Information Security Incident Response

The worst has happened and the apocalypse is here! Your security's been breached and it's time to spring into action to do some damage control.

"The number of security breaches has increased, the scale and cost has nearly doubled. Eleven percent of respondents changed the nature of their business as a result of their worst breach" - PWC's 2015 Information security breaches survey

Never fear! We here at Process Street have come up with your very own information security incident response.

From assessing and containing the damage to making sure that it doesn't happen again, follow these steps from the get-go of your incident response to ensure that you don't become a heavy statistic in an annual breach survey.

Let's begin!

To begin with, you'll need to input basic information such as names, dates and email addresses of the personnel involved with the incident response process.

Timing is crucial at this point, so go ahead and fill in the form fields below.

Damage assessment is the key to your information security incident response!

First up, consider the nature of the incident, in terms of exactly what happened, and exactly what was affected.

Continue on and complete all of the form fields below to kick-start the response protocol.

One of the first steps following an information security incident is to notify everyone in the response team, including external resources, to begin company protocol for activating the response plan.

Depending on the nature of the breach, you may have to meet certain legal requirements.

Be sure to carefully review both federal and state regulations with regard to your specific industry, as well as the type of data involved and the nature of the incident. 

You will also need to make sure you are clear on exactly who needs to be notified, i.e. your customers, employees, law enforcement, media, government agencies, etc. and make sure that these notifications occur within any specified timeframes.

You may have to notify additional personnel as part of legal proceedings, or if certain sensitive information has been compromised.

Select from the drop-down field to determine who else needs to be notified of the incident.

When a breach occurs, the premises of and around the affected area should be secured and access should be limited to as-needed only in an effort to preserve evidence.

To this end, you should limit access to contaminated computers and server rooms, keeping the doors locked and making sure to notify staff and site security which areas are off limits.

Though full remedial action on compromised machines should be left until after the forensic investigation, steps should be taken to understand the extent of the breach as quickly as possible.

Scan the remaining computers in the network for indicators of compromise associated with this outbreak (e.g. MD5 hashes).

Systems containing sensitive data should be disconnected from the main network, including local intranet as well as internet until the incident has been resolved.

After being disconnected from the main network, compromised systems should be preserved and left untampered in preparation for a full forensic investigation.

During a system compromise, critical systems data should be backed up onto secure offline databases.

In doing so, agents should be careful not to tamper with the state of compromised machines, and the backup process should be thoroughly documented, including how the backup was performed, and by who.

You must now make an effort to preserve all company system and application logs for later reference and review.

If you've been subject to a direct denial of service (DDoS) attack, you should enact your server safeguard protocol immediately to prevent further damage.

Working closely with your ISP (internet service provider), detect, monitor and investigate unauthorized access attempts – with priority on those that are mission-critical and/or contain sensitive data.

Identify the privileged user accounts for all domains, servers, apps, and critical devices and then ensure that monitoring is enabled for all of these systems (including system events).

Sometimes a DDoS is used to divert attention away from another more serious attack attempt.

Complete the sub-checklist below to ensure system monitoring is properly put in place.

If an unidentified actor was attempting to gain access to company systems, run a reputation check against their IP address.

Tools like AlienVault's Open Threat Exchange are very useful databases of IP reputations and should be the first port of call when investigating a rogue address.

If this database yields no results, then try looking up the WHOIS information for the offending domain.

Has the incident been resolved? This is crucial in determining the nature of the response.

Fill out the form fields below with the current incident status.

Based on your response to the form field above, provide some additional context as to how the incident was resolved (if it was), or what the main issue is with regard to any ongoing problems (if it wasn't).

Examine logs, audit trails and data to find out if any sensitive information was involved in the incident. Record your findings in the form field below.

Given what you know so far about the incident, you must provide a suggested course of action for your customer if their data was compromised.

The specific course of action will vary depending on whether or not the incident has been resolved, but be sure to take into consideration legal obligation and plan with the most recent threat intelligence in mind.

Should the incident be severe enough to warrant law enforcement involvement, the relevant law enforcement individuals should be contacted and informed immediately.

Your client should be reminded of their obligation to take appropriate action as defined by the Health Information Technology for Economic and Clinical Health (HITECH) act in response to a breach of confidential patient healthcare data.

Inform your client that all affected patients must be notified that their data has been compromised in a timely manner.

As with any case of sensitive confidential data leakage, the protocol for proper response should be carefully examined - be sure you are educated on both local and federal regulations.

Now that a more thorough investigation has taken place, you should have more information to update management, so you can forward an email summarizing your findings.

The details filled out in the checklist so far will be automatically added to the template below, so all you need to do is check everything looks okay before sending it off. 

Only those with a valid need-to-know should be included in communications regarding key incident details, indicators of compromise, adversary tactics, and procedures.

If sensitive customer data was involved, contact the customer about the incident. 

Businesses generally have 60 days to notify individuals of a data breach, assuming notification is required by law and that no other varying circumstances are at play. This time period starts from the moment the breach was discovered.

• PWC - 2015 Information Security Breaches Survey
• Onpage - Ultimate MSP Incident Response Guide
• CBSIT - Common Information Security Breaches
• AlienVault - Types of InfoSec Incidents
• Vita2 - Information Security Incident Response Form
• Sans - Legal Considerations of InfoSec Response
• Experian - Data Breach Response Guide
• DigitalGuardian - Building Your Incident Response Team

• Inventory Management Process
• Network Security Management
• Client Data Backup Best Practices
• Computer Maintenance Guide
• Server Setup Process
• Virtual Private Server Setup
• IT Support Process
• Helpdesk Management
• Server Maintenance Checklist
• Server Security Checklist
• SQL Server Audit Checklist