CertiGuide to Security+ - Six-Step Incident Response Process

WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Like what you see? Get it in one document for easy printing!

Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Test yourself better with 300 extra Security+ questions!

Get It Here!

CertiGuide to Security+
9 Chapter 3:  Infrastructure Security (Domain 3.0; 20%)
      9 3.4  Intrusion Detection
           9 3.4.4  Incident Response

Role of IDS in Incident Response

Reporting Incidents to Third Parties

Six-Step Incident Response Process

The NSWC Dahlgren Computer Security Incident Handling Guidelines³⁴⁵ describe incident response as a six-step process:

Preparation: Setting up systems to detect threats and policies for dealing with them, including identifying roles staff will play in incident response, and creating emergency contact lists.
Identification: Identifying what the threat is, and/or the effects it is having on your systems/networks, including keeping records of the time/systems involved/what was observed, and making a full system backup as soon after the intrusion was observed, as possible, to preserve as much information about the attack as you can.
Containment: Limiting the effects of an incident by confining the problem to as few systems as possible, freezing the scene so that nothing further happens to the compromised system(s) by disconnecting its network connections and possibly console keyboard.
Eradication: Getting rid of whatever the attacker might have compromised by deleting files or doing a complete system reinstall – we cannot stress enough that you should err on the side of deleting MORE rather than less in order to restore a system to production, since the intruder may have left very-well-disguised Trojan Horse binaries around the system, to be activated once the system is reconnected to the Internet.
Recovery: Getting back into business, by putting the system back into normal operations, reconnecting it to the network, restoring from backups if necessary, etc.
Follow-up: If possible, tightening security so that the intrusion cannot happen again, determining the “cost” of the intrusion based on staff time/lost data/lost user work time (don’t skip this! It may help justify security expenditures in the future), considering which, if any, additional tools might have helped handle the incident better than it may have been handled, reflecting on “lessons learned” from both the intrusion and the organization’s response to it and tweaking policies as required.

SANS offers an incident response publication dealing with these 6 major phases, in detail³⁴⁶.

The very first thing to do is to secure access to the involved devices, to protect against further damage and to assist with preservation of evidence. The critical theme is to not destroy evidence by changing anything! Legal cases have been hampered, and even destroyed, by well-meaning system administrators “doing the wrong thing” in the name of “preservation of evidence.” Report any suspicious incidents to upper management.

Incident Response: Step-by-Step

The six steps to incident response are preparation, threat identification, containment, eradication, recovery, and follow-up.

When an incident is detected, the first thing to do is secure access to the involved devices through actions like unplugging them from the network, locking any involved terminals or systems, etc. Be careful not to destroy evidence by changing anything, in case the incident is eventually taken to the courtroom.

Also be sure to report any suspicious incidents to upper management. They need to know when intrusions have occurred, particularly if financial aspects of the business may be affected.

Incident Response Planning

Does your organization have a computer security incident response policy? If so, do you know what it is? If not, consider sketching one out and seeking approval for it so that you know in advance what to do, if you need to react on short notice someday. As noted above, a helpful guide to incident response, to help get you started in planning for it, can be found at SANS. Again, we can’t stress enough that you should think about this in advance, in order to be best prepared to respond in ways that help get things back to “business as usual” as quickly as possible in a way that doesn’t destroy important evidence, and which enables you to understand the threat you faced, so that you can better protect yourself against similar threats in the future.

__________________

345. “NSWC Dahlgren Computer Security Incident Handling Guidelines”, http://www.nswc.navy.mil/ISSEC/Docs/Ref/GeneralInfo/incident.handle.html, February, 2002.

346. http://www.sans.org/newlook/publications/incident_handling.htm

Role of IDS in Incident Response

Reporting Incidents to Third Parties

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!

Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.