You’re going to have a computer security incident. Whether it’s a virus, compromised website, or full-on system compromise, you’ll eventually be forced to react to a security incident in your computing environment. When you find yourself dealing with an incident, you don’t want to be left scrambling. That’s why it’s important to be prepared with an incident response plan.
Before you can define the tactical steps to handle an incident, there are some things you will need in order to be prepared to respond appropriately. At a minimum, you’ll want to do the following:
1. Classify your systems and data. Knowing how to respond to an incident starts with understanding the systems and data that may have been compromised. Build a classification system based on the sensitivity level of the data or system in question. It can be as simple as “Low”, “Medium”, and “High”. You will use this classification to determine how you will respond and with whom you will communicate details of the incident. When classifying your systems and data, you should consider the following:
- Who does the system or data belong to?
- Who will be affected by an incident involving the system or data?
- Are there any legal or regulatory responsibilities associated with the system or data?
- Does the system or data contain trade secrets, personally identifiable information, or other information which may damage your company’s reputation or financial stability if compromised?
- What are the service level targets of the system or data?
2. Identify your response team. Do you know whom you can rely on when faced with a security incident? Do they know you’ll be relying on them? Assemble your team now so you don’t have to decide who will work on the issue while you’re in the middle of a security incident. Your team should understand your environment and possess the skills needed to execute your response plan. If you need to supplement your team with security experts, establish a relationship with a trusted third party now, before you have an incident.
3. Develop a communication plan. Identify with whom your response team will communicate the details of the incident. Consider your corporate communication policies and any legal or regulatory disclosure policies when developing the communication plan.
4. Review your documentation. Periodically review your documentation to ensure it’s up to date and accurate. People’s roles and system configurations change over time; make sure your documentation changes with them. Nothing is more frustrating than being misled by out-of-date documentation when you’re dealing with a potential crisis.
5. Test restores from backup. Depending on the nature of the incident, you’ll likely be faced with a data recovery operation. If you’re not performing test recoveries of your backups, you may be surprised to find that you can’t recover crucial data when you most need it.
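A test recovery is worth little unless it checks what came back. As an added example (not from the original article), the script below restores a tar backup into a scratch directory and verifies every file against a SHA-256 manifest recorded from the known-good source; the same check supports step 4b below, confirming a backup won’t re-introduce compromised files. It assumes GNU coreutils (sha256sum, mktemp); the archive, manifest and sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Scripted test restore (added example, not from the original article).
# Assumes a tar archive plus a SHA-256 manifest recorded from the known-good
# source tree, and GNU coreutils (sha256sum, mktemp). All paths are assumptions.

# make_backup SRC_DIR ARCHIVE MANIFEST
# Archive SRC_DIR and record a checksum manifest of its known-good contents.
make_backup() {
  (cd "$1" && find . -type f -exec sha256sum {} +) > "$3"
  tar -C "$1" -cf "$2" .
}

# test_restore ARCHIVE MANIFEST
# Restore into a scratch directory and check every file against the manifest.
# Returns 0 only if the archive unpacks and every listed file matches; a
# missing, truncated or altered file makes the restore test fail.
test_restore() {
  manifest_data=$(cat "$2") || return 1
  scratch=$(mktemp -d) || return 1
  rc=1
  if tar -C "$scratch" -xf "$1" 2>/dev/null &&
     (cd "$scratch" && printf '%s\n' "$manifest_data" | sha256sum -c --status -)
  then
    rc=0
  fi
  rm -rf "$scratch"
  return $rc
}

# run_demo: constructed scenario. Backup 1 is taken from the known-good tree and
# must pass. Backup 2 is taken after a config file changed (standing in for a
# compromised file) but is checked against the known-good manifest, so it must
# be rejected: restoring it would re-introduce the changed content.
run_demo() {
  work=$(mktemp -d) || return 1
  mkdir -p "$work/src/etc"
  printf 'listen = 443\n' > "$work/src/etc/app.conf"
  printf 'id,name\n1,example\n' > "$work/src/records.csv"
  make_backup "$work/src" "$work/good.tar" "$work/known-good.sha256"
  good=0; test_restore "$work/good.tar" "$work/known-good.sha256" || good=$?
  printf 'listen = 8443\n' > "$work/src/etc/app.conf"   # constructed drift
  tar -C "$work/src" -cf "$work/later.tar" .
  later=0; test_restore "$work/later.tar" "$work/known-good.sha256" || later=$?
  rm -rf "$work"
  [ "$good" -eq 0 ] && [ "$later" -ne 0 ]
}

run_demo && echo "known-good backup restored intact; drifted backup rejected"
```

Run it on a schedule against real backup sets, and treat a failed test restore as an incident in its own right, since it means the recovery you are counting on does not exist.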
Incident Response Framework
Now that your house is in order, it’s time to develop your response plan. The following steps can be used as a framework to guide your response to a security incident. Specific details may vary based on your environment and the nature of the incident.
1. Identify the incident. Consider this the triage step. You’ll want to quickly collect information about the scope of the incident and prioritize your actions accordingly. Determine whether it’s isolated to a single system or impacts a large part of your environment. Understand the sensitivity level of the affected components. (You’ve classified your data and systems, right?) Determine whether the incident could be a false positive. Try to determine the scope of the incident as quickly as possible so you can take action. A swift reaction to an incident can minimize its impact on your organization.
2. Isolate the system. Once you know the scope of the incident, isolate affected systems and data from the rest of your environment. The purpose of this step is to limit the possibility of doing further damage to your environment. You may be tempted at this point to re-image the system or overwrite data from backup in order to rid yourself of the incident completely. You should resist this urge and keep the system and data intact until you completely understand the details of the incident.
3. Determine the details. This is where you dig deep to determine the “How”, “What”, “When”, and “Who” of the attack. With the system and data in isolation, you’ll need to scour the system to try to determine every detail of the incident. Depending on the nature of the incident, the techniques for determining the details can range from leveraging highly sophisticated technical tools to conducting user interviews. It’s important to be thorough in your investigation. The information gathered from this investigation will be the basis of your remediation plan.
4. Restore service. Now that you’ve figured out the details of the incident, you can start the following process to restore service to the affected system.
a. Clean the affected systems and data. This may involve deleting files and reimaging systems.
b. Restore to a known good configuration. Leverage your system backups to restore any affected files and system configurations from known good sources. Be certain backup data won’t re-introduce compromised files or configurations.
c. Implement compensating controls. Install necessary patches, configurations, or other compensating controls to remove any known vulnerabilities.
d. Re-introduce the system. Once the system has been cleaned and remediated, it’s time to put it back in service. Once in service, pay close attention to system metrics and scrutinize any anomalies.
5. Post-mortem. It’s important to do an analysis of the incident and how you responded. This is a great opportunity to review your processes, security tools, system configurations, and user education. Make sure the lessons you’ve learned from the incident make you less likely to be compromised again.
The best way to develop an incident response plan is to assume you’ll have an incident. Know your systems and data, assemble your team of experts, and make sure your processes and documentation are up to snuff. If you find this prospect overwhelming, SAI has the products and services to help.