1) The document outlines the steps of an intrusion detection incident response plan, including identifying the source of the incident, logging details, contacting IT staff, assessing the situation, responding appropriately, restoring systems, documenting actions, and reviewing the response to update policies.
2) Key steps involve the source contacting security, security notifying IT, IT assessing the threat and determining an appropriate response procedure, restoring any affected systems, and documenting actions taken to address the incident and prevent future occurrences.
3) The plan provides examples of information to log at each step, potential response procedures depending on the threat level, and questions to consider when reviewing the response and updating policies.
Sample Intrusion Detection Incident Response Plan
Incident Response Plan Example
This document discusses the steps taken during an incident response plan. To create the plan, the steps in the following example should be replaced with contact information and specific courses of action for your organization.

1) The person who discovers the incident will call the grounds dispatch office. List possible sources of those who may discover the incident. The known sources should be provided with a contact procedure and contact list. Sources requiring contact information may be:
   a) Helpdesk
   b) Intrusion detection monitoring personnel
   c) A system administrator
   d) A firewall administrator
   e) A business partner
   f) A manager
   g) The security department or a security person
   h) An outside source
   List all sources and check off whether they have contact information and procedures. Usually each source would contact one 24/7 reachable entity such as a grounds security office. Those in the IT department may have different contact procedures than those outside the IT department.

2) If the person discovering the incident is a member of the IT department or affected department, they will proceed to step 5.

3) If the person discovering the incident is not a member of the IT department or affected department, they will call the 24/7 reachable grounds security department at xxx-xxx.

4) The grounds security office will refer to the IT emergency contact list or affected department contact list and call the designated numbers in order on the list. The grounds security office will log:
   a) The name of the caller.
   b) Time of the call.
   c) Contact information about the caller.
   d) The nature of the incident.
   e) What equipment or persons were involved.
   f) Location of equipment or persons involved.
   g) How the incident was detected.
   h) When the event was first noticed that supported the idea that the incident occurred.

5) The IT staff member or affected department staff member who receives the call (or discovered the incident) will refer to their contact list for both management personnel to be contacted and incident response members to be contacted. The staff member will call those designated on the list. The staff member will contact the incident response manager using both email and phone messages while being sure other appropriate and backup personnel and designated managers are contacted. The staff member will log the information received in the same format as the grounds security office in the previous step. The staff member could possibly add the following:
   a) Is the equipment affected business critical?
   b) What is the severity of the potential impact?
   c) Name of system being targeted, along with operating system, IP address, and location.
   d) IP address and any information about the origin of the attack.

6) Contacted members of the response team will meet or discuss the situation over the telephone and determine a response strategy.
   a) Is the incident real or perceived?
   b) Is the incident still in progress?
   c) What data or property is threatened and how critical is it?
   d) What is the impact on the business should the attack succeed? Minimal, serious, or critical?
   e) What system or systems are targeted, where are they located physically and on the network?
   f) Is the incident inside the trusted network?
   g) Is the response urgent?
   h) Can the incident be quickly contained?
   i) Will the response alert the attacker and do we care?
   j) What type of incident is this? Example: virus, worm, intrusion, abuse, damage.

7) An incident ticket will be created. The incident will be categorized into the highest applicable level of one of the following categories:
   a) Category one - A threat to public safety or life.
   b) Category two - A threat to sensitive data.
   c) Category three - A threat to computer systems.
   d) Category four - A disruption of services.

8) Team members will establish and follow one of the following procedures, basing their response on the incident assessment:
   a) Worm response procedure
   b) Virus response procedure
   c) System failure procedure
   d) Active intrusion response procedure - Is critical data at risk?
   e) Inactive intrusion response procedure
   f) System abuse procedure
   g) Property theft response procedure
   h) Website denial of service response procedure
   i) Database or file denial of service response procedure
   j) Spyware response procedure
   The team may create additional procedures which are not foreseen in this document. If there is no applicable procedure in place, the team must document what was done and later establish a procedure for the incident.

9) Team members will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel should be performing interviews or examining evidence, and the authorized personnel may vary by situation and the organization.

10) Team members will recommend changes to prevent the occurrence from happening again or infecting other systems.

11) Upon management approval, the changes will be implemented.

12) Team members will restore the affected system(s) to the uninfected state. They may do any of the following:
   a) Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.
   b) Make users change passwords if passwords may have been sniffed.
   c) Be sure the system has been hardened by turning off or uninstalling unused services.
   d) Be sure the system is fully patched.
   e) Be sure real-time virus protection and intrusion detection is running.
   f) Be sure the system is logging the correct events and to the proper level.

13) Documentation. The following shall be documented:
   a) How the incident was discovered.
   b) The category of the incident.
   c) How the incident occurred, whether through email, firewall, etc.
   d) Where the attack came from, such as IP addresses and other related information about the attacker.
   e) What the response plan was.
   f) What was done in response.
   g) Whether the response was effective.

14) Evidence preservation: make copies of logs, email, and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution and beyond in case of an appeal.

15) Notify proper external agencies: notify the police and other appropriate agencies if prosecution of the intruder is possible. List the agencies and contact numbers here.

16) Assess damage and cost: assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.

17) Review response and update policies: plan and take preventative steps so the intrusion can't happen again.
   a) Consider whether an additional policy could have prevented the intrusion.
   b) Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.
   c) Was the incident response appropriate? How could it be improved?
   d) Was every appropriate party informed in a timely manner?
   e) Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved?
   f) Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
   g) Have changes been made to prevent a new and similar infection?
   h) Should any security policies be updated?
   i) What lessons have been learned from this experience?
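Step 9 asks the team to review system logs and look for gaps in them. The script below is an added example, not part of the sample plan, of what that check looks like in practice for a classic syslog file: it parses the lines, flags stretches of silence longer than a threshold (logging stopped, the host was down, or lines were removed) and flags entries whose timestamp runs backwards (a clock change, or lines written into the file after the fact). The log lines, the year (classic syslog timestamps carry none) and the 30-minute threshold are all constructed assumptions for the demonstration; a real review would tune the threshold to how chatty the host normally is.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not taken from any real system): a quiet two-hour hole
# before an admin login, one backdated line, and one corrupted line.
SAMPLE_LOG = """\
Mar 10 08:00:01 web01 CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 08:05:13 web01 sshd[1320]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar 10 08:07:44 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx
Mar 10 10:15:02 web01 sshd[1477]: Accepted password for admin from 10.0.0.9 port 40110 ssh2
Mar 10 10:15:40 web01 systemd[1]: Started Session 12 of user admin.
Mar 10 09:30:00 web01 CRON[1390]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 10:16:05 web01 sshd[1477]: pam_unix(sshd:session): session closed for user admin
### corrupted line ###
"""

# Classic (RFC 3164-style) syslog prefix: "Mon dd HH:MM:SS host message"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog(text, year):
    """Return (entries, skipped).

    entries: list of (line_number, timestamp, host, message) in file order.
    skipped: lines that did not parse; the reviewer should look at these
             by hand rather than silently ignoring them.
    The year is supplied by the caller because the timestamp has none.
    """
    entries, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SYSLOG_LINE.match(line)
        if not m:
            skipped.append((lineno, line))
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        entries.append((lineno, ts, m.group("host"), m.group("msg")))
    return entries, skipped


def find_gaps(entries, max_silence=timedelta(minutes=30)):
    """Walk the entries in file order and report two kinds of anomaly.

    ("silence", line, delta)      - this entry arrived more than max_silence
                                     after the previous in-order entry
    ("out_of_order", line, delta) - this entry is timestamped delta earlier
                                     than the entry written before it
    A backdated entry does not reset the timeline, so the entries after it
    are still compared against the last in-order timestamp.
    """
    findings = []
    if not entries:
        return findings
    last_ts = entries[0][1]
    for lineno, ts, _host, _msg in entries[1:]:
        if ts < last_ts:
            findings.append(("out_of_order", lineno, last_ts - ts))
            continue
        if ts - last_ts > max_silence:
            findings.append(("silence", lineno, ts - last_ts))
        last_ts = ts
    return findings


def review_log(text, year=2024, max_silence=timedelta(minutes=30)):
    """Convenience wrapper: parse, analyse, and return (findings, skipped)."""
    entries, skipped = parse_syslog(text, year)
    return find_gaps(entries, max_silence), skipped


if __name__ == "__main__":
    findings, skipped = review_log(SAMPLE_LOG)
    for kind, lineno, delta in findings:
        print(f"line {lineno}: {kind} ({delta})")
    for lineno, line in skipped:
        print(f"line {lineno}: could not parse: {line!r}")
```

On the constructed sample this reports a silence of 2h07m18s ending at line 4 (the admin password login is the first thing logged after the hole), a backdated cron line at line 6, and the unparseable line 8. Each finding is a lead for the step 13 write-up, not a conclusion: a silence can be a benign idle period, so the reviewer compares it against other sources (intrusion detection logs, remote syslog copies, the witness timeline from step 4h) before recording it as evidence of tampering.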