The Incident Response Plan (IRP) for Cyber Attacks outlines a fast, orderly and effective process for dealing with suspected computer-related intellectual property theft. It describes how an organization deals with hacking attempts, social networking scams, viruses, DoS attacks, data exfiltration and the like. Although the primary mission is to prevent data loss, the secondary responsibility is to minimize financial losses and damage to public perception.

The incident response plan outlines not only the steps to be taken but also where to get the necessary authorizations to stop, mitigate or resolve various types of incidents. It is the responsibility of the incident response team (IRT) to investigate intrusion reports in a timely, cost-effective way and to escalate sensitive issues to corporate executives. For the IRT to be effective, its members must subscribe to security alert services that keep them abreast of current threats and vulnerabilities. Typical IRT members include the Information Security Officer, the Chief Information Officer, the firewall administrator, the desktop administrator, related server or application managers and others.

Why form an IRT

  1. Proactive: Corporations that put IRTs in place tend to stay on top of threat detection and related security incidents.
  2. Public Relations: Individuals within the IRT understand what the media is looking for, how to serve their needs and how to minimize the negative impact on the corporate image.
  3. Veil of Protection: Internal politics can be an inhibitor at times when expedience is paramount. IRTs are given some authority to take control and make decisions so as to avoid red tape. Some executives also feel that this group offers an additional form of damage control because it demonstrates their efforts to stay prepared.

The IRT does not have to consist of dedicated individuals. Often it is a distributed effort with members from various divisions within the company. The individuals who make up the IRT must understand how the business units and their related systems work, which helps when addressing incidents to the satisfaction of business managers. It also ensures that more than one person can be approached if the primary contact becomes unavailable. Having more than one person in charge, however, can become counterproductive. Employees who double as members of the IRT should not take their role lightly. Regular meetings should take place and documentation should be reviewed for updates.

Incident Response Team Responsibilities

Among the IRT members, responsibilities are assigned in the incident response plan which include, but are not limited to, the following:

  • Serving as the central contact for all electronic security incidents
  • Determining the nature and scope of the incident
  • Who to contact internally about the issue and the time frames within which those escalations must occur
  • Where to get training on how to deal with different issues
  • When to escalate to executive management, legal counsel or even law enforcement
  • When and how to go public with breach information, and what information is provided
  • How to monitor the progress of the investigation
  • When to contact the authorities
  • The information to be provided to the authorities
  • The technologies used to continuously capture and retain system messages as well as network traffic
  • How to gather evidence and where to obtain it; some credit card companies, for example, publish specific requirements for evidence collection

This list continues in Part 2 of the Incident Response Plan for Cyber Attacks.


Michael

Michael is the Co-Founder and the product manager for Scrutinizer Incident Response System. He can be reached most hours of the day between work and home. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Master's in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix, which later became Plixer. Feel free to email him.
