Professional Documents
Culture Documents
July 2004
Incident Response Plan
Preface
This Incident Response Plan is a higher level companion document to the Forensic
Plan, which provides lower-level technical guidance in understanding how digital
evidence collected as part of an incident investigation may be preserved such that it
may be admissible in a court of law.
Both the Incident Response Plan and the Forensic Plan are available from the Office of
e-Government website (http://www.egov.dpc.wa.gov.au) in PDF format from the Policies
and Guidelines section.
If you have any comments, queries or need additional information, please contact:
email: egov@dpc.wa.gov.au
Phone: 9213 7100
Contact:
Sven Bluemmel
Gail Holt
Table of Contents
PREFACE ...................................................................................................................................... 2
TABLE OF CONTENTS ................................................................................................................... 3
Background ..........................................................7
INTRODUCTION ............................................................................................................................ 8
1.1 Disclaimer ............................................................................................................... 8
1.2 Introduction............................................................................................................. 8
1.3. Purpose and Scope .................................................................................................. 9
1.4 Related Documents ............................................................................................... 11
Incident Response Plan.......................................... 12
PHASES OF THE INCIDENT RESPONSE PLAN ................................................................................ 13
PREPARATION ............................................................................................................................ 14
3.1 Establish policies and procedures for responding to incidents ............................. 14
3.1.1 Information disclosure policy ........................................................................... 15
3.1.2 Networked systems security policy .................................................................. 16
3.1.3 Configuration redundancy policy ..................................................................... 18
3.1.4 Presumption of privacy policy .......................................................................... 19
3.1.5 Document a response procedure that implements your policies....................... 19
3.1.6 Conduct a legal review of your policies and procedures .................................. 19
3.1.7 Train designated staff about your response policies and procedures................ 20
3.2 Use Proactive Techniques to Prevent Incidents.................................................... 20
3.2.1 Subscribe to resources for notification of new threats and vulnerabilities ....... 21
3.2.2 Establish standard build procedures.................................................................. 21
3.2.3 Patch known system vulnerabilities.................................................................. 22
3.2.4 Perform network auditing and penetration testing............................................ 22
3.2.5 Display warning banners................................................................................... 22
3.2.6 Ensure that systems run antivirus with current definitions............................... 23
3.2.7 email client configuration ................................................................................. 23
3.2.8 Keep all network information current............................................................... 23
3.2.9 Improve technical security skills ...................................................................... 23
3.2.10 Establish automated intrusion detection ........................................................... 24
3.2.11 Know who has access to your systems ............................................................. 24
3.2.12 Keep track of remote computing users ............................................................. 24
3.2.13 Establish extranet agreements and monitoring ................................................. 24
3.2.14 Identify critical assets and servers .................................................................... 24
3.2.15 Review the physical security of critical assets and servers............................... 25
3.2.16 Use strong account policies .............................................................................. 25
3.2.17 Domain and network information current in whois databases.......................... 25
3.2.18 Situational awareness........................................................................................ 26
3.3 Form Your Incident Response Capability............................................................. 26
3.3.1 Create an incident response plan....................................................................... 26
3.3.2 Authority to act ................................................................................................. 26
8.1 Hold a post-mortem analysis and review meeting with all involved parties ........ 60
8.2 Conduct a lessons learned meeting ....................................................................... 61
8.3 Send recommended changes to management ....................................................... 61
8.4 Revise security plans, policies, procedures, and user and administrator training to
prevent incident recurrence............................................................................................... 62
8.5 Determine whether or not to perform a new risk analysis based on the severity and
impact of an incident......................................................................................................... 62
8.6 Take a new inventory of your system and network assets.................................... 62
8.7 Participate in investigation and prosecution, if applicable ................................... 62
ACKNOWLEDGEMENTS............................................................................................................... 63
APPENDIX A GLOSSARY........................................................................................................ 64
APPENDIX B COMPUTER AND NETWORK INCIDENT TAXONOMY .......................................... 70
APPENDIX C INCIDENT NUMBERING SCHEME ......................................................................... 72
APPENDIX D TYPES OF INCIDENTS ........................................................................................ 73
APPENDIX E SECURITY INCIDENT CATEGORIES...................................................................... 74
APPENDIX F LOG OF EVENTS FORM ..................................................................................... 76
APPENDIX G INCIDENT REPORTING FORM .............................................................................. 78
APPENDIX H CONTACT LIST ................................................................................................. 79
APPENDIX I NETWORK DIAGRAMS AND INFORMATION ......................................................... 80
APPENDIX J SERVICENET INCIDENT RESPONSE PROCEDURE ................................................. 81
Background
Introduction
1.1 Disclaimer
Every effort is made to ensure that the material in this document is accurate and up to
date. However, the Department of the Premier and Cabinet does not guarantee or
warrant the accuracy, completeness or currency of the information provided.
The material in this document is not and should not be regarded as legal advice.
1.2 Introduction
The increased computer literacy both within Government and the general community,
as well as the low cost and efficiency of the implementation of technological solutions,
has increased the likelihood of technology being used to commit an unauthorised act or
augment its commission. People who would not dream of stealing or maliciously
damaging other people’s property in the ‘real world’ have no qualms or second thoughts
in relation to the opportunities and challenges presented by technology, the Internet,
and the ‘virtual world’.
Computers are used in all facets of Government work to create messages, write reports
and other documents, compute financial information, transfer funds and browse the
Internet. As well, Government has established a business requirement to make more
extensive use of public data networks, such as the Internet. Connections to these
networks carry a number of additional threats and risks over and above those already
identified and for which safeguards have been provided. Government needs to
understand these threats and to respond to computer security incidents with speed and
skill so that incidents can be identified, contained, resolved, and in the longer term
prevented, in a timely and cost-effective manner.
The purpose of this Incident Response Plan is to document the steps necessary for
effectively and efficiently managing a computer security incident (hereafter referred to
as an incident).
It is aimed at the technical management of incidents, and intended for system and
network administrators, managers of information systems, and security personnel
responsible for networked information resources. Without an incident response
structure, agencies may be inadequately prepared to deal with incidents. When one is
discovered or suspected, decisions may be made in haste, responses may be
haphazard and ineffective, and may lead to:
• extensive damage to data, systems, and networks due to not taking timely action
to contain an incident. This can result in increased costs, loss of productivity,
and loss of business;
• the possibility of an incident affecting multiple systems both inside and outside an
agency because staff did not know who else to notify and what additional actions
to take;
• negative exposure in the news media that can damage Government stature and
reputation with customers and the community;
• protect the systems, the networks, and their ability to continue operating as
intended;
• recover systems;
This plan defines and categorises incidents and the actions to be taken when they
occur. The strategy processes for a systematic incident response approach have been
addressed in this plan under the following phases:
• Preparation
• Detection
• Containment
• Eradication
• Recovery and closure
• Follow-up
Category Phase
Prepare Preparation
Detect Detection
Respond Containment
Eradication
Recovery and closure
Follow-up Follow-up
Note. Adverse events such as floods, fires, power-related disruptions, excessive heat
that causes system crashes, and other natural disasters, though certainly undesirable
incidents, are not within the scope of this document and should be addressed in
Agencies’ business continuity (contingency) plans. For the purpose of this document,
therefore, an incident refers to an adverse event that is related to Information Security.
This Incident Response Plan forms part of an overall Office of e-Government Western
Australian Computer Security Incident Response Team (WACSIRT) incident response
framework. This plan refers to, and should be read in conjunction with, the WACSIRT
Forensic Plan. The Forensic Plan documents in more detail the mechanisms by which
evidence relating to security incidents should be handled by Government staff and
contractors. Also see the WACSIRT Operational Manual that documents how the
WACSIRT operates, and the WACSIRT Framework that is the head document
describing the objectives and scope of the WACSIRT.
Incident Response
Plan
FOLLOW-UP
RECOVERY &
CLOSURE
To restore the affected systems and
networks to operational status.
….
ERADICATION
CONTAINMENT
DETECTION
PREPARATION
|_______________|_________________|________________|_____________| …. |_____________|_____________|_→
T0 T1 T2 T3 Tn Tn+1
Preparation
The goal of this phase is to be prepared with a set of established policies, procedures,
and mechanisms for responding to incidents, and to be proactive in preventing them
occurring.
A security policy defines the rules that regulate how your agency manages and protects
computing resources to achieve security objectives. For responding to incidents, one of
the policy’s primary purposes is to document the threats you intend to guard against
and the actions you intend to take in response to a successful attack.
This section describes a subset of the topics your incident response policies and
procedures should address. It is important that you are willing to enforce your policies,
and that they will support the investigators of any incident. Ensure that you have a
mechanism to show that staff is aware of, and have accepted, your policies.
Why this is important. Policies and supporting procedures that are documented,
communicated, and enforced prepare you to respond to incidents in a timely, controlled
manner. This gives you the ability to exercise your procedures and eliminate potential
errors or omissions in advance of an incident. During or after an incident, you do not
want to be in a position of needing to determine what actions to take, what data to
gather and preserve, and how to protect your data, systems, and networks from further
damage.
Having documented plans, conducted training, and tested procedures in advance will
allow staff members to efficiently coordinate their activities when responding to an
incident. Without the knowledge conveyed through training and test exercises, users
may inadvertently expose parts of the organisation to security threats. For example,
users might reveal sensitive information if they contact the wrong person when
observing an incident.
• specifies who should be notified in the event of an incident and in what order.
The order of notification may depend on the type of incident or other
circumstances. You should contact the responsible manager and your local
response team immediately. The remaining contacts are listed in no particular
order and are in this list as a ‘picking list’ for you to tailor to your requirements.
o the responsible manager and other managers who need to know
o CSIRT, if one exists
o public relations
o system and network administrators
o security officer and personnel
o your Internet Service Provider (ISP)
o human resources (in the event an employee is implicated)
o help desk personnel (who may have to answer questions about an
intrusion)
o legal counsel
o corporate investigations group (if one exists)
o law enforcement (state, federal)
o users
o vendors
o other CSIRTs, the national body AusCERT
• defines specific roles and responsibilities for each contact within your
organisation including their range of authority;
• specifies how much information should be shared with each class of contact and
whether or not sensitive information needs to be sanitised (removed or filtered)
prior to sharing it;
• identifies who to notify and when to notify them by using specified communication
mechanisms (eg phone, email, fax, pager) and whether or not these mechanisms
need to be secure;
• identifies who has the authority to initiate information disclosure beyond that
specified in your policy.
• over time;
• as you obtain additional information (such as the extent of an intrusion);
• as you become aware that an incident you are analysing interacts with one or
more other incidents.
• restoring the affected system. You need to specify the order in which services
will be restored, if this is a consideration (for example, restore your email service
before restoring ftp). This ensures that the order meets your business objectives
and priorities while minimising negative effects on users, where possible.
Authority to act
This policy should indicate what types of incident response actions require management
approval and which are pre-approved. Document the circumstances under which you
intend to:
Ensure that the individuals or team responsible for incident response have pre-
authorisation from management to disconnect from the network and shut down the
affected system(s), if appropriate. Management must understand that shutting down
will cause a denial of service condition on the affected system until it is returned to
operation.
Document the actions to be taken in dealing with incidents involving remotely connected
computers used by your employees and vendors if these actions differ from those taken
for other types of incidents.
• the acceptable level of risk to business processes and the systems and networks
that support them;
• to what extent business processes and the systems and networks that support
them must remain operational, even in the event of intrusions or attacks;
If you choose not to create a CSIRT, ensure that all response roles and responsibilities
are clearly assigned to system and network administrators, security personnel, and
other staff.
• require that designated system and network administrators, and response team
members be trained in the use of incident response tools and environments.
• require quick access to backups in an emergency, even if they are stored offsite.
This may include defining procedures that give specific managers the
responsibility to authorise such access;
• state that staff members dealing with an incident may need to gain access to
restricted systems and data. This may include
o specifying how staff access is granted and how they will obtain
administrator passwords and encryption keys
o establishing the authority for staff access
o establishing the authenticity of the staff member obtaining access
o requiring that all access is documented and tracked.
Gathering evidence
Your agency’s networked systems security policy should document the roles,
responsibilities, authority, and conditions under which data, systems, and networks
suspected of having been compromised can be examined in the analysis of incidents.
Your agency’s networked systems security response procedures should ensure that a
provable chain of custody is maintained for protection of potential evidence. Refer to
your Forensic Plan for more information about the chain of custody. This level of rigor is
required even if you choose not to enter into a legal investigation with law enforcement.
Other affected organisations may decide to take action and request your assistance and
any evidence you have collected, and other organisations may initiate legal proceedings
against you if an intruder attacked their systems from yours.
Ensure that this policy is consistent with your business continuity policy.
This is probably as good a place as any to make you aware of the Telecommunications
(Interception) Act 1979 (the Act). This legislation prohibits interception of ‘a
communication passing over a telecommunication system’ except where this is
necessary for the operation or maintenance of such a system or pursuant to an
interception warrant. At the time of writing, there is a Telecommunications (Interception)
Amendment Bill 2004 before Parliament that seeks to amend the Act in relation to,
among other things, new offences, allowing access to ‘stored’ or ‘delayed access’
communications, and amending the definition of ‘interception’ to accord with recent
technological advances. Telecommunications interception is a huge area in itself, and
you should acquaint yourself with the requirements of the Act in terms of what
constitutes interception and how it may affect monitoring of your network and
information held on servers such as email.
Ensure that your incident response procedure is consistent and integrated into your
business continuity and disaster recovery processes.
This is especially important if your agency intends (or may intend) to take legal action in
the event of an incident, as it will prevent technicalities from undermining an otherwise
strong legal case.
3.1.7 Train designated staff about your response policies and procedures
During the training process, users should learn:
• the actions they need to take to report a suspected incident, including who to
notify, how (web, email, phone), and what information they should report;
• the use of incident response tools and environments based on their roles and
responsibilities.
Create and conduct periodic training about your response policies and procedures.
This training should be mandatory for all new employees and should review specific
policies and procedures relevant to the employee’s knowledge and responsibilities.
Test the effectiveness of the training and each employee’s readiness. Conduct practice
drills (e.g. responding to network intrusions and viruses) that test procedures and
execute operational activities, making sure all staff members are aware of their roles
and responsibilities. Conduct post-mortem meetings with trainees. Provide remedial
training as required.
Regularly conduct mandatory security awareness refresher training for designated staff.
Highlight recent change to policies or procedures and summarise recent incidents.
Make this subject a recurring topic at executive and management-level staff meetings to
maintain awareness.
Ensure that your system and network administrators, incident response staff, and their
managers are aware of and familiar with your Forensic Plan for evidence handling.
To stay current with the fast rate of technological change, ensure that system and
network administration staff set aside time to maintain and update the knowledge and
skills they need in technical topics required to implement your policies and procedures.
Everything in this section 3.2 either constantly needs auditing and updating, or is an
audit process that needs to be run on a timely basis. Lessons learned from the
investigation of any incident and identified in the Follow-up phase feed directly back in
to this section.
• via an email distribution list of those people/agencies who wish to receive all
notifications; and
• via a mailing list server, so that people/agencies can subscribe only to those
email lists of interest to their infrastructure.
You should already be subscribing to this service. If you are not, please:
At the very minimum you should be subscribing to the service offered by WACSIRT.
Rogue wireless LANs are easy and cheap to install, and are proving to be a real
security headache. As well, many major computer vendors are selling an increasing
number of laptops with built-in wireless LAN access cards. If your agency has a policy
that bans wireless LANs completely, or more precisely prohibits employees from
deploying their own wireless networks, you must decide how to enforce that policy
across the enterprise by choosing and using mechanisms to detect rogue wireless
networks.
******************************************************************
Only authorised users may access this machine.
******************************************************************
abreast of security developments and trends, emerging threats and vulnerabilities, and
have the chance to upgrade their skills.
• Domain name. The Registrar for .gov.au domain names is the National Office for
the Information Economy (NOIE). For more information on .gov.au domain
names, or to see or update details for your domain name, point your browser to
http://www.domainname.gov.au. If you have a .com.au domain name, these are
now managed by a host of Registrars accredited by .au Domain Administration
Ltd (auDA). To see a list of auDA accredited Registrars, point your browser to
http://www.auda.org.au/registrars/. To check the Registrar for your .com.au
domain name, use the whois facility at http://whois.ausregistry.net.au. Then you
can update your domain name using your Registrar’s website.
Senior management must provide ongoing commitment and support for an incident
response capability. Before establishing an incident response capability, senior
management must serve as an advocate of security and be proactive in preventing
incidents. Senior management must ensure that the security policies of the agency are
supported with reliable security and detection mechanisms, and that IT security
awareness and responsibility is conveyed throughout the agency. Senior management
must also commit to and support the initiative for an incident response capability.
Ensure that management supports and understands the level of authority the incident
response team will have in the event of a problem, and document this in your incident
response plan.
• intrusions
• software vulnerabilities
• viruses
• SPAM
• illegal activities such as software piracy
• requests to investigate suspected staff
• requests to perform on-site security audits
• requests to perform on-site training
• requests to speak at conferences
• requests for security information
In addition, you must decide what level of assistance will be provided. Will the team
merely forward notification of security incidents onto the affected people, or will they
work completely with staff to determine the extent of the incident and help them to better
secure their systems?
After you determine your approach to incident handling, it will be much easier to
determine under what conditions you are going to approach law enforcement.
Refer to section 3.1.2 Networked systems security policy for more information on
policy considerations that may be needed to be in place to underpin some of the
following steps.
3.4.3 Identify and install tools that support the reinstallation of systems
Identify and install tools that support the reinstallation of systems, applications, and
patches. This includes:
• all tools that are needed to retrieve, unpack, verify, and install software patches
that are intended to correct errors and eliminate vulnerabilities.
You need to ensure that high capacity, removable and hardware-write protectable
media and supporting equipment are available to make and restore system backups.
Backups you make during the response process are used:
The media that you use to store backups must have sufficient capacity to contain all
backup information.
To make backups and to load backups on other systems, all of the necessary devices,
cables, plugs, and terminators need to be available as well as the software that was
used to create the backups.
If possible, use media that cannot be written again once it has been used (i.e. protected
for read only access such as WORM media). This safeguards the information and
avoids accidental overwriting.
3.4.7 Ensure that test systems and networks are configured and available
Using compromised systems for any kind of analysis or test may expose these systems
to further damage and, given the systems are compromised, any results produced by
them are unreliable. In addition, using such systems may inadvertently inform an
intruder of the tests you are executing through the generation of network messages by
malicious or compromised programs.
If you have sufficient resources available, consider setting up test systems and
networks that are both physically and logically separate from your operational system
and network. You can then move the compromised systems to the test network, and
deploy newly installed and fully patched and secure systems onto the operational
network so as to continue operations. Newly installed systems may have the same
vulnerability that an intruder used to gain access. However, making the original
systems available for analysis may give you an advantage over other approaches for
reconstituting the compromised systems on your test network. In addition, the newly
installed system will not contain any software that the intruder may have left behind.
If your equipment is limited or you do not want equipment to be idle when no analysis is
being performed, you could instead choose to have a plan and process in place to
configure a test environment quickly, on an as-needed basis.
After analysis is complete, clear all disks to ensure that any remnant files or malicious
programs do not impact future analysis or any ongoing work on the test system, or are
inadvertently transferred to other operational systems. Refer to your Forensic Plan.
This is particularly critical in the event that your test system is used for other purposes.
Ensure that hardware devices such a printers or laptops are reserved for use in the
incident response process. Hardcopy materials are often required as part of an
incident log and archives. For example, laptops can be used to monitor your network
for suspicious activity, to retrieve contact information from Internet directory servers,
and to access previously collected information such as default configurations and user
id lists.
Documenting the IP address of the machine will enable you to quickly locate it on your
network diagram. This information should always be kept secure, as the information
could be used to compromise your network if it fell into the wrong hands.
Service Provider, Computer Crime Investigation Unit, and the Office of e-Government
WA Computer Security Incident Response Team. :)
To ensure database availability during an incident, store a backup copy off-site, have a
copy available on an accessible system that is not connected to any network, such as a
laptop, and have hardcopies available in an Appendix of your Plan. Keep all contact
information up to date, and protect it as you would any other piece of critical information.
Getting to know all your contacts before an incident occurs helps to make your
response process more efficient.
Be aware that even the act of two people communicating could indicate to an intruder
that they have been detected. A sudden flurry of encrypted email from your internal
security group to users, system administrators, CSIRTs, and others is a sure sign that
something is happening. Your response procedures need to take this into account
including the possibility of conducting all communications without the use of email (eg
using only phone and fax).
Invite your system administrators to help in the incident handling process. Because of
their intimate knowledge of your computer systems they can often bring the perspective
needed to solve a problem.
3.4.17 Ensure that auditing and logging are enabled and sufficient
Make sure that sufficient auditing and logging are enabled before an incident occurs.
Also, make sure that system clocks are synchronised from a trusted time source. This
will ensure that log files accurately reflect the real time that an incident occurred. Where
possible send logs to duplicate log servers. For instance, with the syslog facility, it is a
simple matter to keep a local log and send a duplicate copy to a syslog server. A
duplicate log on a separate logging server can be a huge help in the eradication phase
if an intruder has deleted or manipulated log entries on the local machine.
Gail Holt
Principal Technical Officer
Office of eGovernment
Department of the Premier & Cabinet
Level 10 Dumas House
2 Havelock Street
West Perth WA 6005
p: (08) 9213 7118
f: (08) 9213 7101
m: 0407 195 279
e: gholt@dpc.wa.gov.au
e: wacsirt@dpc.wa.gov.au
e: wacsirt@iinet.net.au
Detection
The goal of this phase is to determine whether an incident has occurred and if so, the
nature of the incident and its impact.
The following steps may not necessarily be carried out in the sequence listed. For
instance, if one of your staff suspects that an incident has occurred, they may decide to
immediately contact your Incident Response POC to triage the incident, rather than
trying to identify the nature of the incident and its impact themselves. Or a system
administrator may identify that an incident occurring is of such catastrophic
consequences that he decides to immediately take steps to contain it before notifying
your Incident Response POC or beginning a log of the incident. For all incidents, these
steps should all be carried out regardless of the sequence.
Is this a real incident? You need to determine if a problem really exists. Use the list of
indicators you developed during the preparation phase to quickly assess the possible
type of incident. Check for simple mistakes such as errors in system configuration,
hardware failures, and user or system administrator errors. Too often people leap to the
conclusion that there is a hostile intent behind every problem. Once you have ruled out
simple mistakes it is easier to determine the total scope of the incident. To help in
identifying whether there really is an incident, you may need to examine system logs
and logs from any detection systems you have.
As soon as an incident is suspected, the person handling the incident should start
taking notes to keep a Log of Events, or Running Sheet. (Have a read of your Forensic
Plan section on Contemporaneous Notes.) Log all information observed about the
incident, and record all steps that you take. Log entries should include such details as
who did what, when, how and why they did it. The notes should be chronological with
the date and time of each entry notated. Record facts only, and avoid speculation. If
any equipment is to be removed and sealed as evidence, be sure to record any
identifying information such as make, model, or serial number. Have a look at a sample
Log of Events form included in an Appendix F of this document.
4.3 Triage - identify the nature of the incident and its impact
You need to evaluate the scope and impact of the problem. It is important to correctly
identify the boundaries of the incident in order to effectively deal with it and prioritise
responses.
• What is the entry point of the incident (network, phone line, internal etc)?
• Is the press involved?
• What is the potential damage of the incident?
• What resources could be required to handle the incident?
• Is law enforcement involved?
You should document the answers to as many of these questions as possible as part of
gathering background information for handling the incident.
Previous risk assessments undertaken within your agency will have already identified
critical servers/machines, and so provide important input to this step. (You have done a
risk assessment of critical systems, haven’t you☺.)
At this point it is not necessary, or usually possible, to absolutely determine the cause or
extent of the incident; doing so may require days of careful analysis. The goal is to
determine the most likely and worst case risks, based on what is known about the
incident and/or compromised system(s).
If the nature of the incident and the answers to questions asked in incident triage
indicate that this incident is of high severity, and may cause escalating damage to
information assets or computing resources that are of critical business value to the
organisation, you may need to advance immediately to the Containment phase.
A chain of custody should also protect each piece of evidence – have a read of your
Forensic Plan sections on Seizing the Evidence and The Chain of Custody.
Share all information on a need-to-know basis and sanitise sensitive information as per
your information dissemination policy.
In the process of analysing an intrusion, you are often able to gain information about
systems not belonging to your agency that were:
You have a responsibility to inform the administrators of all other organisations about
the involvement of their systems so that they can take the necessary steps to respond
to an intrusion. This includes any ISPs that may have been involved in transmitting and
receiving intruder messages. However, in the event of an ongoing legal investigation,
your ability to inform other organisations may be restricted. For example, action on your
part may affect the outcome of the investigation in some way or users from the other
organisation may, in fact, be the subjects of the investigation.
Depending upon what type of incident has occurred, it may be worthwhile reporting it to
ServiceNet, our WA Government ISP, even if ServiceNet is not your ISP. This is
because they may be able to:
Included in this plan is the ServiceNet Incident Response Procedure that details their
site procedure of what actions are to be taken when an incident occurs at ServiceNet.
Refer to Appendix J for this plan and ServiceNet contact details.
Containment
The goal of this phase is to stop or limit the extent of the incident and to determine
operational continuity.
When an incident has been detected and notified, steps must be taken to stop or limit
the extent of the incident. This can be achieved by exercising tactical precautions to
deny further attacks and to limit the extent of damage caused. The compromised
systems and networks may also be isolated to regain control of these systems for
investigating and resolving the incident. Incident response personnel must determine
whether or not to discontinue operations. All information about the compromised
systems and networks must be acquired and secured. Information collection must also
be on going throughout the incident response process. Containing an incident provides
a short-term security solution until sufficient information about the incident is acquired
for resolving and recovering from the incident.
Refer to 3.1.2 Networked systems security policy for more information on policy
considerations that may be needed to be in place to underpin some of the following
steps.
Depending on the incident you are containing, you may need to decide whether or not
to shut systems down or disconnect from the network. These decisions require
management involvement. However, if you have an intruder whose activities are
malicious, your system administrators or Incident Response personnel may need to
take more immediate action. This is why the decision-making process and the level of
authority need to be articulated in your policies and made operational in your
procedures. Determine whether you need to:
Refer to your Forensic Plan for more detail on what information may be needed for
evidence before proceeding. You may need to capture and record system information
that may be lost or not captured during the execution of your backup procedure, or lost
if the system is shutdown.
Shutting down a compromised system may also destroy important information that you
need for analysis. For example, an intruder’s programs may only be available in main
memory because he or she deleted the files on the hard drive to avoid their detection.
In an emergency, you need to be able to weigh the risk of further damage against the
possibility of losing this information by shutting down.
• disconnect the local area network or corporate network to which the system is
connected from the local or public networks that an intruder is using; or
The first alternative ensures that the system and all communication with it is still
available from within your agency. However, this may alter critical information on the
compromised system as normal use continues, and will prevent your users accessing
the local or public networks you have disconnected from.
The second alternative allows your users of systems other than the compromised
system to continue to access the local or public networks. However, if you incorrectly
determined the scope of an intrusion (that may include other systems on the same local
network), you run the risk of an intruder continuing to have access to that network and
the remaining systems connected to it, which may also be compromised.
This is where the network information you documented on the services each machine is
running comes in handy. Refer to 3.2.2 Establish standard build procedures
Using this approach, you can identify subsequent intruder access attempts more quickly
and more easily. This may also reveal other access paths not previously identified
which allows you to disable these access paths.
5.1.6 Verify that redundant systems and data have not been compromised
If you are running hot, warm, or cold backups in support of your configuration
redundancy policy (if you have one), you need to ensure that an intruder’s actions have
not been replicated, thereby affecting those systems and data.
In addition, ensure that any containment, elimination and restoration steps you take on
the primary system are also taken on your backup systems including the elimination of
vulnerabilities that were used by the intruder to gain access.
Great care should be taken to collect all necessary information about the compromised
system(s) and the cause of the incident, as they will likely be lost when cleaning up the
system. All information about the compromised system(s) and cause(s) of an incident
needs to be captured and securely stored. This may include system and network log
files, network message traffic, user files, results produced by intrusion detection tools,
analysis results, system administrator console logs and notes, and backup tapes that
capture the before-incident and after-incident states of the affected system. All
information must be carefully collected, labelled, catalogued, and securely stored at
each stage of your incident analysis.
This is important because if you do not collect and protect this information, you may not
be able to learn from the experience and improve your systems, their operation, and
your staff capabilities. If the incident is internally generated, you may not be able to
take appropriate action to educate, reprimand, or terminate an employee found
responsible.
If you intend to prosecute the perpetrator of an incident, you need to have complete,
thorough, and convincing evidence that has been protected through a secure chain of
custody procedure that tracks who has been involved in handling the evidence and
where it has been stored. Refer to your Forensic Plan for more information about the
chain of custody.
Document all information in a notebook that addresses the questions who, what, where,
when, why, and how. This includes:
• name of system;
• date/time of each entry;
• what actions were taken;
• what was said;
• who was notified;
• who had access;
• what data was collected;
• what information was disseminated, to whom, by whom, when, and for what
purpose;
• what was submitted to legal counsel, to whom, by whom, and how it was verified
(eg notarised).
It is important to be aware that your notes may be subject to subpoena in any legal
proceedings, so document responsibly. Make sure you use a separate notebook for
each incident so that if it is subpoenaed it doesn’t contain information about other
incidents.
If you choose to keep your systems running and connected to collect more information
about an intruder and an intrusion (as contrasted with disconnecting or shutting down
your systems), you may be liable if your system is used as a launch point to attack
another site. You need to have law enforcement involved ASAP, and take action as
they advise to limit this liability.
Information you collect and interpret through analysis is key to your decisions and
actions throughout the response process. It is extremely important to obtain a full
backup, preferably using disk imaging of the compromised system, with known good
binaries. In specific instances or for critical environments, the backups may be used to
reinstall the compromised system on another host in a controlled environment (an
‘isolation ward’) for further investigation, while the original host is preserved as
evidence.
This is where the cryptographic checksums of critical system files generated as part of
your preparation to respond is useful. Refer to 3.4.5 Generate information required to
verify systems and data integrity
5.3.2 Backup
Do not allow the system to be altered in any way until you have completed a full system
backup. Make at least two full backups of the system(s) that have been identified as
compromised, as well as the user data on those systems, preferably using disk imaging
of the system with known good binaries. Do so using hardware-write-protectable or
write-once media.
Use new media for your backups because it may appear that the evidence is faulty or
contaminated if it is written over old information. Besides, the old information is not part
of the incident and it may not be appropriate for it to be handed over to an external
party.
Eradication
The goal of this phase is to eliminate or mitigate the factor(s) that resulted in a
compromise of system security.
After an incident has been contained, steps must be taken to completely resolve the
incident. This requires a thorough investigation of the compromised systems and
networks to determine the attack method used and damage that may have been
caused. To exercise caution and ensure the preservation of evidence, it may be
necessary to reconstruct the compromised systems on a test environment for
investigating the incident. All system backups used to reconstruct the compromised
systems must be protected to ensure the preservation and admissibility of evidence.
Information acquired about the compromised systems and networks must be
consolidated and analysed. The attacks and potential vulnerabilities used to
compromise the systems and networks may then be identified and eliminated, and the
damage resolved.
Compromised systems and networks must be restored using trusted backups and
reliable programs. After recovery, incident response personnel must verify the integrity
of the restored systems and networks using audit information generated during the
Preparation phase. To exercise caution, signs of the incident on similar systems must
also be corrected. Security and detection mechanisms currently installed must also be
strengthened to prevent further incidents.
Refer to 3.1.2 Networked systems security policy for more information on policy
considerations that may be needed to be in place to underpin some of the following
steps.
In the event that an incident evolved into a crisis situation, you may also (thru the
WACSIRT) decide to communicate with the WA Computer Crime Investigation Unit
and/or AusCERT to help monitor and resolve the incident.
Information collected during the Detection and Containment phases may be sufficient to
determine the root cause of the incident. However, in most incidents there are multiple
causes for a compromise. For example, the absence of adequate technical controls
may result from:
For this reason, you should conduct a comprehensive review of the data gathered, and
not just assume that one factor alone contributed to the incident. When analysing
incident information, remember that you are looking for the answers to the questions
what, where, when, why, how, who? Information gathered might also reveal other
systems that have been compromised.
• transferring one copy of the backup files to a test system that is isolated from
your operational systems and restoring the compromised system(s) on the test
system for analysis; or
• systems that are in the same IP address range or are on the same network
segment. Intruders perform scans across large ranges of IP addresses to locate
security vulnerabilities;
• systems that are in the same “trusted” domain. These systems provide access to
users from other systems within the same domain without further authentication;
• systems that have at least one network service in common. Intruders often
check for well-knows services such as DNS (Domain Name System), FTP (File
Transfer Protocol), HTTP (Hyper-Text Transfer Protocol), and SMTP (Simple
Mail Transfer protocol); and
Why this is important. If you find other systems that have been compromised, this
must be documented as part of the incident. All the steps in the Detection,
Containment, and Eradication must be iterated for each system compromised until there
are no further signs of the incident.
Firewall, network monitor, and router logs often remain intact and contain valuable
information even if an intruder gains local access, manages to get administrator
privileges, and deletes the local system logs to hide the information about the attack
method, an intrusion itself, and the access methods used. These programs and
devices, if properly configured, may record connections and message traffic generated
by an intruder. The logs that they each produce may reveal intruder activity. For
example, firewall logs can be configured to store information about the source of any
connection, the destination, and characteristics of connections such as the amount of
data transferred.
By analysing this information (including date, time, and systems attacked) you can
locate related records in these logs that reveal more detailed information about an
intrusion or information missed altogether. Look for similar connections, including
connections from the same source or going to the same destination.
Building a complete picture can be a tedious task. Log formats of many systems are
not compatible and no general purpose tools currently exist that chronologically
synchronise logs produced by multiple systems. However, there are monitoring tools
that will collect information from multiple systems and consolidate the logs produced by
those systems. In addition, the timing source and time zone used by systems may
differ. Protocols such as NTP (Network Time Protocol) can be used to synchronise the
time for multiple systems.
6.2 Identify the attack method used and the damage caused
6.2.1 Identify the attacks used to gain access to your systems
You cannot fix the security problem that led to a system compromise if you don’t know
what happened. You need to isolate the attack and determine how it was executed.
Search the local logs of the compromised systems for information that reveals what kind
of attack was used in addition to making use of logs produced by firewalls, routers, and
network monitors. Usually, intruders attempt a number of different attacks, or scan for
the presence of one particular vulnerability before they gain initial access. Depending
on how your systems are configured to detect signs of intrusion, your system and
network logs may contain:
You may also find date, time, and source in the logs that can be quite useful.
After gaining access, an intruder may try to delete all logs or specific log entries.
Therefore, it is possible that you will not find any useful entries. Sometimes the deletion
of log entries is detectable. If so, this notifies you that something suspicious has
happened to your system and you need to conduct further analysis. This is where it is
extremely useful to have a duplicate log on a logging server separate to the
compromised system.
A successful intrusion usually occurs in two parts. The first phase is when a
vulnerability is exploited and the system is accessed. The second phase is that once in,
the intruder typically installs back doors or other means for obtaining future access to
the compromised system, or sniffer programs to collect additional passwords and user
ids. The following steps describe how to eliminate this access to the greatest possible
extent. These steps are likely to be sufficient if you have prepared properly, performed
thorough analysis, and if you are able to identify all changes made by an intruder.
If you are not prepared, then your only option is to reinstall the systems and restore all
user data to the extent possible. You may wish to reinstall the systems in any event to
ensure that all intruder changes are eliminated, or if you are in doubt of the accuracy of
the information you relied on to identify the system changes.
Why this is important. Intruders widely advertise compromised systems and regularly
trade system addresses and access information in exchange for attack tools or similar
information. Victims of intrusions indicate that intruders try to access their system
addresses long after the original intrusion has occurred. Such addresses are not only
distributed amongst intruders, but also are available in databases on the Internet.
You need to ensure that your systems are no longer vulnerable before returning them to
service. Otherwise, they can be compromised by the same kind of attack that resulted
in the successful intrusion. The absence of elimination actions undermines your ability
to operate securely and, in effect, negates all efforts you expend to respond to the
original intrusion.
You need to cater for the fact that doing this will create a fair amount of work for users
and may confuse them. If passwords cannot be changed, an alternative is to lock out
the compromised accounts and reassign new accounts.
A root kit attack embeds so much malicious code in so many hidden places in a
computer system that cleaning the system is almost never a viable option. If there is
evidence of a root kit style attack, it may be better to avoid restoring from backups. You
should completely wipe the disk and rebuild the operating system from original
distribution media.
If you decide to restore the system from backups, it is essential to first determine the
integrity of the backup itself. You will need to restore from the most recent backup
made before the system was compromised. You need to make every effort to ensure
that you are not restoring compromised code. If in doubt, reinstall the system from
original distribution media or copies you trust.
If you have reinstalled the system from distribution media, you must then patch the
vulnerability, configure the operating system safely, patch the operating system with the
latest patches, and reload the data.
• known vulnerabilities for which patches are available; install the patches.
• the presence of malicious code (back door, Trojan horse) with an unknown and
hidden function such as deleting log files or starting a service on unused ports to
permit access without requiring a password; reinstall a trusted version of the
affected software.
• adding new users to the list of authorised users including levels of system
privileges up to full privileges; reinstall a trusted version of your authorised user
file.
• setting new passwords for existing users; reinstall a trusted version of your
password file.
• weak or inadequate procedures (e.g. password setting and aging); update the
procedures and enforce them.
• inspect all files executed at boot time for the presence of Trojan horses or back
doors; reinstall trusted versions of files executed at boot time.
If you possess detailed logging or audit information about files an intruder accessed and
programs an intruder executed, this step is made easier by allowing your staff to
concentrate on specific files instead of all existing and deleted files.
• installing back doors to provide future access. For example, an intruder installs a
program in a local user directory that is called each time the user logs in,
providing an unprotected login shell that can be accessed by anyone via the
Internet;
• compromising user data to sabotage the user’s work. For example, an intruder
makes small changes to spreadsheets that go unnoticed. Depending on how the
spreadsheets are used, this can cause minor to major damage.
Use the latest trusted backup to restore user data. For files that have not been
compromised, you can consider using the backup that was made closest in time to
when an intrusion was detected to avoid user rework. This should be done with caution
and is based on having a high level of confidence that restored user files were not
compromised. Regardless, you need to encourage users to check for any unexpected
changes to their files and warn them about the risk of compromise.
Users should review all restored data files that resided on the compromised system to
ensure they were not affected by an intruder’s activities.
All executables or binary files residing in user areas should be handled in the same way
as system executables and binary files. If no authenticated, cryptographic checksum is
available, you need to reinstall from the original distribution media.
• user accounts
• system services and their configuration
• audit and monitoring facilities
• access control lists
Compare all system configuration files with authoritative copies of these files or
compare cryptographic checksums with trusted checksums collected before the
incident.
If authoritative copies are available, you may choose to overwrite the current set of files
with these copies.
In the absence of trusted copies or checksums, you need to review all files manually.
Clearly, this will take significant time and resources. The review can be effectively
conducted as a peer review performed by multiple system and network administrators
or by members of your response team.
6.4 Verify that the means of attack and potential vulnerabilities are
correctly eliminated
In response to a specific incident, you need to ensure that the affected systems are
protected against the same or similar types of access and attacks in the future, once an
incident is contained and systems are returned to normal. The use of automated
vulnerability assessment tools can assist you not only to validate the correctness of
eradication procedures, but also to anticipate and correct factors that might facilitate an
attack.
Both host-based and network-based assessment tools can determine the robustness of
your system and network configurations. Host-based tools provide a higher degree of
accuracy than do network-based tools. Increasingly, host-based tools such as bastille,
available at http://www.bastille-linux.org or the tools from the Center for Internet Security
http://www.cisecurity.org/ have the capability to actually correct or to strengthen the
security of a system. Network-based tools such as nmap, available at
http://www.insecure.org/nmap or nessus, available at http://www.nessus.org can
identify, and in some cases stress, common vulnerability exposures that may have
resulted in a compromise. A combination of tools is beneficial because each tool may
have unique capabilities.
Depending on your environment, many procedures may be outside the control of the
compromised system’s owner. For example, typically in large agencies, firewalls and
router configurations are the responsibility of another organisational entity. In this case,
your IR team should serve as the liaison between the system’s owner and these entities
to ensure adequate protection.
• Review and update the conditions under which your detection mechanisms
generate alerts to system and network administrators and the forms in which the
alert is made (email, phone, pager, printouts etc).
The goal of this phase is to return the affected systems and networks to operational
status.
After an incident is completely resolved, the compromised systems and networks that
were isolated must be restored to operational status to allow business continuity.
Incident response personnel must determine how to restore compromised systems and
networks with minimum risk of incident recurrence and impact to current operations. All
systems and networks must also be continually monitored to prevent incident
recurrence. After recovering business operations, your legal counsel may advise on
whether to report the incident to law enforcement.
You need to fully determine the requirements to be met and the priority they should
have before you return the affected system to normal operations. This determination
requires input from both the management of the affected system and their system
administrators.
If the requirements do not include completion of incident analysis and the eradication of
vulnerabilities due to a business-critical need to return the system to operations as soon
as possible, continue analysis in parallel and upgrade the system as soon as possible.
In this case you must recognise that the system is vulnerable to another occurrence of
the same type of incident until you do so. One way to mitigate the risk is to increase the
level of monitoring and intrusion detection to ensure that a new intrusion does not go
unnoticed.
Your agency’s networked systems security policy should specify the order in which
system services are returned to normal operation. Refer to 3.1.2 Networked systems
security policy for more information on policy considerations that may be needed to be
in place to underpin some of the following steps.
Enable previously disabled services that are either known as not vulnerable or have
been corrected to eliminate the vulnerability used by an intruder.
Only enable those services that are required by the users of the system (as contrasted
with enabling all available services).
Reconnect the restored system to its local network. In the case where a local or
corporate network containing the compromised system was previously disconnected
from the public network used by an intruder, reconnect the local or corporate network.
Management and users want to know whether the problem has actually been
eradicated. Once the system has been restored, verify that the operation was
successful and the system is back to its normal condition. Ideally you have a system
test plan to evaluate the system. More commonly, the system is run through its normal
tasks while being closely monitored by a combination of techniques such as network
loggers and system log files. Take notice that sometimes patches or techniques used
to prevent a vulnerability may cause the system to function differently than it did before
the incident.
You need to watch for any scans, probes or other suspicious activity that may signal the
return of an intruder. Back doors and malicious code can be very well hidden. Once
your system is back online, continue to monitor for backdoors that escaped detection
and eradication.
In many cases, you can gather much more information about an intruder when they
attempt to return than you can immediately after an intrusion. This is particularly true if
you have installed improved monitoring tools and procedures as a result of lessons
learned from a previous intrusion.
Monitor for failed login attempts, attempts to access back doors, attempts to re-exploit
the original vulnerability, and attempts to exploit new vulnerabilities. Each occurrence of
these should be analysed further.
Once your system has been compromised and this becomes known in the hacker
community, the system becomes a bigger target for future attacks. Improved monitoring
may reveal new attacks more easily and provide the opportunity to defeat the attack.
As part of the Detection phase, you will have notified all parties that needed to be aware
of the incident. All these parties now must be informed that the incident has been
resolved and closed.
Follow-up
The goal of this phase is to review the incident response process to identify and
implement security lessons learned. It is important that this phase feeds information
directly back into the Preparation phase so that lessons learned as you responded to an
incident result in a more secure operational environment.
As soon as possible after business operations are recovered, all involved parties should
hold a post-mortem analysis and review of the incident response process to identify
what worked well and what did not. Experience must be captured quickly. A follow-up
report, including lessons learned, is the accepted method of protecting the knowledge
so that it can be used in the future.
An executive summary of the incident, including costs and impacts, should be prepared
for management so as to assist them in assessing the cost of reconstituting information
assets and computing resources damaged by the incident. This assessment conveys
the value of an incident response capability, and provides information for revising the
incident response plan and the security policy of the organisation.
Why this is Important. If you do not learn from the experience of responding to a
successful intrusion, you will continue to operate at risk and will likely have to deal with
the same or similar type of incident again. Every successful intrusion indicates
weaknesses in your systems, networks, and operations that provide opportunities to
make them more secure. It may also point to an inadequate level of staff preparedness
that can be remedied through additional training or other forms of skill development.
• Did your detection and response processes and procedures work as intended? If
not, where did they not work? Why did they not work?
• Methods of discovery and monitoring procedures that would have improved your
ability to detect an intrusion;
• Improvements to procedures and tools that would have aided you in the
response process. For example, consider using updated router and firewall
filters, placement of firewalls, moving the compromised system to a new name or
IP address, or moving the compromised machine’s function to a more secure
area of your network;
• Updates to policies and procedures that would have allowed the response and
recovery processes to operate more smoothly;
Make a monetary estimate of the costs associated with an intrusion to support the
business case for the level of investment you should make in security improvements.
This should include the estimated value of proprietary or sensitive information assets
that may have been accessed by an intruder.
Prepare a final report. Prepare an Incident Executive Summary and brief these results
to senior management for their review and comment. This ensures they are aware of
the vulnerability of their systems and continue to be educated about these issues.
Distribute the incident report in advance so that the meeting can focus on recounting the
incident and identifying what lessons have been learned.
Provide management with a prioritised set of recommended changes from the lessons
learned process, along with cost estimates, high-level schedule, and impact of
implementing or not implementing the recommended actions.
Include any new, improved methods resulting from lessons learned in your current
security plans, policies, and procedures.
Make sure that you are regularly reviewing the public, legal, and vendor information
sources necessary to protect your systems from further attacks of this type. These
sources regularly report current intruder trends, new attack scenarios, and tools that will
improve the effectiveness of your response process.
This is a decision that management would need to make after reviewing the Executive
Incident Summary report and the recommended changes from the lessons learned
process.
You may need to generate new information required to verify the integrity of your
systems and data. Review your Preparation phase step 3.4.5 Generate
information required to verify systems and data integrity.
Refer to your Forensic Plan for more information about evidence handling.
Acknowledgements
6. IT Audit & Consulting (ITAC) Pty Limited. Strategy paper for the establishment of
a Whole of Government Incident Response Team. 2000
10. Information was also drawn from various papers and documents freely available
on the Internet.
Appendix A Glossary
artefact – instances of malicious code or other file remnants left behind by intruders.
Examples include Trojan horse programs, Ethernet sniffer log files, password files,
exploit scripts, and other program source code.
computer – a device that consists of one or more associated processing units and
peripheral units, that is controlled by internally stored programs, and that can perform
substantial computations, including numerous arithmetic operations, or logic operations,
without human intervention during execution. Note: May be stand alone, or may
consist of several interconnected units.
corporate raiders – employees who attack computers of competitors for financial gain.
data in transit – data that are being transmitted across a network, or otherwise
emanating from a source. Examples include packet data travelling across the Internet,
and the data content of electromagnetic radiation surrounding a computer terminal or
network cable.
distributed pool – a tool that can be distributed to multiple hosts, which can then be
coordinated to anonymously perform an attack on the target host simultaneously after
some time delay.
file – a collection of data, which is designated by name and treated as a unit by a user
or process.
hackers – attackers who attack computers for challenge, status, or the thrill of obtaining
access.
incident –Any real or suspected adverse event in relation to the security of computer
systems or computer networks.
incident handling – actions taken to protect and restore the normal operating condition
of computers and the information stored in them when an adverse event occurs;
involves contingency planning and contingency response.
intrusion – any intentional event where an intruder gains access that compromises the
confidentiality, integrity, or availability of computers, networks, or the data residing on
them.
IP – Internet Protocol.
number of sites – the overall number of sites known to have reported or otherwise to
have been involved in an incident.
other sites – the site names of sites known to have been involved in an incident, but
that did not report the incident.
professional criminals – attackers who attack computers for personal financial gain.
read – obtain the content of data in a storage device, or other data medium.
reporting date – the first date that the incident was reported to a response team or
other agency collecting data.
reporting sites – the sites names of sites known to have reported an incident.
scan – access a set of targets sequentially in order to identify which targets have a
specific characteristic.
site – the organisational level with responsibility for security events; the organisational
level of the site administrator or other authority with responsibility for the computers and
networks at that location.
site name – the portion of the fully qualified domain name which corresponds to a site.
sniffer – any hardware or software device that monitors network traffic. The traffic can
be stored and archived for later viewing. Intruders commonly use sniffers to capture
userid and password data that are passed in clear text over a network.
spies – attackers who attack computers for information to be used for political gain.
steal – take possession of a target without leaving a copy in the original location.
taxonomy – a classification scheme that partitions a body of knowledge and defines the
relationships among the pieces. It is used for classifying and understanding the body of
knowledge.
terrorists – attackers who attack computers to cause fear for political gain.
voyeur – attackers who attack computers for the thrill of obtaining sensitive information.
Modify
Delete
You may wish to devise your own incident numbering scheme, use the WACSIRT
scheme within your own agency, or notify WACSIRT when an incident is detected and
ask them to allocate a number from their records. Regardless of what numbering
scheme you decide to use, I encourage you to notify the WACSIRT of your incidents so
that they can build a central repository of incidents that occur across WA Government
agencies.
Also refer to your Forensic Plan, section 5.1 Property / Exhibit Numbering Scheme that
details how equipment of a computer forensic nature is subject to a standardised
numbering scheme, which is based around an incident number.
The term "incident" encompasses, but is not limited to, the following examples of
adverse events (based on those defined by AusCERT).
The following incident categories are based on those used by the Defence Signals
Directorate, Information Security Incident Detection, Reporting and Analysis Scheme
(ISIDRAS). I have included some additional incident types into the categories based
upon incident investigations undertaken by the WACSIRT.
Category 1
Category 1 incidents include events that cannot definitively be identified as attacks, and
have no effect on system operation, such as:
Category 2
Category 2 incidents also have no effect on system operations, and comprise identified
but unsuccessful attempts to actively breach an information system security policy.
Such events include:
Category 3
Category 4
Category 4 incidents include any situation in excess of the examples given above,
particularly where high-level intervention or crisis management is required. Such
incidents will usually have a major effect of system operations. This category also
includes the use of any system or network resources for criminal activity, and those
incidents of criminal activity (eg fraud, prohibited content) resulting in escalation to law
enforcement.
LOG OF EVENTS
Incident Number: _______________
Sheet: _______
Date Time Actions Taken Comments/Reason Action Taken Who Took Action Signature
Procedure Name:
Incident Response
Procedure
REVISION HISTORY
PROCEDURE FOR INCIDENT RESPONSE
1. Purpose
The purpose of this document is to detail the site procedure of what actions are to be taken
when an incident occurs or is identified/discovered at ServiceNet. This document covers or
provides references for all actions when such an event occurs.
2. Responsibilities
The person responsible for implementing a procedure change or creation must provide
details of the new procedure to all other ServiceNet staff and to clients who may be affected
by the change. It is the responsibility of the person implementing change to ensure the
authenticity of information reported as part of this procedure. ‘DTF Online Services’ and the
engineer’s responsibilities are further defined in respect to this procedure.
Any person that updates this document must complete the Revision History Table at the
start of this document.
3. Procedure
In ITIL terminology, an incident is defined as, ‘any event which is not a part of the standard
operation of a service and which causes, or may cause, an interruption to, or a reduction in,
the quality of service’.
It is important that all incidents are reported to the Help Desk and logged in every instance.
As the Incident Management process is mostly reactive, the primary goal is to restore
normal service operation as quickly as possible and minimise the adverse impact on ‘Online
Services’ operations.
The Engineer who first attends to the incident is responsible for the resolution process and
final reporting. The Engineer attending to the incident is also responsible for it’s Escalation
Process, as per the ‘Rules of Engagement’.
3.3 Escalation & Control of information
Responsibility: Provides a single point of contact for all ServiceNet customers and DFT
users; and to facilitate the restoration of normal operational service within agreed service
levels and business priorities.
After an incident has been addressed and all systems have been restored to a normal mode
of operation, a follow-up postmortem analysis should be performed.
Performing the follow-up is one of the most critical activities in responding to incidents. It
helps improve the incident handling procedures. Follow-up analysis is dependent upon the
history of the actual incident itself.
All Incidents need to be fully detailed. The logs of every task, discussion, action and
escalation made during the incident, by every party involved in the incident, needs to be
collated and checked for accuracy and documented.
The current ServiceNet SLA requires an Incident Report to be submitted within 24 hours of
an incident occurring. If the service is not restored within 24 hours, a progress report is
required daily. All progress report updates are to be appended as a historical event at the
end of the initial Incident Report, until the service is restored and a final copy submitted.
Client contact information can be obtained by using the Internet to access the following
page http://www.servicenet.wa.gov.au/cgi-bin/logon.pl.
The page provides both business hours and out of hours contact details for all monitored
agencies.
ServiceNet Notified
Refer 7.2
NMC
Responds AlphaWest Help Desk &
and SN support Notif ied
investigates via automated e-mail
No
NMC
Call NMC Contacts
ServiceNet Contacts 120 Mins Senior
Hardw are Fault Yes Call Resolved No Yes Call Resolved
Rep Supplier elapsed Product
Refer 7.8 Ref er 7.6 Eng.
Ref er 7.8
No
No
No
Yes
Call
Operating ServiceNet NMC 60 Mins
Yes Call Resolved No
Softw are f ault Rep investigates elapsed No
Refer 7.8
Yes
No
Eng. Notif ies
Ops Man
Refer 7.8
Call Resolved
Yes
No
15 Min C all
Yes
Elapsed resolved
No
No
Eng Lo gs
Link Pro vider 60 Mins
Yes call with Yes Yes C all resolved
res pons ibility elaps ed
Pro vider
No
No
No
Yes
F rom Go To
Infras tructure Infras tructure
H ardw are Yes
F ault 7pm to F ault 7pm to
7am Procedure 7am Procedure
Yes
No
N MC
Escalates to
O ps Man
R efer 7.8
End of Document