ISOL 533 – InfoSecurity & Risk Management Computer Incident Response Team Plan

University of The Cumberlands

Purpose

This plan was developed for Health Network, Inc. (Health Network) and it is classified as the confidential property of that entity. Due to the sensitive nature of the information contained herein, this plan is available only to those persons who have been designated as members of one or more incident management teams, or who otherwise play a direct role in the incident response and recovery processes.


This document discusses the steps taken by the Computer Incident Response Team during an incident.

1) The person who discovers the incident will call the IT Incident Response department.

2) The IT Incident Response department will create a ticket in the Incident Response database and document:

a) The name of the caller.

b) Time of the call.

c) Contact information about the caller.

d) The nature of the incident.

e) The equipment or persons involved.

f) Location of equipment or persons involved.

g) How the incident was detected.

h) When the event that first indicated the incident was noticed.

Incidents will be classified as either Physical or Electronic. The security department will handle all Physical incidents. The IT department will handle all Electronic incidents.

3) If the incident is validated, the IT Incident Response department will contact the following offices, as appropriate, with details from the Incident Response database, to ensure they are aware of the incident:

a) Incident Response manager (via both email and phone messages)

b) The security department (via both email and phone messages)

c) LAN/WAN and Intrusion detection monitoring personnel (via phone)

d) Affected system administrator (via phone)

e) Affected database administrator (via phone)

4) The Incident Response department will research the Incident knowledge-base and add the following to the Incident Response ticket:

a) Is the equipment affected classified as business critical?

b) The Risk Factor/Impact and RTO of the systems affected.

c) Name of system being targeted, along with operating system, IP address, and location.

d) IP address and any information about the origin of the attack.


5) The Incident Response manager will determine which response teams will be mobilized and contact the IT Incident Response department to have them contact the team members.

6) The contacted Response Team members will meet or discuss the situation over the telephone and determine a response strategy.

a) Is the incident real or perceived?

b) Is the incident still in progress?

c) What data or property is threatened and how critical is it?

d) What is the impact on the business should the attack succeed? Critical, Major, Minor?

e) What system or systems are targeted, where are they located physically and on the network?

f) Is the incident inside the trusted network?

g) Is the response urgent?

h) Can the incident be quickly contained?

i) Will the response alert the attacker and if so, how will the response proceed?

j) What type of incident is this? Example: virus, worm, intrusion, abuse, damage.

7) The Response Team lead will update the Incident Response ticket. The incident will be categorized into the highest applicable level of one of the following categories:

a) Category one – A threat to public safety or life.

b) Category two – A threat to sensitive data.

c) Category three – A threat to computer systems.

d) Category four – A disruption of services.

8) Response Team members will follow one of the established Incident Response procedures (if a procedure does not exist, the Response Team will develop and document the new procedure). The following procedures are currently active.

a) Worm response procedure

b) Virus response procedure

c) System failure procedure

d) Active intrusion response procedure – Is critical data at risk?

e) Inactive Intrusion response procedure

f) System abuse procedure

g) Property theft response procedure

h) Website denial of service response procedure

i) Database or file denial of service response procedure

j) Spyware response procedure

If a new procedure is developed, it will be forwarded to the Incident Response manager once the incident is resolved so the manager may add it to this document.


9) Response Team members will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel should perform interviews or examine evidence; who is authorized may vary by situation and organization.
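The log review in step 9 includes looking for gaps in logs. The following is an added example, not part of the Health Network plan, showing how a responder can flag such gaps: it parses constructed syslog-style sample records with a leading ISO-8601 timestamp, reports every silence longer than a threshold, and also counts records whose timestamps run backwards or cannot be parsed, since both also warrant a look during a review.

```python
import re
from datetime import datetime

# Constructed sample log (not real data): roughly one record per minute,
# then no records between 10:03 and 10:47, then activity resumes.
SAMPLE_LOG = """\
2023-03-01T10:00:00Z host1 sshd[101]: Accepted publickey for alice from 10.0.0.5
2023-03-01T10:01:00Z host1 sshd[101]: pam_unix(sshd:session): session opened for user alice
2023-03-01T10:02:00Z host1 CRON[55]: (root) CMD (run-parts /etc/cron.hourly)
2023-03-01T10:03:00Z host1 sshd[102]: Failed password for invalid user admin from 10.0.0.9
2023-03-01T10:47:00Z host1 sshd[103]: Accepted publickey for alice from 10.0.0.5
2023-03-01T10:48:00Z host1 CRON[56]: (root) CMD (run-parts /etc/cron.hourly)
"""

# A record must begin with an ISO-8601 UTC timestamp; the rest is ignored here.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s")


def find_log_gaps(log_text, max_silence_seconds=300):
    """Scan log_text and return (gaps, unparseable, out_of_order).

    gaps          list of (start, end, seconds) for consecutive records
                  separated by more than max_silence_seconds
    unparseable   number of lines with no leading timestamp
    out_of_order  number of records whose timestamp precedes the previous one
    """
    gaps, unparseable, out_of_order, previous = [], 0, 0, None
    for line in log_text.splitlines():
        match = TIMESTAMP_RE.match(line)
        if not match:
            unparseable += 1
            continue
        current = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
        if previous is not None:
            silence = (current - previous).total_seconds()
            if silence < 0:
                out_of_order += 1
            elif silence > max_silence_seconds:
                gaps.append((previous, current, int(silence)))
        previous = current
    return gaps, unparseable, out_of_order


if __name__ == "__main__":
    found, bad, backwards = find_log_gaps(SAMPLE_LOG)
    for start, end, seconds in found:
        print(f"{seconds}s of silence between {start:%Y-%m-%d %H:%M:%S} and {end:%H:%M:%S}")
    print(f"{bad} line(s) without a timestamp, {backwards} record(s) out of order")
```

The threshold should be tuned to how chatty the source normally is; a five-minute silence is significant for an authentication log on a busy host and meaningless for a quiet one.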

10) Response Team members will recommend changes to the Response Team manager to prevent the incident from recurring or spreading to other systems.

11) Response Team members will restore the affected system(s) to the uninfected state. They may do one or more of the following:

a) Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.

b) Make users change passwords if passwords may have been sniffed.

c) Be sure the system has been hardened by turning off or uninstalling unused services.

d) Be sure the system is fully patched.

e) Be sure real-time virus protection and intrusion detection are running.

f) Be sure the system is logging the correct events and to the proper level.

12) Response Team members will update the ticket with the following:

a) How the incident was discovered.

b) The category of the incident.

c) How the incident occurred, whether through email, firewall, etc.

d) Where the attack came from, such as IP addresses and other related information about the attacker.

e) What the response plan was.

f) What was done in response.

g) Whether the response was effective.

13) Response Team members will:

a) Make copies of logs, email, and other communication.

b) Update the ticket with a list of all witnesses.

c) Keep evidence as long as necessary to complete prosecution, and beyond in case of an appeal.

14) The Response Team manager will notify the police and other appropriate agencies if prosecution of the intruder is possible.

15) The Response Team manager will assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.

16) The Response Team manager will review the response, update policies, and take preventative steps so the intrusion can’t happen again.

a) Consider whether an additional policy could have prevented the intrusion.


b) Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.

c) Was the incident response appropriate? How could it be improved?

d) Was every appropriate party informed in a timely manner?

e) Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved?

f) Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?

g) Have changes been made to prevent a new and similar infection?

h) Should any security policies be updated?

i) What lessons have been learned from this experience?


Appendix A – Incident Response Worksheet

Complete this worksheet for any reported incidents.

What tools, applications, laptops, and communication devices were needed to address the Computer Incident Response for this specific breach?

Identification: When an incident is reported, it must be identified, classified, and documented. During this step, the following information is needed:

- Identify the nature of the incident
    o What Business Process was impacted
    o What threat was identified
    o What weakness was identified
    o What risk was identified
    o What was the Risk Factor/Impact of the incident
    o What was the RTO, MTD and RPO assigned to the business process
    o What hardware, software, database and other resources were impacted

Containment: The immediate objective is to limit the scope and magnitude of the computer/security-related incident as quickly as possible, rather than allow the incident to continue to gain evidence for identifying and/or prosecuting the perpetrator.

- What needed to be done to limit the scope of the incident

Eradication: The next priority is to remove the computer/security-related incident or breach’s effects.

- What was done to mitigate the risk of the incident

Recovery: Recovery is specific to bringing back into production those IT systems, applications, and assets that were affected by the security-related incident.

- What was done to recover the IT systems
    o What procedures were used and were they covered in the Disaster Recovery Plan
    o Was the Business Continuity Plan executed in response to this incident
    o Were any issues identified that would lead to updates to the BIA, BCP or DR plans