Print Icon  Printable Page
Print Icon  Web Page

October 2002

Practical IR

Sooner or later, you'll have a security event. If you fail to plan, you plan to fail.

BY Fred Avolio

It's hard to plan for the unexpected. Yet that's precisely what incident response (IR) teams are required to do. The problem is that many organizations are failing at this task. According to a recent Information Security survey, only 38 percent of IT security professionals said their company's IR plan guides their responses to cybersecurity breaches and malware attacks.1

Nobody said it would be easy. But developing a "living" IR plan shouldn't intimidate you. As always, you have to start with the basics.

Proof Is in the Plan

The key to an incident response plan is, well, the plan. Our tendency is to procrastinate on difficult projects. But with IR planning, we don't have a choice: it's too late to plan once your network is under attack.

The first step is to form a computer incident response team (CIRT). Typically, the team has three types of members with different skills and responsibilities: managers, fixers/solvers and communicators.

The top security person in the organization (CSO, CISO, ISSO, IT security program manager, etc.) should be the team leader. He or she must be authorized to declare a security incident (with team input), as well as make other security- and business-related decisions (e.g., whether to shut down the Internet connection when under attack).

Someone from senior management should oversee the team and--more importantly--empower it.

Someone from the legal department (or corporate law firm) should provide guidance and knowledge about evidence handling. This person should also act as the liaison to law enforcement.

An IT and/or network security practitioner should be on the team, as should someone from human resources and public relations. The HR member can provide data about employee rights in the case of an internal attack. The PR person should be the only contact with the press and public.

Obviously, you'll also need some IT specialists on the team. A computer forensics technician will be responsible for securing the crime scene. This technician will also secure the logs and gather evidence, as well as work with outside investigative experts.

The Charter

The first order of business for a CIRT is to flesh out its own charter, which outlines the team's responsibilities: responding to an alert, prioritizing actions, securing the crime scene, collecting and handling evidence, and documenting everything every step of the way.

In addition, the charter should:

  • Identify additional, "transient" team members.

  • Formalize responsibilities, reach and range for the team.

  • Describe the team members' organizational structure. Working on a CIRT isn't a full-time job.

  • Plan and coordinate communications, including interteam communications following an incident. The plan should also include outside communication to employees, partners, investors, customers, law enforcement, the press and the public.

CIRT members should also understand whether the organization intends to "protect and proceed" (recover from the incident, fix the problem and keep the company out of the news) or "pursue and prosecute" (catch the bad guy).


Responding to an alert starts with evaluating whether there is an incident. The response might be to note and ignore it (e.g., in the event of a false alarm). A CIRT must be prepared to respond to all types of incidents, from malicious attacks to natural disasters.

Securing the scene and conducting the investigation must be carried out with knowledge and care. The legal expert on the team will give guidance here, but the forensics technician does the actual evidence collection, with another team member documenting everything. A CIRT should also do a complete evaluation of the process afterwards, deciding what worked and what didn't, and revising the plan accordingly.

Is that it? Of course not. But these procedures are a good starting point. After you've formed a CIRT, you'll be in a better position to respond to the next incident with something more than a wing and a prayer.

Columnist FRED AVOLIO is president and founder of Avolio Consulting, a Maryland-based computer and network security consulting firm.

Copyright 2002 TechTarget