HackingTheUniverse

Federal agencies are required by law to report incidents to the US Computer Readiness Team (CERT) office in DHS and must have a formal incident response capability.

INCIDENT RESPONSE METHODOLOGY

• Prepare – accumulate knowledge, resources, tools, team members and training needed to handle incident reponse. Provide feedback into other processes (patch management…) that may help prevent incidents.
• Identify – establish processes to identify incidents (intrusion detection) and a mechanism for incident reporting (trouble ticket application)
• Contain – categorize types of incidents and prioritize reactions to them. Establish procedures for different levels or reactions and for forensic evidence collection.
• Eradicate – set up a triage process to determine what level of eradication is needed to ensure security.
• Recover – ensure backup and recovery procedures are working.
• Learn – document the entire incident and analyze it after recovering in an attempt to learn lessons and improve all related processes.

Organizational Capability

• Need for IR – establish business needs, legal and regulatory requirements.
• Policy and procedure:
• Create an IR policy and get it approved.
• Create an IR plan
• Establish information sharing procedures
• The response team:
• Choose a team structure
• Select and train staff
• Consider dependencies across the organization

Incident Types

• Inappropriate use
• Unauthorized access
• Malicious code
• Denial of service
• Combinations of types

Summary

• IR is required by law (for federal agencies)
• IR is required for security protection
• PICERL methodology

KEY NIST DOCS:
800-61 “Computer Security Incident Handling Guide”