INCIDENT RESPONSE PLAN
Introduction
integral component of IT programs in general. Cybersecurity attacks have grown in both sophistication and diversity, making them more disruptive and damaging, and new forms of security challenge keep emerging, forcing system custodians to remain permanently on the lookout. Preventive activities built on risk assessment results are believed to lower the occurrence of incidents, limit the resulting loss and damage, reinforce the weak points that attackers exploited and, most importantly, restore services. In light of this, this plan is a
unauthorized movement across the intrusion detection system of the host nation, but also every incident that could occur in a similar or an entirely different fashion.
The exercise at hand is divided into two major sections. The first provides a detailed analysis of the environmental conditions and of the mechanisms used to coordinate the process, while the second focuses on the processes of active response. The first part covers issues such as the roles and responsibilities under the environmental conditions, the incident response phases, and scenarios detailing the incident response plan in cases such as
Others include activities, the authorities attached to roles and responsibilities, action trigger conditions, closure trigger conditions, and the reports and products produced over the course of the incident.
Environmental Conditions
The response team must have roles and responsibilities cut out for each and every member. NIST's Computer Security Incident Handling Guide (SP 800-61) proposes an ideal composition for an Incident Response Team (IRT): a manager, a technical lead and the remaining members. PCI DSS makes it mandatory to assign personnel or a team to establish, document and distribute security incident response and escalation procedures as necessity dictates (Cichonski, Millar, Grance, & Scarfone, 2013). Normally, the team is mandated to monitor and analyze security alerts as well as access to data. PCI DSS equally requires the IRP to include documentation detailing roles
Role             Responsibilities                                      Required skills
Manager          Directing [...]; communicating with management;       [...]
                 [...] outsourced.
Technical Lead   Takes charge of the technical response procedures     Better knowledge of networks as well as
                                                                       programming, intrusion [...] support
problem. In dealing with cybersecurity incidents, an incident response plan kept on standby takes priority. NIST's Computer Security Incident Handling Guide (SP 800-61) lists the important areas to address: preparation, detection and analysis, containment, eradication and recovery, and post-incident activity (Spring, 2019). Preparation involves prior planning on how to handle, and where possible prevent, security incidents. Detection and analysis comprises all interventions from close monitoring of potential attack vectors to the identification of signs that an incident may be occurring, so that incidents can be prioritized. Containment, eradication and recovery covers the mitigation strategies and the identification and management of the hosts and systems compromised by the incident; the recovery plan is also documented in this section. Finally, post-incident activity reviews the lessons learned and develops a plan for
Definition of DDoS
A distributed denial-of-service (DDoS) attack is an attempt to disrupt the usual traffic flow of a network, a specific server or a particular service. The attack is usually carried out by flooding the targeted server or network, or the infrastructure around it, with a large volume of internet traffic. These attacks use numerous compromised computer systems as the agents of the attack; the machines or input/output devices on the network are exploited and fail to deliver their normal services. To simplify the concept, a DDoS resembles a traffic jam clogging a highway roundabout, blocking normal traffic and eventually preventing cars from
The attacker takes control of online machines in a network by infecting computers and other targeted devices with malware, converting each of them into a bot. The attacker thus gains remote control over a mass of bots, usually referred to as a botnet, and can direct the bots remotely. When the botnet is pointed at a target's IP address, the result is a series of requests that overwhelms the capacity of the server; the server becomes unavailable for regular service, denying service to legitimate clients.
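The detection side of the mechanics just described, as an added example that is not part of the original plan: it buckets constructed web-server access-log lines per second, flags any second whose request rate exceeds a multiple of a learned baseline, and separates a flood spread over many sources (the botnet case) from one concentrated on a single host, because the two call for different first reactions. The log format, the sample traffic, the baseline of 5 requests per second and both thresholds are assumptions chosen for illustration.

```python
"""Volumetric flood detection over constructed web-server access logs.

Added example, not code from the original plan. The log format, the
sample traffic, the baseline rate and the thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime


def build_sample_log():
    """Constructed sample: one quiet second, one second flooded from 300
    distinct sources (a botnet) and one second flooded from a single host."""
    lines = [
        "2024-03-02T09:00:00 10.0.0.5 GET /play 200",
        "2024-03-02T09:00:00 10.0.0.7 GET /lobby 200",
        "2024-03-02T09:00:00 10.0.0.5 GET /api/match 200",
    ]
    for i in range(600):  # 600 requests spread over 300 bots, two each
        bot = i % 300
        src = f"203.0.{113 + bot // 250}.{bot % 250 + 1}"
        lines.append(f"2024-03-02T09:00:01 {src} GET / 503")
    for _ in range(600):  # 600 requests from one host
        lines.append("2024-03-02T09:00:02 192.0.2.9 GET / 503")
    return lines


def parse_line(line):
    """Split 'timestamp src method path status' into typed fields."""
    ts, src, method, path, status = line.split()
    return datetime.fromisoformat(ts), src, method, path, int(status)


def detect_floods(lines, baseline_rps=5.0, spike_factor=20, min_sources=100):
    """Bucket requests per second and flag any second whose request rate is
    more than spike_factor times the baseline. A spike spread across at
    least min_sources distinct sources is classed 'ddos'; one concentrated
    on a few sources is classed 'dos'. The distinction matters for the
    reaction phase: per-IP blocking works for 'dos' but not for a botnet."""
    per_second = defaultdict(Counter)
    for line in lines:
        ts, src, _method, _path, _status = parse_line(line)
        per_second[ts.replace(microsecond=0)][src] += 1

    findings = []
    for second in sorted(per_second):
        sources = per_second[second]
        rps = sum(sources.values())
        if rps <= spike_factor * baseline_rps:
            continue
        kind = "ddos" if len(sources) >= min_sources else "dos"
        findings.append({
            "second": second.isoformat(),
            "rps": rps,
            "distinct_sources": len(sources),
            "kind": kind,
            "top_talkers": sources.most_common(3),
        })
    return findings


def recommend_action(finding):
    """Map a finding to the first mitigation step the on-call handler takes.
    For a botnet the step is escalation to the upstream scrubbing provider,
    the hand-off that the gaming scenario shows being delayed."""
    if finding["kind"] == "dos":
        ips = ", ".join(ip for ip, _count in finding["top_talkers"])
        return f"block at edge: {ips}"
    return "escalate to upstream scrubbing provider; enable rate limiting"


if __name__ == "__main__":
    for f in detect_floods(build_sample_log()):
        print(f["second"], f["kind"], f["rps"], f["distinct_sources"],
              recommend_action(f))
```

The baseline here is a fixed number; in practice it is learned from a quiet window of the same service, and the distinct-source count needs to be read against the proxy layer, since a CDN or load balancer in front of the server collapses many clients into a few source addresses unless the forwarded-for header is used.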
Scenario
An international online gaming company that had outsourced its DDoS protection to another reputable company assumed all was well and relaxed its internal effort to stay safe. One Saturday morning the unexpected happened. All senior employees were on their weekend off when a series of volumetric attacks took down the company site. The attack left only a handful of senior employees available to escalate the incident to the company providing the DDoS service, and even they were not promptly available. Complicating the situation further, after receiving the incident alerts the DDoS service provider and the internal teams of the victim company dialled different conference lines, delaying the response even more. The delays meant that mitigation measures could only be executed after a lot of time had been lost. In online gaming, gamers are spoilt for alternatives as long as they can get super-fast, unrivalled quality of service. The company ended up losing close to $1 million during the entire period they
As much as the gaming company had all its DDoS needs taken care of by another company, it still needed to equip its small internal security team with the necessary skills for reporting incidents and managing the response process. This is what caused the delays and contributed hugely to the substantial revenue loss. The correct incident response that the company needed to apply is summarized in the phases below. It is always important to
Preparation
Always regarded as the most important phase of incident response, preparation is the anchor of the whole process. First, the company needed to organize its small internal security team into a formal IRT with a manager, a technical lead and a few team members, and assign them responsibilities. In many organizations general defence is classified as the responsibility of the company security team, while DDoS responsibilities are assigned to the network team. Resolving such ambiguities before an incident creates a seamless flow of communication once an attack has been launched. If the gaming company had worked on this prior to the incident, the delays that took place while attempting to
Classification
Classification helps identify the type of attack that has been carried out. The response team conducts an assessment aimed at answering questions such as how the incident found its way into the company network or IT infrastructure, the extent of the impact, and whether the origin of the attack has been discovered.
Trace-back
This is where the team ascertains the source of the attack and its potential effect on the network. Such information helps the team correlate the attack with other problems witnessed in the network or the
Reaction
Knowing the source of the attack and having classified it, the team has to prepare an appropriate mitigation tool. In many cases there is no single technique or tool that can be applied in all circumstances. As per NIST's Computer Security Incident Handling Guide (SP 800-61), it is always advisable to have a prompt mitigation tool or measure at hand that can produce an immediate response (Norton, 2018).
capabilities.
Post-Mortem
Finally, having prepared, identified, classified and reacted, it is time to analyze what ensued. From there, the team and the organization in general are expected to learn something; in the case of the gaming company in the scenario, the company learnt that speed in incident response matters a lot. This is also the point to note what can be done better next time to avoid a recurrence of such problems. A post-mortem is basically a relook
There are a number of steps that are usually performed while handling a security incident. Even though the actual steps depend on the specific type of attack and the individual incident, the NIST Computer Security Incident Handling Guide provides an incident handling checklist that guides handlers on the key steps to perform. The steps are classified as detection and analysis, containment, eradication and recovery, and post-incident activity (Boritz, 2019). The first is determining whether an incident has truly occurred. This involves analyzing precursors and indicators, looking for correlating information, conducting research through the knowledge base and search
occurrence. Once an incident is determined to have occurred, the handler prioritizes its handling based on factors such as functional impact, the possible effects on information, and the effort required for recovery. Detection and analysis is capped with reporting the
This marks the acquisition, preservation, securing and documentation of evidence. Thereafter the incident is contained, upon which eradication efforts are applied. Eradication includes steps such as identifying and mitigating all vulnerabilities the attackers may have exploited and removing malware, inappropriate materials and other components. If more affected hosts are discovered, the detection and analysis steps are repeated until all hosts are identified, contained and eradicated. Finally, under containment, eradication and recovery comes recovery from the incident. This entails returning affected systems to an operationally ready state, confirming that the affected systems are functioning normally and, if necessary, implementing extra monitoring to look out for future related activity.
Post-Incident Activity
After detection and analysis, containment, eradication and recovery have been carried out, the last guideline is post-incident activity, also referred to as the post-mortem, which involves creating a follow-up report and convening meetings to evaluate the whole process from beginning to end and, more importantly, to discuss the lessons learned.
CISSP Security Management and Practices provides four main mechanisms of data protection: abstraction, layering, encryption and data hiding. Abstraction is a common term in object-oriented design, where data is organized into objects. The objects themselves have class definitions that describe their methods and data, and the data within them is managed at the level of the class, creating a web of security layers around the data. Encryption uses algorithms to convert data into a form that can only be understood after decryption. Encryption is usually applied to data in transit or at rest, and it is the most widely used of the four mechanisms. The other two mechanisms, data hiding and layering, are variations on the concept of abstraction, with small differences.
Integrity Controls
System integrity controls such as Integrity Checking and Recovery (ICAR) functions protect system data from modifications that may take place during the recovery process. These controls protect the integrity of the file system by automatically restoring files that have been modified, using cryptographic hashes of the files to perform verification
Intrusion detection systems monitor traffic flow and generate alerts depending on the activity that triggered them. When the network exhibits anomalous behaviour, the Intrusion Detection System (IDS) issues alerts that either indicate the presence of malicious activity or trigger further processing such as scanning, recording and more (Ab Rahman & Choo, 2015). Once detected, an alert pointing to malicious activity in the network is sent to the relevant security reporting unit, where incident response procedures are effected to not only
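The hash-based integrity control described at the start of this section, as an added example that is not code from the original plan or from any ICAR product: it records SHA-256 hashes of files in a known-good state together with a golden copy, verifies the tree later, and puts the golden copy back for any file that has been modified or deleted, while reporting files that appeared without being in the baseline rather than deleting them. Directory names, the sample files and the tampering scenario are constructed for illustration.

```python
"""Hash-based file integrity checking with automatic restore.

Added example, not code from the original plan. Directory names, the
sample files and the use of SHA-256 are assumptions for illustration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, golden_dir):
    """Hash every file under root and keep a copy of each in golden_dir.
    The baseline and golden_dir must live where the attacker cannot write
    (read-only mount, separate host); otherwise they can be tampered with
    alongside the files they are meant to protect."""
    root, golden_dir = Path(root), Path(golden_dir)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        baseline[rel] = sha256_file(path)
        copy = golden_dir / rel
        copy.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, copy)
    return baseline


def verify_and_restore(root, golden_dir, baseline):
    """Compare the tree against the baseline. Returns {relative_path: status}
    with status 'ok', 'restored-modified' (hash mismatch, golden copy put
    back), 'restored-missing' (file deleted, golden copy put back) or
    'unexpected' (file present that is not in the baseline; left in place
    for the handler to examine rather than silently deleted)."""
    root, golden_dir = Path(root), Path(golden_dir)
    report = {}
    for rel, expected in baseline.items():
        target = root / rel
        if not target.exists():
            report[rel] = "restored-missing"
        elif sha256_file(target) != expected:
            report[rel] = "restored-modified"
        else:
            report[rel] = "ok"
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(golden_dir / rel, target)
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in baseline:
                report[rel] = "unexpected"
    return report


def demo():
    """Constructed scenario: baseline two files, then simulate an attacker
    defacing one, deleting the other and dropping a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root, golden = Path(tmp) / "www", Path(tmp) / "golden"
        (root / "conf").mkdir(parents=True)
        (root / "index.html").write_text("<h1>welcome</h1>")
        (root / "conf" / "app.cfg").write_text("rate_limit=100\n")
        baseline = build_baseline(root, golden)

        (root / "index.html").write_text("<h1>defaced</h1>")
        (root / "conf" / "app.cfg").unlink()
        (root / "dropped.txt").write_text("not in baseline")

        report = verify_and_restore(root, golden, baseline)
        all_match = all(sha256_file(root / rel) == h
                        for rel, h in baseline.items())
        return report, all_match


if __name__ == "__main__":
    print(demo())
```

The restore step only makes sense for files that are supposed to be static (web content, binaries, configuration); running it over directories that legitimately change, such as logs or databases, would undo real work, so the baseline scope has to be chosen per system.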
Domain
The international community has found various ways to deal with the menace, especially considering that attackers have become more sophisticated than in past years. These include speedy reporting of incidents, mandatory escalation and the use of highly trained experts to handle the issue effectively (Lewis, 2017). Also, one of the most vital tools in containing incident occurrence at the international level has been the sharing of data between countries.
Diagrams of swim lanes of authorities, activities and process flows, coordination and communication paths
The swim-lane diagram (lanes: Staff, IT Support Desk, Incident Manager, IR Team, Technical Lead) shows the following flow:
1. Staff detects an incident and calls the IT-Desk to report it.
2. Is the IT Support Desk open?
   YES: the Support Desk receives the call and, on realizing it is a major incident, routes it to the Incident Manager.
   NO: the staff member leaves an emergency voice message, copied to the IT-Desk and the Incident Manager.
3. The Incident Manager asks for the specific services that are affected.
4. Is the incident a DDoS? (YES / NO)
5. The Incident Manager convenes a meeting of the IR Team and instructs the Technical Lead to investigate the incident.
6. The IR Team runs the Incident Management process.
7. The Technical Lead turns in the report.
8. The Incident Manager updates the Incident Tech Web as resolved and declares the situation resolved. Issue resolved.
References
Ab Rahman, N. H., & Choo, K. K. R. (2015). A survey of information security incident handling in the cloud. Computers & Security, 49, 45-69.
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2013). Computer security incident handling guide (NIST Special Publication 800-61, Revision 2). National Institute of Standards and Technology.
Lewis, B. (2017). NIST offers free software to help agencies test computer forensics tools.
Norton, T. (2018). Primary law enforcement mistakes during initial critical incident response and timeline of these events: Anatomy of the first 60. California State University, Long Beach.