Incident Response Planning
Technological advancement benefits organizations by making day-to-day operations faster and easier. The same advances, however, expose organizations to events that can compromise essential information: perimeter breaches, malware or virus outbreaks, and attacks launched from inside the network. These events call for incident response (IR), the set of protocols that addresses a security breach once it occurs. The goal of this study is to show the significance of incident response planning by discussing three kinds of incident indicators. D.L. Pipkin defined three broad categories of indicator, Possible, Probable, and Definite, and each is discussed below together with the role it plays in forming an incident response plan. The study also explains why identifying real incidents is crucial to incident response planning. Overall, we argue that the identified real incidents pose potential harm to the organization, but can be addressed through an effective incident response capability that strengthens the enterprise against its vulnerabilities.
Part of the role of the Department of Homeland Security (DHS) is to address potential cyber security attacks against both public and private enterprises. The number of cyber security attacks continues to grow as technology advances, and serious attacks on critical networks are considered direct threats to the country's national and economic security (U.S. Department of Homeland Security, 2016).
The occurrence of an incident is the primary sign that a problem is already happening, and the damage grows if the incident is not handled appropriately. That is why identifying the incidents themselves is so important when creating an incident response plan. In terms of severity, an incident can lead to business interruption or, worse, business loss (Ayehu Software Technologies, 2015).
Incidents that many organizations experience include attempts to obtain unauthorized access to data or systems, unwanted service disruption, unauthorized use of a system for storing or processing data, and changes to a system's software, hardware, or firmware without consent and authorization.
Real incidents also include phishing, an individual's or group's attempt to solicit sensitive information through a variety of techniques. Phishing is normally carried out by sending an email containing a link; once the user clicks it, he or she is redirected to a website that presents itself as a legitimate one. Another incident that commonly affects computer users is a malware attack, where software intended to damage the system carries out unwanted activity on it.
The real incidents that affect millions of computer users exploit a range of vulnerabilities, endangering not only the computer system itself but also the information stored on it. A cyber security breach is a serious issue that can affect national security as well as the economic stability of any country. It is therefore important that individuals are aware of these vulnerabilities and keep their systems well configured against such incidents.
Possible Incident Indicators
According to D.L. Pipkin, there are three categories of incident indicator: (a) Possible, (b) Probable, and (c) Definite (Whitman, Mattord, & Green, 2013). These indicators are essential for detecting incidents, because many events occur inside and outside the organization that signal an incident candidate. The first category, the "possible" indicators, is subdivided into four types: (1) presence of unfamiliar files, (2) presence of unknown programs or processes, (3) unusual consumption of computing resources, and (4) unusual system crashes (Whitman, Mattord, & Green, 2013).
The first sub-category of the possible indicators concerns unfamiliar files, such as the components a rootkit leaves behind, appearing in places where they do not belong. The second concerns unknown programs or processes, which may be found running on the system or registered to start automatically as services. The third concerns unusual consumption of computing resources, such as memory, disk space, or CPU time, beyond what the system's normal workload explains. The fourth, unusual system crashes, can be among the most damaging, since a crash may take down the whole system and is a common symptom of a system under attack. If any of these indicators occurs, it is possible that the system has been attacked and that an incident is underway, but none of them proves it on its own; they warrant monitoring and collection of further evidence.
Probable Incident Indicators
The second category, the "probable" indicators, signals a higher likelihood that an actual incident is occurring. It is also subdivided into four types: (1) activities at unexpected times, (2) presence of unexpected new accounts, (3) reported attacks, and (4) notification from an IDPS (Whitman, Mattord, & Green, 2013).
The first sub-category of the probable indicators explains that unusual levels of activity at unexpected times, such as network traffic spiking outside normal working hours, make it probable that an incident candidate is present. The second states that unexpected new accounts, especially ones holding special privileges, are an indicator of an actual incident. The third states that if an attack has been reported, there is a high probability that an incident is in progress. The fourth explains that a correctly installed and configured network-based intrusion detection and prevention system (IDPS) will report an incident in progress automatically.
Definite Indicators
The third category according to D.L. Pipkin is the "definite" incident indicator (Whitman, Mattord, & Green, 2013). These indicators are defined as clear and positive evidence that an incident is in progress, so if any of the following sub-categories is present, there is no doubt that something is wrong with the system and needs to be addressed as soon as possible; when a definite indicator appears, the incident response plan should be activated right away. The types of definite indicator are (1) use of dormant accounts, (2) changes to logs, (3) the presence of hacker tools, (4) notification by a peer or partner, and (5) notification from the hacker (Whitman, Mattord, & Green, 2013).
Network servers often maintain many accounts, some of which belong to former employees. If such a dormant account begins to access system resources or shows other unusual activity, an incident is definitely occurring. The second type explains that if a system log is changed by an individual outside the system administrator's routine, an incident has occurred (Whitman, Mattord, & Green, 2013). The third type is an obvious signal that an incident is happening. Network administrators sometimes use network evaluation and vulnerability scanning tools to scan internal networks and learn what an attacker would see, which is why many enterprises prohibit the use of such tools without permission from the CISO (Whitman, Mattord, & Green, 2013). Notification by a peer or partner refers to a report from another organization whose systems normally connect to the enterprise's; if such a report is raised, an attack has occurred. Lastly, hackers sometimes like to taunt their victims. If an organization's web page is defaced, it is definitely an incident, and if the organization receives an extortion demand for money in exchange for its customers' credit card data, an incident is actually in progress.
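The three categories above describe signals, but a response team has to turn them into a triage decision. The following script is an added illustration, not code from the cited textbook or from any product: it classifies constructed log events into Pipkin's possible, probable, and definite sub-categories and decides whether the incident response plan must be activated. The event format, the account and tool lists, the business-hours window, and the CPU threshold are assumptions made for the example; in practice they would come from the identity system, the software baseline, and the organization's policies.

```python
"""Triage constructed log events against D.L. Pipkin's incident indicators
(possible / probable / definite, as summarized by Whitman, Mattord & Green).

Added example, not the textbook's code. All reference data below is assumed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed reference data (hypothetical) that a real deployment would pull from
# the identity system, the software baseline and the CMDB.
DORMANT_ACCOUNTS = {"jdoe"}                      # former employee, never disabled
PRIVILEGED_GROUPS = {"wheel", "Domain Admins"}
BASELINE_PROGRAMS = {"sshd", "nginx", "cron", "postgres"}
HACKER_TOOLS = {"nmap", "mimikatz", "hydra"}      # prohibited without CISO approval
BUSINESS_HOURS = range(8, 18)                    # local hours when logins are expected
LOG_WRITERS = {"rsyslogd", "auditd"}             # processes allowed to alter log files
CPU_THRESHOLD = 90.0                             # sustained percent considered unusual

LEVELS = {"possible": 1, "probable": 2, "definite": 3}
ACTIONS = {0: "no indicator", 1: "monitor and collect",
           2: "investigate as incident candidate", 3: "activate incident response plan"}


@dataclass
class Finding:
    level: str       # possible | probable | definite
    indicator: str   # Pipkin sub-category the event matched
    event: dict


def classify(event: dict) -> Optional[Finding]:
    """Map one event to a Pipkin indicator; None means it is not an indicator."""
    kind = event["kind"]
    if kind == "login":
        if event["user"] in DORMANT_ACCOUNTS:
            return Finding("definite", "use of dormant account", event)
        if datetime.fromisoformat(event["ts"]).hour not in BUSINESS_HOURS:
            return Finding("probable", "activity at unexpected time", event)
        return None
    if kind == "account_created":
        if event.get("via_provisioning", False):
            return None
        indicator = "unexpected new account"
        if set(event.get("groups", ())) & PRIVILEGED_GROUPS:
            indicator += " with special privileges"
        return Finding("probable", indicator, event)
    if kind == "process_start":
        if event["name"] in HACKER_TOOLS:
            return Finding("definite", "presence of hacker tools", event)
        if event["name"] not in BASELINE_PROGRAMS:
            return Finding("possible", "presence of unknown program", event)
        return None
    if kind == "file_created" and event.get("hidden", False):
        return Finding("possible", "presence of unfamiliar file", event)
    if kind == "resource" and event["cpu_pct"] >= CPU_THRESHOLD:
        return Finding("possible", "unusual consumption of computing resources", event)
    if kind == "crash":
        return Finding("possible", "unusual system crash", event)
    if kind == "log_modified" and event["actor"] not in LOG_WRITERS:
        return Finding("definite", "changes to logs outside routine", event)
    if kind == "ids_alert":
        return Finding("probable", "notification from IDPS", event)
    if kind == "external_report":
        if event["source"] in ("peer", "partner"):
            return Finding("definite", "notification by peer or partner", event)
        if event["source"] == "attacker":
            return Finding("definite", "notification from the hacker", event)
        return Finding("probable", "reported attack", event)
    return None


def triage(events: list) -> dict:
    """Classify every event and escalate on the strongest indicator seen."""
    findings = [f for f in map(classify, events) if f is not None]
    top = max((LEVELS[f.level] for f in findings), default=0)
    return {"findings": findings, "level": top, "action": ACTIONS[top]}


# Constructed sample events (not real logs); timestamps are local time.
SAMPLE_EVENTS = [
    {"kind": "login", "ts": "2016-03-04T10:02:00", "user": "alice"},
    {"kind": "login", "ts": "2016-03-04T03:14:00", "user": "bob"},
    {"kind": "login", "ts": "2016-03-04T03:20:00", "user": "jdoe"},
    {"kind": "account_created", "ts": "2016-03-04T03:22:00", "user": "backup2",
     "groups": ["wheel"], "via_provisioning": False},
    {"kind": "process_start", "ts": "2016-03-04T03:25:00", "name": "mimikatz"},
    {"kind": "log_modified", "ts": "2016-03-04T03:30:00",
     "path": "/var/log/auth.log", "actor": "bash"},
    {"kind": "resource", "ts": "2016-03-04T03:31:00", "cpu_pct": 97.5},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for f in result["findings"]:
        print(f"{f.level:9s} {f.indicator:48s} {f.event['ts']}")
    print("decision:", result["action"])
```

The escalation rule follows the text: a single possible indicator only triggers monitoring, a probable one opens an investigation of the incident candidate, and any definite indicator activates the plan regardless of what else was seen. A real deployment would also correlate findings across hosts and time, since the sample sequence (off-hours login, dormant account, new privileged account, hacker tool, log tampering) is more convincing as a chain than any one line.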
Conclusion
Identifying real incidents is an important factor in creating an incident response plan. The first step must be acknowledging that an incident may happen or is already happening. The plan itself, however, must be in place before an attack occurs, so that it can be activated as soon as an incident is detected. An incident response plan provides guidelines for responding to a range of scenarios (TechTarget, n.d.), so IR teams must also have enough knowledge to handle those scenarios, because an IR plan is designed to identify, investigate, and remediate threats to organizational assets during a critical event (Torres, 2014). Identifying real incidents therefore also helps in shaping the different response phases (The Computer Technology Documentation Project, n.d.), ensuring that the plan provides a robust response to any form of incident.
References
Ayehu Software Technologies. (2015, December 10). Why it’s So Important to Have an Incident Response Plan in Place. Retrieved from http://ayehu.com/why-its-so-important-to-have-an-incident-response-plan-in-place/
The Computer Technology Documentation Project. (n.d.). Incident Response Plan. Retrieved from http://www.comptechdoc.org/independent/security/policies/incident-response-plan.html
TechTarget. (n.d.). What is incident response plan (IRP)? - Definition from WhatIs.com. Retrieved from http://searchsecurity.techtarget.com/definition/incident-response-plan-IRP
Torres, A. (2014, August). Incident Response: How to Fight Back. Retrieved from https://www.sans.org/reading-room/whitepapers/analyst/incident-response-fight-35342
U.S. Department of Homeland Security. (2016, March 4). Report Cyber Incidents | Homeland Security. Retrieved from https://www.dhs.gov/how-do-i/report-cyber-incidents
Whitman, M. E., Mattord, H. J., & Green, A. (2013). Principles of incident response and disaster recovery. Boston, MA: Course Technology, Cengage Learning.