How to Develop an Information Security Incident Response Team and Plan

Instructor: Fred Avolio, Avolio Consulting, Inc.

You will learn:

You will leave with:

This course will help you handle your next security incident, by working through how a CSIRT is put together and how it operates under fire. During this two-day working seminar, we will draft a charter for a CSIRT as well as an Incident Response Plan.

This course is not about digital forensics. It is not about doing police work.

Day One: Creating the Team and the Plan

Introduction to the course -- We will discuss the goals of the course and non-goals. After a brief discussion of the challenges, the class will break into teams and we will look at different incident scenarios and brainstorm how we would and should react. Each team will represent the core computer security incident response team of a different company.

Introduction to Investigative Respose -- We will discuss one type of incident response called "investigative response." The teams will helo define terms and decide what critical pieces of information might be required during a computer security incident.

Preparation and Planning -- Looking at a brief case study, we will look at the top ten things not to do as well as recommendations for what to do.

ComputerSecurity Incident Response Team (CSIRT) -- The teams will learn the initial steps in creating a CSIRT, and will walk through exercises to describe the team, and its goals, objectives, and responsibilities. We will identify the team leader, and other members of the team. The team members will decide the the CSIRT's philosophy and who else from the organization should be part of the CSIRT. In class exercises, each team will develop the charter, membership, and organization of the CSIRT.

Duties of the CSIRT -- We will look at a flow diagram for an incident and work through each of the duties of the team including communication, assessment, response, securing the crime scene, documentation, evidence collection, and evalation.

Day Two: The CSIRT in Action

Assessment and Response -- The class will come up with and look at ways we might know we have been attacked. We will look at the initial steps in response: declaring an incident, assembling the team, and communication -- internal and external.

Securing the Crime Scene -- What not to do is as important as what to do. We will work in teams to come up with things to do to protect evidence and how to improve the admissibility of evidence.

Gathering Evidence -- We will learn the right way to handle and gather evidence, the importance of documentaion and maintaining a "chain of custody," how to use various tools to collect evidence, and how to create a "computer forensics evidence kit." The teams will create procedures for securing a system after an incident, indicating who does what, the reporting requirements, timeframes, etc. The teams will also dDocument procedures for evidence handling, indicating who does what as well as reporting requirements, timeframes, etc.

Post Event Evaluation -- We will learn what we should do after an incident is declared over in order to learn from the incident.

Review, Summarize, and Next Steps -- We will finish up, by assembling our work into a draft incident response plan. We will also review the things we've tagged as "to do later" and walk through an action plan.