Incident Response Management NALIT PDS 2018 Mike Norris, Washington


Page 1: Incident Response ManagementTest your incident response plan at least annually. • This can be accomplished via table-top exercises. • Live exercises can be conducted with the following

Incident Response Management

NALIT PDS 2018, Mike Norris, Washington

Page 2: Incident Response

“By failing to prepare, you are preparing to fail.”

Benjamin Franklin

Page 3: We’ll Cover . . .

➢Standards

➢Team

➢Run books

➢Exercises

Page 4: Standards

Page 5: Standards

[Figure: incident response lifecycle from NIST SP 800-61r2 (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity)]

Page 6: Incident Management Team

Page 7: IR Roles and Responsibilities

• Incident Manager
• Incident Technical Team Lead
• Technical Owners
• Subject Matter Experts
• Leadership
• Third Parties

Page 8: Incident Manager

Accountable for:

• Managing the engagement end to end.
• Developing and updating run books and standards.
• Communication and following communication plans.
• Ensuring adequate resources.
• Documentation.
• Evidence collection.

An Incident Manager should not also be the Technical Lead.

Page 9: Incident Technical Lead

• Leads the technical engagement.
• Coordinates technical activities.
• Advises the Incident Manager on risks and incident severity.
• Coordinates with the Incident Manager on needs and resources.
• Follows the run books and IR plans.
• Gathers the evidence according to standards.
• Assigns tasks and directs team members.

Page 10: Incident Support

Technology Owner

• Is responsible for their piece of the technology: provides information, does detailed analysis, and executes tasks.

Subject Matter Expert

• Provides guidance and direction on their particular subjects.
• Subjects can include but are not limited to the following:
  • Legislative processes
  • Communications
  • Technologies
  • Architecture
  • Training
  • Security
  • Forensics

Page 11: Leadership

• Leadership are your final decision makers, and leadership will be diverse in a legislative environment.
• It is important to work with leadership to identify their comfort level, their role and how much they want to be involved.
• Leadership roles include:
  • Risk acceptance
  • Insurance decisions
  • Communication decisions
  • Media decisions
  • Budget decisions
  • Schedule decisions
  • Staff decisions

Page 12: Third Parties

• Third-party involvement will differ from incident to incident.
• Roles include:
  • Communications
  • Staff augmentation
  • Legal Team and Insurance Team
  • System vendors
  • Security firms
  • Call centers
  • Public Information Officers
  • Other state agencies
  • Internet Service Providers

Page 13: Processes

Page 14: Don’t Recreate the Wheel

• Use what you have:
  • If you have disaster recovery processes that overlap, use them.
  • If you have deployed incident management processes, incorporate them.
  • Use customer communication templates.
• Differences:
  • Cybersecurity IR must be kept to a select few, on a need-to-know basis.
  • Evidence must be collected in a manner that could hold up in a court case.
  • Users’ privacy and organization data must be maintained and secured.
  • Processes, plans, and tools must be guarded.
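The deck says evidence must be collected in a manner that could hold up in court and that the technical lead gathers evidence according to standards. The following is an added example, not code from the presentation, of the minimum such a standard usually requires: hash every artifact at collection time, record who collected it and when, seal that record with its own hash, and verify the set later so that a modified, missing or added artifact (or an edited record) is detectable. The directory layout, the `CASE-0001` case id, the collector name and the two sample artifacts are all constructed for the demonstration.

```python
"""Evidence collection with an integrity manifest and chain of custody.

Added example (not from the presentation). Every artifact is hashed at
collection time; the record of who collected it, when, and its digest is
sealed and kept apart from the evidence so later verification can show the
artifacts are exactly what was collected.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large images (disk, memory) need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _artifacts(evidence_dir: Path) -> list:
    """All regular files under the evidence directory, as POSIX-style relative paths."""
    return sorted(p.relative_to(evidence_dir).as_posix()
                  for p in evidence_dir.rglob("*") if p.is_file())


def _body_digest(manifest: dict) -> str:
    """Hash of everything in the manifest except its own seal."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Record a custody entry per artifact, then seal the manifest with its own hash."""
    entries = []
    for rel in _artifacts(evidence_dir):
        path = evidence_dir / rel
        entries.append({
            "path": rel,
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
            "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"case_id": case_id, "artifacts": entries}
    # Seal the record so edits to the manifest itself are detectable.
    # Store the manifest (ideally a signed copy too) outside the evidence directory.
    manifest["manifest_sha256"] = _body_digest(manifest)
    return manifest


def manifest_intact(manifest: dict) -> bool:
    """True if the manifest body still matches its seal."""
    return _body_digest(manifest) == manifest.get("manifest_sha256")


def verify_evidence(evidence_dir: Path, manifest: dict) -> list:
    """Return findings (modified / missing / unlisted artifacts); empty means intact."""
    findings = []
    expected = {e["path"]: e["sha256"] for e in manifest["artifacts"]}
    for rel, digest in expected.items():
        path = evidence_dir / rel
        if not path.is_file():
            findings.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            findings.append(f"modified: {rel}")
    for rel in _artifacts(evidence_dir):
        if rel not in expected:
            findings.append(f"unlisted: {rel}")
    return findings


def demo() -> tuple:
    """Constructed scenario: collect two artifacts, then alter the set after the fact."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        host = root / "host1"
        host.mkdir()
        # Constructed sample artifacts; case id and collector are placeholders.
        (host / "auth.log").write_text(
            "Jan 1 00:00:01 host1 sshd[12]: Accepted publickey for alice\n")
        (host / "memory.raw").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(root, collector="technical lead", case_id="CASE-0001")
        before = verify_evidence(root, manifest)
        # Simulate post-collection tampering: edit one file, delete one, add one.
        (host / "auth.log").write_text(
            "Jan 1 00:00:01 host1 sshd[12]: Accepted publickey for bob\n")
        (host / "memory.raw").unlink()
        (host / "notes.txt").write_text("added later\n")
        after = verify_evidence(root, manifest)
        edited = dict(manifest, case_id="CASE-9999")  # record altered, seal not updated
        return before, after, manifest_intact(manifest), manifest_intact(edited)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the module prints an empty findings list for the freshly collected set, then the three findings after tampering, then `True` and `False` for the sealed and the edited manifest. Hashing alone does not prove custody: the manifest still needs to be stored where the collecting team cannot quietly rewrite it (write-once media, a signed copy held by the Incident Manager, or both), and each hand-off should append a new custody entry rather than overwrite the old one.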

Page 15: Run Books

Page 16: Why Have Run Books

• Benefits
  • Ensure required activities and steps are followed.
  • Save time and focus efforts.
  • Provide legal counsel or auditors the steps you took or should take in the event of an incident.
• Considerations
  • Start with the common events or threats that cause the most risk.
  • Don’t go into the weeds; stay high level until you have tested your plans.
  • Include any third-party contact information.
  • Make sure you have multiple copies of the plan and team members can access the plans from offsite locations.

Page 17: Exercises

Page 18: IR Exercises

Test your incident response plan at least annually.

• This can be accomplished via table-top exercises.
• Live exercises can be conducted with the following parameters:
  1. All exercises must have rules of engagement.
  2. No production systems outside the scope of the engagement should be affected.
  3. No data should be corrupted or irrecoverable.
  4. If the exercise will affect production systems, communicate with customers about what to expect.
• If an incident occurs during the year, it should be documented and can count as an exercise.

Page 19: References

• Best practices from CERT
  • https://www.us-cert.gov/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams
• NIST standard (SP 800-61 Rev. 2, Computer Security Incident Handling Guide)
  • https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
• Courses
  • https://digital-forensics.sans.org/training
  • https://www.infosecinstitute.com/courses/incident-response-and-network-forensics-training-boot-camp/

Page 20: Questions?