Great to have you back for this week’s discussion on incident response plans. Take a moment to read the below transcript from a recent call from an end user to the IT department:
IT: IT — how may I help you?
User: I think I just opened a file I shouldn’t have.
IT: Can you explain what happened?
User: I was trying to download this oh-so-cute kitty cat desktop wallpaper because I just love cats. You know, I have five cats, and they’re my life. I just love—
IT: Okay, you love cats — what happened?
User: Anyway, I downloaded this wallpaper file and clicked on it, and then my screen started going crazy, and now it says I need to pay bitcoins — whatever those are — to somebody. Is that bad?
IT: Oh no… Um… Uh… Hold on a minute. (Technician starts Googling “what to do when a ransomware infection occurs.”)
Can we all agree this is not a good situation and is something that should never occur? Good. Since we’re all on the same page, why is this such a bad situation? It’s bad because when an incident occurs, time is of the essence. We need to react immediately to identify the problem and isolate it so the infection cannot spread.
How Does an Incident Response Plan Benefit Us?
We have incident response plans so we can quickly address security incidents and eliminate the threat as quickly as possible. Okay, that’s great, but why is it such a big deal? We can always just restore from a backup and be up and running in a few hours. You may be able to do that, but during those few hours of downtime, what is affected? Is your company missing service level agreements (SLAs) with customers because of this? Is your company unable to produce its product during the outage, creating a loss of revenue? We need the ability to respond to security incidents like a well-oiled machine to protect three things:
- Our data and our clients’ data, such as PHI, PII, and PCI.
- Our organization’s reputation and customer trust.
- Revenue: If we are losing revenue, that impacts the stability of the organization.
In short, an incident response plan helps us eliminate threats quickly and effectively, which helps us protect data, reputation, and revenue.
What Does an Incident Response Plan Consist Of?
It’s been established that we need an incident response plan, but what does it consist of, and is that all we need? You will need an actual incident response plan that lists each step and how to carry it out. For example, during the isolation process, your plan may state something like this:
- When isolating infected workstations, they should be left powered on with the network cables removed and all network adapters disabled within the operating system.
- When isolating infected virtual servers, a C-level executive must give permission to isolate a server. Once permission is granted, the virtual network adapter of the virtual server will be disabled within the operating system, and the server’s virtual network adapter will be connected to the quarantine VLAN. The virtual server is to remain powered on.
- When isolating infected physical servers, a C-level executive must give permission to isolate a server. Once permission is granted, the network cable will be removed from the physical host and the host’s network adapter will be disabled from within the operating system. The server is to remain powered on.
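As an added example (not code from the original post), here is a PowerShell containment script that applies the three isolation rules above on the affected host: it refuses to touch a server without a named C-level approver, disables every active network adapter inside the operating system without powering the host off, and appends what it did to an incident response form. The asset type names, the form path, the incident ID and the approver parameter are assumptions; pulling the physical cable and moving a virtual server’s adapter to the quarantine VLAN happen outside the guest and are recorded only as a note.

```powershell
# Added example: OS-side isolation step from the plan above (assumed names and paths).
# Requires the NetAdapter module (Windows 8 / Server 2012 and later) and local admin rights.
function Invoke-PlanIsolation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Workstation', 'VirtualServer', 'PhysicalServer')]
        [string]$AssetType,

        # Name of the C-level executive who approved isolation; required for servers.
        [string]$ApprovedBy,

        # Incident response form: one CSV row per action taken (assumed path).
        [string]$FormPath = 'C:\IR\incident-form.csv',

        # Ticket or case number for this incident (assumed format).
        [Parameter(Mandatory)]
        [string]$IncidentId
    )

    # Plan rule: servers (virtual or physical) may only be isolated with C-level permission.
    if ($AssetType -ne 'Workstation' -and [string]::IsNullOrWhiteSpace($ApprovedBy)) {
        throw "Plan requires C-level approval before isolating a $AssetType; pass -ApprovedBy."
    }

    # Plan rule: the host stays powered on; only the adapters are disabled inside the OS.
    $adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
    foreach ($nic in $adapters) {
        if ($PSCmdlet.ShouldProcess($nic.Name, 'Disable network adapter')) {
            Disable-NetAdapter -Name $nic.Name -Confirm:$false
        }
    }

    # Record the step on the incident response form for legal/insurance and lessons-learned use.
    $entry = [pscustomobject]@{
        Timestamp        = (Get-Date).ToString('o')
        IncidentId       = $IncidentId
        Host             = $env:COMPUTERNAME
        AssetType        = $AssetType
        ApprovedBy       = if ($ApprovedBy) { $ApprovedBy } else { 'n/a (workstation)' }
        Responder        = "$env:USERDOMAIN\$env:USERNAME"
        AdaptersDisabled = ($adapters.Name -join ';')
        Note             = 'Host left powered on per plan; cable removal / quarantine VLAN move done outside the OS'
    }
    $entry | Export-Csv -Path $FormPath -Append -NoTypeInformation
    return $entry
}

# Example usage (dry run): Invoke-PlanIsolation -AssetType Workstation -IncidentId 'IR-0001' -WhatIf
```

Run it from the local console or out-of-band management, since disabling the adapters drops any remote session; -WhatIf lists the adapters it would touch without changing anything.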
NIST (National Institute of Standards and Technology) has created some guidelines to help you create an incident response plan, which can be found here, beginning in section 3 (page 21). In the image below, you can see how NIST illustrates the incident response lifecycle.
Once you have an incident response plan created, the next step is to create an incident response form. This form is very much like the plan, in that it outlines each step, but it also provides space for incident responders to document the results of each step. The purpose of these forms is twofold. They document all actions that took place during the incident in case insurance or any legal actions come into play. They are also used during the lessons-learned or after-action meeting, where the response is critiqued to verify that the incident response plan is meeting the organization’s needs and to look for ways to prevent the same incident from recurring.
Lastly, you’ll need a call list. This is a list of everyone on the incident response team (IRT) and all C-level executives who may be called upon for permission or key decisions that must be made.
If you’d like to learn more about the incident response process, it’s covered in the CompTIA CySA+ certification course at Linux Academy.
Incident Response Practice and Improving Security
Now that we’ve identified why we need an incident response plan and how to create one, we’re all done, right? Not quite. Remember: Incident response is what firemen do when responding to a fire and paramedics do when responding to a vehicle accident. In order to be efficient at incident response, we must practice.
One way to practice is to perform tabletop exercises where the entire IRT comes to the table and walks through an incident. Each step is documented in the incident response form as the exercise is played out. Later, the team comes back together for a lessons-learned meeting and reviews the incident response form to ensure the response was adequate, to check whether the incident response plan is meeting the needs of the organization, and to ask whether this incident could be prevented in the future. If you’re in need of some ideas for tabletop exercises, NIST can help with that as well in this document: Appendix A provides some questions to answer as well as several scenarios to practice.
Incident Response Wrap-Up
In the last few articles, we’ve talked about using vulnerability scanning to see what vulnerabilities are in your infrastructure, which most of the time leads directly to patching. We then dove into the importance of data backups, and into passwords and policies such as using MFA and proactively identifying compromised passwords, to help secure your infrastructure. Incident response is a big topic, and we’ve just scratched the surface here. For those of you operating without an incident response plan, I hope this post helped shine some light on how important they are. For those of you who already have a plan, be sure to keep practicing with your IRT to ensure you’re ready when the cybercriminals come knocking!