Incident Response & First Responders. Those of us in information security sales have all taken the call from a client who’s been breached. They’re usually in a bit of a panic: high-pitched voice, short, staccato sentences. The best thing to do is calm them down and advise them that they’ve already taken the best first step, which is to call their information security partner! We’ll throw on our Superman (or Superwoman, I’m not biased) costume and be there in 10 minutes!
Seriously, we’d rather take that panicked call immediately than get the call after their system administrator has been tinkering with the system for the past couple of hours, trying their hand at amateur CSI. By then the crime scene has been trampled all over, and even though the system admin had good intentions, they may have inadvertently spread whatever the hacker planted throughout the entire network.
Some key components to a good Incident Response Plan:
Phase 1 – Preparation and Training
- Establish baseline security levels
- Assign roles and responsibilities
- Train personnel
- Perform day-to-day monitoring
Phase 2 – Identification
- Suspected incident detected
- IRT (Incident Response Team)
- First responder assessment
- Determine type of threat(s)
- Determine affected resources
- Eliminate false positives
Phase 3 – Containment
- Monitor and/or stop hostile activity
- Isolate affected resource(s)
- Ensure integrity of data
- Ensure availability of critical services
Phase 4 – Eradication
- Incident response (IR) manager notified
- IR manager assessment
- Decide appropriate response
- Notify reserve & brief IRT resources
- Perform Incident Response
Phase 5 – Recovery
- Patch
- Alert
- Prosecute
- HR actions
- Return to normal operations
Phase 6 – Report & Follow-up
- Document incident information and brief
- Review and document lessons learned
- Improve policies, guidelines and procedures
- Improve infrastructure as warranted
Notice Phase 1 – Preparation and Training. Having a team trained and prepared to act as First Responders is key when an incident is occurring. And if the situation ever gets to Phase 5 – Recovery and you’re heading into court to potentially prosecute, well, a nice clean, quarantined environment for the Forensic Examiner to do their work doesn’t seem like such a bad idea.
Moral of the story: Know your Incident Response phone # to call and call it quickly. Train your staff on how to respond to an incident. First Responder Training for IT staff can be vital when information security is under attack.
And just think – you won’t be in a panic when you make the call to your security partner, because your First Responders (your own well-trained staff) have kept the incident nicely contained and your evidence preserved for the Forensic Investigation. All the better to get the bad guy!
Now that’s good CSI.
Nancy Sykora
Sr. Account Executive