Considerable damage has been done to organizational reputations and a great deal of information has been lost in organizations that do not have fully effective incident response plans in place. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.
NIST Special Publication 800-61 contains detailed guidelines for creating and running an incident response team.
1. Quick wins: Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.
2. Quick wins: Assign job titles and duties for handling computer and network incidents to specific individuals.
3. Quick wins: Define management personnel who will support the incident handling process by acting in key decision-making roles.
4. Quick wins: Devise organization-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting should also include notifying the appropriate Community Emergency Response Team in accordance with all legal or regulatory requirements for involving that organization in computer incidents.
5. Quick wins: Assemble and maintain information on third-party contact information to be used to report a security incident (i.e., maintain an e-mail address of firstname.lastname@example.org or have a web page http://organization.com/security).
6. Quick wins: Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
7. Configuration/Hygiene: Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.
IR-1, IR-2 (1), IR-4, IR-5, IR-6 (a), IR-8
Incident Response and Disaster Recovery Plans
After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and vulnerabilities the organization faces. These scenarios help ensure that team members understand their role on the incident response team and also help prepare them to handle incidents.
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the incident handling process and how prepared organizations are in the event that an incident occurs. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Incident handling policies and procedures educate workforce members as to their responsibilities during an incident
Step 2: Some workforce members designated as incident handlers
Step 3: Incident handling policies and procedures educate management as to their responsibilities during an incident
Step 4: Incident handlers participate in incident handling scenario tests
Step 5: Incident handlers report incidents to management
Step 6: The organization's management reports incidents to outside law enforcement and the appropriate computer emergency response team, if necessary.