Preface

This book is about computer security incident response teams. Sometimes when we mention this phrase, people picture war-painted commandos, late on a rainy night, in a black helicopter at treetop level, chasing the author of a computer virus through rugged mountainous terrain.

That couldn't be further from the truth. In reality, these teams consist of people who are armed with a plan and a desire to secure and investigate inconsistent, odd, anomalous events, or merely violations of policy on their network and computer systems.

This book is the first to cover the incident response team in depth—from the history and justification for forming one, to the determination of what the team will provide to the organization, to the organization of the team, to the process of attracting, hiring, and retaining the proper team members, to legal issues, to methods of dealing with incidents. It includes many examples, some taken directly from the field, and some encountered as a result of lessons learned in the field. The book takes as its perspective a normal organization—one where resources are not unlimited and where keeping the organization working smoothly, efficiently, and profitably is paramount.

We've written this book for the mid-level manager and other personnel who are responsible for the creation and day-to-day operation of an incident response team. The book also keeps the people who handle the incidents in mind. Because many other books discuss intrusion detection methodology, details about file systems, and forensics, we merely touch on those subjects and do not dive into the technical issues surrounding those items.

In building this book, we discovered a lot about how different opinions can affect the formation of a team. Both authors have been involved with incident response teams for quite a while. It's interesting to see how different dynamics and focuses can affect a team. Some teams are more technical in nature and may be branches of a company's computer security or system administration group. Others are more policy-oriented and take an “auditing” or “leading practices” approach, learning from each incident. One common thread is that each team has a strong focus, enjoys excellent leadership, and therefore garners the support of its organization to continue its mission successfully.

Another similarity shared by nearly every team we've talked with is that the team members never feel that they're doing as much as they could do. Their incident response operations aren't perfect, and they all wish they could offer more services, investigate and research more incidents, and provide the best prevention of any organization in their industry sector. Most will admit that they are doing quite a good job with the resources that they have. This attitude is a healthy one. Although the pursuit of perfection is something wonderful, it's something that will never be efficiently achieved. There's always something that will be an exception to what you've planned for. Some folks have suggested that a certain automobile is the perfect automobile. If you've ever encountered a used-car salesman, he will have several available that are the perfect automobile. There are certainly some fine automobiles on the market today, but none of them is perfect. Similarly, there are no perfect incident response teams. There will always be something new for the teams to accomplish. We mention goals several times along the way in the book—they're very important to have. They measure how well your team is doing for what's important to the organization.

In the process of writing this book, we learned that there are many different ways to do the job of incident response. Inevitably, we were asked, “Which is best?” Answering that question is one of the reasons that we wrote this book. In several places, we discuss the risks, benefits, and costs of engaging in a certain activity. This factor must be considered carefully for just about any organization's product or service, but sometimes it isn't given enough consideration when dealing with computer or IT-based issues. After you've read this book, we certainly encourage you to look at your organization and do a bit of cost, risk, and benefit analysis. Are the risks of running a certain product worth the extra benefits that it provides? Are the costs of a particular architecture or computer system making the users that much more productive? Sadly, we've seen cases where organizations with wonderful business prowess seem to become giggling school kids when it comes to making decisions regarding the risks or benefits that technology can bring to them.

Management reporting is often an elusive quantity for incident response teams. Teams sometimes struggle with what to report, how much detail to include, and when to report it. It's an interesting company dynamic. We've encountered very senior-level managers in an elevator and been asked for an informal briefing regarding a recent virus infestation. Efforts spent on reporting are never wasted time. If you can quickly report trends for this month, this quarter, and this year to date, and compare them to last year's data, you will be in very good shape. Senior managers sometimes need to be reminded that their investment in a team is a good one, that the team is being productive, and that they're taking care of the important behind-the-scenes business that keeps the organization's information flowing securely. Some of the most uncomfortable meetings that we've attended were ones where we were asked about something that we didn't track. This sort of reporting, and the briefings that go along with it, is a very valuable tool for the incident response team manager. You'll see this material again later in the book.
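The month, quarter, and year-to-date trend figures described above are easy to produce if the team keeps a dated record of every case. The following is an added example (not code from the book or its authors) that tabulates such a record into the comparison a manager asks for in the elevator: counts for the current month, quarter, and year to date, each beside the same window one year earlier, plus a year-to-date breakdown by incident category. The `Incident` record, its category names, and the sample case log are constructed for illustration; a real team would load them from its case-tracking system.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    """One case from the team's log (hypothetical record shape)."""
    opened: date
    category: str  # e.g. "virus", "intrusion", "policy violation"


# Constructed sample case log for the example; not data from the book.
INCIDENTS = [
    Incident(date(2022, 1, 20), "virus"),
    Incident(date(2022, 2, 3), "policy violation"),
    Incident(date(2022, 4, 11), "intrusion"),
    Incident(date(2022, 6, 10), "virus"),
    Incident(date(2022, 6, 20), "virus"),
    Incident(date(2022, 9, 5), "intrusion"),
    Incident(date(2023, 1, 12), "virus"),
    Incident(date(2023, 3, 2), "policy violation"),
    Incident(date(2023, 4, 21), "virus"),
    Incident(date(2023, 5, 30), "intrusion"),
    Incident(date(2023, 6, 2), "virus"),
    Incident(date(2023, 6, 14), "policy violation"),
    Incident(date(2023, 6, 28), "virus"),  # after the report date; excluded
]


def shift_year(d, years):
    """Move a date by whole years, clamping Feb 29 to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def reporting_windows(as_of):
    """Inclusive (start, end) dates for this month, this quarter and year to date."""
    quarter_start_month = 3 * ((as_of.month - 1) // 3) + 1
    return {
        "month": (as_of.replace(day=1), as_of),
        "quarter": (as_of.replace(month=quarter_start_month, day=1), as_of),
        "ytd": (as_of.replace(month=1, day=1), as_of),
    }


def count_between(incidents, start, end, category=None):
    """Number of incidents opened in [start, end], optionally for one category."""
    return sum(
        1
        for i in incidents
        if start <= i.opened <= end and (category is None or i.category == category)
    )


def trend_report(incidents, as_of):
    """Current-versus-prior-year counts per window, plus a year-to-date category breakdown."""
    report = {}
    for label, (start, end) in reporting_windows(as_of).items():
        current = count_between(incidents, start, end)
        # Same calendar window one year earlier, so the comparison is like for like.
        prior = count_between(incidents, shift_year(start, -1), shift_year(end, -1))
        report[label] = {"current": current, "prior": prior, "delta": current - prior}
    ytd_start, ytd_end = reporting_windows(as_of)["ytd"]
    report["ytd_by_category"] = dict(
        Counter(i.category for i in incidents if ytd_start <= i.opened <= ytd_end)
    )
    return report


if __name__ == "__main__":
    for label, figures in trend_report(INCIDENTS, date(2023, 6, 15)).items():
        print(f"{label:8} {figures}")
```

The prior-year window is shifted by a whole year rather than by a fixed number of days so that "this quarter" is compared against the same quarter last year, which is the figure senior management will recognize; the `delta` column is what to lead with in the briefing.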

The final point that we'll include here is the fact that time spent on preventing an incident is always well worth the effort. Merely investigating an incident, then closing the case without analyzing what happened and figuring out how to prevent a similar thing from occurring in other places on your network, is truly negligent. We mention this point because it is often missed. Prevention of a brand-new type of incident is something that is very difficult to plan for, and it takes skill. Preventing a recurrence of something that your team has already encountered is much easier to do. The old saying “Fool me once, shame on you; fool me twice, shame on me” certainly applies in this case.

Preventing the spread of computer crime also entails helping your neighbors do the same thing. Computer security professionals are just that—professionals. They know the value of your organization's information. They also know the value of sharing information related to computer crime so that in the future, your organization may benefit from shared information. Computer crime information and generalized information on incidents, viruses, and vulnerabilities are all very important sources that will provide your organization with the opportunity to prevent an incident without having to do the initial investigative work. By using this information and sharing your own computer crime experience (but not your organization's valuable data!), you contribute to reducing the total numbers of systems that can be considered potential victims.

Use this book as an information tool when forming your team. Organizational suggestions and examples of work flow are intended to allow your organization to maximize its technical resources. The book includes many examples of day-to-day team operations, communications, forms, and legal references. As a result, it will continue to be a valuable resource after your team becomes operational.

We've used the analogy of identifying the pieces of a puzzle and putting that puzzle together throughout the book. The “pieces of the puzzle” refer to the many considerations that should be taken into account when forming a team. Once these decisions are made, they work together to form the “picture of incident response.” Some may consider certain pieces identified as merely common sense. It's been our experience, however, that even the most obvious considerations may be missed when you're challenged with the overwhelming task of forming a team. Take advantage of the experiences we've gained from having “been there and done that” and let this book guide you through the process. Good luck and enjoy the puzzle!
