Tuesday, January 28, 2014

Are You a "Target"? - Incident Management (part 2)

   I'm calling this part 2, but it's really the third in a series covering the consumer and enterprise sides of incidents and breaches.  This is always an important infosec topic, but the recent, highly publicized issues affecting Target, Neiman Marcus and, as we're told, 3 other organizations to be named later bring it to the forefront.

   Many say that it's not a question of if we will suffer a breach, but when and how we will suffer a breach.  And yet there are organizations that consider this an optional capability.

   Last time we talked about the first two parts of the Incident Management program: Prevention and Planning/Preparation.

   Next is:
Communication. Make sure these groups know their roles:

  • Security, IT, Privacy, Legal, HR, Communications
  • Executive Management and the board so they endorse the process
  • Responders so you know you can reach them
Incident Response.  Many groups make the mistake of including only this aspect of the program in their planning.  But your actual response is the execution of your planning.  As with Business Continuity Planning, you don't practice so that you know exactly what to do in every situation; you practice so that you are able to adapt to the situation at hand.  The four NIST stages of Incident Response are:

  1. Preparation - having available information including: contact information, on-call lists, incident response procedures, a command center, workstations, blank media, clean installation media
  2. Detection & Analysis - the key here is to know your environment, to know when things are working correctly, and to have good situational awareness tools (logging, SIEM, Vulnerability Management, GRC, DLP, IDS/IPS, filtering, anti-malware) so you know when things are not right.  Then, armed with the data these and other tools provide, your team can analyze what does not seem right in the environment.  It is during this phase that your appropriate management team can classify the situation as an Event, Incident or Breach (as we discussed last time).  You may need to bring in expert help for the analysis.  You need, of course, to determine in advance how you will decide to do this and how you will do it.  It is important to document all the measures taken in this phase.
  3. Containment, Eradication & Recovery - based on what you learned through analysis, you must decide how to minimize damage by segregating affected systems, determining if and how to remove the problem, and deciding what measures should be taken for recovery, up to and including invoking your Disaster Recovery or Business Continuity plans.  Again, you may need to bring in expert help for this phase.  It is important to document all the measures taken in this phase.
Post-Incident Activity.
   While NIST considers this the final part of the response phase, I think the post-incident work deserves its own section.  There are two main phases:

  • Communication - this is both internal and external (if needed) communication.  Internally, people need to get an overview of what happened, what they should or should not communicate, and what steps are being taken.  If your issue was high-profile or involved a breach of information for which notification is required, you must provide timely communication.  In the absence of information, rumors develop.  The court of public opinion does not look kindly upon organizations that withhold information or don't accept responsibility for issues.
  • AAR and Lessons Learned - This is one of the most critical parts of the whole cycle.  Events and incidents happen.  Breaches happen.  We need to learn and adapt to get better.  Look at your whole Incident Management cycle.  What worked?  What didn't?  What could you have done better?  Build these aspects into your plan and improve!  The AAR is your After Action Report, which contains the details of the event and response.
   This is just an overview of my thoughts on incident response and the NIST SP800-61 guide. I highly recommend reviewing the guide to see how your program stacks up.  Then... practice!

   What other tips and techniques would you add?  Are there aspects of the plan in the guide that don't work for you?


  1. Barry: good, comprehensive article about preparation. I think where companies trip up is having everyone on the same page - IT collaborating with Marcom. Target might have prepared ahead of time, but their internal and external communication was severely lacking, which caused as much, if not more, damage in the public eye.

    1. Great point Curt. It's quick action through communication that most directly correlates to public perception and reputation. I know that Target is doing what they need to internally, but it's often the timely communication that makes the difference.