Activity 11.1 Incident Severity Classification

Case Study: Your company is experiencing a prolonged DDoS attack on one of its crucial public-facing web applications. The attack is preventing the company from selling its services to customers. Every day the attack is causing a loss of nearly two million. The attack is coming from multiple sources simultaneously. As you have exhausted all your options, you are now searching for a third party to manage the incident response.

  • Classify the incident
  • Assign categorical ratings for functional impact, economic impact, recoverability effort and information impact

Incident Classification

The scope of an incident's impact can be defined as both the degree of impairment caused to an organisation and the effort required to recover from the incident. As the DDoS attack is causing significant economic impact, lacks a clear timeframe for resolution and requires engaging a third party, the impact of this incident is high.

Categorical Ratings

Category | Rating | Justification
--- | --- | ---
Functional Impact | High | While under DDoS attack, the company has been completely unable to sell its products and provide services to its users.
Economic Impact | High | The economic loss is estimated at over 2 million per day, which clears the NIST threshold of $500,000 per day. Since the DDoS attack is ongoing with no clear remediation ahead, the company will experience significant losses.
Recoverability Effort | Extended | The time to recover from this attack is not predictable. As in-house capabilities have been exhausted, the company is now searching for a third-party provider to assist. Hiring a third party will also increase the costs associated with the incident.
Information Impact | None | As the attack is a DDoS attack, availability is the main affected aspect of the business. No information has been exfiltrated at this point.

Activity 11.2 Incident Response Phases

In this activity, I will identify the correct phase of the incident response process which corresponds to each of the following:

Activity | Phase
--- | ---
Conducting a lessons learned review session. | Post-incident activity
Receiving a report from a staff member about a malware infection. | Detection and analysis
Upgrading a firewall to block a new type of attack. | Preparation
Recovering normal operations after eradicating an incident. | Containment, Eradication, Recovery
Identifying the attackers and attacking systems. | Containment, Eradication, Recovery
Interpreting log entries using a SIEM in order to identify a potential incident. | Detection and analysis
Assembling the hardware and software required to conduct an incident investigation. | Preparation

Activity 11.3 Develop an Incident Communications Plan

In this exercise I will imagine I am a CSIRT leader for a large e-commerce website. The website has experienced a security incident where attackers used SQL injection attacks to steal transaction records from the backend database. In response to this incident, I will develop a communications plan to outline the methods for responding to all relevant stakeholders.

Stakeholders

XYZ company has several stakeholders, both internal and external, which will need to be informed of the data breach. Each stakeholder group requires a different approach to communicating information regarding the breach: the timing, content and channels will differ for each group. Internal stakeholders which will need to be informed, in order of priority, are: executive management, board members, the legal team, the IT department, the communications department and the remainder of employees. External stakeholders which will need to be informed, also in order of priority, are: suppliers involved in the breach, shareholders, consumers and the general public.

Internal Stakeholders

A brief overview of the intended approach to informing the identified internal stakeholders is listed below:

  1. Executive Management
    • First priority
    • Management team to meet with the CSIRT team and create the overall approach for communicating the incident to all other stakeholders
    • Approach to be agreed on and documented by all management team members
    • Timing and deadlines to be set
  2. The Legal team
    • Review the approach developed by executive management
    • Alter any areas which may have significant legal implications
  3. The Board
    • Convene emergency board meeting
    • Receive board approval and feedback for implementing communication plans
  4. IT department
    • Inform all members of the IT department of the technical details of the incident
    • IT team to increase monitoring and awareness posture
  5. The Communications department
    • Present the approach to divulging the incident to the public and general employees
    • Communications team to develop strategies and select appropriate channels, e.g. media, social media, email, etc. for relevant communications
  6. General employees
    • Explain the incident according to the approach laid out by the communications team above

External Stakeholders

A brief overview of the intended approach to informing the identified external stakeholders is listed below:

  1. Suppliers
    • Create a priority list of any suppliers whose information may potentially have been divulged during the incident
    • Inform these suppliers and advise them of the nature of the information exfiltrated
    • Advise suppliers on the status of the company response and steps they can take
  2. Shareholders
    • Send out general shareholder notice via email
    • Send at the same time as emailing general consumers
  3. Consumers
    • Communicate breach first to consumers affected via official email
  4. General Public
    • Notify the media and general public based on the approach outlined by the communications team
    • Use a multi-channel approach, e.g. Twitter, Facebook, television, email, etc.

Conclusions

Before communicating the nature of a breach to stakeholders, careful consideration needs to be given to developing the correct approach. This initial consideration requires significant input from executive management, the legal team and the communications department. Finally, once all stakeholders have been informed it is essential to review the effectiveness of the communications and identify areas for improvement.

Glossary

A glossary of all the terms, acronyms and slang I run across for this chapter.

Term | Definition
--- | ---
Security Event | Any observable event relating to a security function
Security Incident | A serious violation or impending violation of an organisation's computer security policies
CSIRT | Computer Security Incident Response Team
Incident Response Process | Preparation > Detection and Analysis > Containment, Eradication, Recovery > Post-Incident Activity
Security Event Indicators | Four major categories of security event indicators: alerts, logs, public info, internal people reporting issues, file integrity checking software
NTP | Network Time Protocol; syncing time is essential for ensuring accurate timestamps across devices
Procedures | Provide detailed tactical info needed when responding to an incident
Policy | Provides high-level guidance and creates a framework for incident response
External or Removable Media | NIST Threat Classification - An attack conducted from external storage such as a USB drive
Attrition | NIST Threat Classification - Brute force attacks intended to compromise, degrade or destroy
Web | NIST Threat Classification - Attacks executed from web-based applications such as malicious downloads or XSS
Email | NIST Threat Classification - Attacks executed in an email via the attachment or body
Impersonation | NIST Threat Classification - Replacing something benign with something malicious such as MITM or SQL injection
Improper Usage | NIST Threat Classification - When an authorized user violates the Acceptable Use Policy resulting in a security issue
Loss or Theft of Equipment | NIST Threat Classification - Loss of a laptop, smartphone, device or authentication token
Unknown | NIST Threat Classification - An attack of unknown origin
APT | Advanced Persistent Threat - Highly skilled hackers focused on singular objectives
Functional Impact | The degree of impairment an incident causes to an organization, measured on a scale of none, low, medium and high
Economic Impact | The degree to which an incident causes economic damage; measured in losses on a scale of none, low, medium and high
Recoverability Effort | NIST measurement of the time services will be unavailable, measured on a scale of regular, supplemented, extended and not recoverable
Datatype | The nature and classification of the data affects the incident response
Impact Categories | NIST information impact categories are defined as none, privacy breach, proprietary breach and integrity loss