Section 1
Introduction
This section introduces the special needs and requirements for Incident Response and Forensics Teams, their construct and development, the members and staff, and the basic framework for response and forensics teams.
Keywords
Incident response framework
When I started as the corporate Computer Security Manager for a large retail organization 15 years ago, there was no response team, no computer security awareness among the IT staff or senior management, and no driving need to implement any security activities, structures, or requirements for the corporate workers. Everyone from the CEO down thought the computer security situation was someone else’s problem and concern—the classic “not my problem” syndrome.
The first task I embarked on as the Computer Security Manager was to educate the senior executives in the need for corporate computer security and the ability to respond to potential threats to the work environment. It took almost a year, but the corporate leadership did finally accept and fund the development of an incident response capability which was that industry’s first team specifically designed to handle and manage incidents which affected the day-to-day operations of the organization and its “bottom line.”
Security Incident Response and Forensics Response Teams (SIR&FT) are needed more today than ever before during the Computer and Internet Era which has developed over the last 40 years. Today, with most security response organizations and vendors reporting an incredible 30,000–70,000 pieces of new malware being introduced each day, the need for responders and investigators is at an all-time high. Every major corporation, all governmental agencies, and most organizations operating on the Internet, using e-mail, or transacting business online require the ability to respond to an unexpected or malicious attack on their networks and infrastructure just to stay in business, let alone perform their daily tasks safely and securely.
All incidents threaten the business or government organization as a whole. The organization’s primary business process, all its other processes, and its reputation are all in jeopardy when these incidents strike. Security incident response and management seek to prevent such incidents from happening and, when they inevitably happen, to contain and resolve them and apply the response lessons learned the next time. Therefore, security incident response and management serve both the primary response process and the organization as a whole.
Since the proliferation of malware is rampant today, with the adversary eventually breaching some aspect of a corporation’s protective measures, and given the high impact of insider threat issues as evidenced by recent corporate, intelligence, and defense incidents, the primary focus for the SIR&FT is simple but profound:
1. detect compromise as efficiently as possible;
2. respond to incidents as quickly as possible; and
3. investigate using digital forensics as effectively as possible.
Building the Incident Response team will be one of your most important development activities as the manager in the first days, as you start up the management and oversight of the security incident response team (SIRT) and the forensics investigation team. The team member makeup, the team charter, the corporate executive officer support, and the response criteria all make the SIRT one of the more important team-building activities you will be responsible for at the start.
These SIR&FT have very specialized management needs in order to accomplish their goals in today’s work and response environments. The SIR&FT need to be constructed with general skills and specialties; however, during the response activity, the skills needed may be other than originally planned, and the Team Manager must change the team members and their skills rapidly to meet the threat and the necessary response.
This book introduces the special management needs and requirements for Incident Response and Forensics Teams, how these teams are constructed and developed, the team members and support staff, and the basic framework for managing response and forensics teams. Ensuring that proven policies and procedures are established and followed is a manager-level responsibility, along with personnel certifications and levels of expertise. These will be discussed along with Incident Response Team Makeup and Management.
SIR&FT management personnel have many areas of focus to address and requirements to meet. They include:
A. First, ensuring team members are properly hired, trained, and certified. The criticality of the response always will require the best of the best to respond.
B. Second, ensuring the Incident Response Team has the proper unencumbered senior executive level support, authority, and responsibility. Full exposure and support at the top of the corporate leadership is needed and required these days in the business world, with Sarbanes-Oxley Act (SOX) reporting requirements, industrial espionage threats, and the competitive nature of each industry.
C. Third, proper case management activities are performed, which include:
■ Investigator time and schedule management. Each case requires detailed oversight and management to ensure full accountability and proper actions during the investigation.
■ Quality assurance processes. Ensuring the accuracy of every investigation is often the key to an investigation.
■ Chain of custody procedures. Following the proper methods for evidence collection and analysis is important to the proper prosecution of any case.
■ Change management. Making sure that changes to the software, hardware, and tools used during the case activities are controlled and documented is vital to providing the legal framework of the case.
■ Final review of all case work. Full review of all of the case details is commonly where the manager can provide the best return on expertise and viability of the case.
D. Fourth, provide the proper response at the proper level for the currently active incident while simultaneously making sure the incident is contained, controlled, repaired, and reported on correctly and in accordance with corporate or organizational policies and guidance.
E. Fifth, ensuring all legal, regulatory, statutory, organizational, and governmental guidance for incident handling and reporting is met within the appropriate time frames.
This book is intended to provide to the SIR&FT manager the answers to the following questions to ensure their activities are acceptable, legal, and complete:
a. Have the team members met their objectives?
The objectives may include the incident being fixed or removed, the report having been delivered and accepted, the security posture being improved as a result of lessons learned about the attack, and many others.
b. Is the incident contained and eradicated?
The basic requirement for the security group is to “secure the data,” so by now the data should be protected and controlled, the issue which prompted the SIRT response should be resolved, and the corporate equipment which was “compromised” should have been either cleaned or removed from operations.
c. Have the users returned to normal business operations?
The operational need for the SIRT is to get the normal business operations back in place and functioning, so always place that as one of the goals for any response.
d. Have all activities been completed in a reasonable amount of time?
Each team member will have a set of tasks to accomplish during the response, so quick completion of these will allow faster response and return to normal operations for the organization and the personnel.
e. Did the team respond quickly and efficiently?
The timing requirements for business recovery need to be assessed quickly during the initial stages of the response, so all actions by the response team need to be expeditious and complete.
f. Was there any time where response actions could have been performed earlier?
Looking at the response effort, the team leader needs to assess whether any of the required actions could have been accomplished earlier in the response, or whether any pre-deployed tools would have assisted in the response effort.
g. Were the team members’ skills applicable to the incident?
One of the SIRT manager’s jobs is to assess the team in reference to the response and see if any additional skills, techniques, or knowledge would have contributed to a quicker and possibly safer resolution to the incident.
h. Have team members followed the documented procedures?
Reviewing the generated reports and documentation allows the SIRT manager to verify the proper procedures and techniques were followed during the response.
i. Were all activities reported and written down?
All incident response actions need to be documented for after action reports, improvement of skills and abilities, and to place the organization in a strong position to handle any external or potential legal action.
j. Are team members turning in quality and defendable documentation?
Always making sure all documentation is detailed, direct, and technically strong is a criterion for all SIRT members. Whether the report makes sense and whether it follows the sequence of events are both questions to be answered by the SIRT manager.
k. Is the documentation being produced in the correct format?
The SIRT manager has to have a documentation guide for each team member that they must follow during and after every event the team responds to.
l. Is all the required document content in the report?
The full and complete “picture” of all of the events making up the incident response needs to be recorded and delineated within the final incident report.
m. Are team members performing in an efficient and effective manner?
The team members have to be evaluated to ensure they applied the skills and knowledge each has correctly during the response.
n. Are the incident/forensics artifacts controlled through the proper chain of evidence?
The “chain of custody” for the gathered and retrieved artifacts must be maintained during and after the event for proper handling and so they do not become contaminated during subsequent activities.
o. Are the team members properly certified?
All team members should be professionally certified in their areas of expertise, as well as in the incident handling procedures they use during the response activity.
p. What are the lessons learned from each incident?
Conducting a “lessons learned” meeting after the completion of the response always brings new areas for training and skill development for the SIRT which will improve their abilities for the next incident response.
We will discuss all these areas and more as we explore the SIR&FT M...