Critical Control 18: Incident Response Capabilities
Last Updated: 2011-10-28 11:11:19 UTC
by Mark Baggett (Version: 2)
Some time ago I was brought in to help an organization create their Incident Response Team. Working together we defined an incident response procedure, assigned the various roles and responsibilities, worked with executive management to ensure the appropriate supporting policies and controls were in place and 'let her rip'. A few people in the management team had initially commented that they didn't see a need for all of the formality as the organization had never experienced even a minor breach in security. The first few months went by and everything seemed to be working fine. The head of the Incident response team wrote up a summary of all the incidents for the last thirty days and distributed it to all employees at the end of each month. Most of the incidents were pretty innocuous. A virus infection here or there, a targeted web attack that was thwarted by mod_proxy, or other malicious but minor deviations from the norm. Then, on the third month, someone reported a corporate laptop was lost by an employee. I'm told that after that report was distributed to all employees, the email account that was designated for reporting incidents got two separate emails asking if they should be reporting lost or stolen company assets. They were told yes. The following month 5 laptops were reported lost or stolen. The next month 6 laptops were reported lost of stolen. Over the first year of the incident response teams existence 2.5 laptops were reported lost or stolen every month. Prior to having an incident response team the organization had "never had a laptop lost or stolen". So was the creation of an IRT (Incident Response Team) responsible for the theft of all those laptops? Of course not! If you don't measure risk you can't manage it. If you don't have a formal process for capturing and responding to incidents you will not know they are occurring. No matter your size, you should have internal incident response capabilities. As they say, a failure to plan is a plan for failure. Here are some tips for ensuring the success of your organizations incident response capabilities.
Write down your incident handling procedures. If it is written down then it is easier to explain to the business why your are doing what you are doing in the heat of battle. If you don't have a written procedure you can use the NIST guideline as a framework. http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf
Document the roles and responsibilities of people on your incident response team. This will often include representatives from Legal, Human Resources, Public Relations, Compliance your Executive Sponsor and the usual suspect in the networking and information technology engineering groups along with your security team.
Management support is critical to the success of most business initiatives. It is especially important when dealing with potentially politically explosive issues that are often associated with security incidents. Maintaining excellent and frequent communications with your executive management is critical to the success of your team.
Establish requirements for all personnel to report suspicious incidents to the incident response team.
Generate a regular report that summarizes the incidents that have occurred and how you handled them. Distribute the report to all employees in the organization.
Require all incident responders to report in within a predefined amount of time once an incident has been declared. Periodically test the team to make sure everyone can be reached in a timely manner. Once you have your team together, conduct training exercises with various scenarios that test the teams ability to access and identify evidence on various systems throughout the networks they are responsible for protecting.
If you would like more information here are some helpful resources:
Mark Baggett - Handler on Duty