
CO1508 Computer Systems & Security – Week 19 – Incident Response Planning

Summary
You are going to develop an Incident Response Plan (IRP) using the four phases we explored
during the lecture. The IRP will be based on a student registration system. You’ll also learn
about chain of custody and audit trail documents.

Activities

1. Threat Modelling, Again!

In this task, you will build a threat model that is tailored to the following system:

It’s a simple student registration system where Applicants provide their information to the
system and Tutors select students from applicant records to move to Student records (i.e.,
the applicant is accepted as a student).

First, you need to perform a STRIDE threat analysis on this system. A quick reminder: STRIDE is a
failure-oriented threat modelling approach that focuses on six main themes:
1. Spoofing: someone is attempting to gain access using a fake identity.
2. Tampering: unauthorised change to data.

CO1508 Computer Systems and Security, UCLAN – 2019-2020



3. Repudiation: someone is denying having performed a specific action on the system.
4. Information Disclosure: data is exposed to unauthorised users.
5. Denial of Service: the system is down and no longer accessible.
6. Elevation of Privilege: a limited-privilege user tries to gain higher privileges, such as
administrator, to do more in the system.

To help you with the modelling, remember the security objectives you want to achieve for
this system:

1. Confidentiality: Data is only available to those who should access it.
2. Integrity: Resources are only changed in appropriate ways.
3. Availability: System ready when needed and performs acceptably.
4. Authentication & Authorisation: The identity of users is established. Explicitly allow or
deny access to resources.
5. Non-repudiation: Users can’t deny an action they’ve performed.

2. Risk Assessment

After finishing the threat modelling, you need to perform a qualitative risk assessment of
the system by filling in the matrix below (impact across the top, likelihood down the side). If
you don’t remember qualitative risk assessment, please refer to last week’s lab sheet.

Likelihood \ Impact   Insignificant   Minor   Moderate   Major   Catastrophic
Rare
Unlikely
Possible
Likely
Certain

There are no right or wrong answers regarding the risks. You might choose spoofing to be
the high-priority risk you want to address because it’s more likely and has a major impact.
You need to identify at least three risks to the system and prioritise them.
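One way to turn the STRIDE output into a prioritised list is to score each threat on the two axes of the matrix above and rank by the product. The script below is an added example and is not part of the lab sheet; the threats, likelihood and impact ratings, and the High/Medium/Low thresholds are constructed illustrations, not the expected answers.

```python
"""Qualitative risk scoring for a student registration system threat model.

Added example, not from the lab sheet. The threats, their ratings and the
rating thresholds below are constructed for illustration.
"""
from dataclasses import dataclass

# Axes of the 5x5 matrix on the lab sheet, lowest to highest.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Ordinal scores 1..5 for each axis.
LIKELIHOOD_SCORE = {name: i + 1 for i, name in enumerate(LIKELIHOOD)}
IMPACT_SCORE = {name: i + 1 for i, name in enumerate(IMPACT)}


@dataclass
class Risk:
    stride: str        # STRIDE category the threat falls under
    description: str   # what could go wrong in the registration system
    likelihood: str    # one of LIKELIHOOD
    impact: str        # one of IMPACT

    def score(self) -> int:
        """Likelihood x impact, range 1..25."""
        return LIKELIHOOD_SCORE[self.likelihood] * IMPACT_SCORE[self.impact]

    def rating(self) -> str:
        """Constructed banding: >=15 High, >=8 Medium, else Low."""
        s = self.score()
        if s >= 15:
            return "High"
        if s >= 8:
            return "Medium"
        return "Low"


def prioritise(risks):
    """Highest score first; ties broken by impact, then likelihood."""
    return sorted(
        risks,
        key=lambda r: (r.score(), IMPACT_SCORE[r.impact], LIKELIHOOD_SCORE[r.likelihood]),
        reverse=True,
    )


def risk_matrix(risks):
    """Place each risk's STRIDE label in the 5x5 grid keyed by (likelihood, impact)."""
    grid = {(lk, im): [] for lk in LIKELIHOOD for im in IMPACT}
    for r in risks:
        grid[(r.likelihood, r.impact)].append(r.stride)
    return grid


# Constructed sample threats for the applicant/tutor/student system.
SAMPLE_RISKS = [
    Risk("Spoofing", "Attacker logs in with a tutor's credentials", "Likely", "Major"),
    Risk("Tampering", "Applicant edits another applicant's record", "Possible", "Moderate"),
    Risk("Information Disclosure", "Applicant records readable by other applicants", "Unlikely", "Major"),
    Risk("Denial of Service", "Registration site unavailable on deadline day", "Possible", "Catastrophic"),
    Risk("Repudiation", "Tutor denies having accepted a student", "Possible", "Minor"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.score():2d} {r.rating():6} {r.stride}: {r.description}")
```

With these constructed ratings the spoofing threat comes out on top (Likely x Major = 16), which matches the sheet's own example of why spoofing might be the first risk to address; change the ratings and the ranking follows.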


3. IRP Development

Now, you should prepare your IRP through the following phases:

• Preparation. In this phase, you already performed a risk assessment to assess the risks to
the student registration system, ranked them by importance and defined a prioritisation
mechanism. Now, you need a communication plan to specify how incidents should be
reported and to whom.

• Detection & Analysis. You should identify a valid set of indicators to detect an incident.
How would you record the incident? Does it need to be prioritised? Does it have a
devastating impact? Should you deal with it later (e.g., within 24 hours) or immediately?
Once done, you should choose the highest ranked risk and focus your IRP on it.

• Containment, Eradication, and Recovery. Here, you need to determine how to contain
the highest ranked incident and stop it. Based on your analysis, how can you eradicate
the threat (e.g., remove the breached user account from the system)? How can you
recover the system to its normal operation?

• Post-Incident Investigation. In this phase, once the incident is over, you need to have
procedures for taking any digital evidence from the student registration system in a
forensically sound manner. This is important so that any necessary legal action can be
taken in court against the attackers (if any).
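The Detection & Analysis phase asks for a set of indicators and a way of recording and prioritising what they find. The following is an added example, not part of the lab sheet: it runs three indicators (a burst of failed logins, an applicant modifying someone else's record, a non-tutor promoting an applicant to student) over constructed log lines from a hypothetical registration system, and tags each incident with the response window the sheet mentions (immediately, or within 24 hours). The log format, role names and the failed-login threshold are assumptions.

```python
"""Indicator-based incident detection for a student registration system.

Added example, not from the lab sheet. Log format, roles, actions and the
threshold are constructed assumptions for a hypothetical system.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed log lines: "timestamp user role action target outcome".
SAMPLE_LOG = """\
2020-03-02T09:00:01 tutor01 tutor LOGIN - OK
2020-03-02T09:05:12 app1234 applicant LOGIN - FAIL
2020-03-02T09:05:15 app1234 applicant LOGIN - FAIL
2020-03-02T09:05:19 app1234 applicant LOGIN - FAIL
2020-03-02T09:06:00 app1234 applicant LOGIN - OK
2020-03-02T09:08:00 app7777 applicant LOGIN - FAIL
2020-03-02T09:08:04 app7777 applicant LOGIN - FAIL
2020-03-02T09:08:09 app7777 applicant LOGIN - FAIL
2020-03-02T09:10:00 app5678 applicant UPDATE_APPLICANT app1111 OK
2020-03-02T09:12:40 app1234 applicant PROMOTE_TO_STUDENT app1234 OK
2020-03-02T10:00:00 tutor01 tutor PROMOTE_TO_STUDENT app9999 OK
"""

FAILED_LOGIN_THRESHOLD = 3  # constructed threshold for the spoofing indicator


@dataclass
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    target: str
    outcome: str


@dataclass
class Incident:
    stride: str       # STRIDE category the indicator maps to
    indicator: str    # human-readable description for the incident record
    respond: str      # "immediately" or "within 24 hours"
    evidence: list = field(default_factory=list)  # the log events behind it


def parse_log(text: str):
    """Split each line into an Event; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, target, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, role, action, target, outcome))
    return events


def detect(events):
    """Apply the three indicators and return incidents, most urgent first."""
    incidents = []
    logins = defaultdict(list)        # user -> login events (FAIL and OK)
    burst_then_success = set()        # users who logged in after a burst of failures
    for e in events:
        if e.action == "LOGIN":
            fails = sum(1 for x in logins[e.user] if x.outcome == "FAIL")
            if e.outcome == "OK" and fails >= FAILED_LOGIN_THRESHOLD:
                burst_then_success.add(e.user)
            logins[e.user].append(e)
        elif e.action == "UPDATE_APPLICANT" and e.role == "applicant" and e.target != e.user:
            incidents.append(Incident("Tampering",
                f"applicant {e.user} modified record {e.target}", "immediately", [e]))
        elif e.action == "PROMOTE_TO_STUDENT" and e.role != "tutor":
            incidents.append(Incident("Elevation of privilege",
                f"{e.role} {e.user} promoted {e.target} to student", "immediately", [e]))
    for user, evs in logins.items():
        fails = [x for x in evs if x.outcome == "FAIL"]
        if len(fails) >= FAILED_LOGIN_THRESHOLD:
            # A success right after the burst suggests the account is now in use by the attacker.
            respond = "immediately" if user in burst_then_success else "within 24 hours"
            incidents.append(Incident("Spoofing",
                f"{len(fails)} failed logins for {user}", respond, evs))
    return sorted(incidents, key=lambda i: i.respond != "immediately")


def incident_register(incidents):
    """Rows for the incident record: what, when first seen, how urgent, how much evidence."""
    return [{"stride": i.stride, "indicator": i.indicator, "respond": i.respond,
             "first_seen": min(e.ts for e in i.evidence).isoformat(),
             "evidence_lines": len(i.evidence)} for i in incidents]


if __name__ == "__main__":
    for row in incident_register(detect(parse_log(SAMPLE_LOG))):
        print(row)
```

The ordering puts "immediately" incidents first so the analyst sees the ones that need containment now; the 24-hour case here is a failed-login burst with no subsequent success, which is worth a record and a follow-up but not an emergency.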

Have a look at this IRP from the University of Connecticut to get an idea of what I’m expecting
you to do: https://security.uconn.edu/incident-response-plan/

You also need to read this document to get a better understanding of the IRP development
process: https://www.ncsc.gov.uk/collection/incident-management/cyber-incident-response-processes

You SHOULD spend time reading the above documents online.


4. Chain of Custody

This document represents the paper trail of evidence, detailing the custody, control, transfer
and analysis of any evidence. Failure to keep a chain of custody can wreck your chances of
using the evidence in court, whether it’s digital or physical, because how can you prove it
hasn’t been tampered with?

If you can’t 1) explain who has had access to the evidence, 2) explain why and when they have
had access to the evidence, and 3) explain where the evidence has been at all times, you can’t
use it in court.

You can find more information here and retrieve a chain of custody form example to use in
your IRP: https://www.andreafortuna.org/2018/04/09/digital-forensic-the-chain-of-custody/

The IRP you develop for the student registration system above should include filling in the
chain of custody form.

5. Audit Trail

An audit trail is a record of all processes applied to a piece of electronic evidence. The purpose
of this trail is to ensure that an independent third party is able to examine those processes
and achieve the same results. This means that *any* activity or process should be recorded
clearly and carefully. This is important as part of incident response planning.

Here's an example of what an audit trail might look like:


As you can see, every step is very clear. The audit trail records all the necessary information.
It also dictates the process to be followed, giving more consistency and allowing other
people to follow it more easily. Of course, the process will normally have been tried and
tested.
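To make the chain of custody (section 4) and the audit trail (section 5) concrete, here is an added example that is not part of the lab sheet and not the tutor's illustration above. It keeps a custody log for one evidence item (who, why and when, where, received from), checks a SHA-256 hash at every transfer so tampering is caught, and records each analysis process with input and output hashes so that a third party can replay the steps and confirm they get the same result. The evidence bytes, names, times, tool names and process names are constructed.

```python
"""Chain of custody and audit trail records with integrity hashes.

Added example, not from the lab sheet. The evidence content, people, times,
locations and tool names are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed evidence: a CSV export of applicant records taken from the server.
EVIDENCE = b"id,name,status\n1001,A. Applicant,applicant\n1002,B. Applicant,student\n"


@dataclass
class CustodyEntry:
    when: str            # when custody changed hands
    who: str             # who took custody (question 1 on the sheet)
    why: str             # why they needed it (question 2)
    location: str        # where the evidence is now (question 3)
    received_from: str   # previous custodian
    sha256: str          # hash verified at hand-over


@dataclass
class ChainOfCustody:
    item_id: str
    acquired_hash: str   # hash taken at acquisition; every transfer must match it
    entries: list = field(default_factory=list)

    def transfer(self, when, who, why, location, received_from, data: bytes):
        h = sha256(data)
        if h != self.acquired_hash:
            raise ValueError(f"{self.item_id}: hash mismatch on transfer to {who}")
        self.entries.append(CustodyEntry(when, who, why, location, received_from, h))

    def intact(self) -> bool:
        return all(e.sha256 == self.acquired_hash for e in self.entries)


# Audit trail: processes are registered by name so they can be replayed later.
PROCESSES = {}


def process(name):
    def register(fn):
        PROCESSES[name] = fn
        return fn
    return register


@process("filter_students")
def filter_students(data: bytes) -> bytes:
    """Keep the header plus rows whose status is 'student'."""
    lines = data.decode().splitlines()
    kept = [lines[0]] + [ln for ln in lines[1:] if ln.endswith(",student")]
    return ("\n".join(kept) + "\n").encode()


@process("sort_rows")
def sort_rows(data: bytes) -> bytes:
    """Sort data rows, leaving the header in place."""
    lines = data.decode().splitlines()
    return ("\n".join([lines[0]] + sorted(lines[1:])) + "\n").encode()


@dataclass
class TrailStep:
    when: str
    analyst: str
    process: str
    tool: str
    input_sha256: str
    output_sha256: str


def run_and_record(trail, when, analyst, process_name, tool, data: bytes) -> bytes:
    """Apply a registered process and append the step to the audit trail."""
    out = PROCESSES[process_name](data)
    trail.append(TrailStep(when, analyst, process_name, tool, sha256(data), sha256(out)))
    return out


def replay(trail, data: bytes) -> bool:
    """Independent re-run: every step must reproduce the recorded hashes."""
    for step in trail:
        if sha256(data) != step.input_sha256:
            return False
        data = PROCESSES[step.process](data)
        if sha256(data) != step.output_sha256:
            return False
    return True


def build_example():
    """Acquire the evidence, hand it over once, then run two recorded processes."""
    coc = ChainOfCustody("EV-001", sha256(EVIDENCE))
    coc.transfer("2020-03-02 11:00", "first responder", "acquisition",
                 "server room", "registration server", EVIDENCE)
    coc.transfer("2020-03-02 14:30", "forensic analyst", "analysis",
                 "forensics lab safe", "first responder", EVIDENCE)
    trail = []
    step1 = run_and_record(trail, "2020-03-02 15:00", "forensic analyst",
                           "filter_students", "custom script v1", EVIDENCE)
    run_and_record(trail, "2020-03-02 15:05", "forensic analyst",
                   "sort_rows", "custom script v1", step1)
    return coc, trail


if __name__ == "__main__":
    coc, trail = build_example()
    print("custody intact:", coc.intact(), "| replay matches:", replay(trail, EVIDENCE))
```

Two points are worth noting from the design: a transfer with a copy whose hash differs from the acquisition hash is refused rather than silently logged, and the replay succeeds only when the process is deterministic and pinned to a named tool, which is exactly what lets an independent examiner reach the same result.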

Now you have all the tools you need to create your IRP. Once you’re done, please show
your work to your tutor. If you’ve any questions, just ask!
