According to a recent survey of incident responders by the SANS Institute (Torres, 2014), the lack of formal incident response (IR) plans and defined team structures is a primary roadblock to efficient handling of security incidents. In this series, I will discuss the components of an IR plan and what you can do to better prepare your company for the inevitable.
The incident response process can be divided into individual steps, as described by numerous authorities including NIST (Cichonski, Millar, Grance, & Scarfone, 2012) and SANS. I will use the SANS terminology in this series. According to that nomenclature, the 6 steps are
- Preparation – In an ideal world, these are actions taken prior to exposure to a hostile environment, such as the Internet. Most companies already operate in a hostile environment – they have both an Internet presence and employees (i.e., insider threats) – but these activities will still increase the effectiveness of the remaining steps, and raise the level of security maturity.
- Identification – Most organizations experience “events” all the time. These can be anything from pings and port scans to spear phishing attacks. The critical activity in this step is the determination that an “event” should be classified as an “incident”. This decision depends on the business, and I will discuss some of the considerations in a future post.
- Containment – Once you have determined that there is an incident – something is amiss in your environment – the first priority is to prevent it getting worse. In EMT terms, “stop the bleeding”. In some instances, you may choose to pause at this step to observe the actions of an intruder before going on to the next step. The primary goal at this point is to gain control over the situation.
- Eradication – The goal of this step is to completely remove any activity related to the intrusion from your environment. As malware and malicious activity becomes more sophisticated, this step is becoming more difficult, and the level of effort required may be extreme (e.g. “Nuke from high orbit” may no longer be a reliable solution.) The “persistent” aspect of the APT can make this step a challenge.
- Remediation – This step goes beyond removal of the infection, to restoring the environment to its original functionality. It may also be appropriate to add defensive controls to avoid a repeat of the incident and/or to provide quicker alerts.
- Lessons Learned – Not surprisingly, this step is frequently skipped, but it is critical to improving your organization’s security posture. One model for this step is the process used by military organizations (Combined Arms Command, Department of the Army, 1993). The goal is to gather any useful information from the most recent engagement and implement improvements so that the team can respond more effectively next time.
Over the next several weeks, I will address each step in the process more completely, and flesh out some of the details. The best IR process is one that is customized to your organization, but these basics will give you a good start toward addressing some of the biggest gaps in your process.
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, August). Computer Security Incident Handling Guide. SP800-61 rev2 . US Dept of Commerce. Retrieved 11 16, 2014, from http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
Combined Arms Command, Department of the Army. (1993, September 30). A Leader’s Guide to After Action Reviews. Retrieved November 16, 2014, from http://www.au.af.mil/au/awc/awcgate/army/tc_25-20/tc25-20.pdf
Torres, A. (2014, August). Incident Response: How to Fight Back. (J. Williams, Ed.) Retrieved from http://www.sans.org/reading-room/whitepapers/incident/incident-response-fight_35342