Incident Response Management
NALIT PDS 2018
Mike Norris, Washington
Incident Response

“By failing to prepare, you are preparing to fail.”
Benjamin Franklin
We’ll Cover . . .
➢ Standards
➢ Team
➢ Run books
➢ Exercises
Standards
Standards
[Figure: incident response lifecycle from NIST SP 800-61r2. The four phases are Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity, with lessons learned feeding back into Preparation.]
Incident Management Team
IR Roles and Responsibilities
• Incident Manager
• Incident Technical Team Lead
• Technical Owners
• Subject Matter Experts
• Leadership
• Third Parties
Incident Manager
Accountable for:
• Managing the engagement end to end.
• Developing and updating run books and standards.
• Communication, and following the communication plans.
• Ensuring adequate resources.
• Documentation.
• Evidence collection.
An Incident Manager should not also be the Technical Lead: coordination and communication should not compete with hands-on analysis for the same person’s attention.
Incident Technical Lead
• Leads the technical engagement.
• Coordinates technical activities.
• Advises the Incident Manager on risks and incident severity.
• Coordinates with the Incident Manager on needs and resources.
• Follows the run books and IR plans.
• Gathers the evidence according to standards.
• Assigns tasks and directs team members.
Incident Support
Technology Owner
• Is responsible for their piece of the technology: provides information, does detailed analysis, and executes tasks.
Subject Matter Expert
• Provides guidance and direction on their particular subjects.
• Subjects can include, but are not limited to, the following:
  • Legislative processes
  • Communications
  • Technologies
  • Architecture
  • Training
  • Security
  • Forensics
Leadership
• Leadership are your final decision makers, and leadership will be diverse in a legislative environment.
• It is important to work with leadership to identify their comfort level, their role, and how much they want to be involved.
• Leadership roles include:
  • Risk acceptance
  • Insurance decisions
  • Communication decisions
  • Media decisions
  • Budget decisions
  • Schedule decisions
  • Staff decisions
Third Parties
• Third-party involvement will differ from incident to incident.
• Roles include:
  • Communications
  • Staff augmentation
  • Legal Team and Insurance Team
  • System vendors
  • Security firms
  • Call centers
  • Public Information Officers
  • Other state agencies
  • Internet Service Providers
Processes
Don’t Reinvent the Wheel
• Use what you have:
  • If you have disaster recovery processes that overlap, use them.
  • If you have deployed incident management processes, incorporate them.
  • Use customer communication templates.
• Differences:
  • Knowledge of a cybersecurity incident must be limited to a select, need-to-know few.
  • Evidence must be collected in a manner that could hold up in a court case.
  • Users’ privacy and organization data must be maintained and secured.
  • Processes, plans, and tools must themselves be guarded.
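The slide says evidence must be collected in a way that would hold up in court but does not show how. The practical minimum is to hash every item at acquisition, keep an append-only chain-of-custody record of who held it and when, and re-hash before the evidence is relied on. The following is an added example written for this page, not code from the original deck or from any tool it references; the case ID, custodian names, file names and log line are constructed, and the manifest format (a JSON document beside the evidence) is an assumption.

```python
"""Evidence integrity and chain-of-custody record (added example).

Assumptions, not from the original slides: evidence files sit in one
directory on the collection workstation; the manifest is a JSON file;
case IDs, custodian names and the sample log line are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk or memory images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(evidence_dir, case_id, collector):
    """Hash every file in evidence_dir and open the chain-of-custody record."""
    now = datetime.now(timezone.utc).isoformat()
    items = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            items.append({"file": name,
                          "sha256": sha256_file(path),
                          "size": os.path.getsize(path)})
    return {
        "case_id": case_id,
        "acquired_at": now,
        "items": items,
        # Custody entries are only ever appended, never edited or removed.
        "custody": [{"event": "acquired", "by": collector, "at": now}],
    }


def transfer(manifest, from_person, to_person, reason):
    """Append a hand-off to the custody log and return the manifest."""
    manifest["custody"].append({
        "event": "transferred", "from": from_person, "to": to_person,
        "reason": reason, "at": datetime.now(timezone.utc).isoformat()})
    return manifest


def save_manifest(manifest, path):
    """Persist the manifest as JSON; in practice this copy is itself hashed and signed."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def verify(manifest, evidence_dir):
    """Re-hash each recorded item; return the names that are missing or changed.

    An empty list means every item still matches its acquisition hash.
    """
    bad = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["file"])
        if not os.path.isfile(path) or sha256_file(path) != item["sha256"]:
            bad.append(item["file"])
    return bad


def demo():
    """Constructed scenario: two evidence files, one altered after acquisition.

    Returns (problems_before_tampering, problems_after_tampering, custody_events).
    """
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "auth.log"), "w") as f:  # constructed log line
            f.write("Jan 10 03:12:44 host sshd[2211]: Failed password "
                    "for root from 203.0.113.5 port 51022 ssh2\n")
        with open(os.path.join(d, "memory.raw"), "wb") as f:  # constructed image
            f.write(b"\x00" * 4096)

        m = acquire(d, "IR-2018-0001", "analyst")
        transfer(m, "analyst", "legal-counsel", "litigation hold")
        save_manifest(m, os.path.join(tempfile.gettempdir(), "IR-2018-0001.json"))
        before = verify(m, d)

        # Someone appends to the log after acquisition: verification must catch it.
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("tampered\n")
        after = verify(m, d)
        return before, after, len(m["custody"])


if __name__ == "__main__":
    print(demo())
```

The hash is what lets a reviewer show the item in court is byte-for-byte what was collected; the custody log is what shows who could have touched it in between. Keep the manifest outside the evidence directory and treat it as evidence in its own right.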
Run Books
Why Have Run Books
• Benefits
  • Ensure required activities and steps are followed.
  • Save time and focus efforts.
  • Show legal counsel or auditors the steps you took, or should have taken, in the event of an incident.
• Considerations
  • Start with the common events or threats that cause the most risk.
  • Don’t go into the weeds: stay high level until you have tested your plans.
  • Include any third-party contact information.
  • Make sure you have multiple copies of the plan and that team members can access the plans from offsite locations.
Exercises
IR Exercises
Test your incident response plan at least annually.
• This can be accomplished via tabletop exercises.
• Live exercises can be conducted with the following parameters:
  1. All exercises must have rules of engagement.
  2. No production systems outside the scope of the engagement should be affected.
  3. No data should be corrupted or made irrecoverable.
  4. If the exercise will affect production systems, communicate with customers about what to expect.
• If a real incident occurs during the year, it should be documented and can count as that year’s exercise.
References
• Best practices from CERT
  • https://www.us-cert.gov/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams
• NIST standard
  • https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
• Courses
  • https://digital-forensics.sans.org/training
  • https://www.infosecinstitute.com/courses/incident-response-and-network-forensics-training-boot-camp/
Questions?