Running Head: THE INCIDENT RESPONSE PLAN 1

The Incident Response Plan

Name

Professor

Date

The Incident Response Plan

Introduction

Information technology infrastructure security incident response is increasingly becoming an integral component of IT programs in general. Cybersecurity attacks have grown in both sophistication and diversity, making them more disruptive and damaging. New forms of security challenges keep emerging, forcing system custodians to remain ever on the lookout. It is generally agreed that preventive activities formulated upon risk assessment results can lower the occurrence of incidents, limit the impact of losses and destruction, reinforce the weak points that attackers exploited and, most importantly, restore services. In regard to the above observation, this plan is a continuously maintained publication developed not only to provide a mechanism for addressing unauthorized movement detected across the host's intrusion detection system, but also to provide guidelines on handling incidents and determining responses to every incident that may occur, whether similar to past ones or totally different.

The exercise at hand is divided into two major sections. The first section provides a detailed analysis of the environmental conditions as well as the mechanisms used to coordinate the process, while the second section focuses on the various processes of active response. The first part covers issues such as the roles and responsibilities within the environmental conditions, the incident response phases, and a scenario detailing an incident response plan for distributed denial-of-service (DDoS) attacks, particularly touching on communication loss. Others include activities, authorities relating to roles and responsibilities, action trigger conditions, closure trigger conditions, reports and products spanning the incident response activity, and techniques, tools and technologies.

Environmental Conditions

Roles and Responsibilities of Incident Response Team Members

Response to IT-related incidents commences by first evaluating the environment in which they occur. The response team, in this case, must have the roles and responsibilities of each and every member clearly cut out. NIST's publication 800-64 proposed an ideal composition of an Incident Response Team (IRT), which includes a manager, a technical lead and the rest of the members. The PCI DSS made it mandatory to assign personnel or a team different tasks such as the establishment, documentation and distribution of security incident response and escalation procedures as necessity dictates (Cichonski, Millar, Grance, & Scarfone, 2013). Normally, the team is mandated to monitor and analyze security alerts as well as access to data. The PCI DSS equally requires the IRP to include documentation detailing roles and responsibilities, as shown in the table.

Role            Tasks                                              Skills

Manager         - In charge of the entire IRP process in terms    - Demonstrates resilience in
                  of coordination and direction                     situations deemed stressful
                - Communicates with management
                - Secures the right personnel to take part in
                  the IRP
                - Oversees the entire process if outsourced

Technical Lead  - Takes charge of the technical needs of the      - Better knowledge of cyber
                  process                                           threats and incident response
                - Reports to the team manager for regular           procedures
                  updates                                         - Fine knowledge of internal IT
                                                                    structures

Team Members    - Carry out the incident response as envisaged    - Demonstrate good technical
                - Often deployed to undertake the intrusion         skills regarding administration
                  detection responsibility                          of systems, administration of
                                                                    networks as well as programming,
                                                                    intrusion detection and technical
                                                                    support

Phases of Incident Response

Preparation in advance is always important as it provides a head start in tackling a problem. In dealing with cybersecurity incidents, having an incident response plan on standby takes priority. NIST's Computer Security Incident Handling Guide (SP 800-61) lists important areas to address, which include preparation, detection and analysis, containment, elimination and recovery, and post-incident activity (Spring, 2019). Preparation here involves issues like prior planning on ways to handle and, where possible, prevent the occurrence of security incidents, while detection and analysis comprise all interventions from close monitoring of potential attack vectors to the identification of signs pointing to a possible incident, for prioritization purposes. Containment, elimination and recovery pertain to mitigation strategies and the identification and management of the hosts and systems compromised by the incident. The recovery plan is also documented in this section. Finally, the post-incident activity reviews lessons learnt and develops a plan for retaining the evidence.

Scenario: Incident Response Plan for Distributed Denial-of-service (DDoS) Attacks

Definition of DDoS

A distributed denial-of-service (DDoS) attack can be explained as an attempt to interfere with the usual traffic flow of a network, a specific server or a particular service. The attack is usually carried out by jamming the targeted server or network, or sometimes the infrastructure surrounding it, with a flood of internet traffic. These attacks utilize numerous compromised computer systems, thereby converting them into effective agents of the attack. On the other side, machines or input/output devices in the network become exploited and fail to discharge normal services. To simplify the concept, a DDoS attack resembles a traffic jam clogging a highway roundabout, preventing normal traffic and eventually blocking cars from reaching their destinations.

Mechanisms of the DDoS Attack

The attacker finds a way of taking control of online machines in a network. To do this, the attacker infects the computers and other targeted devices in the network with malware, converting each of them into a bot. The attacker thereby gains remote control over the mass of bots, usually referred to as a botnet, and can then direct the bots remotely. When the IP address of a target is singled out by a botnet, each bot responds with a series of requests that together overwhelm the capacity of the respective server. In return, the server becomes unavailable for regular services, hence denying service to clients.

Scenario

An international online gaming company that outsourced its DDoS protection to another reputable company assumed all was well and therefore relaxed its internal effort to stay safe. One Saturday morning, the unexpected happened. All senior employees of the company were on their weekend off when a series of volumetric attacks took down the company site. The attack left only a handful of senior employees present who were able to escalate incidents to the company providing the DDoS services, and even they were not promptly available. Further complicating the situation, after receiving the incident alerts the DDoS service provider and the internal teams of the victim company dialled different conference lines, causing more delays to the response. The delays meant that mitigation measures could only be executed after a lot of time had been lost. In online gaming, gamers are usually spoilt for alternatives as long as they can get super-fast and unrivalled quality of service. The company ended up losing close to $1 million during the entire period it was unavailable online.

IR to DDoS targeting Communication Loss

As much as the gaming company had all its DDoS needs taken care of by another company, the company itself needed to have equipped its small internal security team with the necessary skills for reporting incidents and managing the response process. This is what caused the delays and contributed hugely to the substantial revenue loss. The correct incident response that the company needed to apply is summarized in the phases below. It is always important to remember that the phases are not linear but a loop.

Preparation

Always believed to be the most important phase of incident response, preparation is the anchor of the whole process. First, the company needed to organize its small internal security team into a formal IRT with a manager, a technical lead and a few team members, and assign them responsibilities. In many organizations, general defence is classified as the responsibility of the company security team, while DDoS responsibilities are assigned to the network team. Breaking down such ambiguities before an incident creates a seamless flow of communication in the event an attack is orchestrated. If the gaming company had worked on this prior to the incident, the delays that took place while attempting to launch the response would never have occurred.

Classification

Classification helps in identifying the type of attack that has been carried out. The response team conducts an assessment aimed at answering questions such as how the incident found its way into the company network or information technology infrastructure, the extent of the impact, and whether the origin of the attack has been discovered.

Trace-back

This is where the team ascertains the source of the attack and its potential effect on the network. Such information helps the team correlate other problems witnessed in the network or the infrastructure and determine their relationship with the attack.

Reaction

With knowledge of the attack source and having classified the attack, the team has to prepare an appropriate mitigation tool. In many cases, there has never been one particular technique or tool that can be applied in all circumstances. As per NIST's Computer Security Incident Handling Guide (SP 800-61), it is always advisable to have a prompt mitigation tool or measure at hand that can create an immediate response (Norton, 2018). For comprehensive intervention, there has to be a way of leveraging automated response capabilities.

Post-Mortem

Finally, having prepared, identified, classified and reacted, the time comes to analyze what ensued. From there, the team and the organization in general are expected to learn something; in the case of the gaming company in the scenario, the company learnt that speed in incident response matters a lot. This is also the point to note what can be done better next time to avoid a recurrence of such problems. A post-mortem is basically a re-examination of everything that took place.

Events and Processes on the Active Response Plan

Incident Response Checklist

There are a number of steps that are usually performed while handling a security incident. Even though the actual steps depend on the specific type of attack as well as the individual incident, the NIST Computer Security Incident Handling Guide issues an incident handling checklist that guides handlers on the key steps that should be performed. The steps are classified as detection and analysis, containment, eradication and recovery, and post-incident activity (Boritz, 2019). The first is determining whether an incident has truly occurred. This action concerns processes such as analyzing precursors and indicators, looking for correlating information, conducting research through the knowledge base and search engines, and initiating investigation documentation once an incident is confirmed. After the determination that an incident has occurred, the handler prioritizes handling of the incident based on factors such as functional impact, possible effects on information, and recovery effort. Detection and analysis are capped by reporting the incident to the relevant internal personnel and, where applicable, to external organizations.

Containment, Eradication and Recovery

This phase marks the acquisition, preservation, securing and documentation of evidence. Thereafter, containing the incident ensues, upon which incident eradication efforts are applied. Under incident eradication, there are steps such as identifying and mitigating all vulnerabilities that the attackers might have exploited, and removing malware, materials deemed inappropriate and other components. In the event that more affected hosts are discovered, the detection and analysis steps are taken again until all hosts are identified, contained and eradicated. Finally, under containment, eradication and recovery is the process of recovering from the incident. This entails returning affected systems to states in which they are ready to operate. Also within recovery is confirmation that the affected systems are functioning normally and, if necessary, the implementation of extra monitoring to look out for future related activity.

Post-Incident Activity

After successfully carrying out detection and analysis, containment, eradication and recovery, the last guideline is post-incident activity, also referred to as the post-mortem, which involves the creation of a follow-up report and the convening of meetings to evaluate the whole process from beginning to end and, more importantly, to talk of lessons learned.

Data Protection Mechanisms

CISSP Security Management and Practices provides four main mechanisms of data protection: abstraction, layering, encryption and data hiding. Abstraction is a common term used in object-oriented design, where data is organized into objects. The objects themselves further possess class definitions that describe methods and data. The objects then allow the data within them to be managed as an entire class, thereby creating a web of security layers around the data. Encryption of data involves the use of algorithms to convert data into codes that can only be understood after decoding. Data encryption is usually applied when data is being transmitted or in storage. It is the more widely used method of the two. The other two mechanisms, data hiding and layering, are more concepts of abstraction save for small differences.

Integrity Controls

System integrity controls such as Integrity Checking and Recovery (ICAR) function to protect system data from modifications that may take place amidst the recovery process. These controls protect the integrity of the file system by automatically restoring files that are modified: cryptographic hashes of the files are generated and verified, and security constraints are configured accordingly.
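The verify-and-restore behaviour described above can be shown with a small script. The following is an added example written for this page, not the ICAR product or any code from the paper: it builds a SHA-256 baseline of a directory, detects modified, missing and unexpected files, and restores the modified or missing ones from a known-good copy only when that copy still matches the baseline. The directory names, file names and the tampering in `demo()` are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Cryptographic hash of one file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_baseline(root: Path, baseline_file: Path) -> dict:
    """Generate the hash baseline for root and persist it for later verification."""
    baseline = hash_tree(root)
    baseline_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline and report every deviation."""
    current = hash_tree(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        # Files never in the baseline are reported, not deleted: they may be
        # attacker artefacts that the IR team wants preserved as evidence.
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def restore(root: Path, golden: Path, baseline: dict, findings: dict) -> list:
    """Restore modified or missing files from the known-good copy.

    A golden file is trusted only if its own hash still matches the baseline,
    so a tampered backup cannot be used to 'restore' a bad file.
    """
    restored = []
    for rel in findings["modified"] + findings["missing"]:
        src = golden / rel
        if src.is_file() and sha256_file(src) == baseline[rel]:
            dst = root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            restored.append(rel)
    return restored


def demo() -> dict:
    """Constructed scenario (hypothetical paths and contents): baseline a config
    tree, tamper with it mid-recovery, then verify and restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, golden, baseline_file = tmp / "live", tmp / "golden", tmp / "baseline.json"
        for d in (live, golden):
            (d / "etc").mkdir(parents=True)
            (d / "etc" / "ids.conf").write_text("alert_threshold = 500\n")
            (d / "etc" / "hosts.allow").write_text("10.0.0.0/8\n")
        baseline = build_baseline(live, baseline_file)

        # Simulated tampering: one file altered, one deleted, one dropped in.
        (live / "etc" / "ids.conf").write_text("alert_threshold = 999999\n")
        (live / "etc" / "hosts.allow").unlink()
        (live / "etc" / "dropper.bin").write_bytes(b"\x00\x01")

        findings = verify(live, baseline)
        restored = restore(live, golden, baseline, findings)
        return {"findings": findings, "restored": restored, "after": verify(live, baseline)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices matter for a recovery control: the golden copy is itself checked against the baseline before anything is copied from it, and files that were never in the baseline are only reported, so the analyst decides whether they are evidence to preserve or debris to remove.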

Network Behavior and a Threat Bulletin Investigation Plan

Network behaviour is usually monitored using automated systems. These systems monitor traffic flow and occasionally generate alerts depending on the activity that triggered them. In the event that the network exhibits anomalous behaviour, the Intrusion Detection System (IDS) issues alerts that either indicate the presence of malicious activity or trigger a host of further processing such as scanning, recording and many more (Ab Rahman & Choo, 2015). Once detected, an alert pointing to malicious activity in the network is sent to the relevant security reporting unit, where incident response procedures are effected to not only investigate but also escalate the incidents confirmed by the IDS.
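To make the alert path concrete, here is an added example (not from the paper or any IDS product) of the kind of volumetric anomaly check an automated monitor performs: it parses constructed per-second flow summaries, learns a packets-per-second baseline for each destination service from a window of known-normal traffic, and raises an alert when the live rate exceeds a multiple of that baseline, classifying the alert as a distributed flood when the traffic comes from many sources. The record format, IP addresses, thresholds and the `Alert` type are all assumptions made for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One per-second flow summary: 'epoch_second src_ip dst_ip dst_port packets'."""
    second: int
    src: str
    dst: str
    dport: int
    packets: int


@dataclass(frozen=True)
class Alert:
    second: int
    dst: str
    dport: int
    pps: int          # packets per second observed towards dst:dport
    sources: int      # distinct source addresses in that second
    kind: str         # "distributed-flood" or "single-source-flood"


def parse_flows(text: str) -> list[Flow]:
    """Parse the assumed whitespace-separated flow format; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sec, src, dst, dport, pkts = line.split()
        flows.append(Flow(int(sec), src, dst, int(dport), int(pkts)))
    return flows


def per_second_stats(flows: list[Flow]):
    """Total packets and distinct sources per (second, dst, dport)."""
    pkts: dict = defaultdict(int)
    srcs: dict = defaultdict(set)
    for f in flows:
        key = (f.second, f.dst, f.dport)
        pkts[key] += f.packets
        srcs[key].add(f.src)
    return pkts, srcs


def learn_baseline(normal_flows: list[Flow]) -> dict:
    """Mean packets per second per (dst, dport) over a window known to be normal."""
    pkts, _ = per_second_stats(normal_flows)
    samples: dict = defaultdict(list)
    for (_, dst, dport), n in pkts.items():
        samples[(dst, dport)].append(n)
    return {svc: sum(v) / len(v) for svc, v in samples.items()}


def detect(flows: list[Flow], baseline: dict, factor: float = 10.0,
           min_sources: int = 20, floor: int = 1000) -> list[Alert]:
    """Alert when a second's rate exceeds factor x baseline. The absolute floor
    stops a service with no baseline from alerting on every packet."""
    pkts, srcs = per_second_stats(flows)
    alerts = []
    for key in sorted(pkts):
        sec, dst, dport = key
        threshold = max(floor, factor * baseline.get((dst, dport), 0.0))
        if pkts[key] <= threshold:
            continue
        n_src = len(srcs[key])
        kind = "distributed-flood" if n_src >= min_sources else "single-source-flood"
        alerts.append(Alert(sec, dst, dport, pkts[key], n_src, kind))
    return alerts


def constructed_flows() -> tuple[str, str]:
    """Constructed sample data (not captured traffic): a normal window and a live window."""
    normal = [f"{1700000000 + s} 198.51.100.{10 + i} 203.0.113.5 443 40"
              for s in range(10) for i in range(3)]                 # 120 pps
    live = [f"{1700000010 + s} 198.51.100.{10 + i} 203.0.113.5 443 40"
            for s in range(10) for i in range(3)]
    # Three seconds in which 50 additional sources each send 400 packets.
    live += [f"{1700000013 + s} 192.0.2.{b} 203.0.113.5 443 400"
             for s in range(3) for b in range(1, 51)]
    # One second in which a single host sends 5,000 packets.
    live.append("1700000018 198.51.100.200 203.0.113.5 443 5000")
    return "\n".join(normal), "\n".join(live)


def run() -> list[Alert]:
    normal_text, live_text = constructed_flows()
    baseline = learn_baseline(parse_flows(normal_text))
    return detect(parse_flows(live_text), baseline)


if __name__ == "__main__":
    for a in run():
        print(f"{a.second} {a.dst}:{a.dport} {a.pps} pps from {a.sources} sources -> {a.kind}")
```

The `Alert` records are what would be handed to the reporting unit; distinguishing a many-source flood from a single noisy host matters because the two are escalated differently (the former to the DDoS provider or network team, the latter usually as a host investigation).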

Incident Response Plan Necessary to Contain a Cyber Incident on the International Domain

In addition to the incident response mechanism discussed in this paper, the international community has found various ways to deal with the menace, especially considering that attackers have become more sophisticated than in past years. These aspects include speedy reporting of incidents, mandatory escalation, and utilizing highly trained experts to handle issues effectively (Lewis, 2017). Also, one of the most vital tools in containing incidents at the international scene has been the sharing of data between countries.

Diagrams of swim lanes of authorities, activities and process flows, coordination and communication paths

(Flowchart rendered as text.)

1. A staff member detects an incident and calls the IT-Desk to report it.
2. Is the IT Support open?
   YES: The Support Desk receives the call and, after realizing it is a major incident, routes it to the Incident Manager. The Incident Manager asks for the specific services that are affected.
   NO: The staff member leaves an emergency voice message copied to the IT-Desk and the Incident Manager. The Incident Manager receives the voice message after an hour.
3. The Incident Manager uses a priority matrix to set priorities.
4. Is the incident a DDoS?
   YES: The IR Team runs the Incident Management process. The Incident Manager updates the Incident Tech Web and declares the situation resolved.
   NO: The Incident Manager convenes a meeting of the IR Team and instructs the Lead-Technical to investigate the incident. The Lead-Technical turns in the report. Issue resolved.

References

Ab Rahman, N. H., & Choo, K. K. R. (2015). A survey of information security incident handling in the cloud. Computers & Security, 49, 45-69.

Boritz, J. E. (2019). A Framework for Information Integrity Controls.

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2013). Computer security incident handling guide. International Journal of Computer Research, 20(4), 459.

Lewis, B. (2017). NIST Offers Free Software to Help Agencies Test Computer Forensics Tools.

Norton, T. (2018). Primary Law Enforcement Mistakes during Initial Critical Incident Response and Timeline of These Events: Anatomy of the First 60. California State University, Long Beach.

Spring, J. M. (2019). Human decision-making in computer security incident response (Doctoral dissertation, UCL (University College London)).