An Incident Response Plan in Three, Two, One and Done. The U.S. Government describes INFOSEC as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide…. Integrity, Confidentiality, and availability.

Reducing Incidents Through Effective Network Security Practices

Per the National Institute of Standard and Technology (NIST) 800-61r2, “Preventing problems is often less costly and more effective than reacting to them after they occur.”

Incident prevention is an essential complement to an incident response capability. When security controls are insufficient the likelihood of more incidents is increased significantly. This undoubtedly will overwhelm the resources and capacity for response, resulting in delayed or incomplete recovery, possibly more extensive damage, and longer periods of service and data interruption.

The Purpose of Incident Response Management

The purpose of the Incident Response Management is to minimize the negative impact of incidents and restoring normal service operations as quickly as possible.

Author Introduction

Angel Aquino III

I am a retired Navy Veteran of 20 years; I was a football and Wrestling jock in high school an Anti-Terrorism Instructor and Police Officer. Now I am in Cybersecurity and Information Assurance and for me it’s not Greek however, Navy is my first language and IT is like my tertiary language. Therefore, if you like sports, food, and military movies you have come to the right place for a colorful blog on Incident Response. I will be using various analogies form my life’s experience to illustrate the simplicity of every IT course explaining an Incident Response Plan. In life as you may have heard we have to “Hope for the best and plan for the worse.” And I’d like you to keep that in the back of your mind as we move forward.

Now before I dial it back and subject you to some of my catch phrases, randomly placed repeat statements, and visually stunning vocabulary, I’ll present you with the longest Information Technology portion of this blog. I encourage you all to laugh with me or laugh at me as you read and as a bonus. I will script in a few key words to remember, know, and understand as you go forth in the development of your organization’s IRP.

More on Incident Response

Ok, let’s knock out the pleasantries we all may or may not know the fact is that all information and guidance is derived from the 79 pages of the “NIST Special Publication 800-61 Revision 2 Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology” and The Basics of Information Security Second Edition

Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.

Establishing an incident response capability should include the following actions:

1. Creating an incident response policy and plan
2. Developing procedures for performing incident handling and reporting
3. Setting guidelines for communicating with outside parties regarding incidents
4. Selecting a team structure and staffing model
5. Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
6. Determining what services, the incident response team should provide
7. Staffing and training the incident response team.

Terms and Definitions for the Non-Nerds

Information Security – is keeping data, software, and hardware secure against unauthorized access, use, disclosure, disruption, modification, or destruction.

To have risk there must be a threat and vulnerability.

Assets – should always be protected by value to the organization

Priority 1 People

Priority 2 Data

Priority 3 Hardware/Software

Every business has assets both tangible and intangible. Hardware, software, data, and people. People will always be more important than data, software, and hardware.

Risk Management is a constant process. As assets are purchased, used, and retired they must constantly be assessed. The steps will vary based on organization policies and procedures.

Incident Response is the response to when risk management practices have failed and have caused an inconvenience to a disastrous event.

Types of Attack Payloads When we look at the types of attacks we might face, we can generally place them into one of four categories:

1. Interception – Interception attacks allow unauthorized users to access our data, applications, or environments, and might take the form of unauthorized file viewing or copying, eavesdropping on phone conversations, or reading e-mail, and can be conducted against data at rest or in motion.

• Interruption – Interruption attacks cause our assets to become unusable or unavailable for our use, on a temporary or permanent basis. (DoS attack on a mail server)

• Modification – Modification attacks involve tampering with our asset. If we access a file in an unauthorized manner and alter the data it contains, we have affected the integrity of the data contained in the file.

• Fabrication – Fabrication attacks involve generating data, processes, communications, or other similar activities with a system.

Threats -something that has the POTENTIAL to cause us harm. Threats tend to be specific to certain environments, particularly in the world of information security. Threats are any events being man-made, natural, or environmental that could cause damage to ASSETS.

Vulnerabilities are WEAKNESSES that can be used to harm us. Vulnerabilities are a weakness that a threat event or the threat agent can take advantage of.

Risk is the likelihood that an event will occur. To have risk there must be a threat and vulnerability. For us to have a risk in a particular environment, we need to have both a threat and a vulnerability that the specific threat can exploit.

Risk Management – In order to compensate for risks that occur in our environment, we need to identify our important assets, identify the potential threats against them, assess the vulnerabilities that we have present, and then take steps to mitigate these risks.

Incident Response – In the event that our risk management efforts fail, incident response exists to react to such events. The actual occurrence of such an emergency is not the time to (attempt to) follow documentation that has been languishing on a shelf, is outdated, and refers to processes or systems that have changed heavily or no longer exists.

The incident response process consists of:

• Preparation

• Detection and analysis

• Containment

• Eradication

• Recovery

• Post incident activity

I’m glad you IT types know what that means, and we are now on the same page. Now from this point on the rest of us are going to talk about food, the Military, and sports.

Things to know:

1.         Your enemy – Threats and Vulnerabilities (Humans and Human Complacency)

2.         Weapons capabilities and limitations – Ransomware, Malware etc.

3.         Methods of Attack – Phishing, tailgating etc…

By The Two’s

There are two things you must do for IRP,

1. Groundwork Preparation (Risk Management)
2. Lay the Foundation (Defense in Depth)

Defense in depth is a strategy common to both military maneuvers and information security. In both senses, the basic concept of defense in depth is to formulate a multilayered defense that will allow us to still achieve a successful defense should one or more of our defensive measures fail.

Incident Response Plans (IRP) in Two Words

1.         Offense

2.         Defense

Both the Military and Sports managers believe that if your defense fails then go on the offense or switch to an offensive Attack Strategy – Counterattack – that’s all an IRP is.

Here’s is a quote we’ve all may have heard before or something similar.

“The best defense is a good offense” (this is an adage that has been applied to many fields of endeavor, including games and military combat. It is also known as the strategic offensive principle of war.)

I’ve heard “The Best Offense Is a Great Defense” and “The best defense is a good offense” It goes without saying or politically stated or in reverse order or how you want to word it the ideal and message remains the same. The context of the statement remains unchanged regardless of the origin, language or who said it – George Washington, Bill Belichick, or Sun Tzu – we get it, we understand it.

Question: So, what is an IRP really?

Answer: In any team sports you have an offense and a defense, and they each have a playbook with game plans roles and responsibilities and what is to be achieved. The teams will also switch between offense and defense.

1. We are the Incident Response Management Team.
2. Incident Response is a Proactive Defense against unexpected cybersecurity incidents and data breaches.
3. Our Playbook is the Incident Response Plan.

3-2-1 and done! A hyper speed explanation equals the best read ever!

The key to an IRP is the basics of Cybersecurity. We are “Superheroes” “Protectors of Good”!! And as an individual endeavoring to be a hero one must constantly ask themselves.

1. Question: What is my purpose?

Answer: Protector

• Question: What or Who am I Protecting?

Answer: Assets

• Question: How will I protect them?

Answer: Practice Doesn’t Make You Perfect It Makes you effective.

Before your vision becomes 20/20 hindsight, ask yourself this, in the event of an incident would I prefer to:

React without any plan or face an incident head on with confidence as a result of taking Proactive Efforts (Risk Management) in the development of a Pre-Planned Response (PPR) called and Incident Response Plan (IRP)?

IRPs are not guides on “how to do” but a systematic and methodical process of what to do in response to an incident. Call it what you want, in the end you know what to do, how to do it, why to do it and in what order it needs to happen in for timely and successful outcome.

In closing remember these are NIST recommendations of the best practices for Incident Response management. It is up to the organization to determine how best to respond to threats attacks incidents and problems.

Have a great Week!

Contact THA Security if you need assistance in developing an Incident Response Plan (IRP).