incident response plan example (1)

Upload: nelson-ivan-acosta

Post on 03-Jun-2018


    8/12/2019 Incident Response Plan Example (1)

    Sample Intrusion Detection Incident Response Plan

    Incident Response Plan Example

    This document lays out the steps taken during an incident response. To create your own plan, replace the steps in the following example with the contact information and specific courses of action for your organization.

    1. The person who discovers the incident will call the grounds dispatch office. List possible sources of those who may discover the incident. The known sources should be provided with a contact procedure and contact list. Sources requiring contact information may be:

    a. Helpdesk
    b. Intrusion detection monitoring personnel
    c. A system administrator
    d. A firewall administrator
    e. A business partner
    f. A manager
    g. The security department or a security person
    h. An outside source

    List all sources and check off whether they have contact information and procedures. Usually each source would contact one 24/7 reachable entity such as a grounds security office. Those in the IT department may have different contact procedures than those outside the IT department.

    2. If the person discovering the incident is a member of the IT department or affected department, they will proceed to step 5.

    3. If the person discovering the incident is not a member of the IT department or affected department, they will call the 24/7 reachable grounds security department at xxx-xxx.

    4. The grounds security office will refer to the IT emergency contact list or affected department contact list and call the designated numbers in order on the list. The grounds security office will log:

    a. The name of the caller.
    b. Time of the call.
    c. Contact information about the caller.
    d. The nature of the incident.
    e. What equipment or persons were involved?
    f. Location of equipment or persons involved.
    g. How the incident was detected.
    h. When the event was first noticed that supported the idea that the incident occurred.

    5. The IT staff member or affected department staff member who receives the call (or discovered the incident) will refer to their contact list for both management personnel to be contacted and incident response members to be contacted. The staff member will call those designated on the list. The staff member will contact the incident response manager using both email and phone messages while being sure other appropriate and backup personnel and designated managers are contacted. The staff member will log the information received in the same format as the grounds security office in the previous step. The staff member could possibly add the following:

    a. Is the equipment affected business critical?
    b. What is the severity of the potential impact?
    c. Name of system being targeted, along with operating system, IP address, and location.
    d. IP address and any information about the origin of the attack.

    6. Contacted members of the response team will meet or discuss the situation over the telephone and determine a response strategy.

    a. Is the incident real or perceived?
    b. Is the incident still in progress?
    c. What data or property is threatened and how critical is it?
    d. What is the impact on the business should the attack succeed? Minimal, serious, or critical?
    e. What system or systems are targeted, where are they located physically and on the network?
    f. Is the incident inside the trusted network?
    g. Is the response urgent?
    h. Can the incident be quickly contained?
    i. Will the response alert the attacker and do we care?
    j. What type of incident is this? Example: virus, worm, intrusion, abuse, damage.

    7. An incident ticket will be created. The incident will be categorized into the highest applicable level of one of the following categories:

    a. Category one - A threat to public safety or life.
    b. Category two - A threat to sensitive data.
    c. Category three - A threat to computer systems.
    d. Category four - A disruption of services.
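    As an added example, not part of the original plan document, the following Python shows how the intake log of steps 4 and 5, the trusted-network question of step 6 f, and the step 7 categorization could be captured in a ticket: it refuses to open a ticket when a required log field is blank, picks the highest applicable category in the plan's order, and checks whether the reported source address sits in the trusted network. The field names, the address ranges in TRUSTED_NETWORKS and the sample intake record are assumptions constructed for this example.

```python
"""Incident intake record and triage for steps 4, 5 and 7 (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
from typing import Optional

# Fields the plan requires the grounds security office (step 4) and the IT
# staff member (step 5) to log for every report, in the plan's own order.
REQUIRED_FIELDS = (
    "caller_name", "call_time", "caller_contact", "nature",
    "equipment_or_persons", "location", "how_detected", "first_noticed",
)

# Step 7 categories, most severe first. A ticket takes the highest applicable
# level: the first category whose test is true wins, even if lower ones also apply.
CATEGORY_TESTS = (
    (1, "A threat to public safety or life", lambda t: t.threat_to_life),
    (2, "A threat to sensitive data", lambda t: t.sensitive_data_at_risk),
    (3, "A threat to computer systems", lambda t: t.systems_at_risk),
    (4, "A disruption of services", lambda t: t.services_disrupted),
)

# Ranges treated as "inside the trusted network" (step 6 f). Hypothetical
# values; replace with your organization's address space.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


class IncompleteIntakeError(ValueError):
    """Raised when the intake log lacks a field the plan says must be recorded."""


@dataclass
class IncidentTicket:
    intake: dict                      # the step 4/5 log, keyed by REQUIRED_FIELDS
    target_ip: Optional[str] = None   # step 5 c
    source_ip: Optional[str] = None   # step 5 d
    threat_to_life: bool = False
    sensitive_data_at_risk: bool = False
    systems_at_risk: bool = False
    services_disrupted: bool = False
    category: Optional[int] = None
    category_label: str = ""
    source_inside_trusted_network: Optional[bool] = None
    opened_at: str = ""


def missing_fields(intake):
    """Names of required intake fields that are absent or blank."""
    return [f for f in REQUIRED_FIELDS if not str(intake.get(f, "")).strip()]


def inside_trusted_network(ip):
    """True when the address falls in any configured trusted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def create_ticket(intake, **indicators):
    """Validate the intake log, assign the step 7 category and open a ticket.

    indicators are IncidentTicket flag/IP fields, e.g. sensitive_data_at_risk=True.
    """
    missing = missing_fields(intake)
    if missing:
        raise IncompleteIntakeError("intake log is missing: " + ", ".join(missing))
    ticket = IncidentTicket(intake=dict(intake), **indicators)
    for number, label, applies in CATEGORY_TESTS:
        if applies(ticket):
            ticket.category, ticket.category_label = number, label
            break
    if ticket.source_ip:
        ticket.source_inside_trusted_network = inside_trusted_network(ticket.source_ip)
    ticket.opened_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return ticket


# Constructed sample intake log, as the grounds security office would record it.
SAMPLE_INTAKE = {
    "caller_name": "R. Smith (helpdesk)",
    "call_time": "2019-08-12T09:14:00Z",
    "caller_contact": "helpdesk ext. 4100",
    "nature": "repeated failed logins followed by a new admin account",
    "equipment_or_persons": "finance file server FS-01",
    "location": "Building B server room",
    "how_detected": "intrusion detection alert",
    "first_noticed": "2019-08-12T08:50:00Z",
}

if __name__ == "__main__":
    t = create_ticket(SAMPLE_INTAKE, target_ip="10.1.2.3", source_ip="203.0.113.7",
                      sensitive_data_at_risk=True, services_disrupted=True)
    print(f"category {t.category}: {t.category_label}; "
          f"source inside trusted network: {t.source_inside_trusted_network}")
```

    Because the category tests are checked in order and the loop stops at the first match, a report that threatens both sensitive data and service availability is filed as category two, which is what "highest applicable level" means in step 7.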


    8. Team members will establish and follow one of the following procedures, basing their response on the incident assessment:

    a. Worm response procedure
    b. Virus response procedure
    c. System failure procedure
    d. Active intrusion response procedure - Is critical data at risk?
    e. Inactive intrusion response procedure
    f. System abuse procedure
    g. Property theft response procedure
    h. Website denial of service response procedure
    i. Database or file denial of service response procedure
    j. Spyware response procedure

    The team may create additional procedures which are not foreseen in this document. If there is no applicable procedure in place, the team must document what was done and later establish a procedure for the incident.


    c. How the incident occurred, whether through email, firewall, etc.
    d. Where the attack came from, such as IP addresses and other related information about the attacker.
    e. What the response plan was.
    f. What was done in response?
    g. Whether the response was effective.

    14. Evidence Preservation: make copies of logs, email, and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution and beyond in case of an appeal.
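    The plan says to make copies of logs and email and keep them; what makes such copies usable later is being able to show they have not changed since collection. As an added example, not from the original document, the Python below copies each item into an evidence folder, writes a manifest recording the collector, the collection time and the SHA-256 of every copy, and re-verifies the copies against that manifest. The sample log lines, the case identifier, the collector name and the file names are constructed for this example.

```python
"""Evidence preservation with integrity hashes and a custody manifest (added example)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_of(path, chunk=1 << 16):
    """SHA-256 hex digest of a file, read in chunks so large logs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector, case_id):
    """Copy each source file into evidence_dir and write a manifest recording
    who collected it, when, and the SHA-256 of the copy.

    Returns (manifest, manifest_sha256). Record the manifest hash in the case
    notes; it lets a reviewer later show that neither the copies nor the
    manifest changed after collection.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    items = []
    for src in map(Path, sources):
        dest = evidence_dir / f"{len(items):03d}_{src.name}"
        shutil.copy2(src, dest)  # copy2 keeps the original's timestamps
        digest = sha256_of(dest)
        if digest != sha256_of(src):  # the copy must match what we read
            raise IOError(f"copy of {src} does not match the original")
        items.append({
            "original": str(src),
            "copy": dest.name,
            "bytes": dest.stat().st_size,
            "sha256": digest,
            "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
    manifest = {"case_id": case_id, "collector": collector, "items": items}
    manifest_path = evidence_dir / MANIFEST_NAME
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest, sha256_of(manifest_path)


def verify(evidence_dir):
    """Names of preserved copies that are missing or no longer match the manifest.

    An empty list means every copy is intact.
    """
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    damaged = []
    for item in manifest["items"]:
        copy = evidence_dir / item["copy"]
        if not copy.exists() or sha256_of(copy) != item["sha256"]:
            damaged.append(item["copy"])
    return damaged


def demo():
    """Preserve two constructed sample files, verify, tamper with one copy,
    verify again. Returns the results so the behaviour can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample evidence: a few auth log lines and an alert email.
        auth = root / "auth.log"
        auth.write_text(
            "Aug 12 08:50:01 fs-01 sshd[812]: Failed password for admin from 203.0.113.7 port 51022\n"
            "Aug 12 08:50:04 fs-01 sshd[812]: Failed password for admin from 203.0.113.7 port 51023\n"
            "Aug 12 08:51:40 fs-01 useradd[901]: new user: name=svc_backup, UID=1007\n"
        )
        mail = root / "ids-alert.eml"
        mail.write_text("Subject: IDS alert: brute force against fs-01\n\nSee attached log.\n")

        evidence = root / "evidence"
        manifest, manifest_hash = preserve([auth, mail], evidence,
                                           collector="J. Doe, IR team", case_id="IR-EXAMPLE-001")
        intact_before = verify(evidence)
        # Simulate tampering with a preserved copy, then re-verify.
        with open(evidence / manifest["items"][0]["copy"], "a") as f:
            f.write("Aug 12 09:00:00 fs-01 sshd[812]: (line added after collection)\n")
        damaged_after = verify(evidence)
        return {
            "items": len(manifest["items"]),
            "intact_before": intact_before,
            "damaged_after": damaged_after,
            "manifest_sha256": manifest_hash,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Keep the manifest hash somewhere the evidence folder cannot reach (the ticket, a printed custody form); a copy and its manifest stored together can be altered together, while a hash recorded elsewhere cannot.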

    15. Notify proper external agencies: notify the police and other appropriate agencies if prosecution of the intruder is possible. List the agencies and contact numbers here.

    16. Assess damage and cost: assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.

    17. Review response and update policies: plan and take preventative steps so the intrusion can't happen again.

    a. Consider whether an additional policy could have prevented the intrusion.
    b. Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.
    c. Was the incident response appropriate? How could it be improved?
    d. Was every appropriate party informed in a timely manner?
    e. Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved?
    f. Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
    g. Have changes been made to prevent a new and similar infection?
    h. Should any security policies be updated?
    i. What lessons have been learned from this experience?