Had a chat with a lovely analyst the other day who was doing a briefing paper for his clients, and here are a few lessons learnt I have picked up:
*It's all about the CSIRT
The Computer Security Incident Response Team is who gets called to help when a security incident is identified. Often security incidents are identified due to an outage or degradation in performance through standard ITIL-style incident management processes.
The CSIRT should comprise a virtual team (who have been pre-warned and educated as to their roles) of security operations personnel and IT operations personnel (desktop, server, network, app support and database). A "management team" of media liaison, legal and senior management should operate in parallel and concentrate on communications and public relations.
One method in use is to have a conf call running for the tech team and have a comms person dial in every 30 mins to gather intel for a sitrep for the "management team" so that the CSIRT can get on with responding to the incident rather than returning calls from senior management and producing status updates.
*A preemptive media blitz
Having a pre-approved press release all ready to go in case of customer impact is a good idea IMHO as this will pre-empt bad press. In this day of twitter driven instant communications waiting for half a day to get the message out is far too long.
*Build in resiliency
Have a hard copy CSIRT manual available with an insert with the latest numbers of the CSIRT members and issued to the IT Help Desk and CSIRT members. This manual and your intranet should reference a contact number (ugh for the hellphone I mean cellphone) that the security ops team will carry on a roster and an email address like firstname.lastname@example.org that is CC'd to all current CSIRT members.
*Have a plan of attack
For commonly anticipated incidents have a brief plan of attack documented in the CSIRT manual. Don't go overboard and the process followed should be sanity checked by CSIRT members at each stage during the incident.
*Liaise BEFORE the incident so you have a friend to phone
Identify who you may need to contact in case of a security incident and make friends. This will help you later. This could be your bank, CIOs of customers, govCERT, AHTCC, local computer crime unit etc. Who you contact may vary based on your organisation and the type of incident you experience. For example, finding illegal content on a computer may require you to call local law enforcement. Experiencing a sustained DDoS attack may require you to call your telco. Fraud conducted via computer may be your bank and local fraud squad etc.
*Know where to get your intel and practice
Do some exercises based on your commonly anticipated attacks and figure out where you can monitor outbound traffic from your desktops etc. so that you can take actions based on facts not hunches.
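As an added example (mine, not the analyst's or the original post's), here is the kind of "facts not hunches" check the exercise above should leave you able to run: a small script over outbound flow records of the sort an egress firewall or NetFlow collector exports. The policy it encodes is hypothetical: desktops live on 10.10.0.0/16, and the only boxes that should talk to the internet directly are the proxy, resolver and mail relay, so any desktop flow to a non-internal address is summarised for a human to look at. The flow records are constructed for the demo.

```python
"""Summarise desktops that reach the internet directly, bypassing the proxy."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical network layout for this example.
DESKTOP_NET = ip_network("10.10.0.0/16")
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # anything here is "inside"

# Constructed flow records: timestamp src_ip dst_ip dst_port proto bytes
SAMPLE_FLOWS = """\
2024-05-01T09:00:01Z 10.10.4.21 10.1.0.5 3128 tcp 48210
2024-05-01T09:00:02Z 10.10.4.21 10.1.0.53 53 udp 120
2024-05-01T09:00:05Z 10.10.7.8 203.0.113.40 443 tcp 9120
2024-05-01T09:00:09Z 10.10.7.8 203.0.113.40 443 tcp 11000
2024-05-01T09:01:10Z 10.10.7.8 198.51.100.7 6667 tcp 400
2024-05-01T09:02:00Z 10.10.9.3 10.20.3.4 445 tcp 7700
2024-05-01T09:02:30Z 10.1.0.5 203.0.113.40 443 tcp 90000
"""


def parse_flows(text):
    """Turn the whitespace-separated records into dicts; skip blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_direct_egress(text):
    """Return {desktop_ip: [summary, ...]} for desktop flows to non-internal hosts.

    Each summary aggregates one (dst, port, proto) tuple: flow count, total
    bytes and the first/last timestamp seen, which is what you want on a
    sitrep rather than raw flow lines.
    """
    summaries = {}
    for f in parse_flows(text):
        if ip_address(f["src"]) not in DESKTOP_NET or is_internal(f["dst"]):
            continue  # not a desktop, or destination is inside: not our concern here
        key = (f["src"], f["dst"], f["port"], f["proto"])
        s = summaries.setdefault(key, {
            "dst": f["dst"], "port": f["port"], "proto": f["proto"],
            "flows": 0, "bytes": 0, "first": f["ts"], "last": f["ts"]})
        s["flows"] += 1
        s["bytes"] += f["bytes"]
        s["last"] = f["ts"]
    by_host = defaultdict(list)
    for (src, _, _, _), s in summaries.items():
        by_host[src].append(s)
    return dict(by_host)


if __name__ == "__main__":
    for host, entries in find_direct_egress(SAMPLE_FLOWS).items():
        print(f"{host} bypassed the proxy:")
        for s in entries:
            print(f"  -> {s['dst']}:{s['port']}/{s['proto']} "
                  f"{s['flows']} flows, {s['bytes']} bytes, {s['first']}..{s['last']}")
```

Running it on the sample flags only 10.10.7.8: once for HTTPS straight to 203.0.113.40 (two flows, 20120 bytes) and once for an IRC-port connection to 198.51.100.7. The desktop going to the proxy and the file-share traffic to another internal host are ignored, and the proxy's own external traffic is expected. Swap the constructed policy and records for your own and the same shape of output gives the tech bridge something concrete to act on.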
*Outsource the forensics
Once you know you have a significant incident on hand that is likely to result in employee dismissal or a civil or criminal case, call in a professional computer forensics team who can independently capture, analyse and present in court the results and stand up to intense cross examination.
*Prepare to capture the info
Think about what incidents you are likely to encounter and hence what logging needs to be turned on. Stream the logs in real time over an encrypted channel to a secured central log server, so that an admin can't tamper with the logs. Sync up all the time sources to the same timezone and time server.
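An added illustration of two of the points above (my code, not from the post): what the central log server can do once the streams arrive. The first half shows why the time-source point matters: three constructed lines from hosts whose clocks report different offsets, normalised to UTC so the timeline sorts correctly (the naive wall-clock order is wrong). The second half keeps each stored entry in an HMAC chain under a key held only on the log server, so an admin who later edits a record on the source host, or even on the central box without the key, leaves a detectable break. The hosts, key and messages are constructed; in production the transport would be your syslog daemon over TLS and the key would live in an HSM or at least outside the admins' reach.

```python
"""Normalise log timestamps to UTC and keep a tamper-evident HMAC chain."""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed: ISO 8601 timestamp with offset, host, message. Note the offsets differ.
SAMPLE_LINES = [
    "2024-05-01T09:00:05+10:00 web01 sshd[2211]: Accepted publickey for deploy from 10.10.7.8",
    "2024-05-01T23:00:04Z db01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash",
    "2024-05-01T01:00:07-05:00 mail01 postfix/smtpd[880]: connect from unknown[203.0.113.40]",
]

# Constructed demo key; a real one lives only on the log server, never on sources.
KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # previous digest for the first entry


def normalize(line):
    """Return (utc_timestamp, host, message) for one line.

    Timestamps without an offset are rejected rather than guessed, because a
    source that cannot say what its clock means has to be fixed, not worked around.
    """
    ts, host, msg = line.split(" ", 2)
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"{host}: timestamp {ts!r} carries no UTC offset")
    utc = dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
    return utc, host, msg


def build_timeline(lines):
    """Normalise every line and order by true (UTC) time, not by wall clock."""
    return sorted((normalize(l) for l in lines), key=lambda r: r[0])


def _digest(key, prev, ts, host, msg):
    data = "|".join((prev, ts, host, msg)).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_chained(store, key, record):
    """Append a normalised record to the store, linking it to the previous digest."""
    ts, host, msg = record
    prev = store[-1]["digest"] if store else GENESIS
    digest = _digest(key, prev, ts, host, msg)
    store.append({"ts": ts, "host": host, "msg": msg, "digest": digest})
    return digest


def verify_chain(store, key):
    """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(store):
        expected = _digest(key, prev, e["ts"], e["host"], e["msg"])
        if not hmac.compare_digest(expected, e["digest"]):
            return i
        prev = e["digest"]
    return -1


if __name__ == "__main__":
    store = []
    for rec in build_timeline(SAMPLE_LINES):
        append_chained(store, KEY, rec)
        print(rec[0], rec[1], rec[2])
    print("chain intact:", verify_chain(store, KEY) == -1)
    store[1]["msg"] = store[1]["msg"].replace("203.0.113.40", "10.0.0.1")
    print("first tampered entry:", verify_chain(store, KEY))
```

Once normalised, the order is web01 (2024-04-30T23:00:05Z), mail01, then db01, which is not the order the raw wall-clock times suggest; that is exactly the kind of confusion that bites during reconstruction. Editing one stored message afterwards makes `verify_chain` report index 1. Chaining does not stop a deletion of the tail, so pair it with the real-time streaming the post recommends and periodically record the latest digest somewhere the log admins cannot write.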
Comments welcome from experienced first responders!