Defining Incident Response
Incident response is generally defined as the process of investigating a data breach within an organization. Normally, attackers use malware or exploits as one of their primary tools to breach the organization. This may mean using sophisticated programs to attack and bypass security devices and software. In other cases, it may mean attackers simply exploit the people using the technology by means of social engineering or phishing. In general, an incident response is necessary whenever the attacker uses technology as part of an attack.
An incident response team, often referred to as an IRT, is a team of individuals who are available, are ready, and have the expertise to investigate a data breach. In most cases, these teams have expertise in both the technical and nontechnical aspects of an organization’s business and technology. This enables them to make quick decisions, understand and interpret results from their investigations, and quickly take any necessary action as needed.
An incident response team must have and follow a well-defined incident response methodology. The basic incident handling methodology described here is a variation of several public methods and techniques that we have modified and that we feel work best in most environments. Our incident response process consists of the following areas:
Create and practice a breach preparedness plan.
Secure your data and investigation site.
Assemble your incident response team.
Contain the data breach.
Assess the severity and extent of the breach.
Follow all legal and organization notification procedures.
Perform follow-up actions and procedures.
Many different incident response models are publicly available and widely used. The US Federal Trade Commission has an excellent guide, Data Breach Response: A Guide for Businesses, that can be found at www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business.pdf. Additionally, compliance and standards organizations may have their own guide. For example, the Payment Card Industry (PCI) publishes its own guide for data breach response at www.pcisecuritystandards.org/documents/PCI_SSC_PFI_Guidance.pdf. In many cases, these guides do not provide a complete policy that you can implement in your organization as they currently stand. Our recommendation is to take parts of these guides and customize them to meet your specific organization’s business and legal requirements. The same goes for the concepts in this book.
One last point to keep in mind is that there generally aren’t laws or requirements governing who may become an incident responder or incident handler. In other words, normally no certification or government registration is required, as there is for lawyers and doctors. However, each geographic region, state, and country may be different. You need to check the local laws in your area to be sure of those requirements.
Do not confuse an incident responder with a forensics specialist. Many places require a forensic specialist, or anyone in the field of collecting any type of evidence, to hold a private investigator’s or other type of license. In the United States, the requirements individuals must meet to conduct incident response and digital forensic investigations differ not only by state but also by industry (such as medical, industrial, manufacturing, education, and financial). Even though a certification may not be required for you to be an incident handler, you may be required to follow extremely strict state, federal, and other national reporting requirements during your investigations.
In some complicated cases, you are required to report your findings to law enforcement and other government officials. Those reporting requirements may directly contradict nondisclosure and privacy policies you have agreed to within the organization. Failure to comply with all policies and laws may result in personal legal liability for you as the incident handler. If this sounds complicated, do not worry; you are not alone! This is the conundrum many incident and forensic investigators face every day. We suggest you speak with a legal professional if you have any concerns about incidents you are being considered to investigate. Many independent consultants purchase business liability insurance or work closely with expert legal professionals. If you work for a corporation, your legal liability is likely limited because you are acting on behalf of that corporation. Once again, remember that laws differ greatly from country to country and sometimes even within the same country.