
IM Processes: Prepare, Sustain, and Improve

Table of Contents

Notices ........................................................ 2
Incident Management Processes: Prepare/Sustain/Improve ......... 2
Incident Response Starts Before an Incident Occurs ............. 3
Mission of the Prepare Process ................................. 4
The Prepare/Sustain/Improve Process ............................ 5
Who Is Involved in the Prepare/Sustain/Improve Process? ........ 6
Best Practices ................................................. 8
Sample Communications Plan .................................... 10

Page 1 of 10

Notices

Managing CSIRTs (slide 19) © 2020 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.

Incident Management Processes: Prepare/Sustain/Improve

[Slide diagram of the incident management processes: Introduction, Prepare/Sustain/Improve, Protect Infrastructure, Detect Events, Triage Events, Respond]

**005 With incident management processes, there is a collection of subprocesses. The first one we're going to talk about is prepare-sustain-improve.

Incident Response Starts Before an Incident Occurs


**006 Just like building the fire company and starting the fire company before the first fire, incident response starts before that first incident occurs. This diagram shows all of the processes associated with incident management, and we're going to focus on the Prepare part: establishing an incident management capability and process; security awareness training; incident reporting guidelines and forms; notification lists; expertise matrix, and nondisclosure for people who are involved in an event that has certain characteristics; incident handling tools; an incident tracking system; the original media and backups in case you have to rebuild the system; and response policies and procedures. All of these need to be dealt with before you even begin to deal with incidents.

Mission of the Prepare Process

• To create an incident management capability that supports the mission and goals of the constituency

• To improve and/or sustain an existing incident management capability that supports the mission and goals of the constituency

**007 It's important to know you're going with a prepared process. This slide talks about the mission, where you're trying to create an incident management capability that supports the mission and the goals of the constituency. Again, it is vitally important to support where the constituency is trying to go, and then also to improve and sustain an existing capability that also supports those mission and goals of the constituency.

The Prepare/Sustain/Improve Process

Contains a number of subprocesses:

• Coordinate Planning and Design
  - Identify CSIRT requirements
  - Establish CSIRT vision
  - Obtain Sponsorship and Funding for the CSIRT
  - Develop CSIRT Implementation Plan

• Coordinate Implementation
  - Develop CSIRT Policies, Procedures, and Plans
  - Establish CSIRT Incident Management Criteria
  - Deploy Defined CSIRT Resources

• Evaluate CSIRT Capability
  - Conduct Postmortem Review
  - Determine CSIRT Process Modifications
  - Implement CSIRT Process Modifications

**008 The prepare-sustain-improve process consists of these items. Coordinate the planning and the design of the incident management and CSIRT capability, which involves identifying the CSIRT requirements, establishing the vision, obtaining sponsors and funding (and it's really important to have a good quality stream of funding so that the CSIRT doesn't die prematurely), and developing a CSIRT implementation plan. Then once you've gotten to that point, you can coordinate the implementation: developing policies, procedures and plans, establishing the incident management criteria, and then deploying those resources. And finally, evaluating the CSIRT. Is it meeting the needs? Have the needs changed? What needs to change as a result of that? If processes and policies and procedures don't match what the constituency needs, don't hesitate to throw them out and start over again. That's simply the nature of this business. So these are the main points, the main subprocesses, within the Prepare phase.

Who Is Involved in the Prepare/Sustain/Improve Process?

This process may include a variety of different staff with different roles and responsibilities:

• development team (key stakeholders)
• senior managers, business owners/operators
• IT system and network operations staff
• administrative operational staff
• constituency representatives
• CSIRT staff
• other relevant parties, as appropriate
  - legal
  - human resources
  - public relations
  - law enforcement
  - external third-party providers (MSSPs)
  - subject matter experts

**009 Here's a list of people that are likely to be involved in this part of the process. You may have the development team, key stakeholders, senior management. It's always important to have that buy-in, especially from business owners and operators so they know what you're providing, what you're doing and what's going on -- no surprises. You're going to have to have buy-in from the IT system and the network operations staff who you'll work closely with to actually prepare and sustain and improve the network capabilities and the system capabilities used throughout the constituency.

You're going to have administrative operational staff who should be involved; representatives of the constituency. Again, no surprises. Everybody needs to be involved so they know what's going on. The CSIRT staff should be involved, they should all be involved, and other parties that need to be involved are the legal staff within the organization, HR, public relations, perhaps law enforcement, some external third parties like managed security service providers, and finally some subject matter experts that you may bring in under certain circumstances -- for example, malware analysis or forensics. All of these groups of people need to be involved in this process.


Best Practices

Performing incident management as efficiently and effectively as possible may require various decisions to be made ahead of time.

This can include determining if and when
• law enforcement will be involved
• forensics evidence will be collected
• systems can be isolated or shut down

It can also include identifying
• a communications plan
• points of contact with other internal and external groups
• secure communication mechanisms
• data classifications of materials handled

And having access to
• critical system inventory information
• network topologies
• network baselines

**010 When an incident comes along, the whole key is to recover from that incident as quickly as possible, because typically what's the case during an incident is the organization is not functioning in its full capacity and generating revenue at the level that it was used to generating it. So it's important to compress the time as much as is possible of an incident so as to continue the business at hand. So the way to deal with this is to have all of these things in place in advance so that you can, as efficiently, as effectively as possible, handle that incident. In some cases, you can make some of those decisions in advance. For example, are you going to include law enforcement? Are you going to include some forensic examiners who will need to be brought in to collect evidence, if you are in fact going to go in a direction of law enforcement?

What happens with systems that are affected? Are they isolated? Are they shut down? Are they turned off? Are they rebuilt? Someone needs to decide that in most cases, and that probably depends on a system-by-system basis based on the risk analysis of the importance of those systems to the business.

You also need to have a communications plan -- how you get information to people, who gets told, what they get told, et cetera, et cetera. Having points of contact within your organization and to external groups. Having a secure mechanism to communicate -- secure fax, secure telephone, encrypted email communications -- and then classification of the materials to be handled for the data. You also have to know what you're dealing with. What are the critical systems around the constituency? What are the most important? What are less important? What's the topology of the network? If someone broke into System A, it's on a different network from System B; it's less likely that they may be broken into, or more likely, depending on that. And also network baselines. Again, what's normal? You can't tell what's abnormal if you don't know what normal is.

So these things all help to efficiently and effectively deal with an incident, reducing downtime, reducing an update or an upheaval in the economy of the business, in the flow of financial capabilities.
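The three "having access to" items on the Best Practices slide (critical system inventory, network topology, network baseline) become useful during an incident only if they are recorded in a form that can be compared against what is observed. The following is an added example, not course material from Managing CSIRTs: it keeps a constructed inventory (with criticality and network segment per host) and a constructed baseline of normal listening services, then reports what a current snapshot adds or loses relative to that baseline, with unexpected services on critical systems ranked first. Every host name, port and segment below is made up for illustration.

```python
"""Baseline comparison: flag what deviates from the known-normal picture.

Added example, not part of the Managing CSIRTs course material. The inventory,
the baseline and the "current" snapshot are all constructed for illustration;
a CSIRT would populate them from its asset inventory and network monitoring.
"""
from dataclasses import dataclass

# Constructed critical system inventory: host -> criticality and network segment.
INVENTORY = {
    "web-01":  {"criticality": "high",   "segment": "dmz"},
    "db-01":   {"criticality": "high",   "segment": "internal"},
    "hr-app":  {"criticality": "medium", "segment": "internal"},
    "kiosk-7": {"criticality": "low",    "segment": "guest"},
}

# Constructed network baseline: (host, listening port) pairs seen during
# normal operation. This is the "what's normal" the slide asks for.
BASELINE = {
    ("web-01", 443), ("web-01", 22),
    ("db-01", 5432), ("db-01", 22),
    ("hr-app", 443),
    ("kiosk-7", 80),
}


@dataclass(frozen=True)
class Deviation:
    host: str
    port: int
    kind: str          # "new_service" (not in baseline) or "missing_service" (in baseline, gone now)
    criticality: str   # from the inventory; "unknown" when the host is not inventoried
    segment: str


def compare_to_baseline(current, baseline=BASELINE, inventory=INVENTORY):
    """Return deviations between a current snapshot and the baseline.

    New services come before missing ones, and within each group the most
    critical systems come first, so the list reads as a triage order.
    """
    rank = {"high": 0, "medium": 1, "low": 2, "unknown": 3}

    def describe(host, port, kind):
        meta = inventory.get(host, {})
        return Deviation(host, port, kind,
                         meta.get("criticality", "unknown"),
                         meta.get("segment", "unknown"))

    findings = [describe(h, p, "new_service") for h, p in current - baseline]
    findings += [describe(h, p, "missing_service") for h, p in baseline - current]
    findings.sort(key=lambda d: (d.kind != "new_service", rank[d.criticality], d.host, d.port))
    return findings


def hosts_sharing_segment(host, inventory=INVENTORY):
    """Other inventoried hosts on the same network segment as `host`.

    This is the topology question from the slide: if one system is affected,
    which neighbours share its network and need a closer look?
    """
    segment = inventory.get(host, {}).get("segment")
    if segment is None:
        return []
    return sorted(h for h, m in inventory.items() if h != host and m["segment"] == segment)


# Constructed "current" snapshot, as a monitoring tool might produce it:
# an unexpected listener on db-01, hr-app's service gone, and a host that
# is not in the inventory at all.
CURRENT_SNAPSHOT = {
    ("web-01", 443), ("web-01", 22),
    ("db-01", 5432), ("db-01", 22), ("db-01", 8443),
    ("kiosk-7", 80),
    ("unknown-host", 8080),
}

if __name__ == "__main__":
    for d in compare_to_baseline(CURRENT_SNAPSHOT):
        print(f"{d.kind:16} {d.host}:{d.port}  criticality={d.criticality} segment={d.segment}")
    print("same segment as db-01:", hosts_sharing_segment("db-01"))
```

A host that shows up in the snapshot but not in the inventory is itself a finding: the inventory was supposed to be complete, so it is reported with criticality "unknown" rather than silently dropped.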

Sample Communications Plan

Columns: Type of Activity | Organization and POC Information | Timeframe

Critical Incident (incident affecting critical service)
  - CIO Office: CIO POC, Contact Information | immediately
  - Critical Service Business Owner: Business POC, Contact Information | immediately
  - Helpdesk: Helpdesk Contact Info | within 1 hour

PII incident
  - Breach Notification Group: Contact Information | within 1 hour
  - Data owner: POC, Contact Information | immediately
  - Human Resources: Contact Information | Within 24 hours

**011 Communicating to the appropriate parties is very important. So here's a sample communication plan to talk about the type of incidents, who should be notified, and some timeframes in which they could be notified. This is simply an exemplar, but the point is you need to decide, for each type of activity that your CSIRT is going to deal with, who needs to be notified and when they need to be notified, and then have this well known amongst your CSIRT staff and also well known among the constituency so that you are setting expectations. Set those expectations and then meet them.
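The sample plan above is a table of activity type, organization/POC and timeframe. Kept as data rather than as a slide, it can be checked for completeness before an incident and turned into concrete deadlines once one is detected. The following is an added example, not course material: it encodes the course's sample rows, with the contact details left as labelled placeholders (the slide gives none), and provides three operations: validate the plan, compute the notification schedule for a given detection time, and list who is past their deadline and still not notified. The detection timestamp and the filled-in contact strings in the checks are constructed.

```python
"""Communications plan as data: who is notified for which activity, and by when.

Added example, not part of the Managing CSIRTs course material. The rows below
reproduce the course's sample plan; contact strings in angle brackets are
placeholders a real plan must fill in. EXAMPLE_DETECTED_AT is a constructed time.
"""
from datetime import datetime, timedelta

# The slide's timeframes, expressed as deadlines relative to detection.
TIMEFRAMES = {
    "immediately": timedelta(0),
    "within 1 hour": timedelta(hours=1),
    "within 24 hours": timedelta(hours=24),
}

# Sample plan: activity type -> list of (organization, POC/contact, timeframe).
COMMS_PLAN = {
    "critical incident": [
        ("CIO Office", "<CIO POC contact information>", "immediately"),
        ("Critical Service Business Owner", "<business POC contact information>", "immediately"),
        ("Helpdesk", "<helpdesk contact info>", "within 1 hour"),
    ],
    "pii incident": [
        ("Breach Notification Group", "<contact information>", "within 1 hour"),
        ("Data owner", "<POC contact information>", "immediately"),
        ("Human Resources", "<contact information>", "within 24 hours"),
    ],
}

EXAMPLE_DETECTED_AT = datetime(2020, 1, 1, 9, 0)  # constructed detection time


def validate_plan(plan=COMMS_PLAN, timeframes=TIMEFRAMES):
    """Return (activity, organization, problem) for every row that is not ready
    to be relied on: an undefined timeframe or a contact still left as a placeholder."""
    problems = []
    for activity, rows in plan.items():
        for org, contact, tf in rows:
            if tf not in timeframes:
                problems.append((activity, org, f"undefined timeframe {tf!r}"))
            if contact.startswith("<"):
                problems.append((activity, org, "contact information not filled in"))
    return problems


def notification_schedule(activity, detected_at, plan=COMMS_PLAN, timeframes=TIMEFRAMES):
    """Return [(deadline, organization, contact)] for the activity, earliest first.
    Rows with the same deadline keep the order the plan lists them in."""
    rows = plan.get(activity.lower())
    if rows is None:
        raise KeyError(f"no communications plan entry for activity {activity!r}")
    schedule = [(detected_at + timeframes[tf], org, contact) for org, contact, tf in rows]
    schedule.sort(key=lambda row: row[0])
    return schedule


def overdue(activity, detected_at, now, notified, plan=COMMS_PLAN, timeframes=TIMEFRAMES):
    """Organizations whose deadline has passed (deadline <= now) and that are
    not in the set of organizations already notified."""
    return [org for deadline, org, _ in notification_schedule(activity, detected_at, plan, timeframes)
            if deadline <= now and org not in notified]


if __name__ == "__main__":
    for problem in validate_plan():
        print("plan problem:", problem)
    for deadline, org, contact in notification_schedule("PII incident", EXAMPLE_DETECTED_AT):
        print(f"{deadline:%Y-%m-%d %H:%M}  {org}  ({contact})")
    print("overdue after 1h, only data owner notified:",
          overdue("PII incident", EXAMPLE_DETECTED_AT,
                  EXAMPLE_DETECTED_AT + TIMEFRAMES["within 1 hour"], {"Data owner"}))
```

Running validate_plan() on the sample as encoded reports six problems, one per placeholder contact, which is the intended reading: the plan cannot be "well known amongst your CSIRT staff" until every contact field is filled in.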
