Cyber Security Incident Response Plan - Newlebanoncsd


Cyber Security Incident Response Plan
October 1, 2021
Source: crr resources guides/CRR Resource Guide-IM.pdf
Distribution Statement A: Approved for Public Release

Table of Contents

Cyber Security Incident Response Plan
  Supporting Documents - See Appendix
Introduction
  Purpose
  Definitions – Are there other items to be included?
Organizational Approach to Cyber Security Incident Response
Cyber Security Incident Response Team (CSIRT)
  Roles and Responsibilities
  RACI Matrix
Communications with Stakeholders
Cyber Security Incident Assessment
  Impact Criteria
  Scope Criteria
Threat Escalation Protocol
Response Procedures
  Phase 1 - Preparation
  Phase 2 - Detection
  Phase 3 - Analysis
  Phase 4 - Containment
  Phase 5 - Eradication
  Phase 6 - Recovery
  Phase 7 - Lessons Learned
Appendix
  Response Team Contact Information
  Help Desk Ticket Information
  Runbooks – These are samples for illustration purposes
  Reporting Requirements
  Communications Templates

Cyber Security Incident Response Plan

Revision History

Version | Change        | Author(s) | Date of Change
0.1     | Initial Draft |           | xx/xx/2021

Supporting Documents - See Appendix

- Cyber Security Incident Response Policy (to be developed)
- Cyber Security Incident Communications Template
- Cyber Security Incident Runbooks:
  o Social Engineering
  o Information Leakage
  o Insider Abuse
  o Phishing
  o Scam
  o Trademark Infringement
  o Ransomware
  o Worm Infection
  o Windows Intrusion
  o Unix/Linux Intrusion Detection
  o DDoS
  o Malicious Network Behavior
  o Website Defacement
  o Windows Malware Detection
  o Blackmail
  o Smartphone Malware
- Lessons Learned Analysis Report Template

Introduction

Purpose

The purpose of this document is to define a high-level incident response plan for any cyber security incident. It is used to define general communication processes for managing cyber security incidents, which may help minimize the impact and scope of an incident on the organization. Defining standard incident handling protocols reduces ambiguity when an incident occurs and keeps stakeholders accountable and aware of the incident.

This Cyber Security Incident Response Plan will be regularly reviewed, evaluated, and updated as part of New Lebanon CSD's on-going cyber security program. This also involves appropriate training of the staff expected to respond to cyber security incidents, as well as training of general employees regarding New Lebanon CSD's expectations of them with respect to cyber security responsibilities.

Definitions

Cyber Security Event: Identified occurrence of a system, service, or network state indicating a possible breach of information cyber security policy or failure of controls, including false alarms.

Cyber Security Incident: Single or series of unwanted or unexpected information cyber security events that have a significant probability of compromising business operations and threatening information security.

Data Loss Prevention (DLP): A system's ability to identify, monitor, and protect data in use, data in motion, and data at rest through content inspection and contextual security analysis of transactions, within a centralized management framework. Data loss prevention capabilities are designed to detect and prevent the unauthorized use and transmission of data or information. (NIST Computer Security Resource Center)

Family Educational Rights and Privacy Act (FERPA): FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

Incident Responder: A member of an incident response team, which is established to handle the intake, communication, and remediation of security incidents. If there is no dedicated incident response team, staff responding to incidents when required may be referred to as "incident responders."

Indicators of Compromise (IoC): Indicators of Compromise are "pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network." Indicators of compromise aid information security and IT professionals in detecting data breaches, malware infections, or other threat activity. By monitoring for indicators of compromise, organizations can detect attacks and act quickly to prevent breaches from occurring, or limit damage by stopping attacks at an earlier stage.

Intrusion Detection System (IDS): Software that looks for suspicious activity and alerts administrators. (NIST Computer Security Resource Center)

Intrusion Prevention System (IPS): Software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. (NIST Computer Security Resource Center)

Protected Health Information (PHI): Protected health information is individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses). (HIPAA Journal)

Personally Identifiable Information (PII): PII refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available - in any medium and from any source - that, when combined with other available information, could be used to identify an individual. (OMB Memorandum M-07-16)

Runbook: A Runbook consists of a series of conditional steps to perform actions, such as data enrichment, threat containment, and sending notifications, automatically as part of the incident response or security operations process. This automation helps to accelerate the assessment, investigation, and containment of threats and so speeds up the overall incident response process. Runbooks can also include human decision-making elements as required, depending on the particular steps needed within the process and the amount of automation the organization is comfortable using.

SIEM: Security Information and Event Management is a software solution that aggregates and analyzes activity from many different resources across the entire IT infrastructure. SIEM software typically collects security data from network devices, servers, domain controllers, and other monitoring systems.

Threat Escalation Protocol (TEP): Incidents should be assessed based on their impact on the organization and the scope of IT systems within the organization that are affected. The combination of these two factors provides insight into the threat escalation protocol, indicating the types of stakeholders typically needed for those types of incidents.

Organizational Approach to Cyber Security Incident Response

New Lebanon CSD's organizational approach to cyber security incident response and management is based on and follows the general guidelines of NIST SP 800-61 Rev. 2, and uses the following phases:

[Figure: Incident Response Phases based on NIST SP 800-61 Rev. 2 - Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons Learned]

This program fits into the New Lebanon CSD overall cyber security incident response program by following similar procedural protocol. By adhering to similar processes across the board, we can maintain consistency and ensure that responses are comprehensive, preventing as many potential incident information gaps as possible.

Communicating the cyber security incident both internally and externally (as needed) is an important part of this process. However, depending on the nature of the incident, communications may occur at different stages and are likely to be necessary more than once, to update stakeholder groups as new information becomes available during the response process.

Cyber Security Incident Response Team (CSIRT)

A Cyber Security Incident Response Team (CSIRT) has been created to help New Lebanon CSD respond to cyber security incidents. The CSIRT is NOT just for IT staff or management; it is comprised of staff with different skill sets and from different New Lebanon CSD organizational levels.

Roles and Responsibilities

The CSIRT is comprised of the individuals who have roles and are responsible for responding to a cyber security incident, also known as the incident responders. CSIRT members include:

Internal Members:
- Incident Commander – Andrew Kourt
- Management – Ethan Race / Francis Rielly
- Technical – Ethan Race
- Legal – Whiteman, Osterman, Hannah-Beth Bourassa
- Compliance – Andrew Kourt
- Human Resources – Andrew Kourt
- Communications – Jason Laz
- Public Relations – Jason Laz
- Finance – Francis Rielly
- Facilities – Francis Rielly
- Security – Deputy Patrick McMahon, Sheriff's Deputy

External Members:
- Insurance Company: Utica National
- Legal: Whiteman, Osterman, Hannah-Beth Bourassa
- Cyber Incident Response – Andrew Kourt
- Law Enforcement – Columbia County Sheriff, State Police, Homeland Security, FBI (as needed)

RACI Matrix

The RACI matrix below is used to identify and avoid confusion in roles and responsibilities during cyber security incident remediation. The RACI acronym stands for:

- Responsible. The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
- Accountable. The person(s) who is accountable for completing the work. Ideally, this is a single person and is often an executive or program sponsor.
- Consulted. The person(s) who provides information about the work. This is usually several people, typically called subject matter experts (SMEs).
- Informed. The person(s) who is updated on progress of the work. These are resources that are affected by the outcome of the activities and need to be kept up to date.

Legend:
R – Responsible – Who does the work
A – Accountable – For completing the work
C – Consulted – Provides info about the work
I – Informed – Who is updated on progress

Roles (matrix columns): Superintendent; Business Official and Facilities; Legal / Compliance; Communications; Law Enforcement; IT Manager; NERIC; Users.

Activities (matrix rows), by phase:
[The per-role R/A/C/I assignments of the original matrix did not survive extraction and are not reproduced here.]

Detection
- Report a suspected incident, such as a service disruption, a suspicious email, or unusual endpoint behavior.

Analysis
- Gather answers to incident-related questions.
- Perform Indicators of Compromise (IoC) search (firewall, IDS/IPS, email gateway, SIEM, logs, etc.).
- Determine what, if any, systems or devices were compromised (e.g., end user devices, servers, applications).
- Assess the impact to servers, applications, storage, or other systems.
- Determine the scope/breadth of the incident.
- Review security events and determine if a true security incident occurred.
- Communicate with senior management about significant incidents.
- Communicate with the organization about significant incidents.
- Determine if any regulatory, legal, or compliance mandates have been impacted, including breach notification requirements.
- Determine if any employee disciplinary actions are required.
- Determine if any public reputational or brand damage needs addressing.
- Determine if a crime was committed.

Containment
- Isolate or disconnect any infected endpoints or servers from the network, if necessary.
- Disable compromised user accounts, change passwords, or remove privileges, if necessary.
- Notify affected users and stakeholders of containment efforts that will affect services.
- Create an OS-level image of any affected endpoint, servers, or storage arrays.
- Provide senior management with incident updates.
- Commence any legal actions, if necessary.
- Implement a public relations/communications campaign to reduce reputational damage.

Eradication
- Seize, prepare replacement, and reissue end-user device(s).
- Eliminate the root cause of the incident (e.g., remove malware, block unauthorized users).
- Install system and security patches to resolve malware/network/other vulnerabilities.
- Build replacement servers, if necessary.

Recovery
- Re-issue devices and/or credentials, if necessary.
- Restore data from backups.
- Restore servers and other systems, as necessary.
- Perform vulnerability assessments, antivirus and anti-malware scans, and other tests to verify that operations are back to normal.
- Maintain communication with end users (e.g., informing them when operations are back to normal).
- Communicate with stakeholders that the incident is resolved, next steps, etc.
- Ensure the appropriate incident record/ticket is updated and closed, if resolved.

Lessons Learned
- Perform root-cause analysis.
- Facilitate post-incident lessons learned meetings, when appropriate.
- Identify changes to current technology to reduce the chance of reoccurrence.
- Implement updates to current technology to reduce the chance of reoccurrence.
- Update incident response material, including runbooks, with new processes.
- Enforce any employee disciplinary actions, if required.
- Conduct tabletop exercises or attack simulations.

Communications with Stakeholders

Cyber security incident response communications, both internal and external, should be drafted and delivered according to a formal process designed to maximize the efficiency and effectiveness of statements, memos, press releases, etc. made during the discovery and remediation of a cyber security incident.

Cyber security incidents are often chaotic, and they pose a significant risk to an organization's reputation and client base. Stability can be provided by outlining regulatory obligations and their reporting procedure and by defining proper communications protocols for various groups, such as employees, external stakeholders, and the media.

Communicating during an incident is a critical part of the incident response process. To the extent possible it is recommended that pre-written templates be used. During an incident it is very important that relevant parties are informed, and that messaging conveys the proper tone and the level of information necessary. The communications should be specifically tailored to the audience of the messaging, which could be employees, the public, or possibly law enforcement.

Please see the "Communication Templates" section in Appendix A for more details.

Cyber Security Incident Assessment

Cyber security incidents should be assessed based on their impact on the organization and the scope of IT systems within the organization that are affected. The combination of these two factors provides the insight necessary to apply the Threat Escalation Protocol (TEP), which indicates the types of stakeholders typically needed for those kinds of incidents.

Impact Criteria

Evaluate the impact on business functions, information, and recovery efforts. Overall incident impact should be assessed as the highest impact level reached by any of the three impact types below:

1. Functional impact: The impact as it relates to the availability and delivery of services and business functions. Is a critical system affected? Does it hinder functionality for users?
2. Information impact: The impact as it relates to the confidentiality, integrity, and availability of the organization's data. What sensitivity of data is affected? What does it mean for the organization (e.g., notification requirements, regulatory fines)?
3. Recoverability impact: The time and resources required to recover from the incident. What needs to be done for recovery?

Table 1. Impact Criteria

Rating: High
There is a high impact if at least one of the following is true:
- The organization is no longer able to provide some critical service(s) to any users and a critical business function cannot be performed, OR
- Regulated or highly sensitive data has been compromised. Regulatory actions may be required, OR
- Full recovery from the incident is not possible or will require significant external resources. There is severe reputational damage, OR
- Financial loss is $50,000 or greater.

Rating: Medium
There is a medium impact if at least one of the following is true and the impact was not high:
- The organization is no longer able to provide some secondary services to any users, OR
- The organization is no longer able to provide some critical services to a subset of users, but a workaround is available, OR
- Sensitive/confidential data has been exposed, but no regulatory actions are required, OR
- Recovery from the incident is possible, but requires additional resources (e.g., overtime), OR
- Financial loss is between $10,000 and $50,000.

Rating: Low
There is low impact if at least one of the following is true and the impact was not high or medium:
- The organization is experiencing minimal effects to services. All services are available, but efficiency has been affected, OR
- Public data has been affected, but no regulatory actions or penalties are required, OR
- Recovery from the incident is possible and predictable with existing processes, OR
- Financial loss is less than $10,000.

Rating: None
There is no impact if all of the following are true (e.g., false alarm; not a true security incident):
- There is no effect on the organization's ability to provide service to users, AND
- No information was exposed or affected in an unauthorized manner, AND
- No significant recovery time or resources are required, AND
- Financial loss is negligible.

Scope Criteria

Evaluate the scope (i.e., breadth/magnitude) of the incident on systems, users, endpoints, etc. Incident scope is a critical component that aids decision making throughout the incident response process.

Table 2. Scope Criteria

Rating: High
More than 99 individuals, systems, or processes affected, AND/OR at least 1 server was compromised, AND/OR at least 1 executive was targeted, AND/OR more than 9 sensitive records exposed, AND/OR a crime was committed.

Rating: Medium
11-99 individuals, systems, or processes affected, AND/OR 1-9 sensitive records exposed.

Rating: Low
10 or fewer individuals, systems, or processes affected.

Threat Escalation Protocol

A Threat Escalation Protocol (TEP) outlines the types of stakeholders needed during the cyber security incident response process. Informing and consulting these stakeholders during the response process is crucial when defending the organization against incidents. The TEP clearly defines escalation procedures for incidents.

Table 3. Threat Escalation Protocol

Impact \ Scope | Low    | Medium | High
High           | Tier 2 | Tier 1 | Tier 1
Medium         | Tier 2 | Tier 2 | Tier 1
Low            | Tier 3 | Tier 2 | Tier 2

Tier 1
Criteria: High impact, high scope; High impact, medium scope; Medium impact, high scope.
Stakeholders: End User; Help Desk; IT Operations; Technical Lead; Legal / Compliance; Human Resources; Communications / PR; Senior Management; Executive Management; External Third Parties.

Tier 2
Criteria: High impact, low scope; Medium impact, medium scope; Medium impact, low scope; Low impact, high scope; Low impact, medium scope.
Stakeholders: End User; Help Desk; IT Operations; Technical Lead; Legal / Compliance (as needed); Senior Management (as needed).

Tier 3
Criteria: Low impact, low scope.
Stakeholders: End User; Help Desk; IT Operations.
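The assessment rules in Tables 1 to 3 are the kind of thing responders apply inconsistently under pressure, so the following added example (not part of the New Lebanon CSD plan or its appendices) encodes them as a small Python triage function: impact is the highest level any criterion reaches, scope follows Table 2, and the tier and stakeholder list come from Table 3. The Incident field names and the three sample incidents are assumptions constructed for this illustration; the thresholds and the tier matrix are the plan's own.

```python
"""Triage helper encoding Table 1 (impact), Table 2 (scope) and Table 3 (TEP).

Added example; not the district's code. Field names below are assumptions
chosen to mirror the wording of the tables.
"""
from dataclasses import dataclass


@dataclass
class Incident:
    # Functional impact (availability and delivery of services)
    critical_service_down_for_all: bool = False        # High
    critical_service_down_with_workaround: bool = False  # Medium (subset of users)
    secondary_service_down: bool = False               # Medium
    efficiency_affected: bool = False                  # Low (all services available)
    # Information impact (sensitivity of the data involved)
    regulated_data_compromised: bool = False           # High, regulatory action possible
    sensitive_data_exposed: bool = False               # Medium, no regulatory action
    public_data_affected: bool = False                 # Low
    # Recoverability impact
    recovery_impossible_or_external: bool = False      # High
    recovery_needs_extra_resources: bool = False       # Medium (e.g. overtime)
    recovery_with_existing_processes: bool = False     # Low
    severe_reputational_damage: bool = False           # High
    financial_loss_usd: float = 0.0
    # Scope (Table 2)
    individuals_affected: int = 0                      # individuals, systems or processes
    servers_compromised: int = 0
    executives_targeted: int = 0
    sensitive_records_exposed: int = 0
    crime_committed: bool = False


def impact_rating(i: Incident) -> str:
    """Table 1: the overall impact is the highest level any single criterion reaches."""
    if (i.critical_service_down_for_all or i.regulated_data_compromised
            or i.recovery_impossible_or_external or i.severe_reputational_damage
            or i.financial_loss_usd >= 50_000):
        return "High"
    if (i.secondary_service_down or i.critical_service_down_with_workaround
            or i.sensitive_data_exposed or i.recovery_needs_extra_resources
            or 10_000 <= i.financial_loss_usd < 50_000):
        return "Medium"
    # Table 1 says "less than 10,000" for Low but "negligible" for None, so a
    # zero loss on its own must not promote a false alarm to Low.
    if (i.efficiency_affected or i.public_data_affected
            or i.recovery_with_existing_processes
            or 0 < i.financial_loss_usd < 10_000):
        return "Low"
    return "None"


def scope_rating(i: Incident) -> str:
    """Table 2: any single High criterion makes the whole scope High."""
    if (i.individuals_affected > 99 or i.servers_compromised >= 1
            or i.executives_targeted >= 1 or i.sensitive_records_exposed > 9
            or i.crime_committed):
        return "High"
    if 11 <= i.individuals_affected <= 99 or 1 <= i.sensitive_records_exposed <= 9:
        return "Medium"
    return "Low"


# Table 3, keyed by (impact, scope).
TEP_MATRIX = {
    ("High", "Low"): 2, ("High", "Medium"): 1, ("High", "High"): 1,
    ("Medium", "Low"): 2, ("Medium", "Medium"): 2, ("Medium", "High"): 1,
    ("Low", "Low"): 3, ("Low", "Medium"): 2, ("Low", "High"): 2,
}
TEP_STAKEHOLDERS = {
    1: ["End User", "Help Desk", "IT Operations", "Technical Lead",
        "Legal / Compliance", "Human Resources", "Communications / PR",
        "Senior Management", "Executive Management", "External Third Parties"],
    2: ["End User", "Help Desk", "IT Operations", "Technical Lead",
        "Legal / Compliance (as needed)", "Senior Management (as needed)"],
    3: ["End User", "Help Desk", "IT Operations"],
}


def escalate(i: Incident) -> dict:
    """Score an incident and return the TEP tier plus who to involve.

    A "None" impact is a false alarm per Table 1: it is closed as an event,
    not escalated as an incident, so it gets no tier and no stakeholders."""
    impact, scope = impact_rating(i), scope_rating(i)
    if impact == "None":
        return {"impact": impact, "scope": scope, "tier": None, "stakeholders": []}
    tier = TEP_MATRIX[(impact, scope)]
    return {"impact": impact, "scope": scope, "tier": tier,
            "stakeholders": TEP_STAKEHOLDERS[tier]}


# Constructed sample incidents (illustration only).
RANSOMWARE_FILE_SERVER = Incident(
    critical_service_down_with_workaround=True,  # shared drive down, staff use local copies
    recovery_needs_extra_resources=True,         # weekend restore from backup
    individuals_affected=40, servers_compromised=1)
SINGLE_LAPTOP_ADWARE = Incident(efficiency_affected=True, individuals_affected=1)
REPORTED_PHISH_NOT_CLICKED = Incident(individuals_affected=1)

if __name__ == "__main__":
    for name, inc in [("ransomware", RANSOMWARE_FILE_SERVER),
                      ("adware", SINGLE_LAPTOP_ADWARE),
                      ("phish", REPORTED_PHISH_NOT_CLICKED)]:
        r = escalate(inc)
        print(f"{name}: impact={r['impact']} scope={r['scope']} tier={r['tier']}")
```

Note how the sample ransomware case lands in Tier 1 even though its impact is only Medium: a single compromised server is enough to make the scope High under Table 2, and Medium impact with High scope is Tier 1 in Table 3. That is the behaviour the matrix is meant to force, and it is easy to miss when scoring by hand.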

Response Procedures

The actions required to deal with cyber security incidents are detailed below for each relevant stakeholder, in each of the seven phases (preparation, detection, analysis, containment, eradication, recovery, and lessons learned).

Phase 1 - Preparation

During the Preparation Phase, teams put in place what they will need to respond to an incident in the best way possible. Proper policies, procedures, and tools need to be put into place.

Technologies involved in this phase include: Firewalls; IDS/IPS; Web proxy; Antivirus; Anti-malware; Email gateway; SIEM.

Preparation Phase

Preparation: End User
Description: No incident response responsibilities.

Preparation: Help Desk
Description: During the preparation phase, help desk staff will make sure they are ready to respond to incidents.
Questions: Am I aware of my responsibilities as they relate to incident response? Do I need any additional training?
Actions:
- Review and understand incident response roles and responsibilities.
- Take training courses and participate in available webinars.

Preparation: IT Operations
Description: During the preparation phase, cybersecurity staff configure firewall, IDS/IPS, web proxy, antivirus, anti-malware, email gateway, SIEM, DLP, and other systems to enable them to better detect potential issues.
Questions: Have we kept up to date with patches to our systems? Have we researched new technologies to increase our cybersecurity posture? Are we taking advantage of new features and functionality? Do we need any additional training?
Actions:
- Review new technologies on a regular basis.
- Update firewalls, IDS/IPS, DLP, web proxy connections, antivirus, anti-malware, and other systems.
- Take training courses and participate in available webinars.

Preparation: Technical Lead
Description: During the preparation phase the TECHNICAL LEAD will ensure that the CSIRP is up to date and tested and that the organization is ready to respond to an incident.
Questions: Has the IR plan been updated and tested? Have employees received up to date, relevant cyber security training? Do employees know how to report a potential incident? Are the members of the CSIRT aware of their roles and responsibilities?
Actions:
- Plan and execute a tabletop exercise.
- Ensure all employees are trained to help avoid and report potential cybersecurity incidents.
- Hold meetings with the CSIRT on a regular basis.

Preparation: Legal, Compliance, HR
Description: During the preparation phase these areas will try to identify changes to laws, policies, etc. that could require changes to the IR plan or response procedures. These areas will work together to create appropriate communications templates.
Questions: Are there any new laws or policies that New Lebanon needs to comply with? Do we have any additional reporting requirements?
Actions:
- Take training courses and participate in available webinars.

Preparation: Remaining stakeholders
Description: No incident response responsibilities.

Phase 2 - Detection

During the Detection Phase, teams evaluate a potential cyber security incident. Once an incident has been detected, a help desk ticket or incident record/ticket is opened to initiate the detection phase.

Incident triggers can include:
1. End users reporting to help desk.
2. Technology trigger (FW, IDS/IPS, etc.).
3. Pen tests (vulnerability management).
4. Hunt function (threat intel).

Technologies involved in this phase include: Firewalls; IDS/IPS; Web proxy; Antivirus; Anti-malware; Email gateway; SIEM.

Detection Phase

Detection: End User
Description: During the detection phase, the end user may report suspicious behaviors or issues and system/service disruptions.
Questions: Did I receive a suspicious email? How do I resolve the issue with my endpoint? Why is a system or service not available or behaving abnormally? Is my device possibly lost or stolen? Why can't I access my data or account?
Actions:
- Report a suspected incident or issue to the help desk. Examples include:
  o Data is missing/altered.
  o Passwords aren't working.
  o Experiencing a significant number of pop-up ads.
  o Computer keeps crashing.
  o Account/network cannot be accessed.

Detection: Help Desk
Description: During the detection phase, help desk staff will monitor calls and submitted tickets.
Questions: Are any end users experiencing potential security incidents? Are assets or services being impacted by a security incident?
Actions:
- Open a help desk ticket (see Appendix for examples of information to be included in a help desk ticket).

Detection: IT Operations
Description: During the detection phase, cybersecurity staff monitor firewall, IDS/IPS, web proxy, antivirus, anti-malware, email gateway, SIEM, DLP, and other events, and escalate to incidents as needed.
Questions: Has data been exposed or exfiltrated? Has an executive been targeted or affected by a security incident? Are security technologies identifying one or a series of events?
Actions:
- Determine
