Incident response: What, why and how Part II

In Part I of this article, we looked at what incident response is and why it is an important aspect of information security for any organization. In this article, the author discusses detailed steps to formulate an incident response plan and also the benefits of outsourcing it.

How to make an Incident Response plan

Establish a team

The first step in creating an incident response plan is to create an Incident Response Team (IRT). An IRT is a multi-disciplinary, multi-departmental response team that provides a structured, formal capability to respond to actual or attempted intrusions into the organization’s IS infrastructure. The IRT includes information security team members as well as representatives from other organizational entities like IT, corporate communications/public relations, legal and human resources.

Other personnel who can be added to the team on an as-needed basis could include system administrators, system developers, database administrators, etc. The mission and scope of the team should be formally established in a charter document, which should also define the reporting relationships of the team, the services it provides and the roles and responsibilities of individual members.

The function of the IRT would be to handle security incidents as they occur, using pre-defined procedures. The team members should ensure that the incident is handled as quickly as possible, and that it does not affect the security of other systems and applications. The team must also have procedures for controlling the release of incident-related information within the organization.

The IRT would also be responsible for creating user awareness on acceptable use and on incident reporting and handling. If considered appropriate, the team may also establish communication channels with external Computer Security Incident Response Teams.

Formulate an incident response procedure

Once a team is established, the next step is to draw out a methodology for handling security incidents. A five-step process for incident handling includes:

  • Prepare: This phase involves
    • establishing the incident handling policy,
    • defining what constitutes an incident,
    • creating user awareness and training on incident reporting and preliminary handling,
    • creating standard procedures for handling common incidents like virus attacks, root compromises, denial of service attacks, etc., and obtaining management approval for them,
    • ensuring that network diagrams and OS and application documentation are up-to-date and readily available,
    • enabling enhanced and secure logging for the infrastructure within the team's purview,
    • ensuring that the organization stays on top of security vulnerabilities.

  • Detect: In this phase, it is confirmed that a suspected event is actually an incident. This can be ensured by different technical and procedural means like firewall and/or IDS logs, confirming a user report on suspicious activity, confirming non-availability of a service, etc. The incident is also classified in this phase based on the severity level, the criticality of the service/system affected and potential business impact. It is important to ensure that all details are gathered and activities carried out are carefully recorded.

  • Respond: The first step in this phase is to make a decision on "protect" or "prosecute". The organization could either decide to stop the incident immediately and restore normal operations or attempt to catch the intruder for legal action.
    The organization will have to weigh the options carefully and make a choice for further action. If the "prosecute" option is chosen, all further actions will have to be performed in a forensically sound manner so that the evidence will later be admissible in court. The organization may also require specialized technical assistance to carry out the evidence gathering and forensic process.

    Once the investigation is carried out, the current intrusion is terminated, and an effort is made to discover how access was obtained and how many systems were compromised. A backup of the affected disk and/or configuration should be taken for detailed later analysis of the incident. If an external entity has been attacked from the organization’s systems, that entity must also be notified of the incident.

  • Recover: After all information on the incident is gathered, the affected systems are restored to normal operation. This may require rebuilding the operating system from scratch from original media, restoring the pre-incident configuration of a device and re-loading data from backup tapes.

    The vulnerability that was used to gain access is also fixed, which could involve installing an operating system or application patch, changing user passwords and enforcing good password practices, turning off an unnecessary service or implementing an additional security technology as a countermeasure.

    The whole process, including each of the steps followed, should be documented and an incident report should be produced from it.

  • Lessons learned: The incident report prepared earlier should be reviewed by both the IRT and the Security Manager for ideas for improvement, such as modifying security guidelines, improving user security awareness, modifying security policy and procedures, or modifying security incident response procedures. A summary of the report should also be presented to management.
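The Respond step above asks for a backup of the affected disk taken in a forensically sound manner, and the Detect step asks that every activity be carefully recorded. The script below is an added example, not part of the original article: it takes a bit-for-bit image of the affected storage, proves the image matches the source by SHA-256, and appends a chain-of-custody line for the incident report. It assumes GNU coreutils (dd, sha256sum, date) and that the source is readable without errors; the function and log names are the author's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): forensic acquisition of
# affected storage with hash verification and a chain-of-custody record.
# Assumes GNU coreutils. With a drive that has unreadable sectors, dd is
# normally run with bs=512 conv=noerror,sync; the padded image would then
# no longer hash equal to the source, so that case is not handled here.

# acquire_image SOURCE IMAGE LOGFILE HANDLER
#   SOURCE  - device or file to image (a regular file also works)
#   IMAGE   - output path for the raw image
#   LOGFILE - chain-of-custody log; one line is appended per acquisition
#   HANDLER - name of the person performing the acquisition
# Prints the SHA-256 of the verified image; returns 1 if hashes differ.
acquire_image() {
    src="$1"; img="$2"; log="$3"; handler="$4"

    # Hash the source before copying, so any later change is detectable.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)

    # Block-level copy; the source is only ever opened for reading.
    dd if="$src" of="$img" bs=4M status=none

    img_hash=$(sha256sum "$img" | cut -d' ' -f1)

    # Source and image must hash identically or the image is not faithful.
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source=$src_hash image=$img_hash" >&2
        return 1
    fi

    # Custody record: when (UTC), who, what, where, and the verified hash.
    printf '%s\t%s\tacquired\t%s\t%s\tsha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$handler" "$src" "$img" "$img_hash" \
        >> "$log"

    echo "$img_hash"
}

# verify_image IMAGE EXPECTED_HASH
#   Re-checks an image against the hash recorded at acquisition time;
#   run before analysis to show the evidence has not been altered.
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}
```

The image should be written to media separate from the affected system, and the custody log kept with the incident report so the recorded hash can be re-verified later.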

Benefits of outsourcing

Security service providers offer both proactive services, such as policy development, vulnerability assessment and remediation, and advisory services, and ad hoc assistance, including telephone or on-site response to customers’ security incidents.

The value proposition that commercial service providers bring to the table includes:

  • Depth of experience, having responded to multiple incidents on multiple customer sites
  • Breadth of experience, having worked at multiple customer sites and hence having been exposed to different kinds of systems, network configurations and attack methods
  • Specialized skill sets with experience in a wide variety of applications, operating systems and also forensic tools
  • Better ability to hire, train and retain security and forensics personnel

Security service providers can help organizations develop and implement incident response policy and procedures and also provide response team personnel. Organizations can augment their own security staff with services from a security service provider to build additional expertise and specialized skills. A mix of internal and outsourced efforts can provide the best protection cost-effectively.

Copyright 2003-2004 Net ProActive Services. All Rights Reserved.