فا

‫ Computer Security Incident Handling in Six Phases- Follow Up

IRCAR201106105
Date: 2011-06-28
 
In Follow Up phase, the goal is to learn from the incident. You are searching for lessons that will help you do a better job in the future. Some incidents require considerable time and effort. Stress levels rise and relationships may become strained. Afterwards, the folks who were at the center of the storm tend to want to forget it and get on with their lives. Performing follow-up activity, however, is one of the most valuable activities in responding to incidents. This procedure, only slightly more popular than wisdom tooth removal, is known as "the search for lessons learned". Organizations that follow up soon after problems have been contained find they rapidly improve their incident handling capability. Rapid follow up also helps support efforts to prosecute those who have broken the law.
 
STEP 1: DEVELOP A FOLLOW-UP REPORT
Experience must be captured quickly. A Follow-up report, including lessons learned, is the accepted method of protecting the knowledge so it can be used in the future.
 
Action 1.1: Start as soon as possible.
Folks who wait until weeks after the dust has settled, learn that the human memory, unlike fine wine, does not improve with the passage of time.
 
Action 1.2: Assign the task to the on site team.
In order to make the lessons learned section as positive and effective as possible, most sites require the incident handling team to draft the Lessons Learned Report as an integral part of their handling of the incident. The job's not finished until the paperwork is done.
 
Action 1.3: Include forms from this guide.
The incident report is generally an electronic version of the identification, survey, containment, and eradication forms that are included in this guide. Focus especially on answering the questions on the Lessons Learned form.
 
Action 1.4: Encourage all affected parties to review the draft.
Submit the Lessons Learned, along with the draft incident report, for review by all affected parties.
 
Action 1.5: Attempt to reach consensus.
Gather responses, disagreements, additions, and suggestions from all the interested parties. Encourage them to submit comments electronically, so they will do it quickly. Keep their comments as part of the record.
 
Action 1.6: Conduct a Lessons Learned meeting.
Distribute the comments in advance and plan for a one-hour Lessons Learned meeting. If you surprise people with comments they had not previously reviewed, meetings can take much longer. Focus the meeting on recounting the incident and ratifying any process changes.
 
Action 1.7: Create an Executive Summary.
Summarize the incident, including cost and impacts, for management. Submit the summary to management with a promise that recommended changes will follow.
 
Action 1.8: Send recommended changes to management.
Provide management with a prioritized set of recommended changes from the Lessons Learned process along with cost estimate, high-level schedule, and impact of implementing or not implementing the recommended actions.
 
Action 1.9: Implement approved actions.
Where you get management approval, ensure the changes are made using your organization's tasking system.
 
Incident Follow-Up questions
Below you will find some suggested questions for the Lessons Learned meeting. The primary purpose of the meeting is to improve your incident handling process, not to play politics! In almost every incident some things are done well, some things aren't. People have a tendency to remember the screw-ups. Accentuate the positive.
 
Briefly describe what has transpired and what was done to intervene. Was there sufficient preparation for the incident? What preparation wasn't done that should have been done?
  • Did detection occur promptly or, if not, why not?
  • What additional tools could have helped the detection and eradication process?
  • Was the incident sufficiently contained?
  • Was communication adequate, or could it have been better?
 
We have never been involved in a serious incident where anyone could seriously claim that "communication was great". The phone lines are overtaxed; the onsite team has trouble reaching the command decision team to provide them needed tactical information. As stress goes up, communication degrades. The point of this question is to find ways to improve communication. An organization might not wish to approve three extra phone lines into the facility that will be used by the command decision team. After an incident, (and its lessons learned phase), in which the team was unable to stay in communication with critical parts of the organization, phone lines are often installed without further comment.
 
  • What practical difficulties were encountered?
 
Analyzing the cost of the incident. Work within your chain of command to determine personnel time that was invested in dealing with the incident, including time necessary to restore systems. Convert those hours into monetary cost. The simplest method is to multiply the time spent by the burdened rate, usually about 1.5 times what the organization pays in salary.
 
  • Ask how much the incident disrupted ongoing operations?
  • Were any data irrecoverably lost, and, if so, what was the value of the data?
  • Was any hardware damaged?
 
Generate an executive summary that includes cost and schedule impacts. If possible, post the results of the incident investigation on the incident handling intranet web page.
 
Related Links:
 
References:
Computer Security Incident Handling: An Action Plan for Dealing with Intrusions, Cyber-Theft, and Other Security-Related Events, Version 2.3.1, Stephen Northcutt, SANS Institute, 2003

نظرات

بدون نظر
شما برای نظر دادن باید وارد شوید

نوشته

 
تاریخ ایجاد: 18 مرداد 1393

دسته‌ها

امتیاز

امتیاز شما
تعداد امتیازها: 0