Incident Response Planning: Strategies, Costs & Best Practices


Outsourcing an IR Process

Advantages:

  1. Services provided by professionals trained in IR.
  2. 24/7 monitoring.
  3. Early notification of potential problems in the region.

Disadvantages:

  1. Potential loss of control of response to incidents.
  2. Possible exposure of classified organizational data to service providers.
  3. Lock-in to proprietary equipment and services.

Long Before a DoS: Six Tasks

  1. Coordinating with the ISP.
  2. Collaborating and coordinating with professional response agencies.
  3. Implementation of prevention technologies.
  4. Monitoring resources.
  5. Coordinating the monitoring and analysis capabilities.
  6. Setting up logging and documentation.

Potential Containment Strategies

  1. Monitoring system and network activities.
  2. Disabling access to compromised systems.
  3. Changing passwords.
  4. Disabling system services.
  5. Disconnecting compromised systems.
  6. Shutting down compromised systems.
  7. Verifying that redundant systems have not been compromised.

Variables

  • Type
  • Method of incursion
  • Current level of success
  • Expected level of success
  • Current level of loss
  • Expected level of loss
  • Target
  • Target’s level of classification
  • Any legal impacts

Considered in Determining the Costs

  • Cost associated with the number of person-hours diverted from normal operations to react to the incident.
  • Cost associated with the number of person-hours needed to recover data.
  • Cost associated with reproducing lost data.
  • Legal cost associated with prosecuting offenders.
  • Cost associated with loss of market advantage due to disclosure of proprietary information.
  • Cost associated with acquisition of additional security mechanisms ahead of budget cycle.

Involving Law Enforcement Agencies

Advantages:

  1. Such agencies are usually much better equipped at processing evidence than a business organization.
  2. Unless the security forces in the organization have been trained in processing evidence and digital forensics, they may do more harm than good when attempting to extract information that can lead to the legal conviction of a suspected criminal.
  3. Law enforcement agencies are also prepared to handle the warrants and subpoenas necessary when documenting a case.

Disadvantages:

  1. Possible loss of control of the chain of events following an incident, including control over the collection of information and evidence and the prosecution of suspects.
  2. The organization may not hear any new information about the case for weeks, or even months.
  3. Evidence tagging of equipment that is vital to the organization’s business; valuable assets can be removed, stored, and preserved to prepare the criminal case.
