Incident Response Planning
Incident response planning deals with the identification of, classification of, and response to an incident. Attacks are only classified as incidents if they are directed against an information asset; have a realistic chance of success; or could threaten the confidentiality, integrity, or availability of information resources. Incident response (IR) is the set of activities taken to plan for, detect, and correct the impact of an incident on information resources. IR consists of the planning, detection, reaction, and recovery. Planning for an incident requires a detailed understanding of the scenarios developed for business continuity. Predefined responses enable the organization to react quickly and effectively to the detected incident. The IR team consists of those individuals who must be present to handle the systems and functional areas that can minimize the impact of an incident as it takes place. The designated IR teams act to verify the threat, determine the appropriate response, and coordinate the actions necessary to deal with the situation.
Individuals sometimes notify systems administrators, security administrators, or their managers of an unusual occurrence. The most common occurrence is a complaint about technology support, which is often delivered to the help desk. The mechanisms that could potentially detect an incident include host-based and network-based intrusion detection systems, virus detection software, systems administrators, and even end users. Only by carefully training the user, the help desk, and all security personnel on the analysis and identification of attacks can the organization hope to quickly identify and classify an incident. Once an attack is properly identified, the organization can effectively execute the corresponding procedures from the IR plan. Incident classification is the process of examining a potential incident, or incident candidate, and determining whether the candidate constitutes an actual incident.
Possible indicators of incidents are presence of unfamiliar files, presence or execution of unknown programs or processes, unusual consumption of computing resources, unusual system crashes, activities at unexpected times, presence of new accounts, reported attacks, etc.
Incident reaction consists of actions outlined in the IR plan that guide the organization in attempting to stop the incident, mitigate the impact of the incident, and provide information for recovery from the incident. In reacting to the incident, there are actions that must occur quickly, including notification of key personnel and documentation of the incident. Most organizations maintain alert rosters for emergencies. An alert roster contains contact information for the individuals who should be notified in an incident. There are two types of alert rosters: sequential and hierarchical. A sequential roster is activated as a contact person calls each and every person on the roster. A hierarchical roster is activated as the first person calls a few other people on the roster, who, in turn, call a few other people, and so on. The incident is documented as an incident to ensure that the event is recorded for the organization’s records in order to know what happened, how it happened, and what actions were taken. A critical component of incident reaction is to stop the incident or contain its scope or impact. Before an incident can be contained, the affected areas of the information and information systems must be determined. In general, incident containment strategies focus on two tasks: stopping the incident and recovering control of the systems. The organization can stop the incident and attempt to recover control through different strategies. If the incident originates outside the organization, the simplest and most straightforward approach is to cut the affected circuits. Compromised accounts or server(s) should be disabled. Only as a last resort should there be a full stop of all computers and network devices in the organization. The bottom line is that containment consists of isolating the channels, processes, services, or computers and removing the losses from that source of the incident.
To recover from the incident, people must stay focused on the task ahead and make sure that necessary personnel begin recovery operations as per the IR plan. Incident damage assessment determines the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just after an incident. Related to the task of incident damage assessment is the field of computer forensics. Computer forensics is the process of collecting, analyzing, and preserving computer-related evidence. Evidence is a physical object or documented information that proves an action that has occurred or identifies the intent of a perpetrator. Computer evidence must be carefully collected, documented, and maintained to be acceptable in formal or informal proceedings.
Assume that you have been tasked by your employer to develop an incident response plan. Create a list of stakeholders for the IR planning committee. For each type of stakeholder, provide the reasons for inclusion and the unique aspects or vision that you believe each of these stakeholders will bring to the committee.
After reviewing the above materials or other materials you find helpful, write a 3- to 5-page paper describing the stakeholders on the IR planning committee. Provide a detailed discussion for the skills needed for each of these members of the IR planning committee and why these skills are needed to have a successful IR plan.