Develop Your Incident Response Team

incident response team (IRT)

A team of individuals trained and prepared to recognize and immediately respond appropriately to any security incident.

Organizational policies and practices provide important guidance that applies to forensic examinations. They are designed to ensure quality and efficiency in the workplace. In an effort to properly preserve evidence, you must establish and make ready an incident response team (IRT). That team needs to know how to handle workplace situations they will encounter when conducting investigations.

Organize the Team

incident response plan

The actions an organization takes when it detects an attack, whether ongoing or after the fact.

Incident response plans are needed so that you can intelligently react to intrusions, security breaches, or other identifiable incidents. More important is the issue of legal liability. You are potentially liable for damages caused by a hacker using your machines, so you will want to preserve any evidence you collect during an investigation.

You must be able to prove to a court that you took reasonable measures to defend yourself from hackers. You must also present any evidence as clearly and concisely as possible. If a plan is not in place and duties not clearly assigned, your organization may wind up in a state of disarray. Failure to plan for security breaches and other incidents could result in a negative outcome in court.

The components of an incident response plan should include preparation, roles, rules, and procedures. Once a plan is prepared, appoint response team members. Note that this is not a full-time assignment; it is simply a group of people with obligations to act in a responsible manner when an incident occurs to which some response is warranted.

Note

Never underestimate the effect an incident has on employees. Disruptions in the workplace not only cause confusion, they also disturb employee schedules and diminish productivity.

An incident response team is responsible for containing damage and getting systems back up and running properly. These steps include determining that an incident has occurred, formally notifying the appropriate departments, and recovering essential network resources. With this in mind, the team should include the following personnel:

  • Security and IT staff
  • Someone to handle communication with management and employees
  • Someone to handle communication with vendors, business partners, and the press
  • Developers of in-house applications and interfaces
  • Database managers

The entire team is responsible for successful incident handling. The entire team must remain in place until an incident is closed.

State Clear Processes

The basic premise of incident handling and response is that an organization needs a clear action plan to define procedures to be followed when an incident occurs. These procedures should include:

  • Identifying initial infected resources by obtaining preliminary information about what kind of attack is underway, and what potential for damage exists.
  • Notifying key personnel, such as the security department and the incident response team.
  • Assembling the response team for duty assignments and selecting an incident lead.
  • Diagnosing problems, identifying potential solutions, and setting priorities. The security response team must be clear about what to do, especially if potential damages are high.
  • Escalating problems to additional teams if necessary. The key is to understand what actually happened and how severe any attack might be.
  • Gathering all information learned about the incident up to its resolution, and storing it in a secure location on secure media, in case it may be needed for potential legal action.
  • Communicating about the incident. This may include reporting it to law enforcement, IT security companies, or possibly customers and regulatory agencies.

Note

If an event is newsworthy, expect media contact. Make sure someone is authorized—and prepared—to speak to the media.

The team should prepare an incident report to determine and document incident causes and ultimate solutions. This report should be an internal document that puts everything, from the minute the incident was noticed until the minute service is restored, into perspective.

Coordinate with Local Law Enforcement

Local law enforcement relies on network administrators to report when their systems get hacked, but alas, intrusion victims are often reluctant to call the authorities. This reluctance is reflected in surveys conducted jointly by the Computer Security Institute and the FBI. Only 25 percent of respondents who experienced computer intrusions reported those incidents.

If organizations do not report incidents, law enforcement cannot provide an appropriate or effective response. Networks are getting more complex and more vulnerable to intrusions. Law enforcement agencies are familiar with computer crime investigations, view intrusions as important, and do respond appropriately. They are able to refer reports promptly to the proper agencies if they are not equipped to handle more complex cases.

Publicity is frequently an issue for victims of computer crime. Law enforcement is trained to be sensitive to victims’ concerns about publicity and seizure of data. Many investigations also require information from the victim’s incident response team.
