CISOs form an incident response team with the hope it will never have to be called on. With any luck, it won’t. But beyond deciding who should be on the team — which I’ll deal with later — what the team needs in order to collect and analyze data is easy to overlook.
Shelly Giesbrecht, a member of Cisco Systems’ computer incident response services team, has outlined what’s in her group’s ‘go bag,’ which has to be ready to grab when the team is called in by customers for help. If you want to build one yourself, here are the ingredients:
–The heart is a powerful laptop (an i7 processor, 64 GB of memory) with multiple solid-state drives for speed;
–One or two hardware- or software-based write-blockers, to ensure the data collected is unchanged from the original media it was sourced from. The write-blocker sits between the original media and the laptop during collection (a hardware blocker has the advantage of not depending on the collecting operating system to honour it);
–Licensed forensic software that collects the data and verifies it is what was expected: the copy is hashed and the hash compared against that of the original to confirm the two are identical;
–A USB portable drive;
–Other tools including boot disks, cables, small toolkits, a digital camera, anti-static bags, labels and multiple external storage drives to ensure all data can be collected.
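The acquire-then-verify step in the list above is simple to get wrong in the heat of an incident, so here is a minimal, self-contained illustration of it. This is an added example, not code from the article, from Cisco or from any forensic product: it copies a source device (here a constructed temporary file standing in for a write-blocked drive) to an image byte-for-byte, hashes the stream as it is read, then independently re-hashes both source and image and records all three digests in a chain-of-custody entry. The chunk size, the log fields and the file names are assumptions for illustration only.

```python
"""Added example (not from the article or Cisco's go bag): forensic-style
acquisition with hash verification. Paths, CHUNK and the record format are
illustrative assumptions."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB reads; an assumption, not a forensic standard


def sha256_of(path):
    """Hash a file in fixed-size chunks so large images never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy `source` to `image` byte-for-byte, hashing the stream while it is read.

    Returns a chain-of-custody record holding three independent digests: the
    stream as read, the source re-read after the copy (catches media that
    changed or mis-read during acquisition) and the written image (catches
    write errors). The verdict is True only when all three agree.
    """
    stream = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            stream.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes reached the destination media
    record = {
        "source": source,
        "image": image,
        "bytes": os.path.getsize(image),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "sha256_stream": stream.hexdigest(),
        "sha256_source": sha256_of(source),
        "sha256_image": sha256_of(image),
    }
    record["verified"] = (
        record["sha256_stream"] == record["sha256_source"] == record["sha256_image"]
    )
    return record


def verify_image(image, expected_sha256):
    """Re-verify a stored image against the digest recorded in the custody log."""
    return sha256_of(image) == expected_sha256


def demo():
    """Constructed sample: a fake 3 MiB 'device', then a deliberately tampered image."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "sdb.raw")
        with open(device, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))  # not a multiple of CHUNK on purpose
        image = os.path.join(d, "sdb.dd")
        rec = acquire_image(device, image)
        good = rec["verified"] and verify_image(image, rec["sha256_source"])
        # Flip one byte in the image: later verification must now fail.
        with open(image, "r+b") as f:
            f.seek(1234)
            b = f.read(1)
            f.seek(1234)
            f.write(bytes([b[0] ^ 0xFF]))
        tampered_ok = verify_image(image, rec["sha256_source"])
        return good, tampered_ok, rec


if __name__ == "__main__":
    good, tampered_ok, rec = demo()
    print(json.dumps(rec, indent=2))
    print("acquisition verified:", good, "| tampered image verified:", tampered_ok)
```

The point of keeping three digests rather than one is that a single hash of the copy proves nothing on its own; it is the agreement between what was read, what is on the original media afterwards and what was written that lets the record stand up later, and the same stored digest is what the external expert in the next paragraph would check before touching the image.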
Together these let the team support business continuity, security incident response and forensics (whether done by the internal infosec team or handed to an external expert for processing).
Every organization’s incident response plan is different, but broadly speaking, Cisco notes, it has to ensure the cause of the incident is fixed as soon as reasonably possible without further jeopardizing the security or integrity of systems or data, and without destroying important evidence (for example, by over-writing a corrupt database from a backup without preserving the original).
As to who should be on the IR team, this paper from the SANS Institute will be helpful. Again, there is no set rule, but it is recommended that members include:
–a member of upper level management who can give the team authority to do its job and make big decisions;
–infosec team members who are trained in assessing the extent of damage, containment, basic forensics, and recovery;
–an IT auditor, if the organization has one, whose role is to observe, learn why the incident came to be, ensure procedures are being followed, and work with IT/security to avoid problems in the future;
–someone from the physical security team;
–someone from the human resources department, in case stolen data includes employee information;
–internal or external public affairs, for dealing with employees and the press;
–external resources (from vendors, expert recovery and forensic consultants).
“Creating a Computer Incident Response Team is not going to be the best solution for every company,” says SANS, “but in many if not most settings, it can be an invaluable tool. It will improve response time to any computer-based problems you may encounter, ensure that the incident handling methods are supported by the company, and prevent a state of chaos and panic when an actual incident occurs.”