16 Dec Essentials of Incident Response: 01. Preparation – People
This blog series has been updated here.
In the first post of this series, I gave an overview of the steps associated with the IR process. Starting with this post, I will cover each one in more depth, and identify topics for further development. If you have particular topics that you’d like to have on that list, please drop me a note at rdavidson AT Syncurity DOT net. I’d love to hear from you!
— “Fortune favors the prepared mind” 
While it may not seem to be a step in the response process, Preparation is key to success in the steps that follow, and is critical for an effective response. If you pay attention to this one before you’re in the middle of an incident, you’ll be able to respond more quickly and effectively in the midst of chaos. This is also where you’ll implement most of the lessons learned when you work on that last process step.
Keep in mind that the goal of incident response is always to get back up and running (securely) as soon as possible while keeping all your stakeholders’ interests safe. It’s also important for the organization to demonstrate that it is following a standard of due care. As the general population becomes more aware of breaches and the need for a response, and as organizations install technology to alert them of intrusions more quickly, this will be especially important.
Preparation takes different forms as it affects different aspects of the process, so let’s use a common taxonomy — people, process, and technology, keeping in mind that they are interrelated. The first is the most important, so I’ll devote this entry to that one; we’ll cover process and technology in the next post.
The first aspect of the Preparation phase is identifying and assigning roles and responsibilities. In practice, the specific tasks performed during a response to a particular incident will depend on other factors, such as the severity of the incident, the details of the environment, and tools you have available. However, it’s still possible to proactively specify some general areas of responsibility and assign people to them. Generally, it’s a good idea to keep the official team as small as possible and add particular players as appropriate. Teams can also be organized in different models, depending on the organization – centralized, distributed, federated, or even virtual. The important metric is that the model works for the organization using it.
Some possible roles include
- Team leader – this role can conceivably be played by one of the other members of the team, but it’s critical to identify a point person. During the heat and stress of an incident is not the time to insist on consensus; someone must be identified as the accountable point of contact.
- Helpdesk personnel – because many responses will involve dealing with the end user(s), it’s a good idea to have a someone from the help desk team identified as a point of contact. In the case of a central IR team responsible for multiple sites, deskside support at the remote site(s) can be tasked to collect data, reimage computers, reinstall software, etc.
- System administrator(s) – depending on the IT organization, and the details of the incident, this could include firewall, mail, web, IDS and other administrators.
- Corporate security, legal, human resources, public relations and other corporate functions – their actual involvement will depend on the situation, but the representatives should be identified in advance. Where incidents have legal ramifications, the team should follow proper chain of custody procedures, and only authorized personnel should perform interviews or examine evidence.
- Business partner(s) – IT is an enabling function, and a cyber incident will inevitably affect the core business that it enables. Accordingly, a point of contact in each supported business area should be identified, for communication and decision-making on the part of the business. Proactively establishing this line of communication will save heartache down the road, and not just in emergencies.
- External partners – this can include supply chain partners, external legal counsel, third-party responders, and/or law enforcement. They won’t be part of every incident, but especially in the case of law enforcement, it’s well worth the time to create and nurture these relationships before you need them. If you don’t have a connection with your local/regional Infragard chapter, for instance, you may be missing out on important information and alerts.
- Subject matter experts – Depending on the depth of response desired, and the resources available, SMEs can provide deep technical information and support for IR. Examples of SMEs include host forensic analysts, network forensic analysts, firewall and IDS/IPS analysts, malware analysts and reverse engineers. Many organizations choose to outsource these skills, remembering that the primary goal of response is to get the business back up and running quickly and securely.
Not all these players will be involved in every incident, but each of them needs to know his/her role and responsibility when duty calls. Regular practice, in the form of exercises 2-3 times/year, is key to maintaining readiness. Exercises should be realistic and varied so that responses don’t become rote.
All the people involved in the process should be trained in their respective areas of expertise, so they can function as a team. In addition, the team members should be good communicators. “At no time is it more important for people to be communicating and formulating a shared perspective than when a crisis occurs. The uninterrupted flow of actionable knowledge in times of crisis is an imperative to ensure human safety and community, corporate, and organizational resilience.” 
In the next installment, I will discuss the processes and technologies that are essential to the preparation phase of the incident response process. Your comments and feedback are welcome.
 One popular translation of “Dans les champs de l’observation le hasard ne favorise que les esprits préparés.” From Louis Pasteur’s lecture at Université Lille, 7 December 1854.
 “Outsourcing Incident Response Communications to Improve Operational Resilience” http://www.scribd.com/doc/3678071/Outsourcing-IncidentResponse-Communications-A-Managed-Services-Approach.
Copyright 2014, Ray Davidson and Syncurity Networks.