Incident Response Teams
Computer Incident Response Teams (CIRTs or IRTs) are key components in information security incident response. Effective incident response doesn’t just happen; it takes careful planning and practice. An effective Incident Response Policy should have a plan documenting steps that must be followed and should contain key tasks or milestones with details, processes, and procedures, which instruct the team on their specific requirements for a given task.
Typical procedures include: Communication, both internal and external to your organization, Escalation Notification, Incident Tracking Forms, Incident Reporting and Documentation, Investigation Checklists by technology platform, Remediation Checklists by Risk and Threat classification, Security Information Event Management, Evidence Collection and Handling, “Chain of Custody”, Forensics Investigation and Documentation, Data Retention and Destruction, Non-Disclosure Agreements.
Locating and identifying incidents and how they successfully attacked your environment is probably the most difficult part in Incident Response if you don’t have the proper security architecture, baselines, and processes.
After successfully identifying an incident it has to be contained. There is no standard response so caution is encouraged. Your post outlining that the actions to minimize damage, ensure continuity, and prevent further attacks, fits into this step.
Do not blindly shut down servers or services. Partial or full containment by blocking offending attack signatures, E-mail or Web content through applicable filtering may be possible. Often you may never be able to fully remove the threat, but bring it to an acceptable level of tolerance.
Eradication is where the IRT works with the appropriate network, systems, or applications personnel to address the incident. Evidence is gathered while correcting the problem ensuring that artifacts found within systems affected are removed. This could be patch updates, restoring file systems, adding network filters, removing inappropriate software, or rebuilding the system.
Recovery is a prioritized and phased approach often coordinated with eradication. In some cases you may have to deploy a new technology or a service. In other cases it can be actions like coordinating patch updates to operating systems or applications.
References
Holland, K., & Khiabani, H. (2014, April 1). Incident Response Exercise Planning Be Ready – Be Prepared. Retrieved August 6, 2015, from http://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565
