Chapter 33
Incident Response and Forensic Analysis
Introduction
Interruptions to the normal operation of computer and network systems can and will occur. The causes of service interruptions are numerous, and they can include such events as bad production changes, hardware and software failures, and security breaches. For the purposes of this chapter, an incident will be defined as any disruption of the normal operation of a computer system. Organizations need to have systems and processes to detect such disruptions, and they need plans and procedures to respond and recover accordingly. Once a problem is identified, organizations should use their incident response plans to coordinate their response and recovery.
In certain situations, you will need to reconstruct system activity and extract information from affected computer systems. Forensic analysis is the process of identifying, extracting, preserving, and reporting on data obtained from a computer system. Forensics can be used to recover important data from a failed system, to document unauthorized employee activity, or to obtain evidence for the eventual prosecution of a criminal act.
Copyright © 2014 by McGraw-Hill Education.
Incident Response
The ultimate goal of any incident response (IR) plan is to contain, recover, and resume normal operations as quickly and smoothly as possible. Thinking about and developing plans to respond to various types of problems, regardless of the time they occur, can prevent panic and costly mistakes. In addition, creating, reviewing, and testing response procedures will identify weaknesses and failures in the organization's ability to detect, respond, and recover. A good IR plan enables organizations to recover from many types of incidents.
The initial response requires personnel with the expertise to diagnose the problem and chart a course of action, and someone who has the authority to implement the identified solutions. The initial responders may also discover that the scope of the incident is larger than originally thought or that it affects additional systems, and they will need additional people or teams. Well-defined escalation lists can assist responders in identifying and contacting such resources. Beyond simply notifying technical personnel, it may be necessary to contact other departments, such as public relations, legal, or human resources, to handle the nontechnical aspects of the incident.
IR Plan
The IR plan should also take into account that the person who discovers a problem is most likely not capable of fixing it and that he will, therefore, need to report the problem. Specifying how and where incidents should be reported is a good starting place for many IR plans.
A good IR plan comprises a number of distinct phases, each of which is discussed in the following sections:
Incident detection
Response and containment
Recovery and resumption
Review and improvement
The details of the IR plan consist mainly of how personnel are notified, what the escalation procedures are, and who has decision-making authority for a given incident. For example, the failure of a critical transaction-processing system most likely requires different people to be involved than would a suspected security breach or a power outage.
Incident Detection
Incident detection comes in many forms. It may come from an intrusion detection system (IDS) or Security Information and Event Management (SIEM) system, from a user phone call, or from a dedicated system that sounds an alarm. A notification or warning may also come from a public service. The first obstacle to effective incident response is detecting an actual incident, such as a process failure or a security breach. Systems based on the Simple Network Management Protocol (SNMP) are a popular choice for monitoring.
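As an added illustration that is not part of the chapter, the following script runs simple detection logic over a constructed feed of SNMP-trap and syslog-style lines, separates actual disruptions from informational noise, and routes each one to the escalation list for its category (the chapter's own examples: a transaction-system failure, a suspected breach, and a power outage). The host names, trap OIDs, categories, and contact names are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample detection feed: SNMP trap notifications and syslog-style
# lines as they might arrive at a monitoring console (not real data).
SAMPLE_EVENTS = [
    "2014-03-02T08:15:10 snmptrap host=txn-db01 oid=linkDown if=eth0",
    "2014-03-02T08:15:12 ids host=web03 sig=SQLi-attempt src=198.51.100.7 severity=high",
    "2014-03-02T08:16:00 snmptrap host=ups-01 oid=upsOnBattery",
    "2014-03-02T08:16:30 syslog host=web03 msg='nightly backup completed'",
    "2014-03-02T08:17:05 syslog host=txn-app01 msg='transaction service txnd stopped unexpectedly'",
]

# Hypothetical escalation list keyed by incident category: different people
# are involved for a system failure, a suspected breach, and a power outage.
ESCALATION = {
    "system_failure": ["ops-oncall", "app-owner"],
    "security_breach": ["security-oncall", "legal", "public-relations"],
    "power_outage": ["facilities", "ops-oncall"],
}

# Each feed line is "<timestamp> <source> <key=value ...>".
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<rest>.*)$")

@dataclass
class Incident:
    timestamp: str
    host: str
    category: str
    contacts: list

def classify(line):
    """Return an Incident for a line that signals a disruption, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, source, rest = m.group("ts"), m.group("source"), m.group("rest")
    host_m = re.search(r"host=(\S+)", rest)
    host = host_m.group(1) if host_m else "unknown"
    if source == "ids":
        category = "security_breach"           # IDS/SIEM alert
    elif "upsOnBattery" in rest:
        category = "power_outage"              # UPS trap: mains power lost
    elif "linkDown" in rest or "stopped unexpectedly" in rest:
        category = "system_failure"            # link or service failure
    else:
        return None  # informational only; normal operation not disrupted
    return Incident(ts, host, category, ESCALATION[category])

def triage(lines):
    """Run detection over a feed and return the incidents needing escalation."""
    return [inc for inc in (classify(l) for l in lines) if inc is not None]
```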
Figure: SNMP management system