Information Security Incident Response | Process Street Information Security Incident Response – Process Street

Introduction:

The worst has happened and the apocalypse is here! Your security's been breached and it's time to spring into action to do some damage control.

"The number of security breaches has increased, the scale and cost has nearly doubled. Eleven percent of respondents changed the nature of their business as a result of their worst breach" - PWC's 2015 Information security breaches survey

Never fear! We here at Process Street have come up with your very own information security incident response.

From assessing and containing the damage to making sure that it doesn't happen again, follow these steps from the get-go of your incident response to ensure that you don't become a heavy statistic in an annual breach survey.

Let's begin!

Initial response:

Input personnel details

To begin with, you'll need to input basic information such as names, dates and email addresses of the personnel involved with the incident response process.

Timing is crucial at this point, so go ahead and fill in the form fields below.

Perform preliminary incident analysis

Damage assessment is the key to your information security incident response!

First up, consider the nature of the incident, in terms of exactly what happened, and exactly what was affected.

Continue on and complete all of the form fields below to kick-start the response protocol.

Alert response team of incident

One of the first steps following an information security incident is to notify everyone in the response team, including external resources, to begin company protocol for activating the response plan.

Determine who needs to be notified

You may have to notify additional personnel as part of legal proceedings, or if certain sensitive information has been compromised.

Select from the drop-down field to determine who else needs to be notified of the incident.

  • 1
    Law enforcement
  • 2
    Media
  • 3
    Employees (internal)
  • 4
    Government agency
  • 5
    Customer

Damage control:

Secure the premises around the affected area

When a breach occurs, the premises of and around the affected area should be secured and access should be limited to as-needed only in an effort to preserve evidence.

To this end, you should limit access to contaminated computers and server rooms, keeping the doors locked and making sure to notify staff and site security which areas are off limits.

  • 1
    Inform staff and site security which areas are off limits
  • 2
    Be sure entrances and exits are secured and monitor access to the building
  • 3
    Enforce sign-ins and sign-outs if not already in place

Scan for compromised machines

Though full remedial action on compromised machines should be left until after the forensic investigation, steps should be taken to understand the extent of the breach as quickly as possible.

Scan the remaining computers in the network for indicators of compromise associated with this outbreak (e.g. MD5 hashes).

Disconnect compromised systems from network

Systems containing sensitive data should be disconnected from the main network, including local intranet as well as internet until the incident has been resolved.

After being disconnected from the main network, compromised systems should be preserved and left untampered in preparation for a full forensic investigation.

  • 1
    Disconnect computers with access to sensitive information from main network
  • 2
    Preserve compromised machine states for forensic investigation

Backup all critical systems data

During a system compromise, critical systems data should be backed up onto secure offline databases.

In doing so, agents should be careful not to tamper with the state of compromised machines, and the backup process should be thoroughly documented, including how the backup was performed, and by who.

Preserve all system and application logs and states

You must now make an effort to preserve all company system and application logs for later reference and review.

  • 1
    Archive all data to a secure off-site system.
  • 2
    Document all actions taken, by whom and when
  • 3
    Record all forensic tools used

Enact web server safeguard protocol

If you've been subject to a direct denial of service (DDoS) attack, you should enact your server safeguard protocol immediately to prevent further damage.

  • 1
    Configure web servers to protect against HTTP and SYN flood requests
  • 2
    Coordinate with your ISP to block source IP addresses

Monitor the system for signs of continued access

Working closely with your ISP (internet service provider), detect, monitor and investigate unauthorized access attempts – with priority on those that are mission-critical and/or contain sensitive data.

Identify the privileged user accounts for all domains, servers, apps, and critical devices and then ensure that monitoring is enabled for all of these systems (including system events).

Sometimes a DDoS is used to divert attention away from another more serious attack attempt.

Complete the sub-checklist below to ensure system monitoring is properly put in place.

  • 1
    Correspond with your ISP
  • 2
    Identify and monitor privileged user accounts
  • 3
    Increase system surveillance
  • 4
    Investigate unauthorized access attempts

Check IP address reputation score

If an unidentified actor was attempting to gain access to company systems, run a reputation check against their IP address.

Tools like AlienVault's Open Threat Exchange are very useful databases of IP reputations and should be the first port of call when investigating a rogue address.

If this database yields no results, then try looking up the WHOIS information for the offending domain.

Incident investigation:

Determine whether incident has been resolved

Has the incident been resolved? This is crucial in determining the nature of the response.

Fill out the form fields below with the current incident status.

Based on your response to the form field above, provide some additional context as to how the incident was resolved (if it was), or what the main issue is with regard to any ongoing problems (if it wasn't).

Determine the impact of the incident

Examine logs, audit trails and data to find out if any sensitive information was involved in the incident. Record your findings in the form field below.

Provide suggestion for customer's best course of action

Given what you know so far about the incident, you must provide a suggested course of action for your customer if their data was compromised.

The specific course of action will vary depending on whether or not the incident has been resolved, but be sure to take into consideration legal obligation and plan with the most recent threat intelligence in mind.

Communications:

Alert law enforcement of the incident

Should the incident be severe enough to warrant law enforcement involvement, the relevant law enforcement individuals should be contacted and informed immediately.

Enact federal data breach notification procedure

Your client should be reminded of their obligation to take appropriate action as defined by the Health Information Technology for Economic and Clinical Health (HITECH) act in response to a breach of confidential patient healthcare data.

Inform your client that all affected patients must be notified that their data has been compromised in a timely manner.

As with any case of sensitive confidential data leakage, the protocol for proper response should be carefully examined - be sure you are educated on both local and federal regulations.

Inform upper management of the incident

Now that a more thorough investigation has taken place, you should have more information to update management, so you can forward an email summarizing your findings.

The details filled out in the checklist so far will be automatically added to the template below, so all you need to do is check everything looks okay before sending it off. 

Only those with a valid need-to-know should be included in communications regarding key incident details, indicators of compromise, adversary tactics, and procedures.

Inform the customer of leaked sensitive information

If sensitive customer data was involved, contact the customer about the incident. 

Businesses generally have 60 days to notify individuals of a data breach, assuming notification is required by law and that no other varying circumstances are at play. This time period starts from the moment the breach was discovered.

Sources: