
Computer Incident Response and Product Security: Operating an Incident Response Team

Chapter Description

This chapter covers aspects of running an incident response team (IRT) such as team size, team member profiles, cooperating with other groups, preparing for incidents, and measuring success.

Acknowledging Incoming Messages

Receiving an email about a compromised device is usually how work on a new incident starts. The first step in this process is for the IRT to acknowledge receiving this initial notification. The acknowledgment must fulfill several goals:

  • Assure the sender that the report has been received and is being given attention.
  • Communicate the incident tracking number back to the sender (if one has been assigned).
  • Set expectations about what will happen next.
  • Provide information about the IRT and how it can be contacted.
  • Look professional and courteous, because the acknowledgment reflects the team's image.

Giving Attention to the Report

Some teams might opt for an automatic response to the sender, but that, although it provides a quick response, might be viewed as too impersonal. An autoresponse mechanism is easy to set up, so many groups and organizations (not necessarily ones handling security incidents) use it. Unfortunately, a majority of these groups and organizations never follow up on these reports, or it appears that way, so most people now mistrust automated responses: the sender has no confidence that the report will ever be worked on. Some people mistrust these automated responses so much that they do not even consider them a real acknowledgment.

Most people prefer communicating with another human being to communicating with an impersonal machine. Having someone who can compose a reply is much better, even if the confirmation is not as instantaneous as an automatic one would be. It is perfectly fine to have a template answer that is used to acknowledge the receipt of a report, but it is also acceptable to modify it for the added “human touch.”

Following are some examples of varying the template text:

  • Use the sender’s name in the response.
  • Ask for additional details.
  • Add seasonal greetings (for example, “Happy New Year”), but only if you know the sender. Not all people celebrate the same holidays, and some might be offended if they are wished well for a “wrong” (in their eyes) holiday or occasion.

Incident Tracking Number

If the report represents an incident, it must be assigned a tracking number. That number must be communicated to the sender so that she can use it in subsequent emails. That way, both parties will always know which incident they are talking about. When exchanging encrypted email, the Subject line should contain only the incident number and nothing else, so that it gives away the minimum of detail to whoever intercepts the message.

Setting the Expectations

You must set the right expectations about what will happen next and how long it might take. If the report is not an incident, state so clearly, with an explanation of what to do if the sender does not agree with the assessment. If the report is an incident, state whether it is being handled right now and, if not, when it might be taken into the process.

Making sure that the other party knows exactly what is happening now, what will follow, why, and when is important to prevent misunderstandings. It is always better to include more information than to leave the other party guessing what is going on, because most of the time these guesses will be wrong. In this context, "more information" means where you are in the process of handling that incident, not additional information such as personal details from other compromised sites.

Information About the IRT

Where can more information about the IRT be found, and how can it be contacted? This is usually only a pointer to the IRT’s website, which contains all the details. There will always be people for whom this is the first time they communicate with the IRT. They obtained your email address from someone, but they do not know what the IR team does or how. Adding a pointer to where people can learn more about the team is easy and can help first-time reporters a lot.

Looking Professional and Courteous

To make your responses more professional, you can prepare some template text in advance so that whoever composes the actual response can cut and paste parts of the template. The template adds to the uniformity of the acknowledgments, which in turn helps the people reading them, as they get to know what information will be in the acknowledgment and where. This does not mean that team members should simply send a prepackaged response, which would be no better than leaving it to auto-responder software. The template is there so that all relevant elements are included in the acknowledgment, and each team member can add their own touch to the response.

Sample Acknowledgment

An example of an acknowledgment can look like this:

    Subject: Your report [IRT-1845249561249]
    Reply-to: irt@example.org

    Dear Miyamoto-san,

    We received your report, and it is assigned tracking number IRT-1845249561249. Please keep this number in the subject line of all subsequent emails related to this incident.

    This incident will be taken by one of our incident managers within the next 48 hours. You should receive a further email from the incident owner around that time. If you are not contacted within 4 working days after you receive this email, please contact us again so that we can investigate the problem.

    Our contact details, as well as our incident handling policy and other information about the IRT, can be found at http://www.example.org/security.

    Regards,
    Adela
    ———
    IRT http://www.example.org/security
    Emergency telephone: (+1) 234 5678 9012
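The mechanics described in the "Incident Tracking Number" and "Sample Acknowledgment" sections (assigning an unpredictable tracking number, rendering the template with the sender's name, and keeping an encrypted mail's Subject line down to the bare tracking number) can be scripted so that no element is forgotten. The following Python is an added illustration, not code from the chapter or from any IRT; the IRT-<13 digits> numbering scheme, the example.org addresses and the function names are assumptions taken from the shape of the sample above.

```python
import re
import secrets
from typing import List

# Assumed tracking-number format, modelled on the chapter's sample
# "IRT-1845249561249": the prefix IRT- followed by at least ten digits.
TRACKING_RE = re.compile(r"IRT-\d{10,}")

# Template mirrors the sample acknowledgment; placeholders are filled per report.
ACK_TEMPLATE = """Dear {name},

We received your report, and it is assigned tracking number {tracking}. \
Please keep this number in the subject line of all subsequent emails \
related to this incident.

This incident will be taken by one of our incident managers within the \
next {hours} hours. You should receive a further email from the incident \
owner around that time. If you are not contacted within {days} working days \
after you receive this email, please contact us again so that we can \
investigate the problem.

Our contact details, as well as our incident handling policy and other \
information about the IRT, can be found at {url}.

Regards,
{handler}
"""


def new_tracking_number() -> str:
    """Allocate a fresh tracking number (assumed format IRT-<13 digits>).

    secrets.randbelow() is used instead of a counter so that outsiders cannot
    infer incident volume or guess neighbouring incident numbers.
    """
    return f"IRT-{secrets.randbelow(10 ** 13):013d}"


def tracking_numbers_in(subject: str) -> List[str]:
    """Return every tracking number found in a Subject line.

    Used to route follow-up mail to the right incident; an empty list means
    the sender dropped the number and the mail needs manual triage.
    """
    return TRACKING_RE.findall(subject)


def subject_for(tracking: str, encrypted: bool, topic: str = "Your report") -> str:
    """Build a Subject line; encrypted mail carries only the tracking number."""
    if encrypted:
        return f"[{tracking}]"
    return f"{topic} [{tracking}]"


def check_encrypted_subject(subject: str) -> bool:
    """True when an encrypted mail's Subject reveals nothing beyond the number.

    Leading Re:/Fwd: prefixes added by mail clients are tolerated; any other
    words (site names, device types, "compromised") are a leak, since the
    Subject header travels in the clear even when the body is encrypted.
    """
    pattern = r"\s*(?:(?:Re|RE|Fw|FW|Fwd|FWD):\s*)*\[?IRT-\d{10,}\]?\s*"
    return re.fullmatch(pattern, subject) is not None


def render_acknowledgment(name: str, tracking: str, handler: str = "IRT",
                          hours: int = 48, days: int = 4,
                          url: str = "http://www.example.org/security") -> str:
    """Fill the acknowledgment template for one report."""
    if not TRACKING_RE.fullmatch(tracking):
        raise ValueError(f"malformed tracking number: {tracking!r}")
    return ACK_TEMPLATE.format(name=name, tracking=tracking, hours=hours,
                               days=days, url=url, handler=handler)


if __name__ == "__main__":
    number = new_tracking_number()
    print(subject_for(number, encrypted=False))
    print(render_acknowledgment("Miyamoto-san", number, handler="Adela"))
    # Constructed follow-up subjects, one compliant and one leaking detail.
    for subj in ("Re: [" + number + "]", "Router at HQ owned [" + number + "]"):
        print(subj, "->", "ok" if check_encrypted_subject(subj) else "leaks detail")
```

The separation between `subject_for` and `check_encrypted_subject` matters in practice: the first is used when the team sends mail, the second when reviewing outgoing encrypted mail or incoming replies, because the reporter may well have typed a descriptive Subject themselves.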
