Week 8

Organizing the Computer Security Incident Response Team (CSIRT)

• CSIRT is a group of individuals who respond to incidents, selected based on skills and access privileges
• Different CSIRT subteams can be formed based on scope and type of incident
• Training members can occur through national training programs, conferences, and mentoring-type training

Creating IR Contingency Strategies

• Plan how to respond to various incidents, with strategies varying greatly depending on the circumstances
• General categories of strategies include:
  • Protect and forget
  • Apprehend and prosecute

Developing the Incident Response (IR) Plan

• The IR plan includes general sections on:
  • Identification
  • Response
  • Containment and eradication
  • Recovery
• Incident classification involves evaluating organizational events and identifying possible indicators of an incident, such as:
  • Presence of unfamiliar files
  • Presence of unknown programs or processes
  • Unusual consumption of computing resources
  • Unusual system crashes
• Probable indicators of an incident include:
  • Activities at unexpected times
  • Presence of new accounts
  • Reported attacks
  • Notification from IDS
• Definite indicators of an incident include:
  • Use of dormant accounts
  • Modified or missing logs
  • Presence of hacker tools
  • Notifications by a partner or peer
  • Notification by hacker
• Response actions include:
  • Notification
  • Documenting the incident
  • Interviewing individuals involved

Containment and Eradication

• Containment strategies include:
  • Disabling compromised user accounts
  • Reconfiguring firewall to block problem traffic
  • Temporarily disabling compromised process or service
  • Taking down the conduit application or server
  • Stopping all computers and network devices

Recovery

• Recovery involves:
  • Informing appropriate human resources
  • Assessing the full extent of the damage
  • Beginning recovery operations based on the IR plan
  • Steps include:
    • Identifying and resolving vulnerabilities
    • Restoring data
    • Restoring services and processes
    • Restoring confidence across the organization
  • After-action review

Ensuring Plan Testing, Training, and Exercises

• Five strategies to test contingency plans include:
  • Desk check
  • Structured walk-through
  • Simulation
  • Parallel testing
  • Full interruption
  • War gaming

IR Plan Maintenance

• The IR plan should be periodically reviewed, every one year or less
• Shortcomings should be noted, and deficiencies may come to light based on:
  • After-action reviews
  • Use of the plan for actual incidents
  • Use of the plan for simulated incidents
  • Review during periodic maintenance
• Revise the plan to correct deficiencies