization, eradicating the cause, recovering operations, and investigating what happened. On computer systems this can be a daunting task requiring many staff hours and a variety of software tools. What follows is an overview of a response effort.
Once an intrusion detection system has flagged a breach of the network’s protective measures or an intruder’s malicious code, a decision has to be made: do the damages warrant legally pursuing the attacker, or is the organization better served by eliminating the problem and recovering operations as quickly as possible? Some institutions would argue that it is more cost-effective to simply eliminate the problem and recover. Look at it this way: if someone steals a candy bar from a department store, is it worth calling the police and going to court? Probably not. But if a $300 gaming system goes missing from storage every week, an investigation is certainly needed.
Regardless of which path is chosen, the responder needs to isolate the affected area, document every aspect of the discovery phase, remove infected systems from the production network, and eliminate any active threats. Isolation and documentation come first even when prosecution is not planned: evidence that is not preserved at the start cannot be recreated later, and the decision to involve law enforcement may change as the true scope of the breach becomes clear.
Incident Response Overview
I created the flow chart below to highlight the overall process of incident response. Depending on the severity of the breach, a company may decide to bypass the “Pursue Attacker” branch and go straight to recovering operations as quickly as possible.
Incident Response Investigation
Should an organization decide to pursue charges against a hacker who unlawfully penetrated its network, evidence must be handled with the utmost care. The first step is to determine whether a crime has in fact been committed. If an intrusion is confirmed and damages have been incurred, notify law enforcement. Next, identify the extent of the attack and isolate the infected systems for evidence gathering; disconnecting them from the network rather than powering them off preserves volatile data such as running processes and open connections. Always document every command and step taken during the discovery process, with timestamps, for the investigator; the same record establishes the chain of custody for anything collected. Once the investigation is complete and valid evidence has been obtained, restoration of the attacked machines can begin.
Most organizations that operate a network of computers will have redundant backup systems, and restoring lost data and recovering machines will often rely on them. It is not uncommon to keep a distribution image of a system, with operating system hardening and other protective measures already applied, so that a computer can be rebuilt from scratch quickly. The more difficult approach is to manually clean the infection left by an attacker, with no certainty that everything the attacker left behind has been found.
The next step is to evaluate the forensic evidence and determine the source of the intrusion. This allows the network security officers to patch the exploited vulnerability and improve the defensive controls. The distribution image, network administration procedures, and security configuration documentation should all be revised to incorporate the new safeguards and prevent a recurrence of the incident. Finally, reporting the vulnerability to the appropriate software vendors and information security channels improves the collaborative defense against attacks.
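As an added example that is not part of the original post, here is a small POSIX shell wrapper for the “isolate, then document every command” steps above: each command a responder runs is logged with a UTC timestamp, its exact arguments and exit status, its output is saved to a file, and every file’s SHA-256 goes into a manifest that can be re-verified later. The command list, directory layout and function names are my assumptions; collection is ordered most-volatile first, and tools that are missing on the host are logged as skipped rather than aborting the run. It does not itself isolate the host (pulling the cable or adding a firewall rule is site-specific); it is the record-keeping that accompanies that step.

```shell
#!/bin/sh
# Added example (not from the original post): an evidence-collection wrapper
# for the "document every command taken during discovery" step.
# Assumptions: POSIX sh, a writable temp directory, and that the commands in
# ir_collect_volatile may or may not exist; missing ones are logged as skipped.
set -u

# Portable SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
ir_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

ir_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# ir_init [dir]: create the case directory and open the action log and the
# hash manifest. Every later step appends to these two files.
ir_init() {
    IR_CASE_DIR="${1:-${TMPDIR:-/tmp}/ir_case_$(date -u +%Y%m%dT%H%M%SZ)}"
    IR_LOG="$IR_CASE_DIR/actions.log"
    IR_MANIFEST="$IR_CASE_DIR/manifest.sha256"
    mkdir -p "$IR_CASE_DIR"
    : > "$IR_LOG"
    : > "$IR_MANIFEST"
    printf '%s case opened host=%s responder=%s dir=%s\n' \
        "$(ir_now)" "$(uname -n)" "$(id -un)" "$IR_CASE_DIR" >> "$IR_LOG"
}

# ir_run <label> <cmd> [args...]: run one command, keep its full output in
# <label>.txt, and record the UTC time, exact command line, exit status and
# output hash so the investigator can reproduce and verify the step.
# The wrapper itself always returns 0 so a failing tool does not stop the
# collection; the tool's own exit status is in the log.
ir_run() {
    label="$1"; shift
    out="$IR_CASE_DIR/$label.txt"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s SKIPPED (not installed) cmd=%s\n' "$(ir_now)" "$*" >> "$IR_LOG"
        return 0
    fi
    ts="$(ir_now)"
    "$@" > "$out" 2>&1 && rc=0 || rc=$?
    printf '%s rc=%s cmd=%s -> %s\n' "$ts" "$rc" "$*" "$out" >> "$IR_LOG"
    printf '%s  %s\n' "$(ir_hash "$out")" "$out" >> "$IR_MANIFEST"
    return 0
}

# ir_collect_volatile: gather data in order of volatility, most transient
# first (processes and network state before logged-in users and static
# system details). The list is an assumption; extend it per platform.
ir_collect_volatile() {
    ir_run 01_date      date -u
    ir_run 02_processes ps -ef
    ir_run 03_sockets   ss -tanp      # Linux; skipped elsewhere
    ir_run 04_netstat   netstat -an   # BSD/macOS or older Linux
    ir_run 05_users     who
    ir_run 06_uname     uname -a
    ir_run 07_id        id
}

# ir_close: hash the action log itself so later edits to the record are
# detectable too.
ir_close() {
    printf '%s case closed\n' "$(ir_now)" >> "$IR_LOG"
    printf '%s  %s\n' "$(ir_hash "$IR_LOG")" "$IR_LOG" >> "$IR_MANIFEST"
}

# ir_verify: re-hash every file in the manifest; returns 1 on any mismatch.
ir_verify() {
    while read -r want path; do
        [ "$(ir_hash "$path")" = "$want" ] || return 1
    done < "$IR_MANIFEST"
    return 0
}

# ir_count_steps: number of commands recorded (run or skipped) in the log.
ir_count_steps() { grep -c ' cmd=' "$IR_LOG"; }

# Stand-alone use: collect, close, verify, and report where the evidence is.
ir_init
ir_collect_volatile
ir_close
ir_verify && echo "manifest verified: $IR_MANIFEST"
```

Hand the investigator the whole case directory together with the log and manifest; anyone can later re-run `ir_verify` (or `sha256sum -c manifest.sha256`) to show that the collected files are unchanged since collection.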
I hope you enjoyed this overview and have a better understanding of the general practices of incident response.
Don’t forget to be vigilant and report any suspicious activity, including activity that could possibly come from within the organization.