The (formerly) Unsung Incident Response Plan

Edwin Covert
4 min readJul 29, 2023

--

planning is key to incident response
Photo by Christina Morillo: https://www.pexels.com/photo/woman-in-black-coat-1181346/

The practitioner, the government, industry, and even the public recognize there is a significant problem in how we protect the information residing in our networks and infrastructures. We read about it every day in our Twitter/X feeds or in news events. Bisson (2015), Zorz (2015), and Raywood (2015) provide examples from just several weeks. This does not even take into account the data breach at the US Office of Personnel Management (Riley, 2015). After all, there are only two types of organizations: those who have been hacked and those who do not know it yet (Perlroth, 2014). In addressing this problem, we tend to buy things. Where we run into problems is in what we buy. In the defensive cyber operations world, we are focusing on tools that are shiny and new at the expense of properly tested and updated response plans and procedures.

Defensive cyber operations is both the passive and active actions we take to uphold and protect our network, infrastructure, system data capabilities (US Department of Defense, 2013). We execute defensive cyber operations as a response to an “attack, exploitation, intrusion, or effects of malware” (pp. II-2) on our networks or in general defense of our own part of cyberspace. This definition includes both the technical and non-technical aspects of cybersecurity.

In the technical arena, there are tools for every job. We employ firewalls for both perimeter and internal boundary protection. We use intrusion protection systems to detect and respond to events. We have access control lists to determine if we should allow someone on a particular part of the infrastructure. We correlate logs from across our enterprises with incident and event management tools. We can even automate our entire technical response with playbook systems (CSGI, 2015). Each of these elements plays a vital role in identifying, containing, and eradicating threats from our networks (Kral, 2011). And a simply walk around any cybersecurity conference shows that we are not in any danger of not having enough tools.

What this technology cannot help with are the other steps Kral (2011) outlines: preparation, recovery, and learning the lessons. Preparing for the eventual attack or data breach Perlroth (2014) postulates is by far and away the single most important step an organization can take as part of its defensive cyber operations. Being proactive is key and proactive cybersecurity requires the development and maintenance of an incident response plan. Such a plan involves ensuring the organization can effectively respond to events and incidents when they occur (Frasier, 1997). Frasier (1997) notes five distinct reasons preparing for an incident is important:

  • “Protecting the assets which could be compromised
  • Protecting resources which could be utilized more profitably if an incident did not require their services
  • Complying with (government or other) regulations
  • Preventing the use of your systems in attacks against other systems (which could cause you to incur legal liability)
  • Minimizing the potential for negative exposure” (p. 40)

Such a plan also allows organizations to transfer knowledge efficiently as personnel change in the organization over time.

Creating a plan means organizations need to review current response procedures to ensure they accurately reflect the threat environment they occupy and then update those procedures as needed. Plans should have triage processes for incidents, strategic partnership information, and long term handling procedures, among other items. It should accurately describe what services the organization provides as well as how it performs them (West-Brown, et al., 2003). The plan needs to include how the organization will communicate internally and externally with stakeholders and the public. It needs to document what are the organizations priorities and then set response limits for those priorities (Frasier, 1997). Organizations need to repeat this process at regular intervals. The plan cannot simply be static and gather dust; it requires upkeep. The incident response plan should change as requirements and environments change.

In today’s cybersecurity world, shiny and new gets the attention; it does not matter if we are talking about new toolsets in the operations center or new attacks. However, the incident response plan is a critical part of your organization’s ability to conduct defense cyber operations and protect its network and data.

References

Bisson, D. (2015, May 20). Data breach hits Telstra’s Pacnet, exposes customer data. Retrieved from Tripwire: http://www.tripwire.com/state-of-security/latest-security-news/data-breach-hits-telstras-pacnet-exposes-customer-data/

CSGI. (2015). Invotas Security Orchestrator. Retrieved from csg Invotas: http://invotas.csgi.com/invotas-security-orchestrator

Frasier, B. (1997). Site security handbook. Internet Engineering Task Force. Retrieved from http://www.ietf.org/rfc/rfc2196.txt

Kral, P. (2011). The incident handlers handbook. Bethesda: SANS Insitute.

Perlroth, N. (2014, December 9). Hacked vs. hackers: game on. Retrieved from New York Times: http://bits.blogs.nytimes.com/2014/12/02/hacked-vs-hackers-game-on/

Raywood, D. (2015, May 25). 20% of IT professionals have witnessed a security breach cover-up. Retrieved from IT Security Guru: http://www.itsecurityguru.org/2015/05/21/20-of-it-professionals-have-witnessed-a-security-breach-cover-up/

Riley, M. A. (2015, June 5). China hackers got past costly U.S. computer security with ease. Retrieved from Bloomberg Business: http://www.bloomberg.com/news/articles/2015-06-06/china-hackers-got-past-costly-u-s-computer-security-with-ease

US Department of Defense. (2013). Joint Publication 3–12 Cyberspace operations. Washington, DC: US Government. Retrieved from http://www.dtic.mil/doctrine/new_pubs/jp3_12R.pdf

West-Brown, M. J., Stikvoort, D., Kossakowski, K.-P., Kilcrece, G., Ruefle, R., & Zajicek, M. (2003). Handbook of computer security incident response teams (CSIRTs). Pittsburgh: Carnegie Mellon University Software Engineering Institute.

Zorz, Z. (2015, May 19). Trojanized, info-stealing PuTTY version lurking online. Retrieved from Help Net Security: http://www.net-security.org/malware_news.php?id=304

--

--

Edwin Covert

Cybersecurity, guitar, jazz, bourbon, rye, enterprise security architecture, current trophy husband. CISSP-ISSAP, CISM, CRISC, SCF, PMP at www.edwincovert.com