Omar Chaudhry - Cybersecurity Specialist

about - blog - cv

Handling an Incident Response: Crucial Points & Phases

Author Note

“This is my own work, has been done solely by me and is not used for any other purposes other than to show my expertise in the field and inform enthusiasts of the subject. Any other usage is strictly prohibited.” -Omar Chaudhry

Abstract

Incident Response is the backbone to any conflict among an enterprise’s Security Operations Center. In this paper, I address crucial points and phases necessary for an effective way to handle an incident, whether it is a hardware malfunction or a deliberate cyber-attack. Based on the results from the SANS 2018 Incident Response Survey and a deep dive analysis of the common vulnerabilities, I conclude that the most crucial components of an Incident Response require assembling and establishing an Incident Response team, defining the organization’s response to an incident, notifying external agencies, updating policies for the future and containing the damage sustained.

Introduction

Given the increasing number of cyber-attack incidents in many different markets and to many different organizations, organizations have started to realize that their system administrators alone cannot keep their systems safe with the kind of attacks being experienced currently (RICHARD, 2013). This has led many organizations to adopt major security policies as part of their mainstream management policies (Maness & Valeriano, 2015). Furthermore, more laws and regulations require organizations to have better policies to protect their clients' data and general information systems.

Attacks have now become a matter of when and not if it can happen. Before anticipating an attack, the best method of dealing with cyber-related attacks is by avoiding them. However, it is almost impossible to prevent these attacks, as they are always imminent. Preventing the attack and minimizing its impact on the system infrastructure always starts by implementing the policies and security procedures that govern the protection of the organization’s system infrastructure in a meticulous way (Wu & Irwin, 2013). Many reported attacks are initiated or facilitated by employees who have not baselined the network before performing risky system operations, giving leeway to attackers in the process.

Preparation Before an Incident

The security policies and procedures by the organization’s IT department may not be useful if they do not get the support of the top management of the organization (Singer & Friedman, 2014). These policies should have the authorization and support of the management. The security team should also baseline the network, pointing out the vulnerabilities in the system. Such checks should be done by authorized and certified system experts, who will check and install the latest system patches in the system infrastructure (Wright, 2011). All staff should undergo training to use the system efficiently and safely. This training can be supplemented by security policies, such as requiring users and staff to use strong passwords that would be difficult to crack for attackers. Furthermore, the organization should always remind users of the legal consequences of cybercrime. These warnings help the organization to gather pieces of evidence of an attack and pursue criminal prosecutions (Cybersecurity Guidelines and Best Practices for Emergency Services, n.d.). Performance and traffic should be constantly monitored, ensuring that nothing is out of the ordinary.

Any change in user traffic should be reported to the security experts, who will advise on the best approach to prevent attacks that may arise from such activities. All the system logs and logging mechanisms should also be monitored constantly, including the OS system logs and the system intrusion logs (Wu & Irwin, 2013). This will keep all attempted intrusions checked and acted upon if need be. The system's backups and operational procedures should be checked, verifying their operational status and security policies, including the personnel authorized to access them. Backup systems are significant when dealing with cyber-attacks by providing alternative data holding stations as the main system is under attack.

Creating an Incident Response Team

Establishing an Incident Response (IR) team is a vital part of an organization’s preparedness in dealing with a threat that risks the system’s safety. The IR team comprises of different members who have defined roles and responsibilities when handling an incident (Maness & Valeriano, 2015). A fully functional and efficient computer security incidence response team is a process that should be undertaken with care.

This begins with highlighting the objectives of the team, which will give a primer of responsibilities for the different team members. The basic duties of the Incident Response team include monitoring the organization’s systems for breaches, identifying potential breaching locations, and resolving them quickly to avoid and minimize threats to the systems. The team also acts as a common communication platform, where they receive notifications about potential system breaches and distributing important information to the stakeholders on how to best improve the security of the system.

The team is tasked with documenting every security breach attempt and incident, which will guide them in developing improved response procedures. This team is responsible for raising security awareness in the organization, offering training programs for the organization employees who interact with the system as well as the end-users, to ensure that data breach incidences do not occur more frequently. This includes the auditing of the systems for vulnerabilities and penetrations, ensuring that the security features of the systems are up to date and can withstand attempted penetration from outside. After establishing clear objectives and roles of the IR team, the team must be trained. The training includes the handling, security, and access of the critical tools used in their responsibilities without jeopardizing the security of the systems.

Keeping up with new venerability techniques and processes used by hackers is also tantamount to a successful IR team. This allows them to research new patches that will be used in safeguarding the system against such potential attacks (Maness & Valeriano, 2015). The IR team should also research and develop new technologies that will bolster the security of the organization’s systems. This means the team should have access to all the necessary information and communication channels with stakeholders in the company. Other important contacts for the Incident Response team include the internet service provider and the relevant authorities, who will be contacted when an incident occurs in the system. The organization’s legal counsel should help the Incident Response team to use the correct procedures when communicating with law enforcement after an incident, ensuring that it can collect and preserve the evidence of a breach. This will aid in the prosecution of the suspected hackers (RICHARD, 2013).

All emergency information of the system should be stored in a centralized location that is not connected to any network and is offline. One computer might be dedicated as storage for all the system emergency information, including passwords, IP addresses, firewall configuration, copies of system certification keys, emergency contacts, and escalation processes, among other emergency information. These pieces of information must be kept offline and physically secure, probably in the server room, where there is limited access (Lee, 2015). The IR team should be an integral part of an organization’s IT security team, but the structure and membership of the IR team may vary from one organization to another depending on risk management strategies. The aim is to create a system that is greater than the sum of the individual members.

An Incident Response team leader will be in charge of the activities and review the activities of the group. The team leader will also lead the process of changing policies and procedures of dealing with incidences in the future, following previous reviews that may necessitate such changes. Another leading member is the incident lead, who spearheads the team’s responses to an incident. The incident lead assumes total responsibility and leadership through the response to an incident, and all communication about the incident or related events is relayed through them. The nature, style of leadership, and roles of the incident lead may vary from one organization to another and the varying nature of security incidents experienced (Wright, 2011).

Apart from the response team leaders and designated incident leads, other members of the Incident Response team tackle a variety of external factors in their own specialized skillset. The IT contact is in charge of all communications between the incident lead and the rest of the IT group in the organization, ensuring that both teams are working smoothly to resolve an occurring incident. While they may not have the technical expertise to directly handle security breaches, the IT contacts chose the best personnel in the IT department to deal with incidences as they happen (Lee, 2015).

A registered and practicing lawyer who is familiar with Incident Response policies designs the best legal procedures for dealing with an incident that will ensure the lowest possible liability for the organization and the maximum potential to prosecute the attackers. The legal representative ensures that the system check and security upgrades operations do not put the organization in legal jeopardy. Additionally, they ensure that such operations do not violate the agreements and terms of service that the customers had agreed to (Kim, 2014). There could be legal implications of shutting down a system without alerting the customers or failing to shut down the system during an attack leading to a breach and loss of valuable customers’ data. Lastly, a public relations officer is tasked with protecting the public image of the organization. They may not be the face in front of the cameras during media briefings, but they draft the messages that would best portray a positive image of the company (Wright, 2011).

Defining an Incident Response Plan

Once the IR team and their objectives are established, the response plan must be defined. This contains all the processes and procedures that should be followed by the Incident Response team in the event of an incident. Although most of the actions contained in the response plan are executed by the IR team, the IT department should be fully aware of what to do internally in the case of an incident (Kim, 2014). The response plan should be readily accessible to all the team members, with each team member reviewing the plan individually, understanding every part of the plan. This will ensure that in the event of an incident occurring, the right procedures will be followed well, resulting in a more efficient response to the incident that will significantly minimize the damage to the system infrastructure.

The process of handling an incident by the Incident Response team starts with making a complete initial assessment of the incident, communicating the incident, containing the damage and avoiding further risk, identifying the level of compromise suffered by the system, protecting the necessary evidence, notifying external agencies and stakeholders where possible, executing a recovery of the compromised systems, documenting the incident, assessing the damage incurred as a result of the incident and finally reviewing and updating their security policies after the incident (Kent & Dang, 2006).

Post-Incident Communication & Damage Containment

Once the analysis of the perceived threat is determined to be a genuine attack, this should be immediately communicated to the team. The whole team should be made aware of the breach, and any necessary contact with non-members of the team is determined and established. The team determines who needs to be contacted outside the response team and the IT department, such as a departmental manager. This ensures efficient coordination between the different players who will be involved in subverting the attack. The team will determine who needs to be briefed on the incident, depending on the extent of the damage caused (Wright, 2011). This could range from specific individuals in the organization to the entire employees, customers, and other end-users of the system.

The swiftness of the team varies depending on the nature of the attack and the type of organization. However, there are standard practices that are almost consistent in all organizations, such as prioritizing the safety of everyone affected by the attack. After ensuring that no life is endangered, the next step should be safeguarding sensitive data, which will be predetermined by the Incident Response team with the help of the IT officials. The IR team should then focus on securing the organization’s software and hardware components against the attack. Limiting disruption of the systems computing processes is not a priority at this stage, as keeping a system running through an attack could result in greater compromise and loss of data and system resources.

Post-incident, the attackers must know that the IR team is aware of their activities. This helps by identifying the attackers’ entry points into the system and makes it easier for them to be shut out. Next, the team should perform a cost-benefit analysis of shutting down the affected system operations offline versus continuing operations. The IT department should consider building new systems with newer disks and consider keeping the old disks for legal prosecution. The efficiency of the system's recovery will depend on the nature and extent of the compromise suffered by the system. It is necessary to determine whether it will be economical and beneficial to rebuild the affected system or just start building a new system.

For criminal prosecution of the attackers, the team and experienced forensic data analysts have to make multiple copies of the system attacks and dedicate some of the copies for legal purposes. To successfully prosecute cyber-attack cases, it is important to collect and preserve all evidence per the jury's requirements of evidence submission. Every page of the submission document must be dated and signed to meet the basic requirements of admission as evidence in a court of law.

Notifying External Agencies & Updating Policies

External agencies such as law enforcement agencies should be notified if necessary and if they can help with the recovery efforts or with the prosecution of the perpetrators. These external agencies can help with the technical recovery of the affected systems and provide important information about recovery from similar attacks and preventing similar future attacks (Costigan & Hennessy, 2016). In some situations, the media might have to be briefed about the sustained attacks, and this would be the role of the public relations department. The public relations department will strive to maintain a positive organizational image in the public domain (RICHARD, 2013). When the recovery process is complete, the Incident Response policies should be thoroughly reviewed and may be modified to reduce the chances of future attacks. The aim of performing this review is to identify opportunities for improvement of recovery strategies. This may lead to the development of entirely new response management strategies by the Incident Response Team and the organization at large.

Conclusion

Organizations have had difficulties in dealing with cyber-attacks which may override the current recovery policies and systems in place. Most IT and Incident Response teams may overestimate their readiness, limiting the potential of what the Incident Response team can achieve. Challenges may also be experienced in identifying the particular resources that are affected by the incident, as well as performing forensic procedures to unearth those responsible for the breach. However, as long as an Incident Response includes an established IR team, a clearly defined response to an incident, well-informed external agencies, proper damage control, and updated policies for the future, any enterprise can confidently maintain operations with the expectation of an oncoming cyber-attack.

References

Costigan, S. & Hennessy, M. (2016). Cybersecurity: A Generic Reference Curriculum. NATO.

ISBN 978-9284501960.(n.d.). https://www.sans.org/reading-room/whitepapers/analyst/noisy-there-results-2018-incident-response-survey-38660.

27035-2, I. (n.d.). Information technology -- Security techniques -- Information security incident management – Guidelines to plan and prepare for incident response .

Common Vulnerability Scoring System version 3.1 User Guide. (n.d.). https://www.first.org/cvss/v3-1/cvss-v31-user-guide_r1.pdf.

Computer Security Incident Handling Guide . ((2004),). NIST Special Publication 800-61,.

Creating a computer security incident response team: a process for getting started. Retrieved from http:// www.cert.org/csirts/Creating-A-CSIRT.html. ((2006, February 27)).

Cybersecurity Guidelines and Best Practices for Emergency Services. (n.d.). https://eena.org/wp-content/uploads/Cybersecurity-Guidelines-and-Best-Practices-for-Emergency-Services-1.pdf.

Kent, K. C., & Dang, H. ( (2006). ). Guide to integrating forensic techniques into incident response. . NIST. https://doi.org/10.6028/NIST.SP.800-86.

Responding to IT security incidents. ( (2011).). Retrieved from http://technet.microsoft.com/enus/library/cc700825.aspx.

RICHARD, B. (2013. ). THE PRACTICE OF NETWORK SECURITY MONITORING: Understanding Incident Detection and Response. . ISBN 978-1-59327-509-9.

Wright, C. ((2011)). SANS Institute InfoSec Reading Room: Incident Handler’s Handbook. . Retrieved from https://www.sans.org/reading-room/whitepapers/incident/incidenthandlers-handbook-33901.

← back