Sample Incident Response Plan

advertisement
<x> Energy
Incident Response Plan
Prepared by:
<date>
<x> Energy IRP
Incident Response Plan
<date>
Page 2
<x> Energy IRP
<date>
Table of Contents
1
2
3
4
5
6
7
8
Introduction ................................................................................................................. 1
Scope ........................................................................................................................... 2
Key Definitions ........................................................................................................... 3
Classifying an Event ................................................................................................... 5
4.1
Possible Events ................................................................................................... 5
Incident response framework ...................................................................................... 7
Incident Response Team ............................................................................................. 8
Incident Response Plan Structure ............................................................................. 10
7.1
Identification ..................................................................................................... 10
7.2
Assessment ........................................................................................................ 13
7.3
Containment ...................................................................................................... 13
7.3.1
Checking other systems on the network ................................................... 14
7.3.2
Checking for systems involved or affected at remote sites....................... 14
7.4
Eradication ........................................................................................................ 15
7.5
Recovery ........................................................................................................... 15
7.6
Follow-up .......................................................................................................... 15
7.7
Documentation .................................................................................................. 16
7.7.1
Revising policies, processes, standards, and procedures .......................... 17
Documents and Forms .............................................................................................. 18
8.1
Contact Information .......................................................................................... 18
8.2
Incident Handling Form .................................................................................... 19
8.3
Communication Log ..........................................Error! Bookmark not defined.
8.4
Network Component, System, and Application Sensitivity ............................. 21
Incident Response Plan <$entity> <$regulation>
Page i
<x> Energy IRP
<date>
1 INTRODUCTION
This document provides relevant information and steps required to identify, eradicate and
recover if an unforeseen security event were to occur to any system that falls under
<$regulation> or can adversely impact business processes.
While security incidents are not necessarily to be expected, the response to them needs to
be formally documented before a security incident occurs. Requirements dictate <x>
Energy to have an Incident Response Program that specifically addresses the way in
which the <x> Energy will handle unauthorized incidents.
Note that this document is required by <regulation entity> and therefore depends heavily
on their suggested formats and definitions.
Note to all prospective Incident Response Team (IRT) members.
Read and become familiar with this document as soon
as possible, it is only a matter of time before an incident
will occur. Your review and understanding of this
document is critical to ensuring <x> Energy can
appropriately react to security incidents.
Incident Response Plan <$entity> <$regulation>
Page 1
<x> Energy IRP
<date>
2 SCOPE
This document implements the general principles established by <x> Energy regarding
the specific processes that <x> Energy personnel must follow when responding to an
incident.
This document is meant to provide <x> Energy personnel with a specific and systematic
approach for dealing with computer security incidents. This document has been
developed to establish whether an incident has occurred, what data has been accessed
inappropriately, who needs to be contacted, and how to recover. Sub-goals are below.
1. Confirm or dispel the incident.
2. Determine the level of threat from an incident.
3. Determine the appropriate response to the incident, including who and when
to notify.
4. Direct actions on the containment, eradication, and recovery from the
incident.
5. Promote the accumulation of accurate information.
6. Establish controls for proper retrieval and handling of evidence.
7. Minimize disruptions to business functions and network operations.
8. Allow for legal or civil recriminations against perpetrators.
9. Provide accurate reports and useful recommendations.
Incident Response Plan
Page 2
<x> Energy IRP
<date>
3 KEY DEFINITIONS
Assessment—After the identification phase, an initial assessment should be performed to
confirm the existence of the incident. The assessment should include determining the
scope, the impact of the incident, and the extent of the damage caused by the incident.
Containment—Containment of the incident is necessary to minimize and isolate the
damage incurred.
Eradication—In order to successfully eliminate the possibility of the incident
reoccurring again, the IRT needs to determine the cause of the incident that resulted in
the system compromise.
Event—An occurrence that has not been verified as a Security Incident.
Follow-up—As a follow-up, a post-mortem analysis of the compromised system should
be performed to understand the weaknesses that resulted in the incident and other
potential vulnerable areas. In the event that <x> Energy is considering legal action
against the perpetrator, forensic specialists and/or law enforcement agencies should be
engaged to ensure that digital evidence are accumulated and preserved in a manner that is
consistent with a legal follow-up.
Identification—The occurrence of an incident is unpredictable. An anomaly in the
system behavior may indicate an incident or configuration errors. Hence, identifying an
incident amidst routine daily operations is not always an easy task.
Preparation—In any Incident Response Plan, it is essential to form an Incident
Response Team (IRT) prior to other tasks. The role of the team is to promptly handle an
incident so that it will have minimal impact to the business operation. The team is formed
of members from various functional roles in <x> Energy.
Recovery—The recovery phase restores operations of the compromised system to
facilitate the resumption of normal business operations. Prior to the resumption process, a
validation check should be performed to ensure that the system is secured against any
repeated incidents. Furthermore, the system should be placed under surveillance to ensure
that if the perpetrator returns, unauthorized attempts may be detected early.
Security Incident—An irregular or adverse event that occurs within any part of <x>
Energy’s information systems infrastructure. These include (but are not limited to)
computer intrusions, denial-of-service attacks, theft of information, inappropriate
Incident Response Plan
Page 3
<x> Energy IRP
<date>
modification of data, any unauthorized or unlawful activity that requires support
personnel, system administrators, or computer crime investigators to respond.
Incident Response Plan
Page 4
<x> Energy IRP
<date>
4 CLASSIFYING AN EVENT
The below categories will be used within <x> Energy.
Critical - These incidents can potentially affect human life or cause irreversible loss of
company resources; they also include for example, loss of large quantities of customer
data.
High - These incidents may affect the integrity or confidentiality of data, which may
result in direct loss of business and/or reputation, e.g. loss of large quantities of account
numbers and expiry dates.
Medium - These incidents typically affect the availability of information, but not data
integrity, e.g. acquiring network failures.
Low - These incidents may affect the confidentiality, integrity or availability of data
however no loss has occurred. <x> Energy should already be secured against these
incidents but constant surveillance may still be necessary to detect early signs of
unauthorized activities.
Insignificant - These incidents pose negligible risk to <x> Energy.
<$regulatory body> must be notified of any “Critical” or “High”
incidents.
4.1 Possible Events
This lists events that may trigger the suspicion of an incident.
1. Failure to comply with <x> Energy’s security policies, procedures, or standards.
2. Malicious software infections (virus, worm, Trojan Horse, etc.).
3. An attack against critical infrastructure or critical <x> Energy system.
4. An attack against a mission critical system that requires special circumstances for
service disconnection.
Incident Response Plan
Page 5
<x> Energy IRP
<date>
5. A denial of service attack affecting critical infrastructure or critical <x> Energy
system.
6. Any system external to and not owned by <x> Energy that is being attacked by a
<x> Energy system.
7. Unauthorized scanning of systems.
8. An active, compromised system.
9. Any fraud, waste, or misuse of a <x> Energy system.
10. An attack apparently originating from a <x> Energy system directed to an outside
system.
Incident Response Plan
Page 6
<x> Energy IRP
<date>
5 INCIDENT RESPONSE FRAMEWORK
The objective of an incident response framework is to provide a systematic approach in
developing an Incident Response Plan. A well-defined Incident Response Plan will
enable <x> Energy to handle any incident efficiently and effectively with minimal impact
to the business operations. When developing these plans, efforts must be made to
anticipate scenarios before they happen, and to make the following decisions in advance
of the incident:
1. Where did the incident occur?
2. Which areas of the business processes are affected?
3. Who should be notified?
4. What are the procedures/actions to be taken?
5. How should the procedures/actions be performed?
Incident Response Plan
Page 7
<x> Energy IRP
<date>
6 INCIDENT RESPONSE TEAM
Below are the IRT member titles, contact information, and responsibilities.
Table 1. IRT Members
Position
Contact Information
Information
Services
Manager
Information
Services
Administrator
Network
Administrator
Database
Administrator
CFO/CIO
Applications
Manager
Priority and
Responsibilities
Oversee incident response
process.
Perform response
recovery with systems.
Perform response
recovery with network
components.
Perform response
recovery with databases
systems.
Public Relations and
Incident Reporting
Official
Perform response
recovery with application
components.
Manager of Store
Services
Perform response
recovery with POS
components.
New Process
Development
Manager
Perform response
recovery with new process
components.
Physical Security
Officer
Building security issues.
Incident Response Plan
Page 8
<x> Energy IRP
<date>
Remote Sites:
Location Manager:
Contacts
Primary:
Alternate:
Incident Response Plan
Office Phone
Pager
E-Mail
Page 9
<x> Energy IRP
<date>
7 INCIDENT RESPONSE PLAN STRUCTURE
Fig 1 below is a depiction of an IR Framework. Because <x> Energy is dictated to have
an IRP that is geared specifically to systems that that fall under the <$regulation> or can
adversely impact business processes.
Figure 1. IR Framework
* The sections below address each aspect of the framework.
7.1 Identification
The cost of incident response and recovery can be high. When a staff member notices a
suspicious anomaly in data, a system, or the network, the IRT has to perform
investigation and verification, which is time and resource consuming. This activity in
itself is at risk if the number of false reports exceeds the number of real incidents that
occurred, as it diverts resources away from real incidents. To facilitate the task of
identification, the following is a list of typical symptoms of security incidents, which
include any of the following:
1. A system alarm or similar indication from an intrusion detection tool.
2. Suspicious entries in system or network accounting (e.g. a UNIX user obtains root
access without going through the normal sequence).
Incident Response Plan
Page 10
<x> Energy IRP
<date>
3. Accounting discrepancies (e.g. an eighteen-minute gap in the accounting log with
no entries).
4. Repetitive unsuccessful logon attempts within a short time interval.
5. Unexplained new user accounts.
6. Unexplained new files or unfamiliar file names.
7. Unexplained modifications to file lengths and/or dates, especially in system
executable files.
8. Unexplained attempts to write to system files or changes in system files.
9. Unexplained modification or deletion of data.
10. Denial/disruption of service or inability of one or more users to login to an
account.
11. System crashes.
12. Poor system performance of dedicated servers.
13. Operation of a program or sniffer device to capture network traffic.
14. Unusual time of usage (e.g. users login during non-working hours).
This section outlines the methods used to detect events. Events can be detected through a
variety of technical and procedural mechanisms. Technical mechanisms include intrusion
detection/prevention systems (IDS/IPS), log aggregation systems, and firewalls which
produce alerts when suspicious network activity occurs. Procedural mechanisms include
system log reviews, observations of abnormal resource utilization and suspicious account
activity. Additionally, sources external to <x> Energy may detect issues by recognizing
unauthorized activity or abnormal behavior on their systems and reporting the activity.
Typical and initial indications of security incidents include any of the following:
1. A system alarm or similar indication from an intrusion detection tool.
2. Suspicious entries in system or network accounting (e.g., a user obtains privileged
access without using authorized methods).
Incident Response Plan
Page 11
<x> Energy IRP
<date>
3. Accounting discrepancies (e.g., someone notices an 18-minute gap in the
accounting log for which there is no correlation).
4. Unsuccessful logon attempts.
5. New user accounts of unknown origin.
6. New files of unknown origin and function.
7. Unexplained changes or attempts to change file sizes, check sums, date/time
stamps, especially those related to system binaries or configuration files.
8. Unexplained addition, deletion, or modification of data.
9. Denial of service activity or inability of one or more users to login to an account;
including admin/root logins at the console.
10. System crashes.
11. Poor system performance.
12. Unauthorized operation of a program or the addition of a sniffer application to
capture network traffic or usernames/passwords.
13. Port/System Scanning (use of exploit and vulnerability scanners, using networkaware applications or utilities for information gathering about systems and/or
users).
14. Unusual usage times (statistically, more security incidents occur during nonworking hours than any other time).
15. An indicated last time of usage of a account that does not correspond to the actual
last time of usage for that account.
16. Unusual usage patterns (e.g., programs are being compiled by the account of a
user who does not know how to program).
17. Social engineering attempts.
Incident Response Plan
Page 12
<x> Energy IRP
<date>
Although observing one of these symptoms is generally inconclusive, observing multiple
symptoms in conjunction is motivation for further scrutiny.
7.2 Assessment
The next step to be performed by the IRT is to assess the scope, the impact and the
magnitude of the incident. As a note of precaution, never power off or reboot a
compromised system immediately as this may result in the loss of data, information or
evidence required for forensic investigation later. The following are some of the factors
to consider during the assessment:
1. How many computers are affected by this incident?
2. Is sensitive information involved?
3. What is the entry point of the incident (e.g. network, phone dial)?
4. What is the potential damage caused by the incident?
5. What is the estimated time to recover from the incident?
6. What resources are required to manage the situation?
7. How should the assessment be performed effectively?
Depending on the severity of the situation, top management may have to be informed.
Notification guidelines should be developed by the IRT during the preparation of the
Incident Response Plan. For “Extreme” and “High” risk incidents, the IRT should
escalate them. The list of key contacts should be completed in the Incident Response
Contact List. The Incident Reporting Form can be used to document the information
gathered from the assessment.
7.3 Containment
The objective of the containment phase is for the IRT to regain control of the situation by
limiting the extent of the damage. The IRT may consider isolating the compromised
system from the rest of the network systems. However, this may disrupt the business
operation if the compromised system is critical or many systems were affected by the
incident, as in the example of a virus outbreak. Hence, the IRT must evaluate with the
management on a per case basis the risk of continuing operations versus regaining control
Incident Response Plan
Page 13
<x> Energy IRP
<date>
of the compromised system. All attempts to contain the threat must take into account
every effort to minimize the impact to the business operations.
Furthermore, a backup should also be performed on the system to maintain the current
state of the system to facilitate the post-mortem and forensic investigation later. The IRT
may also consider changing the system passwords to prevent the possibility of Trojan
programs being installed on the compromised system that allows the intruder from
returning to the system via a backdoor.
Keep in mind that some legitimate network monitors and protocol analyzers will set a
network interface in promiscuous mode. Detecting an interface in promiscuous mode
does not necessarily mean that a sniffer is running on a system. If a sniffer has been
installed on a system, examine the output file from the sniffer, if available, to determine
what other machines or accounts are at risk. Machines at risk are those that appear in the
destination field of a captured packet, but if passwords across systems are common or if
the source and destination machines trust each other the source machine will also be at
further risk. Additionally, it is important to note that some sniffers encrypt their logs so
they may not be obvious. Because of this check for files that grow quickly.
Be aware that there may be other machines at risk in addition to the ones that appear in
the sniffer log. This may be because the intruder has obtained previous sniffer logs from
local systems or through other attack methods.
7.3.1 Checking other systems on the network
It is a good practice to check all systems related to the affected system, not just the one
that is known to be compromised. This check should include any systems associated with
the compromised system through shared network-based services (such as NIS and NFS)
or through any method of trust (such as systems in hosts.equiv or .rhosts files, or a
Kerberos server). It should be noted that the use of hosts.equiv or .rhosts files is highly
discouraged and the use of them and the services that use them are not considered a best
practice.
7.3.2 Checking for systems involved or affected at remote sites
While examining log files, intruder output files, and any files modified or created during
or since the time of the intrusion, also look for information that leads to another site that
may be associated with the compromise. It is often found that additional sites associated
with a compromised system (whether upstream or downstream) have also been victims.
Therefore it is important, responsible, and courteous to identify and notify all other
potential victim sites as soon as possible.
Incident Response Plan
Page 14
<x> Energy IRP
<date>
7.4 Eradication
After the containment phase, further investigation should be performed to uncover the
cause of the incident by analyzing system logs of various devices (e.g. firewall, router,
host logs). It is important that the IRT uses a separate set of administrative tools for the
investigation and not those in the compromised system. In the event that the perpetrator
has modified the system configuration, execution of any system tools may have dire
consequences. For example, the intruder may have modified the DOS CMD.EXE
application of the compromised system to delete all files in the system rather than to
return a command shell.
Some of the eradication steps are already addressed in the previous section
(Assess/Contain). Identify when it is necessary to consider the system too compromised
to sanitize without completely rebuilding the system from scratch.
A clean operating system should be reloaded into the compromised server after the
investigation. Many off-the shelf operating systems are not developed with security in
mind. Hence, to increase the security defense of the system, it must undergo a hardening
process, which should include:
1.
2.
3.
4.
Applying all the latest patches
Disabling any unnecessary services
Installing anti-virus software, and
Applying <x> Energy’s security policy to the system.
7.5 Recovery
Prior to restoring the system from a clean backup, it is recommended that the IRT
validate that the eradication procedures have been properly performed. After installing
the backup, the system should be monitored in a test environment to determine if it is
functioning normally before it can be restored into the business operation.
Furthermore, a network surveillance tool should be implemented to detect any
unauthorized attempts such as additional scans or probes that may signal the return of the
intruder.
7.6 Follow-up
The objective of a post-mortem analysis is to perform a detailed investigation of the
incident to identify the extent of the incident and potential impact prevention
mechanisms. There are three options for performing a post-mortem analysis as shown in
Table 2. The IRT should select the option based on the severity of the incident, the
Incident Response Plan
Page 15
<x> Energy IRP
<date>
damage incurred by the Company and the need for legal actions to be taken against the
perpetrator.
7.7 Documentation
All details related to the incident response process should be documented and filed for
easy reference. This provides valuable information to unravel the course of events and an
serve as evidence if prosecution of intruders is necessary. It is recommended that he
following items be maintained:
1. All system events (audit records)
2. All actions taken (including the time that an action is performed), and
3. All external conversations (including person with whom the discussion
was held, the date and time and the content of the conversation).
furthermore, an incident report documenting the following should be
written by the IRT at the end of the exercise:
4. A description of the exact sequence of events
5. The method of discovery
6. Preventive measure put in place, and
7. Assessment to determine if the recovery step taken is sufficient and what
other
8. Recommendations need to be considered.
The objective of the report is to identify potential areas of improvement in the incident
handling and reporting procedures. Hence, the review of the report by management
should be documented, together with the lessons learnt, to improve on the identified areas
and used as reference for future incidents.
Documentation occurs at every stage in the incident handling process. Use the Incident
Handling Form to document all phases of the incident. Use the Communication Log to
document all verbal communication. Consolidate any email communications in a manner
such that it can be consolidated when there is time to perform the final documentation of
the incident.
Performing follow-up is one of the most critical activities in responding to incidents. This
helps improve the incident response process as well as aiding in the continuing support of
any efforts to prosecute those who have broken the law. Follow-up activity includes the
below.

Analyzing what has transpired and what was done to intervene.

Was there sufficient preparation to prevent the incident?

Did detection occur promptly? If not, why?
Incident Response Plan
Page 16
<x> Energy IRP
<date>

Could additional tools have helped the detection and recovery process?

Was the incident sufficiently contained?

Was communication adequate, or could it have been better? How?

What practical difficulties were encountered?

How could any sensitive data have been better protected?

Are adequate administrative, technical, and/or physical controls in place to
mitigate any future incident(s)? If not, recommendations for additional controls.

Was the work performed within the stipulated time frames allocated to dealing
with the incident (including time necessary to restore systems)?
An “Incident Report” should be created for any security incident. Answers to the
following questions and any plans for mitigation of future incidents should be included in
this report.

How much was the monetary cost of the incident—including all time required to
respond and recover?

How much disruption did the incident cause?

Was any data irrecoverably lost or stolen, and, if so, what was the effect of the
loss?

Was <x> Energy sensitive data potentially compromised?
Each report is released to the necessary audience so that they can learn about the incident
response process even if they were not involved in responding to the particular incident in
question. The report should be developed by the SO and forwarded to the IT Steering
Committee for review before final approval by the President. Full details of some
incidents may need to be sanitized, depending on the intended audience.
7.7.1 Revising policies, processes, standards, and procedures
Developing effective policies and processes is an iterative process in which feedback
from follow-up activity is essential. The “Incident Report” should be used as the basis for
modifying <x> Energy Policies and IH Procedures.
Incident Response Plan
Page 17
<x> Energy IRP
<date>
8 DOCUMENTS AND FORMS
8.1 Contact Information
This table lists external contacts.
Entity
Internet Service Provider
Service Providers
City Law Enforcement
Contact Name
Prepared by:
External Contacts
Contact Info
Date Updated:
Prepared by:
Prepared by:
Prepared by:
State Law Enforcement
FBI
Customers?
Incident Response Plan
Page 18
<x> Energy IRP
<date>
8.2 Incident Handling Form
Type of Incident (Security, Reliability, Virus, etc)
Incident Date
Individuals Providing Report (Full Name)
Report Date
Phone
Incident Number
Division
Incident Description
Complete all information known at the time of the report preparation. Supervisors and investigators will
complete other items on the report as results become available.
Incident Description
Information/Systems Compromised or at Risk
Business Area(s) Impacted
Location of the Incident or Systems
Third Party Affected Systems/Sites/information
Observed Damage Resulting from the Incident
(Impact on Operations to include downtime,
costs, other damages)
Summary of Incident Investigation Results
(i.e. number of hosts attacked, how access was
obtained, how the attack was identified, was an
incident response organization contacted prior to
submission of this report, etc…)
Identify all parties that received a report
concerning this incident.
Incident Response Plan
Page 19
<x> Energy IRP
<date>
8.3 Chain of Custody
CASE INFORMATION
Case Number:
Case Name:
Notes:
Case Manager:
SOURCE INFORMATION
ID#
Evidence Bag #
Serial #
Make & Size
Description:
Activity Dates:
Party Performing Activity
Type of Activity Performed
Location of Activity
<Date 1>
<Date 2>
IMAGE INFORMATION
ID#
Evidence Bag #
Serial #
Make & Size
Description:
Activity Dates:
Party Performing Activity
Type of Activity Performed
Location of Activity
<Date 1>
<Date 2>
Incident Response Plan
Page 20
<x> Energy IRP
<date>
8.4 Network Component, System, and Application Sensitivity
Sensitivity is a combination of several factors and should come from the <x> Energy
Risk Assessment. Factors include: data processed [e.g., <x> Energy Confidential,
medical, financial, internal, and public (these should be identified in the <x> Energy
Enterprise-wide Information Security program)], criticality to operations, and etc.).
Network
Component
IP Address
Sensitivity
System Name
IP Address
Sensitivity
Application
IP Address
Sensitivity
Incident Response Plan
Page 21
<x> Energy IRP
<date>
8.5 Revision History
Revision Number
0.1
Incident Response Plan
Approval
Date
Name
Changes
Draft
Page 22
Download