We just published my whitepaper about First Steps, Preparation Plans, and Process Models for Incident Handling, which I wrote to pass the time between Christmas and New Year. The whitepaper sums up information that I consider useful for preparing for IT security incidents, drawn from the incidents we supported over the past year.
Have you, for example, thought about the classes of incidents most likely to affect you and formulated Incident Handling Preparation Plans for them?
Such plans are a useful way to have specific procedures and guidelines in place before an incident occurs. For each type of incident considered, and for each kind of affected asset, a preparation plan containing the following information should be filled out:
- Assets
  - Asset Details: asset description, IP addresses, …
  - Asset Point of contact
- Communication
  - Internal point of contact for external communication
  - Relevant external communication channels: press, suppliers, providers, customers
- Legal
  - Internal point of contact for legal issues
  - External point of contact for justice/prosecution
  - Known legal obligations for this type of incident, for example if confidential or personal data is affected
- Containment steps
  - Describe step by step what should be done to contain this particular type of incident (the whitepaper describes such first steps in detail).
- Analysis/Solution steps
  - Describe step by step what should be done to resolve this particular type of incident (more details are provided in the whitepaper); a rough outline is:
    - Patch Requisition
    - Imaging
    - Preliminary Rollback
    - Incident Analysis
    - Mitigation
It is very important not to do this work only once, but to keep all the information documented in the preparation plans up to date, since contacts, addresses and legal obligations change over time, and ideally to perform test exercises and incident simulations on a regular basis. This of course implies a lot of work, but it is a great add-on to every incident preparation line-up.
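One way to keep the template above and the "keep it up to date" requirement honest is to store each preparation plan as structured data and run a small check over it: every section and field of the template must be filled, the analysis/solution steps must cover every stage of the outline, and the plan must have been reviewed recently. The script below is an added example and is not code from the whitepaper or from this post; SAMPLE_PLAN is constructed sample data (documentation IP range, made-up contacts, and deliberately missing entries), and the 180-day review interval is an assumption.

```python
"""Completeness and freshness check for an incident handling preparation plan.

Added example, not code from the whitepaper or the original post. It encodes
the plan template as required fields and reports plans that are incomplete or
have not been reviewed recently. SAMPLE_PLAN is constructed sample data; the
180-day review interval is an assumption.
"""
from datetime import date, timedelta

# Required fields per section, mirroring the template in the post.
REQUIRED_FIELDS = {
    "assets": ["details", "point_of_contact"],
    "communication": ["internal_contact", "external_channels"],
    "legal": ["internal_contact", "external_contact", "obligations"],
    "containment": ["steps"],
    "analysis": ["steps"],
}

# Stages the analysis/solution steps are expected to cover, in outline order.
ANALYSIS_STAGES = ["patch_requisition", "imaging", "preliminary_rollback",
                   "incident_analysis", "mitigation"]

REVIEW_INTERVAL = timedelta(days=180)  # assumed review cadence, not from the post


def check_plan(plan, today, interval=REVIEW_INTERVAL):
    """Return a list of findings; an empty list means the plan is complete and current.

    `today` and plan["last_reviewed"] are ISO date strings such as "2016-12-27".
    """
    findings = []
    # 1. Every section of the template must exist and every field must be filled.
    for name, fields in REQUIRED_FIELDS.items():
        section = plan.get(name)
        if section is None:
            findings.append(f"section missing: {name}")
            continue
        for field in fields:
            if not section.get(field):
                findings.append(f"{name}.{field} is empty")
    # 2. The analysis/solution steps must cover each stage of the outline.
    steps = (plan.get("analysis") or {}).get("steps") or []
    covered = {step.get("stage") for step in steps}
    for stage in ANALYSIS_STAGES:
        if stage not in covered:
            findings.append(f"analysis.steps lacks stage: {stage}")
    # 3. The plan must have been reviewed within the interval.
    reviewed = plan.get("last_reviewed")
    if not reviewed:
        findings.append("last_reviewed is missing")
    elif date.fromisoformat(today) - date.fromisoformat(reviewed) > interval:
        findings.append(f"plan is stale: last reviewed {reviewed}")
    return findings


# Constructed sample plan for a compromised public web server. Two entries are
# left out on purpose and the review date is old, so the check reports them.
SAMPLE_PLAN = {
    "incident_type": "web server compromise",
    "last_reviewed": "2016-01-04",
    "assets": {
        "details": "Public web server www, 192.0.2.10 (documentation address)",
        "point_of_contact": "web-ops@example.com",
    },
    "communication": {
        "internal_contact": "press-office@example.com",
        "external_channels": ["hosting provider", "customers"],
    },
    "legal": {
        "internal_contact": "legal@example.com",
        "external_contact": "",  # deliberately empty: will be flagged
        "obligations": ["notify affected customers if personal data is exposed"],
    },
    "containment": {
        "steps": ["isolate the host at the firewall", "preserve volatile data"],
    },
    "analysis": {
        "steps": [  # preliminary_rollback deliberately omitted: will be flagged
            {"stage": "patch_requisition", "action": "request vendor patch"},
            {"stage": "imaging", "action": "take a forensic image of the disk"},
            {"stage": "incident_analysis", "action": "examine logs and the image"},
            {"stage": "mitigation", "action": "rebuild the host from a clean image"},
        ],
    },
}

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN, "2016-12-27"):
        print(finding)
```

Run against the sample plan, the check reports the empty legal contact, the missing rollback stage and the stale review date; running it on a schedule (or in the CI of the repository that holds the plans) turns the "keep it up to date" advice into something that fails loudly instead of silently rotting.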
If you are interested in incident analysis, you are also welcome to join my applied two-day incident analysis and forensic computing workshop at TR17.
Cheers,
Andreas