Sunday, November 29, 2009

Incident Preparation

In the course of my work, I will often encounter a customer's computer security incident response plan, or CSIRP...often, not always. In some cases, it may be that the customer had a CSIRP and simply wanted validation of the plan and their processes, or a gap analysis. However, in most cases, responders such as myself encounter a complete lack of a CSIRP altogether, which is an indicator that the organization we're assisting was not prepared for an incident at all.

In the end, the true impact of this fact is on the customers themselves (and, in many cases, may be passed on to their customers), who may have already been subject to an intrusion/compromise, and may be facing notification costs, fines...and maybe more.

The Art of Preparation
No, preparation for an incident really isn't an art...I just wanted to get you to read further. The fact is, we all know what incident preparation is and consists of, because we do it all the time. An easy example of incident preparation is when we notice that the fuel gauge in our car is nearing the big "E". We anticipate a potential incident (i.e., running out of gas), so we take steps to prepare and mitigate the risks associated with an empty gas tank...we go to the gas station and fill up.

How about those of us who live in states where it may snow? We anticipate the risks associated with a driveway covered in snow, and we prepare to mitigate those risks; we get shovels, maybe some driveway de-icer compound, make sure we have a scraper available, etc. These aren't all the steps we may take...it really depends on where we live, and how willing we are to prepare.

So let's say someone lives in Maine or Minnesota, and makes a habit of NOT having a shovel, de-icer, tire chains, a full tank of gas, etc. Is this person prepared? Given that they're in a state with a high probability of snow, wouldn't it be prudent to take the necessary steps to prepare for an incident that has a high likelihood of occurring?

I would suggest to you that if your organization uses any sort of computing resources, the likelihood of you having (or, having had) a computer security incident of some kind is akin to that of it snowing in Maine in the winter months (and I know that this year, it already has!)...that is, the probability is rapidly approaching certainty. So why not be prepared?

Temporal Proximity
This is a term I heard a friend of mine use several years ago, and because I like stuff like Star Trek and the SciFi Channel, I keep it in the back of my brain housing group, ready to bring forth and assault my readers with. Oddly enough, it has a purpose here...that is, the closer in time to the incident that you begin collecting information and containing that incident, the greater your ability to really understand what's going on and address the issues of the incident. I'll use an example to illustrate what I mean...actually, a combination of several examples: a "victim" organization is notified of a breach of data by an outside third party, fully three months after the breach occurred. After about a week of trying to understand what could have happened, a responder such as myself is called in to assist. At that point, logs have rolled over and not been saved, systems have been taken out of service and reprovisioned, and IT staff are so busy that they can't remember what they had for breakfast, let alone what happened almost four months previously.

Another good example (by good, I really mean "seen often", not that the issue itself is good) is adding to the temporal dispersion by having relatively untrained staff conduct an "investigation" into the incident. By this point, systems have been scanned and rebooted (sometimes several times), patches have been installed, and again, some systems may have been rotated into or out of service. At this point, there is so much time (temporal dispersion) and activity between when the incident occurred and when any really meaningful steps are taken to respond to the incident that the actual response activities are close to futile.

Consider an episode of your favorite variation of CSI, and let's say a crime occurred in a residence; if nothing is mentioned about the crime for three years, and in that time the residence has been burned to the ground, the structure completely razed and carted off to the dump, and a commercial structure built up in its place, how is Grissom or Mac Taylor going to solve the crime?

Key Elements
Some of the key elements of Incident Preparation are your CSIRP, an understanding of your infrastructure (in particular, where your critical assets/data are located), and instrumentation. Without instrumentation, you have no visibility into what's happening within your infrastructure. Guys in submarines don't troll around the ocean depths without some sort of ability and instrumentation to determine where they are and what's going on around them. Instrumentation gives you visibility, and as such improves temporal proximity (it shortens the gap between when an incident occurs and when you can begin responding to it), particularly for intrusions or incidents of sensitive data leakage/theft.


Anonymous said...

After having read the title I was really looking forward to this post, hoping I could compare our "CSIRP" against one you suggest - or at least making sure we've covered all the "must dos" and avoided the common traps...

Oh well, maybe in a follow up post?

H. Carvey said...

Unfortunately, I can't suggest a CSIRP...for several reasons. Perhaps that follow-up post you referred to would be the best way to go about that...