The Effective Incident Response Team
Authors: Julie Lucas and Brian Moeller
Pages: 336
Publisher: Addison-Wesley
ISBN: 0201761750
Available for download is chapter 2 entitled “What’s Your Mission?”.
Introduction
With every year that passes it seems that the amount of computer security incidents is bigger than ever, yet it’s obvious there’s more security awareness. As the incidents increased in severity it was a natural step for organizations to form an incident response team or hire a team to respond to those incidents. It’s much easier to be prepared than to have to clean up after the damage has been done.
How do incident response teams function? Who are the people in the team? What steps do they take in order to increase the security of your network? The answer to these and numerous other questions lie within the pages of this book.
About the authors
Julie Lucas is currently the director of security operations for a Fortune 500 financial services company. In this role, she has a direct impact on the daily operations and security monitoring of the company’s backbone. Prior to her current role, she served as the general manager for security solutions for Enterasys Networks.
Brian Moeller, CISSP, is a firewall and network security consultant and member of the Ohio State University Network Security/Incident Response Team. He usually functions as the ‘incident cleanup’ person. He follows up after an incident is complete, and helps the network administrators apply various security tools and tactics to prevent further incidents.
Inside the book
The authors start the book by providing some background information. Here you learn a bit of history as you see when computer incident response teams first emerged and you begin to realize how your organization could benefit from having one. You discover when the Computer Emergency Response Team (CERT) was formed by the Defense Advanced Research Projects Agency (DARPA) as well as some insightful statistical information related to cyber attacks.
Now that the foundations have been laid out, the authors proceed to illustrate the numerous considerations that have to be addressed during formation of a team. In order to help you define your team’s mission you can use a set of basic questions presented in chapter two. You also learn about working with law enforcement as well as defining the operational strategy of your team – will it be just reactive or both reactive and proactive in nature? If the team is also proactive it can offer some services. Emphasized is the importance of the team’s credibility backed with an example including CERT.
Next the authors focus on terminology and they provide an in-depth explanation about what computer incident is before moving on to discuss various types of computer attacks and the related consequences. Of course, not all types of attacks are presented here but what you read about are some of the most common ones like Denial of Service and social engineering. When it comes to software titles, the authors note several tools used for password cracking. To close the chapter the authors write about computer viruses and hoaxes. Something original here is a comparison table of computer viruses and biological viruses.
What follows is the largest chapter of the book where you learn a myriad of details related to the people that are part of the team. In order to make the right selection of people you have to estimate what you need. The authors identify the roles and responsibilities of the team members and teach you how to interview potential candidates. Also important is the issue of coverage and this chapter helps you determine whether you need in-house coverage or if you’re going to outsource it. When an incident occurs there’s bound to be some media coverage so naturally you get some advice on how to deal with the media.
As the book continues the authors underline the importance of teamwork and write about the process of selecting products and tools. To my pleasant surprise, the authors defined training as a tool. There’s no better first line of defense than user security awareness training that gives your people the possibility to identify social engineering attacks, choose stronger passwords, etc. They note that the training has to be refreshed from time to time and that the end users should be rewarded for their efforts. This is an excellent way to reduce some of the most common attacks on your organization and let the team concentrate on the possible serious intrusion attempts.
The threat from attack doesn’t come just from the outside though. Companies are realizing that there’s a substantial insider threat and that’s exactly why the authors provide you with a list of areas where your systems may be vulnerable to attacks and should receive extra attention. A problem can also be the system administrators that need to keep track of basic security measures even in the event of a big threat like a fast spreading virus. To avoid these problems the incident response team should conduct periodic vulnerability assessments and here you learn what types of tests can be done. In a few pages, you get a text that explores the myth versus reality issues surrounding penetration testing.
The following chapter focuses on the operational aspects of computer incident response and you can use this information to write computer incident policies and procedures. You learn how to prepare yourself for compromise, identify an incident, notify the authorities, analyze the incident, remediate to what happened, restore the system(s) and learn from what occurred. In order to give you an understanding on how things are done in the real world, the authors just take what they’ve presented before and apply it to some sample incidents. One of the biggest problems that both system administrators and incident response teams face today is the problem of keeping up-to-date with the latest vulnerabilities and the authors try to help you achieve that goal with some advice that depending on your skill level and experience you may already be aware of.
Something that the security community often comments on is the fact that companies and the media tend to enlarge the cost of a particular incident. A small chapter is this book will help you determine just that. Another important aspect of computer incident investigation is the need to be knowledgeable about the law and the authors suggest a lawyer familiar with computer incidents and computer laws and a law enforcement officer to be part of the team at the time of the investigation of an incident.
If you’re interested in computer forensics than chapter 11 is for you as the authors introduce the readers with the subject and address specific considerations that must be taken into account when dealing with an incident. I wish this chapter was longer but it does serve it’s introductory purpose well, and if you want to find out more about forensics you’ll get a book dedicated specifically to the subject.
There’s more material in the appendices where you can see a sample incident report form, federal code related to cyber crime, some frequently asked questions, etc. This makes a part of this book a perfect reference guide.
Final thoughts
The audience of this book is not the hardcore security professional; you won’t find any deep technical details in this title. It’s basically aimed at all the people in the incident response team that apart from their in-depth technical knowledge also have to know some best practices when working as a team. It basically teaches professionals how to put their knowledge together and effectively manage an incident response team. It’s also an interesting read for managers that can get a better understanding of how a crucial team within their company operates and can therefore be more prepared and open for discussion when financing needs arise.
It’s also much more than that since many of you don’t really know if you need an incident response team or what type of team you should hire. I feel that the authors give you all the information necessary for a good assessment of your needs so you can make some sound decisions. The book is very easy to follow and understand and basically the only thing I feel is missing is an extensive list of resources, a simple thing to correct in the next edition.
If you want to be part of an incident response team, you’re putting one together or you’re just curious how things are done, this is the right book to read.