Incident Management and Response

ISACA Belgium CERT view 2011


DESCRIPTION

Presentation given at ISACA Belgium in November 2011 at CERT.BE on ISACA's view on CERT


Page 1: ISACA Belgium CERT view 2011

Incident Management and Response

Page 2: ISACA Belgium CERT view 2011

CISO Tasks

1. Develop & implement processes for detecting, identifying, analyzing and responding to information security incidents
2. Establish escalation & communication processes & lines of authority
3. Develop plans to respond to & document information security incidents
4. Establish capability to investigate information security incidents
5. Develop process to communicate with internal parties & external organizations
6. Integrate information security incident response plans with disaster recovery (DRP) & business continuity plan (BCP)
7. Organize, train, equip teams to respond to information security incidents
8. Periodically test & refine information security incident response plans
9. Manage response to information security incidents
10. Conduct reviews to identify causes of information security incidents, develop corrective actions & reassess risk

Page 3: ISACA Belgium CERT view 2011

Definition

What is incident management and response?

• Incident management is the capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits

• Incident response is the operational capability of incident management that identifies, prepares for and responds to incidents to control and limit damage; provide forensic and investigative capabilities; and maintain, recover and restore normal operations as defined in service level agreements (SLAs).

Page 4: ISACA Belgium CERT view 2011

Incident Management and Response Overview

• Purpose = manage impact of unexpected disruptive events to acceptable levels

• Possible disruptions may be
  – Technical
  – Physical
  – Environmental

• Any type of incident that can significantly affect organization’s ability to operate or that may cause damage must be considered by the CISO

Page 5: ISACA Belgium CERT view 2011

Outcomes of Incident Management and Response

• Outcomes of good incident management & response include organization that
  − Can deal effectively with unanticipated events
  − Has sufficient detection & monitoring capabilities
  − Has well defined severity & declaration criteria as well as defined escalation & notification processes
  − Has response capabilities that demonstrably support business strategy
  − Proactively manages risks of incidents appropriately
  − Periodically tests its capabilities
  − Provides monitoring & metrics to gauge performance of incident management & response capabilities

Page 6: ISACA Belgium CERT view 2011

Scope & Charter of Incident Management

• Scope/charter document
  – Formally establishes IMT
  – Documents its responsibility to manage & respond to security incidents

• Sections of charter should include:
  – Mission
  – Scope
  – Organizational structure
  – Information flow
  – Services provided

Page 7: ISACA Belgium CERT view 2011

Responsibilities

• Incident response goals include:
  − Containing effects of incident (damage & losses do not escalate out of control)
  − Notifying appropriate people for purpose of recovery or to provide needed information
  − Recovering quickly & efficiently from security incidents
  − Minimizing impact of info security incident
  − Responding systematically & decreasing likelihood of recurrence
  − Balancing operational & security processes
  − Dealing with legal & law enforcement-related issues

Page 8: ISACA Belgium CERT view 2011

Senior Management Commitment

• Senior management is critical to success of incident management & response

• Incident management & response
  – Is component of risk management
  – Needs same level of support from senior management

Page 9: ISACA Belgium CERT view 2011

Desired State

• Incident management & response requires:
  − Well-developed monitoring capabilities for key controls
  − Personnel trained in assessing situation, capable of providing triage, managing effective responses
  − Managers that have made provisions to capture all relevant information & apply previously learned lessons
  − Managers who
    • Know when disaster is imminent
    • Have well-defined criteria
    • Have experience, knowledge, and authority to invoke disaster recovery processes necessary to maintain or recover operational status

Page 10: ISACA Belgium CERT view 2011

Challenges in Developing an Incident Management Plan

• Challenges may be result of
  − Lack of management buy-in & organizational consensus
  − Mismatch to organizational goals & structure
  − IMT member turnover
  − Lack of communication process
  − Complex & wide plan

Page 11: ISACA Belgium CERT view 2011

Policies and Standards

• Documented set of incident response policies, standards and procedures is important to:
  − Ensure incident management activities are aligned to IMT mission
  − Set correct expectations
  − Provide guidance for operational needs
  − Maintain consistency & reliability of services

Page 12: ISACA Belgium CERT view 2011

Personnel

• IMT usually consists of
  − CISO (who usually leads the team)
  − Steering committee/advisory board
  − Permanent/dedicated team members
  − Virtual/temporary team members

• Composition of incident response staff will vary from team to team & will depend on number of factors such as:
  – Mission & goals of incident response program
  – Nature & range of services offered
  – Available staff expertise
  – Constituency size & technology base
  – Anticipated incident load
  – Severity or complexity of incident reports
  – Funding

Page 13: ISACA Belgium CERT view 2011

Roles and Responsibilities

Page 14: ISACA Belgium CERT view 2011

Roles and Responsibilities (continued)

Page 15: ISACA Belgium CERT view 2011

Roles and Responsibilities (continued)

Page 16: ISACA Belgium CERT view 2011

Skills

Basic skills for incident response team members can be separated into 2 groups:

• Personal skills
  – Communication
  – Presentation skills
  – Ability to follow policies and procedures
  – Team skills
  – Integrity
  – Self understanding
  – Coping with stress
  – Problem solving
  – Time management

• Technical skills
  – Technical foundation skills—Require basic understanding of underlying technologies used by organization
  – Incident handling skills—Require understanding of techniques, decision points & supporting tools required in daily activities

Page 17: ISACA Belgium CERT view 2011

Current State of Incident Response Capability

Ways to identify current state of incident response capability include:

• Survey of senior management, business managers and IT representatives

• Self-assessment

• External assessment or audit

Page 18: ISACA Belgium CERT view 2011

History of Incidents

• Past incidents provide valuable information on trends, types and business impacts
  − Can be used as input for assessment of IMT’s performance
  − Used as input to assessment of types of incidents that must be considered & planned for

Page 19: ISACA Belgium CERT view 2011

Risk Tolerance

• Risk tolerance = same as acceptable risk which must be determined by management

• CISO should be aware that incident management also includes BCP & DRP

• Overall response management = combination of BCP, DRP, continuity of business operations and incident response

Page 20: ISACA Belgium CERT view 2011

Integrating a BIA Into Incident Response

• CISO needs to
  – Oversee development of response & recovery plans* to ensure they are properly designed & implemented
  – Ensure resources required to continue business are identified & recorded
  – Identify & validate response and recovery strategies
  – Obtain senior management approval of strategies
  – Oversee development of comprehensive response & recovery plans

* Should be based on BIA

Page 21: ISACA Belgium CERT view 2011

Integrating RTO & RPO Into Incident Response

• RTO = amount of time allowed for recovery of business function or resource after disaster occurs

• Effective incident management = includes resolving incidents within acceptable interruption window (AIW)

• RPO = measurement of point prior to outage to which data are to be restored

• Describes state of recovery that should be achieved to facilitate acceptable outcomes
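As an added illustration written for this page (not part of the presentation), the Python check below measures an actual outage against the RTO and RPO targets the slide defines. The backup schedule and the incident times are constructed sample data. The `compromise_time` handling goes one step beyond the slide: for a security incident the usable restore point has to predate the compromise, not only the outage, which is why the data-loss window on a security incident is often far wider than the backup interval alone would suggest.

```python
from datetime import datetime, timedelta

# Constructed sample backup schedule (6-hourly); not data from the presentation
BACKUPS = [
    datetime(2011, 11, 14, 0, 0),
    datetime(2011, 11, 14, 6, 0),
    datetime(2011, 11, 14, 12, 0),
    datetime(2011, 11, 14, 18, 0),
]


def usable_restore_point(backups, outage_start, compromise_time=None):
    """Return the most recent backup that can safely be restored, or None.

    For a plain outage that is simply the last backup taken before the outage.
    For a security incident (assumption added here, not stated on the slide) a
    backup taken after the compromise may already contain the attacker's
    changes, so the restore point must also predate compromise_time.
    """
    cutoff = outage_start
    if compromise_time is not None:
        cutoff = min(outage_start, compromise_time)
    candidates = [b for b in backups if b <= cutoff]
    return max(candidates) if candidates else None


def assess_recovery(outage_start, restored_at, restore_point, rto, rpo):
    """Compare measured downtime and data loss against the RTO/RPO targets.

    downtime  = outage start until normal operation is declared (checked against RTO)
    data_loss = gap between the restore point and the outage (checked against RPO)
    """
    downtime = restored_at - outage_start
    data_loss = outage_start - restore_point
    return {
        "downtime": downtime,
        "data_loss": data_loss,
        "rto_met": downtime <= rto,
        "rpo_met": data_loss <= rpo,
    }


def demo():
    """Constructed scenario: same outage assessed first as a plain failure,
    then as a security incident whose root cause was a compromise at 10:00."""
    outage = datetime(2011, 11, 14, 20, 30)
    restored = datetime(2011, 11, 14, 23, 0)
    rto, rpo = timedelta(hours=4), timedelta(hours=8)

    plain = assess_recovery(
        outage, restored, usable_restore_point(BACKUPS, outage), rto, rpo)
    compromised_at = datetime(2011, 11, 14, 10, 0)
    incident = assess_recovery(
        outage, restored,
        usable_restore_point(BACKUPS, outage, compromise_time=compromised_at),
        rto, rpo)
    return plain, incident


if __name__ == "__main__":
    for label, result in zip(("plain outage", "security incident"), demo()):
        print(label, result)
```

In the constructed scenario the plain outage meets both targets (2.5 h of downtime, 2.5 h of data loss), while the same outage treated as a security incident still meets the RTO but fails the RPO, because the only trustworthy backup is the 06:00 one and the data-loss window grows to 14.5 h. That is the kind of gap a BIA-driven review of backup frequency and integrity checking is meant to surface before an incident rather than during one.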

Page 22: ISACA Belgium CERT view 2011

Elements of an Incident Response Plan

• CIAC & SANS Institute propose following incident response phases:
  – Preparation
  – Identification
  – Containment
  – Eradication
  – Recovery
  – Lessons learned

Page 23: ISACA Belgium CERT view 2011

Elements of an Incident Response Plan

Preparation—prepares organization to develop incident response plan prior to incident. Sufficient preparation facilitates smooth execution.

Activities:
• Establishing approach to handle incidents
• Establishing policy & warning banners in information systems to deter intruders & allow information collection
• Establishing communication plan to stakeholders
• Developing criteria on when to report incident to authorities
• Developing process to activate incident management team
• Establishing secure location to execute incident response plan
• Ensuring equipment needed is available

Page 24: ISACA Belgium CERT view 2011

Elements of an Incident Response Plan

Identification—aims to verify if incident has happened & find out more details about incident. Reports on possible incidents may come from information systems, end users or other organizations. Not all reports are valid incidents, as they may be false alarms or may not qualify as incident.

Activities:
• Assigning ownership of incident or potential incident to incident handler
• Verifying reports or events qualify as incident
• Establishing chain of custody during identification when handling potential evidence
• Determining severity of incident & escalating it as necessary

Page 25: ISACA Belgium CERT view 2011

Elements of an Incident Response Plan

Containment—After incident has been identified & confirmed, IMT is activated & information from incident handler is shared. Team will conduct detailed assessment & contact system owner or business manager of the affected information systems/assets to coordinate further action. The action taken is to limit the exposure.

Activities:
• Activating incident management/response team to contain incident
• Notifying appropriate stakeholders affected by incident
• Obtaining agreement on actions taken that may affect availability of a service or risks of the containment process
• Getting IT representative & relevant virtual team members involved to implement containment procedures
• Obtaining & preserving evidence
• Documenting & taking backups of actions from this phase onward
• Controlling & managing communication to public by PR team

Page 26: ISACA Belgium CERT view 2011

Elements of an Incident Response Plan

Eradication—When containment measures have been deployed, it is time to determine root cause of incident & eradicate it. Eradication can be done in number of ways: restoring backups to achieve clean state of system, removing root cause, improving defenses & performing vulnerability analysis to find further potential damage from same root cause.

Activities:
• Determining signs & cause of incidents
• Locating most recent version of backups or alternative solutions
• Removing root cause. In event of worm or virus infection, it can be removed by deploying appropriate patches & updated antivirus software.
• Improving defenses by implementing protection techniques
• Performing vulnerability analysis to find new vulnerabilities introduced by root cause

Page 27: ISACA Belgium CERT view 2011

Elements of an Incident Response Plan

Recovery—ensures affected systems or services are restored to condition specified in RPO. The time constraint is documented in RTO.

Activities:
• Restoring operations to normal
• Validating that actions taken on restored systems were successful
• Getting involvement of system owners to test system
• Facilitating system owners to declare normal operation

Page 28: ISACA Belgium CERT view 2011

Elements of an Incident Response Plan

Lessons learned—At end of incident response process, report should always be developed to share what has happened, what measures were taken & results after plan was executed. Part of report should contain lessons learned that provide IMT & other stakeholders valuable learning points of what could have been done better. These lessons should be developed into plan to enhance incident management capability & documentation of incident response plan.

Activities:
• Writing incident report
• Analyzing issues encountered during incident response efforts
• Proposing improvement based on issues encountered
• Presenting report to relevant stakeholders

Page 29: ISACA Belgium CERT view 2011

Organizing, Training and Equipping the Response Staff

• Every IMT member should get following training:
  − Induction to IMT—basic information about the team and its operations
  − Mentoring re. team’s roles, responsibilities and procedures
  − On the job training
  − Formal training

Page 30: ISACA Belgium CERT view 2011

Recovery Planning and Business Recovery Processes

• DRP is traditionally defined as recovery of IT systems when disastrous events

• BCP is defined as recovery of critical business processes necessary to continue or resume operations.

• Each of these planning processes typically includes several main phases, including:
  – Risk & business impact assessment
  – Response & recovery strategy definition
  – Documenting response & recovery plans
  – Training that covers response & recovery procedures
  – Updating response & recovery plans
  – Testing response & recovery plans
  – Auditing response & recovery plans

Page 31: ISACA Belgium CERT view 2011

Recovery Strategies

• Most appropriate strategy = one that demonstrably addresses probable events with acceptable recovery times at a reasonable cost

• Development of incident management & response plan = difficult & expensive process that may take considerable time
  – development of several alternative strategies
  – prudent to consider outsourcing some or all of the needed capabilities

Page 32: ISACA Belgium CERT view 2011

Incident Management and Response Teams

Number of teams depends upon size of organization & magnitude of operations - examples include:

• Emergency action team
• Damage assessment team
• Emergency management team
• Relocation team
• Security team

Page 33: ISACA Belgium CERT view 2011

Notification Requirements

Plan should include call tree with prioritized list of contacts
• Representatives of equipment & software vendors
• Contacts within companies that have been designated to provide supplies & equipment or services
• Contacts at recovery facilities, including hot site representatives or predefined network communications rerouting services
• Contacts at offsite media storage facilities & contacts within company who are authorized to retrieve media from offsite facility
• Insurance company agents
• Contacts at human resources (HR) & contract personnel services
• Law enforcement contacts

Page 34: ISACA Belgium CERT view 2011

Periodic Testing of the Response and Recovery Plans

Testing must include:
• Developing test objectives
• Executing test
• Evaluating test
• Developing recommendations to improve effectiveness of testing processes as well as response & recovery plans
• Implementing follow-up process to ensure recommendations are implemented

Page 35: ISACA Belgium CERT view 2011

Testing for Infrastructure and Critical Business Applications

• After test objectives have been defined, CISO must:

− Ensure independent third party observer is present to monitor & evaluate the test 

− Implement tracking process to ensure any recommendations resulting from testing are implemented in timely fashion

− Know about disaster recovery testing for infrastructure & critical business applications

Page 36: ISACA Belgium CERT view 2011

Type of Tests

Tests that are progressively more challenging:
• Table-top walk-through of plans
• Table-top walk-through with mock disaster scenarios
• Testing infrastructure & communication components of plan
• Testing infrastructure & recovery of critical applications
• Testing infrastructure, critical applications & involvement of end users
• Full restoration & recovery tests with some personnel unfamiliar with systems
• Surprise tests

Page 37: ISACA Belgium CERT view 2011

Ensuring Execution as Required

• Facilitator or director* is needed to

– Direct tasks within plans

– Oversee plan execution

– Liaise with senior management

– Make decisions as necessary

• Defining appropriate recovery strategies & alternatives is important in overall process

* The CISO often serves as facilitator

Page 38: ISACA Belgium CERT view 2011

Establishing Procedures

If an incident occurs:
– Information security staff needs documented procedures so that information can be properly recorded and preserved
– CISO should develop data/evidence preservation procedures
– Information systems staff must understand basic procedures, including taking no action that could change/modify/contaminate potential or actual evidence

Initial response by system administrator should include:
• Retrieving information needed to confirm incident
• Identifying scope & size of affected environment (e.g., networks, systems, applications)
• Determining degree of loss, modification or damage (if any)
• Identifying possible path or means of attack

Page 39: ISACA Belgium CERT view 2011

Requirements for Evidence

• CISO must know
  – Requirements for collecting & presenting evidence
  – Rules for evidence, admissibility of evidence, and quality and completeness of evidence
  – Consequences of any contamination of evidence following info security incident
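The chain-of-custody point on the Identification slide, "obtaining & preserving evidence" under Containment, and the evidence-contamination and admissibility points on the last two slides all rest on one verifiable record: what was collected, its hash at collection time, and every hand-over since. The Python ledger below is an added example written for this page, not the presenter's material. The evidence bytes, item id and handler names are constructed; hash-chaining the entries is a design choice so that any later edit, reordering or removal of a record is detectable when the log is reviewed.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Tamper-evident chain-of-custody record for one evidence item.

    Each entry stores the hash of the previous entry, so inserting, editing,
    reordering or deleting an entry afterwards makes verify_ledger() fail.
    """

    GENESIS = "0" * 64  # "previous hash" of the first entry

    def __init__(self, item_id, description, data: bytes, collected_by):
        self.item_id = item_id
        self.original_hash = sha256_hex(data)  # hash taken at collection time
        self.entries = []
        self._append("collected", collected_by,
                     f"{description}; sha256={self.original_hash}")

    def _append(self, action, actor, note):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "item": self.item_id,
            "when": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "note": note,
            "prev": prev,
        }
        # The entry hash covers every field above, including the link to the
        # previous entry; sort_keys keeps the serialization deterministic.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, from_actor, to_actor, note=""):
        """Record a hand-over between handlers (the custody chain itself)."""
        return self._append("transfer", f"{from_actor} -> {to_actor}", note)

    def verify_item(self, data: bytes) -> bool:
        """True if the evidence still matches the hash taken at collection."""
        return sha256_hex(data) == self.original_hash

    def verify_ledger(self) -> bool:
        """True if no entry has been altered, reordered or removed."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    image = b"constructed disk image bytes"  # stand-in for a real acquisition
    ledger = CustodyLedger("EV-0001", "laptop disk image", image, "handler A")
    ledger.transfer("handler A", "forensic lab", "sealed bag, courier")
    print("item intact:  ", ledger.verify_item(image))
    print("ledger intact:", ledger.verify_ledger())
```

`verify_item` answers the contamination question on the slide (has the evidence changed since collection?), while `verify_ledger` answers the completeness question (is the record of who held it unbroken?). In practice the collection-time hash would be recorded on the acquisition form and signed, and the ledger kept outside the affected systems so that the same incident cannot corrupt both the evidence and its record.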

Page 40: ISACA Belgium CERT view 2011

Post-event Reviews

• Post-event reviews = critical part of incident management process

• CISO should:
  – Manage post-event reviews to learn from completed tasks & to use information to improve IMT’s response procedures
  – Consider enlisting help of third-party specialists if detailed forensic skills are needed

Page 41: ISACA Belgium CERT view 2011

Contact Information

Mr. Marc Vael
CISA, CISM, CGEIT, CISSP, ITIL Service Manager, Prince2 Foundation

Vice President

ISACA Belgium Chapter

Koningsstraat 109-111

1000 Brussels

Belgium

[email protected]

[email protected]

Page 42: ISACA Belgium CERT view 2011

November 2011
