eBook - ePub
Computer Incident Response and Forensics Team Management
Conducting a Successful Incident Response
- 352 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
Computer Incident Response and Forensics Team Management
Conducting a Successful Incident Response
About this book
Computer Incident Response and Forensics Team Management provides security professionals with a complete handbook of computer incident response from the perspective of forensics team management. This unique approach teaches readers the concepts and principles they need to conduct a successful incident response investigation, ensuring that proven policies and procedures are established and followed by all team members. Leighton R. Johnson III describes the processes within an incident response event and shows the crucial importance of skillful forensics team management, including when and where the transition to forensics investigation should occur during an incident response event. The book also provides discussions of key incident response components.- Provides readers with a complete handbook on computer incident response from the perspective of forensics team management- Identify the key steps to completing a successful computer incident response investigation- Defines the qualities necessary to become a successful forensics investigation team member, as well as the interpersonal relationship skills necessary for successful incident response and forensics investigation teams
Frequently asked questions
Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription.
No, books cannot be downloaded as external files, such as PDFs, for use outside of Perlego. However, you can download books within the Perlego app for offline reading on mobile or tablet. Learn more here.
Perlego offers two plans: Essential and Complete
- Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
- Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, weāve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes! You can use the Perlego app on both iOS or Android devices to read anytime, anywhere ā even offline. Perfect for commutes or when youāre on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app.
Yes, you can access Computer Incident Response and Forensics Team Management by Leighton Johnson in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.
Information
Section 1
Introduction
This section introduces the special needs and requirements for Incident Response and Forensics Teams, their construct and development, the members and staff, and the basic framework for response and forensics teams.
Keywords
Incident response framework
When I started as the corporate Computer Security Manager for a large retail organization 15 years ago, there was no response team, no computer security awareness among the IT staff or senior management, and no driving need to implement any security activities, structures, or requirements for the corporate workers. Everyone from the CEO down thought the computer security situation was someone elseās problem and concernāthe classic ānot my problemā syndrome.
The first task I embarked on as the Computer Security Manager was to educate the senior executives in the need for corporate computer security and the ability to respond to potential threats to the work environment. It took almost a year, but the corporate leadership did finally accept and fund the development of an incident response capability which was that industryās first team specifically designed to handle and manage incidents which affected the day-to-day operations of the organization and its ābottom line.ā
Security Incident Response and Forensics Response Teams (SIR&FT) are needed more today than ever before during the Computer and Internet Era which has developed over the last 40 years. Today, with most security response organizations and vendors reporting an incredible 30,000ā70,000 pieces of new malware being introduced each day, the need for responders and investigators is at an all-time high. Every major corporation, all governmental agencies, and most organizations operating on the Internet, using e-mail, or transacting business online require the ability to respond to an unexpected or malicious attack on their networks and infrastructure just to stay in business, let alone perform their daily tasks safely and securely.
All incidents threaten the business or government organization as a whole. The organizationās primary business process, all its other processes and reputationāthey are all in jeopardy when these incidents strike. Security incident response and management seek to prevent such incidents from happening. And when they inevitably happen, to contain and resolve them, and use the response lessons learned for the next time. Therefore, security incident response and management serve both the primary response process and the organization as a whole.
Since the proliferation of malware is rampant today where the adversary eventually breaches some aspect of a corporationās protective measures, along with the high impact of insider threat issues as evidence by recent Corporate, Intelligence and Defense incidents, the primary focus for the SIR&FT is simple but profound:
1. detect compromise as efficiently as possible;
2. respond to incidents as quickly as possible; and
3. investigate using digital forensics as effectively as possible.
The Incident Response team will become one of your most important development activities as the manager in the first days as you start up the management and oversight of the security incident response team (SIRT) and the Forensics investigation team. The team member makeup, the team charter, the corporate executive officer support, the response criteria, all make the SIRT one of the more important team-building activities you will be responsible for at the start.
These SIR&FT have very specialized management needs in order to accomplish their goals in todayās work and response environments. The SIR&FT need to be constructed with general skills and specialties; however, during the response activity, the skills needed maybe other than originally planned and the Team Manager must change the team members and the skills rapidly to meet the threat and necessary response.
This book introduces the special management needs and requirements for Incident Response and Forensics Teams, how these teams are constructed and developed, the team members and support staff, and the basic framework for managing response and forensics teams. Ensuring that proven policies and procedures are established and followed are manager level responsibilities, along with personnel certifications and levels of expertise. These will be discussed along with Incident Response Team Makeup and Management.
SIR&FT management personnel have many areas of focus to address and requirements to meet. They include:
A. First, ensuring team members are properly hired, trained, and certified. The criticality of the response always will require the best of the best to respond.
B. Second, ensuring the Incident Response Team has the proper unencumbered senior executive level support, authority, and responsibility. Full exposure and support at the top of the corporate leader is needed and required these days in the business world with Sarbanes-Oxley Law (SOX) reporting requirements, industrial espionage threats, and the competitive nature of each industry.
C. Third, proper case management activities are performed, which include:
ā Investigator time and schedule management. Each case requires detailed oversight and management to ensure full accountability and proper actions during the investigation.
ā Quality assurance processes. Ensuring the accuracy of every investigation is often the key to an investigation.
ā Chain of custody procedures. Following the proper methods for evidence collection and analysis is important to the proper prosecution of any case.
ā Change management. Making sure the software, hardware, and tools used during the case activities is vital to providing the legal framework of the case.
ā Final review of all case work. Full review of all of the case details is commonly where the manager can provide the best return on expertise and viability of the case.
D. Fourth, provide the proper response at the proper level for the currently active incident while simultaneously making sure the incident is contained, controlled, repaired, and reported on correctly and in accordance with corporate or organizational policies and guidance.
E. Fifth, ensuring all legal, regulatory, statutory, organizational, and governmental guidance for incident handling and reporting is met within the appropriate time frames.
This book is intended to provide to the SIR&FT manager the answers to the following questions to insure their activities are acceptable, legal, and complete:
a. Have the team members met their objectives?
The objectives may include incident fixed or removed, report been delivered and accepted, security posture improved as result of lessons learned about attack; and many others.
The objectives may include incident fixed or removed, report been delivered and accepted, security posture improved as result of lessons learned about attack; and many others.
b. Is the incident contained and eradicated?
The basic requirement for the security group is to āsecure the data,ā so now the data should be protected and controlled, the issue which prompted the SIRT response completed and the corporate equipment which was ācompromisedā has been either cleaned or removed from operations.
The basic requirement for the security group is to āsecure the data,ā so now the data should be protected and controlled, the issue which prompted the SIRT response completed and the corporate equipment which was ācompromisedā has been either cleaned or removed from operations.
c. Have the users returned to normal business operations?
The operational need for the SIRT is to get the normal business operations back in place and functioning, so always place that as one of the goals for any response.
The operational need for the SIRT is to get the normal business operations back in place and functioning, so always place that as one of the goals for any response.
d. Have all activities been completed in a reasonable amount of time?
Each team member will have a set of tasks to accomplish during the response, so quick completion of these will allow faster response and return to normal operations for the organization and the personnel.
Each team member will have a set of tasks to accomplish during the response, so quick completion of these will allow faster response and return to normal operations for the organization and the personnel.
e. Did the team respond quickly and efficiently?
Ensuring the timing requirements for business recovery needs to be quickly assessed during the initial stages of the response, so all actions by the response team need to be expeditious and complete.
Ensuring the timing requirements for business recovery needs to be quickly assessed during the initial stages of the response, so all actions by the response team need to be expeditious and complete.
f. Was there any time where response actions could have been performed earlier?
Looking at the response effort, the team leader needs to assess if any of the required actions could have been accomplished earlier in the actions, or if any pre-deployed tools would have assisted in the response effort.
Looking at the response effort, the team leader needs to assess if any of the required actions could have been accomplished earlier in the actions, or if any pre-deployed tools would have assisted in the response effort.
g. Were the team memberās skills applicable to incident?
One of the SIRT managerās jobs is to assess the team in reference to the response and see if any additional skills, techniques, or knowledge would have contributed to a quicker and possibly safer resolution to the incident.
One of the SIRT managerās jobs is to assess the team in reference to the response and see if any additional skills, techniques, or knowledge would have contributed to a quicker and possibly safer resolution to the incident.
h. Have team members followed the documented procedures?
Reviewing the generated reports and documentation allows the SIRT manager to verify the proper procedures and techniques were followed during the response.
Reviewing the generated reports and documentation allows the SIRT manager to verify the proper procedures and techniques were followed during the response.
i. Were all activities reported and written down?
All incident response actions need to be documented for after action reports, improvement of skills and abilities, and to place the organization in a strong position to handle any external or potential legal action.
All incident response actions need to be documented for after action reports, improvement of skills and abilities, and to place the organization in a strong position to handle any external or potential legal action.
j. Are team members turning in quality and defendable documentation?
Always making sure all documentation is detailed, direct, and technically strong is a criterion for all SIRT members. Does the report make sense and does it follow the events are both questions to be answered by the SIRT manager.
Always making sure all documentation is detailed, direct, and technically strong is a criterion for all SIRT members. Does the report make sense and does it follow the events are both questions to be answered by the SIRT manager.
k. Is the documentation being produced in correct format?
The SIRT manager has to have a documentation guide for each team member that they must follow during and after an event is responded to by the team.
The SIRT manager has to have a documentation guide for each team member that they must follow during and after an event is responded to by the team.
l. Is all the document content in the report?
The full and complete āpictureā of all of the events making up the incident response need to be recorded and delineated within the final incident report.
The full and complete āpictureā of all of the events making up the incident response need to be recorded and delineated within the final incident report.
m. Are team members performing in an efficient and effective manner?
Utilizing the skills and knowledge each has, the team members have to be evaluated to ensure they performed correctly in the response.
Utilizing the skills and knowledge each has, the team members have to be evaluated to ensure they performed correctly in the response.
n. Are the incident/forensics artifacts controlled through the proper chain of evidence?
The āchain of custodyā for the gathered and retrieved artifacts must be maintained during and after the event for proper handling and so they do not become contaminated during subsequent activities.
The āchain of custodyā for the gathered and retrieved artifacts must be maintained during and after the event for proper handling and so they do not become contaminated during subsequent activities.
o. Are the team members properly certified?
All team members should be professionally certified in their areas of expertise, as well as in the incident handling procedures they use during the response activity.
All team members should be professionally certified in their areas of expertise, as well as in the incident handling procedures they use during the response activity.
p. What are the lessons learned from each incident?
Conducting a ālessons learnedā meeting after the completion of the response always brings new areas for training and skill development for the SIRT which will improve their abilities for the next incident response.
Conducting a ālessons learnedā meeting after the completion of the response always brings new areas for training and skill development for the SIRT which will improve their abilities for the next incident response.
We will discuss all these areas and more as we explore the SIR&FT M...
Table of contents
- Cover image
- Title page
- Table of Contents
- Copyright
- Dedication
- About the Author
- Section 1. Introduction
- Section 2. Definitions
- Part 1: Incident Response Team
- Part 2: Forensics Team
- Part 3: General Management and Team
- Appendix A. References
- Appendix B. Relevant Incident Response and Forensics Publications from Governmental Agencies and Organizations
- Appendix C. Forensics Team Templates
- Index