Principles of Incident Response and Disaster Recovery, 2nd Edition

Chapter 6: Incident Response: Organizing and Preparing the CSIRT
Objectives

• Describe the purpose and function of the CSIRT
• Discuss the skills and abilities needed in the CSIRT
• Explain the standing operating procedures associated with CSIRT operations
• Describe training and deployment of the CSIRT

Introduction

• Coordinated reaction to unexpected events
  – Requires a designated group of individuals
    • Deal with the situation, reestablish information asset security
• Carefully selected with appropriate skill range
• Alternates required to assume responsibilities
• Distinct from the Incident Response Planning (IRP) team
• IRP team's primary incident response responsibility
  – Develop and implement policy and plans

Introduction (cont'd.)

• IR reaction team responsibility
  – Respond to notice from a predefined entity as to a possible incident
  – CSIRT works to regain control of information assets at risk, determine what happened, and prevent repeat occurrences
• IR reaction team's other names
  – Computer Security Incident Response Team (CSIRT)
  – Security Incident Response Team (SIRT)
  – Computer Emergency Response Team (CERT)
  – IR team

Introduction (cont'd.)

• Computer Security Incident Response Team
  – Loose or informal implementation
    • Association of IT and InfoSec staffers
    • Called up if an attack on information assets is detected
  – More formal implementation
    • Set of people, policies, procedures, technologies, and information
    • Detect, react to, and recover from an incident that could result in unwanted information modification, damage, destruction, or disclosure
• Prevention: entire information security staff involved

Building the CSIRT

• Formal CSIRT
  – Carnegie Mellon CERT/CC defined stages
    • Step 1: Obtain management support and buy-in
    • Step 2: Determine the CSIRT strategic plan
    • Step 3: Gather relevant information
    • Step 4: Design the CSIRT vision
    • Step 5: Communicate the CSIRT vision and operational plan
    • Step 6: Begin CSIRT implementation
    • Step 7: Announce the operational CSIRT
    • Step 8: Evaluate CSIRT effectiveness

Step 1: Obtaining Management Support and Buy-In

• Formal management support
  – Required for CSIRT success
• CSIRT members assigned additional duties
  – CSIRT work: part-time or as detached assignments
  – Must ensure irresolvable conflicts with primary job responsibilities are removed
  – Senior management must direct subordinate managers
    • Allow CSIRT members time for CSIRT activities
• Resources requiring funding and support
  – Time and materials for incident preparation and reaction

Step 1: Obtaining Management Support and Buy-In (cont'd.)

• Constant and ongoing management support
  – Sustains team efforts
  – Ensures long-term success in managing incidents
• CSIRT champion
  – May be the same person as the IR function champion
  – Typically the chief information officer (CIO)
  – Must be an upper-level executive
    • Requires organizational power and authority to ensure success

Step 2: Determining the CSIRT Strategic Plan

• Formal plan encompasses:
  – Team scope and responsibilities
  – Reporting structure and functional processes

Step 2: Determining the CSIRT Strategic Plan (cont'd.)

• Formal plan items to address
  – Time frame for CSIRT development
  – Gap analysis: needed versus available skills
  – CSIRT structure and team model
  – Available and needed funding
  – Training and testing methods and requirements
  – Formal and informal communications requirements
  – Procedures for updating and modifying documents and activities

Time Frame for Development of the CSIRT

• First CSIRT strategic plan item to determine
  – How soon the team needs to be up and running
    • Management response: "yesterday"
    • Cold reality
      – Weeks or months
      – Use informal organizational response procedures until then

Gap Analysis of Needed versus Available Personnel Resources (Skills)

• Harsh reality
  – Few departments are overstaffed to support ongoing operations
• Small-to-medium-sized organizations
  – May include the entire IT/InfoSec skillset
  – "Off duty" and "on call" IT staff expected to respond to incidents
• If organizations are constantly calling back primary IT and InfoSec personnel
  – Must conclude additional resources are needed

Gap Analysis of Needed versus Available Personnel Resources (cont'd.)

• Obtaining additional resources
  – Understand the skills needed to effectively respond to an incident
  – Determine if staff already has those resources
  – Possible management determinations
    • Willingness to acquire needed personnel to fill gaps
    • Willingness to provide existing personnel training
    • Willingness to live with the consequences of the team's inability to respond
    • Other option: outsourcing the CSIRT function

Gap Analysis of Needed versus Available Personnel Resources (cont'd.)

• Typical CSIRT experience areas needed
  – Malware scanning, elimination, recovery
  – System administration
  – Network administration (switches, routers, gateways)
  – Firewall administration
  – Intrusion detection systems
  – Cryptography
  – Data storage and recovery
  – Documentation creation and maintenance
  – Experience creating and following policy and plans

CSIRT Structure and Team Model

• Incident discovery leads to CSIRT notification
  – CSIRT determines incident impact and acts appropriately
  – Success dependent on participation and cooperation of individuals
• CSIRT structural categories
  – Central CSIRT: a single CSIRT handles all incidents
  – Distributed CSIRTs: multiple CSIRTs, each handling incidents for a particular logical or physical segment
  – Coordinating team: a CSIRT that provides guidance and advice to other teams but has no authority over them

CSIRT Structure and Team Model (cont'd.)

• CSIRT staffing models
  – Employees: organization performs all IR work
    • Limited contractor technical and administrative support
  – Partially outsourced: portions of IR work outsourced
    • 24-hour-a-day, 7-day-a-week (24/7) monitoring
    • Basic IR work performed in-house; contractors assist
  – Fully outsourced: all IR work outsourced to an on-site contractor
    • Used when the organization lacks available, qualified employees

CSIRT Structure and Team Model (cont'd.)

• Team model selection factors to consider
  – Need for 24/7 availability
  – Full-time versus part-time team members
  – Employee morale
  – Cost
  – Staff expertise
  – Organizational structures

Available and Needed Funding for Initial and Ongoing CSIRT Operations

• Everything in business costs money
  – Time, people, and building a CSIRT operation
  – Top management must commit to funding the CSIRT
• Team member needs
  – Time away from current responsibilities
  – Formal or informal training
  – Equipment to detect and manage incidents
  – Special communications equipment
• NIST recommends tools for use by incident handlers

Training and Testing Methods and Requirements for the CSIRT

• CSIRT testing and training methods
  – Defined in the strategic plan
• Planning team
  – Must enumerate management expectations
• Most organizations
  – Provide some training for CSIRTs
    • In-house and informal
• Few organizations
  – Conduct formal testing regimes
    • Fear creating incidents in the process

Formal and Informal Communications Requirements

• Formal and informal communications methods
  – Included in the CSIRT strategic plan
  – Used between CSIRT personnel and other personnel
  – Must be clearly defined methods for:
    • Contacting CSIRT personnel
    • Notifying the CSIRT of potential incidents
• Critical requirement
  – Upward flow of information from the CSIRT to organizational and IT/InfoSec management
    • CSIRT must report preliminary findings to management

Procedures for Updating and Modifying CSIRT Documents and Activities

• Final component of any formal plan
  – Mechanism by which the plan can and should be updated
• CSIRT development plan designed to guide CSIRT planning, training, and testing
  – Routinely reviewed (annually) and modified
• Guiding documents for updating CSIRT documents
  – Formal Incident Response Policy and CSIRT plans
  – Provide response team preparation and training
  – May combine the CSIRT strategic plan with an IR plan

Step 3: Gathering Relevant Information

• CSIRT formation
  – IRP team collects organization IR and service needs
    • Information used to craft the CSIRT
    • Ensures necessary skills and abilities are available
  – IR planning committee
    • Establishes CSIRT scope and responsibilities
    • Determines team constituency and abilities
  – Converse with stakeholders
    • Identify team skills and abilities
    • Identify end user needs

Step 4: Designing the CSIRT Vision

• Planning elements
  – May have been developed as part of the strategy
• Planning element steps
  – Identify constituency
  – Define the CSIRT's mission, goals, and objectives
  – Determine organizational model
  – Select CSIRT services to provide to the constituency (or others)
  – Identify required resources to operate the CSIRT
  – Determine CSIRT funding

Identifying Your Constituency

• CSIRT must know:
  – Who it works for
  – What systems to focus on
• Clear chain of command necessary
  – Critical once the CSIRT is on site
    • CSIRT can take charge of the situation
    • CSIRT can exert influence to regain control of systems
• Requires top management support
  – Provides emergency authority to the CSIRT leader

Identifying Your Constituency (cont'd.)

• "Scope of operations"
  – Determining which systems fall under the CSIRT's responsibility
  – Must be aware of its existence
    • Know whom to serve
• CSIRT constituents
  – Defined by who provides funding
• CSIRTs work collaboratively
  – With other CSIRTs in their geographic and logical areas

Defining Your CSIRT's Mission, Goals, and Objectives

• CSIRT identifies for whom it works
  – Who it provides services to
  – Reporting relationships it must work within
• CSIRT must identify its mandate
  – Mission, goals, and objectives
• Mission of the CSIRT
  – States purpose clearly and succinctly
  – Establishes team tone
  – Provides a path to attaining goals and objectives

Defining Your CSIRT's Mission, Goals, and Objectives (cont'd.)

• Mission of the CSIRT (cont'd.)
  – Common failing among many CSIRTs
    • Lack of precision in defining the mission
    • Failure to communicate the mission, so the CSIRT is left trying to validate priorities as it goes: leads to revisions on the fly
  – Clear and concise mission statement
    • Allows for an established service list, service levels, and quality framework
  – Purpose statement supplements the mission statement
  – Approaches to incident response (philosophy)
    • Protect and forget, or apprehend and prosecute


Defining Your CSIRT's Mission, Goals, and Objectives (cont'd.)

• Goals and objectives of the CSIRT
  – Based on constituent or parent organization business goals
  – CSIRT keys to success
    • Protect critical assets
    • Enable and support the constituency's critical business processes and systems
  – CSIRT goals coupled with detailed procedures
    • Enable the team to effectively contain and resolve incidents
  – No goals results in inconsistent and incomplete incident response

Selecting the CSIRT Services to Provide to the Constituency (or Others)

• CSIRT main focus: performing incident response
  – May shift gears to deal with a threat
  – May significantly overlap with other traditional information security tasks
    • Will have an IR focus
  – CSIRT constantly works with IR-based tools and technologies
    • Allows for training and focus on incidents
    • Can better deal with intrusions

Selecting the CSIRT Services to Provide to the Constituency (or Others) (cont'd.)

• CSIRT service categories
  – Reactive services
  – Proactive services
  – Security quality management services
• Advisory distribution
  – Describes new vulnerabilities
  – Provides information on mitigating the vulnerabilities
  – Useful in helping others identify incident signs


Selecting the CSIRT Services to Provide to the Constituency (or Others) (cont'd.)

• Vulnerability assessment
  – IR team determines how a vulnerability is exploited and the risks, and recommends risk mitigation
  – IR team may perform auditing or penetration testing
  – Incident handlers
    • Well suited to perform vulnerability assessments
• Intrusion detection
  – May be performed by the IR team
    • Allows the team to gain knowledge
  – Ideally performed by another team with the IR team assisting

Selecting the CSIRT Services to Provide to the Constituency (or Others) (cont'd.)

• Education and awareness
  – Resource multipliers
  – Communicated by workshops and seminars, Web sites, newsletters, posters, and stickers on monitors
• Technology watch
  – Look for new trends in information security threats
  – Recommend improvements in security controls
• Patch management
  – Not recommended as an IR team duty (too time consuming)
  – Yet needed most when addressing large-scale incidents

Identify Required Resources

• CSIRT needs
  – Qualified individuals to perform tasks
  – Time, funding, managerial support
• Incident response personnel
  – Single employee in charge of incident response
  – Fully outsourced model: that person oversees and evaluates the service provided
  – All other models: team manager or deputy team manager in charge
  – Managers perform a variety of tasks requiring:
    • Technical skills, communication skills, and a positive attitude

Identify Required Resources (cont'd.)

• Technical skills
  – Technical lead
    • Has strong technical skills and IR experience
    • Has oversight of and final responsibility for the quality of the IR team's technical work
  – Incident lead
    • Primary contact point for handling a specific incident
    • May not perform actual incident handling
    • Coordinates handlers' activities, gathers information, provides updates, ensures the team's needs are met

Identify Required Resources (cont'd.)

• Technical skills (cont'd.)
  – CSIRT members need excellent technical skills
  – Technical inaccuracy in functions undermines the team's credibility
  – Poor technical judgment can cause incidents to worsen
  – Critical technical skill areas include:
    • System administration, network administration, programming, technical support, intrusion detection
  – Team members need good problem-solving skills

Identify Required Resources (cont'd.)

• Technical skills (cont'd.)
  – Provide opportunities for learning and growth
    • Budget enough funding for technical conferences
    • Provide books, magazines, technical references
    • Provide opportunities to perform other tasks
    • Rotate staff members in and out of the CSIRT
    • Maintain sufficient staff for uninterrupted time off work
    • Create a mentoring program
    • Allow members to temporarily trade places
    • Occasionally bring in outside experts
    • Develop incident-handling scenarios and simulate them

Identify Required Resources (cont'd.)

• Nontechnical skills
  – Teamwork skills for cooperation and coordination
  – Communication skills
    • Speaking
    • Writing
• Determine your funding
  – CSIRT leader and IRP team require a clearly defined budget
    • Guides effort in planning preparation, training, and testing

Step 5: Communicating the CSIRT's Vision and Operational Plan

• Communication important when developing the CSIRT
  – Include a feedback mechanism
  – Keep stakeholders informed and involved
• Managerial team or individual serving as champion
  – First group to communicate the CSIRT's vision and plan
    • Champion begins cultivating a marketing stance
• Fully informed champion can:
  – Convince top management of general success
    • Demonstrates the champion is on top of the situation
    • Opens doors for additional resources and support

Step 5: Communicating the CSIRT's Vision and Operational Plan (cont'd.)

• Educating remaining top management
  – Serves two purposes:
    • Closes the loop on the preparation phase of CSIRT team building
    • Moves the group into an operational capacity
  – Pro forma notification
    • CSIRT may have already begun supporting the organization informally
  – Adjust the executive mindset of top management as to the group's status
  – Communicate the forthcoming CSIRT to employees

Step 6: Beginning CSIRT Implementation

• Execution of plans begins
  – Obtain management approval with a formal sign-off
• Substeps:
  – Recruit and train initial CSIRT staff
  – Purchase equipment and prepare the required network infrastructure
  – Define and prepare necessary CSIRT policies and procedures
  – Define and acquire an incident-tracking system
  – Prepare incident-reporting guidelines and forms

Step 6: Beginning CSIRT Implementation (cont'd.)

• Incident-reporting guidelines
  – Enable the constituency to interact with the CSIRT
• Incident reporting process
  – Should be concrete
  – Include directives on how to make reports
• Guidance on responding to incidents
  – How requests are prioritized, applicable service levels and response times, how notifications and escalations are managed, and how resolution is documented and reported
• Critical aspect of the IR plan: guideline and procedure definitions for incident response

Step 7: Announcing the Operational CSIRT

• Provide formal or informal notice to employees
  – Describe availability of the CSIRT service
• Items to include in the announcement
  – Staff members and leadership
  – Mission and goals
  – Services and functions
  – Operating hours
  – Contact methods and number
• Circulate as part of the security awareness program
• Keep the information in front of employees

Step 8: Evaluating CSIRT Effectiveness

• Two key mechanisms for the IR plan
  – Test of the CSIRT's ability to respond to an incident
  – Means of testing IR plan suitability and comprehensiveness
• CSIRT uses performance measures (metrics)
• Closing the loop
  – After action review (AAR): performed at the end of the incident
    • Detailed event examination: detection to recovery
    • Key players review notes, members review actions
    • Update the plan
    • Serves as a training case for future staff

Step 8: Evaluating CSIRT Effectiveness (cont'd.)

• CSIRT performance measures
  – Methods for assessing the relative worth and operations of a subject of interest
  – Identify operational areas to assess, collect data from those areas
    • Review data periodically to determine if improving
  – Feedback mechanism options
    • Compare local CSIRT measures to other CSIRTs
    • Solicit comments from the CSIRT's constituency
    • Use periodic surveys to gain insight from the constituency
    • Collect, report, and audit a set of empirical measures

Step 8: Evaluating CSIRT Effectiveness (cont'd.)

• CSIRT performance measures (cont'd.)
  – Useful to build a baseline of past measures
    • Compare current performance to past performance
    • Determines the effect of the CSIRT on its user community
  – Measurements used for comparison
    • Incidents reported
    • Response times
    • Resolution rates for reported incidents
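The two slides above name the empirical measures a CSIRT should collect (incidents reported, response times, resolution rates) and recommend comparing them against a baseline of past periods. The following is an added example, not code from the textbook, showing how those measures can be computed from an incident-tracking export and judged against a baseline. The record layout (ticket, reported, acknowledged, resolved), the sample rows and the baseline figures are all constructed assumptions; a real deployment would read them from the organization's tracking system.

```python
# Added example (not from the textbook): computing the CSIRT performance
# measures the chapter lists (incidents reported, response times, resolution
# rates) from an incident-tracking export and comparing them to a baseline.
# The record layout, the sample rows and the baseline figures are assumptions.
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Incident:
    """One row from a hypothetical incident-tracking system export."""
    ticket: str
    reported: datetime            # constituency notified the CSIRT
    acknowledged: datetime        # a handler first responded
    resolved: Optional[datetime]  # None while the incident is still open


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data standing in for one reporting period.
SAMPLE_INCIDENTS = [
    Incident("INC-101", _ts("2024-03-01 09:00"), _ts("2024-03-01 09:20"), _ts("2024-03-01 15:00")),
    Incident("INC-102", _ts("2024-03-02 10:00"), _ts("2024-03-02 10:10"), _ts("2024-03-03 10:00")),
    Incident("INC-103", _ts("2024-03-04 08:00"), _ts("2024-03-04 08:30"), None),
    Incident("INC-104", _ts("2024-03-05 14:00"), _ts("2024-03-05 14:40"), _ts("2024-03-05 18:00")),
]

# Constructed baseline from an assumed earlier period (the chapter recommends
# keeping past measures to compare against).
BASELINE = {
    "incidents_reported": 2,
    "mean_response_minutes": 40.0,
    "mean_resolution_hours": 20.0,
    "resolution_rate": 0.6,
}


def compute_metrics(incidents):
    """Return the three measures the chapter names, plus the incident count."""
    if not incidents:
        return {"incidents_reported": 0, "mean_response_minutes": None,
                "mean_resolution_hours": None, "resolution_rate": 0.0}
    response = [(i.acknowledged - i.reported).total_seconds() / 60 for i in incidents]
    closed = [i for i in incidents if i.resolved is not None]
    resolution = [(i.resolved - i.reported).total_seconds() / 3600 for i in closed]
    return {
        "incidents_reported": len(incidents),
        "mean_response_minutes": mean(response),
        "mean_resolution_hours": mean(resolution) if resolution else None,
        "resolution_rate": len(closed) / len(incidents),
    }


# Direction that counts as improvement for each measure.  The incident count is
# deliberately not judged: a rise usually means better detection and reporting
# (the chapter calls it the first signal of progress), so it is a trend only.
_LOWER_IS_BETTER = {"mean_response_minutes", "mean_resolution_hours"}
_HIGHER_IS_BETTER = {"resolution_rate"}


def compare_to_baseline(current, baseline):
    """Label each measure 'improved', 'regressed', 'unchanged' or 'n/a'."""
    verdict = {}
    for name in _LOWER_IS_BETTER | _HIGHER_IS_BETTER:
        cur, base = current.get(name), baseline.get(name)
        if cur is None or base is None:
            verdict[name] = "n/a"          # e.g. nothing resolved yet this period
        elif cur == base:
            verdict[name] = "unchanged"
        elif (cur < base) == (name in _LOWER_IS_BETTER):
            verdict[name] = "improved"
        else:
            verdict[name] = "regressed"
    delta = current["incidents_reported"] - baseline["incidents_reported"]
    verdict["incidents_reported"] = "up" if delta > 0 else "down" if delta < 0 else "unchanged"
    return verdict


if __name__ == "__main__":
    metrics = compute_metrics(SAMPLE_INCIDENTS)
    for name, value in metrics.items():
        print(f"{name:>24}: {value}")
    print(compare_to_baseline(metrics, BASELINE))
```

Resolution time is measured from the report, not from acknowledgement, so that slow triage cannot be hidden by a fast fix; an open incident contributes to the response-time measure but not to the resolution measure, and a period with nothing resolved yet reports "n/a" rather than a misleading zero.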

Final Thoughts on CSIRT Development

• CSIRT development can be a tedious, difficult process
• Time necessary to build an effective CSIRT varies
  – Dependent on the organization's size, industry, staffing, and availability of needed skills
  – May take months or years: requires patience
• First signal of progress
  – Dramatic increase in the number of identified incidents
  – Trust the CSIRT to respond after notification
• See http://csrc.nist.gov/publications/nistpubs and http://www.cert.org/csirts

Outsourcing Incident Response

• Organizations outsourcing part of their IR capacity
  – Due to the increased popularity of managed security services
• Specialized companies
  – Install equipment such as firewalls and IDSs
  – Remotely monitor the equipment from a centralized facility


Current and Future Quality of Work

• Important consideration
  – Quality of the service provider's work
• Other considerations
  – Current quality of work
  – Efforts to ensure quality of future work
    • Minimizing turnover and burnout
    • Providing a solid new employee training program
    • Auditing or objectively assessing the quality of service provided

Division of Responsibilities

• Organizations unwilling to give an outside resource authority over operational decisions
  – Must decide the point at which the service provider hands off incident response
• Partially outsourced model
  – Service provider delivers an incident report with recommendations for handling the incident
  – Internal team ultimately makes operational decisions

Sensitive Information Revealed to the Contractor

• How to limit issues
  – Divide IR responsibilities
  – Restrict access to sensitive information
• Example
  – Contractor can determine the user ID used in an incident
    • Will not know the person associated with the user ID
  – Trusted employees can take over the investigation
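The slide's example (the contractor sees which user ID was involved but not who the person is) is easier to operate if the logs are transformed before they leave the organization. The following is an added example, not code from the textbook, showing one way to do that: account names in exported events are replaced by keyed pseudonyms, and only the in-house team, which holds the key and the HR directory, can turn a pseudonym back into a person. The log layout, the sample events, the key and the directory are all constructed assumptions.

```python
# Added example (not from the textbook): keeping the person behind a user ID
# away from an outsourced incident handler.  Events handed to the contractor
# carry keyed pseudonyms instead of account names; only the in-house team holds
# the key and the directory that map a pseudonym back to a person.  The log
# format, the sample events, the key and the directory are assumptions.
import hashlib
import hmac
import re

# Constructed sample events in a simple key=value layout.
SAMPLE_EVENTS = [
    "ts=2024-03-04T08:12:31Z host=db01 user=jdoe event=login result=ok src=10.0.5.23",
    "ts=2024-03-04T08:13:02Z host=db01 user=jdoe event=sudo cmd=/bin/cat_/etc/shadow",
    "ts=2024-03-04T08:15:47Z host=web02 user=asmith event=login result=fail src=10.0.5.40",
]

# Held in-house only (constructed values); never shipped with the events.
IN_HOUSE_KEY = b"rotate-me-per-engagement"
IN_HOUSE_DIRECTORY = {
    "jdoe": "Jane Doe (Finance)",
    "asmith": "Alex Smith (Engineering)",
}

_USER_FIELD = re.compile(r"\buser=([^\s]+)")


def pseudonym(user_id: str, key: bytes) -> str:
    """Keyed, deterministic token: the same user always gets the same token, so
    the contractor can still correlate one actor across events, but without the
    key a list of likely usernames cannot be hashed and matched against it
    (which is why this is an HMAC and not a plain hash)."""
    digest = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    return "u-" + digest[:16]


def pseudonymize_events(events, key: bytes):
    """Rewrite every user= field before the events leave the organization."""
    return [_USER_FIELD.sub(lambda m: "user=" + pseudonym(m.group(1), key), e)
            for e in events]


def resolve_pseudonym(token: str, key: bytes, directory):
    """In-house step: recover (user_id, person) for a token the contractor
    reported.  Linear over the directory, which is fine for the handful of
    lookups an investigation needs; returns None for an unknown token."""
    for user_id, person in directory.items():
        if hmac.compare_digest(pseudonym(user_id, key), token):
            return user_id, person
    return None


if __name__ == "__main__":
    for line in pseudonymize_events(SAMPLE_EVENTS, IN_HOUSE_KEY):
        print(line)                       # what the contractor receives
    token = pseudonym("jdoe", IN_HOUSE_KEY)
    print("contractor escalates", token, "->",
          resolve_pseudonym(token, IN_HOUSE_KEY, IN_HOUSE_DIRECTORY))
```

Two caveats a practitioner should keep in mind. The pseudonym only hides the account-to-person mapping; hostnames, source addresses and commands in the same event can still point at an individual, so the field list that is exported needs the same scrutiny. And the key should be rotated per engagement, otherwise tokens from different contracts can be linked to each other.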

Lack of Organization-Specific Knowledge

• Accurate analysis and prioritization of incidents
  – Dependent on knowledge of the specific environment
  – Provide the service provider regularly updated documents on:
    • Incidents of concern to the organization
    • Critical resources
    • Response level under various sets of circumstances
  – Report all changes and updates to IT infrastructure, network configuration, and systems
• If there is a lack of organization-specific knowledge:
  – Contractor has to make a best guess
  – Leads to problems in-house if communications are weak

Lack of Correlation

• Important to have correlation among multiple data sources
• Contractor requires administrative privileges:
  – To critical systems and security device logs
  – With remote access over a secure channel
• Issues
  – Increases administration costs
  – Introduces additional access entry points
  – Increases risk of unauthorized disclosure of sensitive information

Handling Incidents at Multiple Locations

• Effective IR work
  – Often requires physical presence at the facilities
  – Considerations for an off-site service provider
    • How quickly it can have a CSIRT at any facility
    • How much this will cost
  – Considerations for on-site visits
    • Facilities or areas where the service provider should not be permitted

Maintaining IR Skills In-House

• When the organization has completely outsourced IR
  – Strive to maintain basic IR skills in-house
    • Organization can perform incident handling if the service provider is unable to act
• For the service provider's recommendations
  – Technical staff must understand:
    • Significance
    • Technical implications
    • Impact

Summary

• Organizations designate groups to:
  – Deal with unexpected situations
  – Reestablish information asset security
• Formal or informal CSIRT development requires several stages
• CSIRT formal plan requires management support
• Skills needed to respond to incidents
• IR team availability necessary to respond to incidents
• Building a CSIRT requires adequate financial support
• Strategic plan: testing, training, contact information

Summary (cont'd.)

• Formal plan final component: update mechanism
• IRP team collects information on IR and service needs to develop plan details
• Communicate CSIRT planning to general management and employees
• After the planning phase: CSIRT implemented
• CSIRT effectiveness mechanisms:
  – IR plan tests and CSIRT performance measures
• CSIRT development can be tedious
• Organizations may outsource all or part of the process