Incident Response Management
NALIT PDS 2018, Mike Norris, Washington
“By failing to prepare, you are preparing to fail.”
Benjamin Franklin
Incident Response
We’ll Cover . . .
➢ Standards
➢ Team
➢ Run books
➢ Exercises
Standards
Figure: incident response lifecycle from NIST SP 800-61r2 (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity).
Incident Management Team
• Incident Manager
• Incident Technical Team Lead
• Technical Owners
• Subject Matter Experts
• Leadership
• Third Parties
IR Roles and Responsibilities
Incident Manager
Accountable for:
• Managing the engagement end to end.
• Developing and updating run books and standards.
• Communication and following communication plans.
• Ensuring adequate resources.
• Documentation.
• Evidence collection.
An Incident Manager should not also be the Technical Lead.
Incident Technical Lead
• Leads the technical engagement.
• Coordinates technical activities.
• Advises the Incident Manager on risks and incident severity.
• Coordinates with the Incident Manager on needs and resources.
• Follows the run books and IR plans.
• Gathers the evidence according to standards.
• Assigns tasks and directs team members.
Technology Owner
• Is responsible for their piece of the technology – provides information, does detailed analysis, and executes tasks.
Subject Matter Expert
• Provides guidance and direction on their particular subjects.
• Subjects can include but are not limited to the following:
  • Legislative processes
  • Communications
  • Technologies
  • Architecture
  • Training
  • Security
  • Forensics
Incident Support
Leadership
• Leadership is your final decision maker, and leadership will be diverse in a legislative environment.
• It is important to work with leadership ahead of an incident to identify their comfort level, their role, and how much they want to be involved.
• Leadership roles include:
  • Risk acceptance
  • Insurance decisions
  • Communication decisions
  • Media decisions
  • Budget decisions
  • Schedule decisions
  • Staff decisions
Third Parties
• Third-party involvement will differ from incident to incident.
• Roles include:
  • Communications
  • Staff augmentation
  • Legal team and insurance team
  • System vendors
  • Security firms
  • Call centers
  • Public Information Officers
  • Other state agencies
  • Internet Service Providers
Processes
Don’t Recreate the Wheel
• Use what you have:
  • If you have disaster recovery processes that overlap, use them.
  • If you have deployed incident management processes, incorporate them.
  • Use customer communication templates.
• Differences:
  • Knowledge of a cybersecurity incident must be contained to a select few.
  • Evidence must be collected in a manner that could hold up in a court case.
  • Users’ privacy and organization data must be maintained and secured.
  • Processes, plans, and tools must be guarded.
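The evidence requirement above (collected in a manner that could hold up in court) is the one point on this slide that code can demonstrate. The minimum a technical lead needs at acquisition time is a record of what was taken, by whom, when, and a cryptographic hash of each artifact, so that any later change to an artifact or to the record itself is detectable. The following Python is an added example and is not part of the presentation; the case ID, the collector address, and the two artifact files are constructed for the demo.

```python
"""Evidence intake manifest: hash each collected artifact, record who collected
it and when, and verify later that nothing changed.

Added example, not from the original slide deck. Case ID, collector and the
sample artifacts in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB blocks so a disk or memory image is not read into RAM at once


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(case_id: str, collector: str, artifacts: list[Path]) -> dict:
    """One record per artifact, hashed at acquisition time.

    The manifest body is hashed as well, so editing the record (not just an
    artifact) after collection is also detectable.
    """
    items = [
        {"name": p.name, "size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(artifacts)
    ]
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(manifest: dict, directory: Path) -> list[str]:
    """Return a list of problems; an empty list means every artifact and the
    manifest record still match what was collected."""
    problems = []
    recorded = dict(manifest)  # shallow copy so the caller's manifest is untouched
    claimed = recorded.pop("manifest_sha256", None)
    body = json.dumps(recorded, sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() != claimed:
        problems.append("manifest record altered")
    for item in manifest["items"]:
        p = directory / item["name"]
        if not p.exists():
            problems.append(f"{item['name']}: missing")
        elif sha256_file(p) != item["sha256"]:
            problems.append(f"{item['name']}: hash mismatch")
    return problems


def demo() -> dict:
    """Constructed artifacts in a temp dir: clean verify, then tamper with an
    artifact, then tamper with the manifest record itself."""
    with tempfile.TemporaryDirectory() as d:
        directory = Path(d)
        (directory / "auth.log").write_text(
            "Jan 1 00:00:01 host sshd[1]: Accepted publickey for svc\n"  # constructed log line
        )
        (directory / "memory.raw").write_bytes(os.urandom(4096))  # stand-in for a memory image
        manifest = build_manifest("CASE-0001", "analyst@example.gov", list(directory.iterdir()))
        clean = verify_manifest(manifest, directory)
        # Post-collection modification of one artifact.
        with (directory / "auth.log").open("a") as f:
            f.write("Jan 1 00:00:02 host sshd[1]: Failed password for root\n")
        tampered_file = verify_manifest(manifest, directory)
        # Someone edits the record of who collected the evidence.
        edited = dict(manifest)
        edited["collector"] = "someone.else@example.gov"
        tampered_manifest = verify_manifest(edited, directory)
    return {"clean": clean, "tampered_file": tampered_file, "tampered_manifest": tampered_manifest}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest would be written to write-once media or signed by the collector, and the hashing is repeated by whoever receives the evidence; the check above is what that receiver runs.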
Run Books
Why Have Run Books
• Benefits
  • Ensure required activities and steps are followed.
  • Save time and focus efforts.
  • Provide legal counsel or auditors the steps you took or should take in the event of an incident.
• Considerations
  • Start with the common events or threats that cause the most risk.
  • Don’t go into the weeds; stay high level until you have tested your plans.
  • Include any third-party contact information.
  • Make sure you have multiple copies of the plan and team members can access the plans from offsite locations.
Exercises
IR Exercises
Test your incident response plan at least annually.
• This can be accomplished via table-top exercises.
• Live exercises can be conducted with the following parameters:
  1. All exercises must have rules of engagement.
  2. No production systems outside the scope of the engagement should be affected.
  3. No data should be corrupted or irrecoverable.
  4. If the exercise will affect production systems, communicate with customers about what to expect.
• If an incident occurs during the year, it should be documented and can count as an exercise.
References
• Best practices from CERT
  • https://www.us-cert.gov/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams
• NIST standard (SP 800-61 Rev. 2)
  • https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
• Courses
  • https://digital-forensics.sans.org/training
  • https://www.infosecinstitute.com/courses/incident-response-and-network-forensics-training-boot-camp/
Questions?