Security Incident Response Team (SIRT)
Many organizations are not prepared to deal with security breaches and security incidents. One of the most important post-assessment activities is to define how the organization will handle security breaches and security incidents. This requires preplanning and an understanding of how to handle the situation and the physical evidence in the event that the organization pursues criminal charges. Threats to the organization's IT assets and data assets must be identified, prioritized, assessed, and managed. After threats to the organization's IT assets and data assets are identified, monitoring of the security of the IT infrastructure, IT assets, and data assets can be defined and implemented. Monitoring threats requires documented operational procedures that specify how security and network management personnel are to examine system audit logs, review intrusion detection system logs, and react to security breaches or incidents. Reaction or response to real-time security breaches or incidents is typically handled by the organization's internal Security Incident Response Team (SIRT).
The SIRT is the equivalent of a security Tiger Team that takes full responsibility for addressing and handling all critical security breaches and incidents that are logged and identified by the organization's Network Operations Center (NOC) or Security Operations Center (SOC). Given the nature and sensitivity of critical security breaches and incidents, the SIRT shall have full authority and jurisdiction to pull resources and obtain information from any of the seven areas of information security responsibility, or from end users and their workstations directly if the security breach or incident was conducted by an internal employee. The SIRT's primary role and responsibility is to lead a consolidated response effort for identified and documented critical security breaches and incidents. This is a 24x7x365 operational and support task that must react to critical security breaches and incidents as they occur. Typically, the SIRT will not be called upon unless a critical security breach or security incident is identified and documented by the organization's NOC or SOC. SIRTs are usually composed of an organization's IT and IT security personnel, human resources, legal, the data owner, and executive management. Typically, organizations require that the SIRT members sign a Confidentiality Agreement to maintain the privacy of the SIRT data collection and information gathering, especially if the incident is of a criminal nature and was conducted by an internal employee. It is recommended that the SIRT be led by the organization's IT security department or a designated officer or official, given their expertise in handling forensic analysis and conducting such an investigation.
SIRTs typically are given the highest authority and responsibility to pull one designated resource from each of the seven physical domains as deemed necessary, depending upon the scope of the security breach or incident. Executive management support and approval to pull these designated resources together for the SIRT team is required. SIRTs are required to conduct forensic analysis, maintain the integrity of the breached IT asset or systems, and provide assistance to law enforcement and legal officials in collecting the evidence and data needed to conduct an investigation. In some cases, criminal charges are warranted if the security breach or incident is in violation of a law, mandate, statute, or regulation.
SIRT Response Procedures
An important post-assessment task is to define an appropriate SIRT response procedure for the organization. The following is a sample procedure definition for an organization's SIRT. This procedure definition is typically implemented to handle critical security breaches and incidents such as a new virus spreading rapidly throughout the IT infrastructure. These procedures are as follows:
1. A security breach or incident is called into the NOC or SOC, and the resulting trouble ticket is classified as CRITICAL.
2. For all CRITICAL or MAJOR security breach/incident trouble calls, document and describe the problem on the trouble ticket and provide the necessary contact information for the affected end users or IT assets.
3. Page the SIRT team leader immediately upon logging of the trouble call and creation of the trouble ticket, and inform the team leader of the incident.
4. The SIRT team leader is to identify the scope of the security breach or incident and, if deemed necessary, immediately contact the SIRT team participants required by the scope of the problem. If any non-SIRT team members are required, ensure that each new participant completes the Confidentiality Agreement prior to involvement. The SIRT team leader must create a preliminary action plan based on the nature of the security breach or incident.
5. The SIRT team leader is to contact the CSO/CIO/CEO, inform him/her of the nature and scope of the CRITICAL or MAJOR security breach or incident, and review the preliminary action plan prior to commencement.
6. The SIRT shall commence a security incident response based on the guidelines presented in the SIRT report. This may or may not require physically or logically disabling the affected system or servers. During the investigation period, the SIRT must document everything based on known information, under the assumption that the data collected could be used as evidence in a court of law. The SIRT must be careful not to alter, taint, or manipulate the IT assets that the security breach or incident affected.
7. After the incident, the SIRT must prepare a security incident report with relevant details, SIRT meeting minutes, and any recommendations for action items. Copies of logs, intrusion detection logs, system or server access information, and copies of reports from other areas should be included in the incident report.
8. After the incident, and before the system or servers are placed back in production once the system and its application data have been fully recovered, the SIRT must be prepared to describe what happened, why it happened, and what can be done to prevent a reoccurrence of the security breach or incident. The SIRT must present its recommendations to the CIO/CSO/CEO and the affected IT asset owner prior to placing the IT assets back into production.
9. The SIRT and its incident report must remain confidential and be made known only to the CIO/CSO/CEO and other pertinent officials on a need-to-know basis. If legal action or charges are to be pursued, the SIRT incident report may become part of the physical evidence used in a court of law. Refer to Appendix E for a sample SIRT Incident Report template.
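Steps 6 and 7 require the SIRT to document everything it collects (log copies, IDS alerts, access records) in a form that will survive scrutiny as evidence. The following added example, which is not from the book or any organization's procedure, shows one way to do that: a tamper-evident evidence manifest in which every collected item is recorded with its SHA-256 and each record is hash-chained to the previous one, so that a later `verify_chain` call reveals whether any evidence copy or any manifest record was altered after collection. The sample evidence bytes and the collector name are constructed for illustration.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample evidence, standing in for the copies of logs, IDS
# alerts and access records the SIRT gathers in step 7.
SAMPLE_EVIDENCE: Dict[str, bytes] = {
    "syslog-web01.txt": b"Mar 3 02:14:07 web01 sshd[4412]: Failed password for root\n",
    "ids-alert-0042.txt": b"ALERT sid:1000042 SMB lateral movement attempt\n",
    "access-db02.txt": b"2024-03-03T02:16:51Z user=svc_backup login=OK host=db02\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def add_entry(chain: List[Dict], name: str, data: bytes, collector: str) -> Dict:
    """Append one evidence record whose chain hash also covers the previous record."""
    prev = chain[-1]["chain_hash"] if chain else "0" * 64
    record = {"seq": len(chain), "name": name, "collector": collector,
              "sha256": sha256_hex(data), "prev": prev}
    # Canonical JSON so the hash does not depend on dict key order.
    record["chain_hash"] = sha256_hex(json.dumps(record, sort_keys=True).encode())
    chain.append(record)
    return record

def build_manifest(evidence: Dict[str, bytes], collector: str = "sirt-lead") -> List[Dict]:
    """Record every collected item in order; 'sirt-lead' is a hypothetical collector id."""
    chain: List[Dict] = []
    for name, data in evidence.items():
        add_entry(chain, name, data, collector)
    return chain

def verify_chain(chain: List[Dict], evidence: Dict[str, bytes]) -> List[str]:
    """Return a list of problems; an empty list means records and evidence are intact."""
    problems: List[str] = []
    prev = "0" * 64
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "chain_hash"}
        if rec["seq"] != i or rec["prev"] != prev:
            problems.append(f"seq {i}: chain linkage broken")
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != rec["chain_hash"]:
            problems.append(f"seq {i}: record altered")
        data = evidence.get(rec["name"])
        if data is None or sha256_hex(data) != rec["sha256"]:
            problems.append(f"seq {i}: evidence {rec['name']} missing or modified")
        prev = rec["chain_hash"]
    return problems
```

In practice the manifest would be written alongside the evidence copies and its final chain hash recorded in the incident report, so the report itself anchors the integrity of everything collected.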
Security Workflow Definitions
Many organizations lack the proper security workflow definitions and procedures for their NOC and/or SOC operations personnel. This is a common weakness found in many organizations that first conduct a risk and vulnerability assessment on their IT infrastructure and IT assets. These workflow definitions and procedures provide the road map for how to handle information security breaches and incidents throughout the organization. The organization's final assessment and recommendations report typically will define and make recommendations for how security workflow definitions and procedures are to be defined for the organization, depending upon the internal IT and IT security resources available.
Recommendations for security workflows and definitions should describe the interaction and communication that is needed among the different departments, roles, responsibilities, and accountabilities throughout the organization. The goals and objectives of these security workflows and definitions are as follows:
- To define the roles and responsibilities for security monitoring, auditing, and SIRT involvement within each of the seven areas of information security responsibility as defined in Chapter 3, "Why Risk Assessment."
- To define categories or classes of security breaches and incidents that correlate to the level of response that must be provided within each of the seven areas of information security responsibility.
- To define the interaction and communication between the defined organizational structure for all seven areas of information security responsibility.
- To define who is to be held accountable for specific security responsibilities within each of the seven areas of information security responsibility.
An example of a security workflow definition is how to handle security breaches and incident calls into the NOC or SOC for the organization. This is depicted in Figure 10.5.
Figure 10.5. Security workflow definition for handling security-related trouble tickets.
Security Workflow Procedures
The following defines the procedures for the handling of security breaches and incident-related trouble calls:
- All security-related breaches and incidents throughout the organization are to be called into the NOC or SOC help desk for proper documenting and trouble-ticket assignment.
- End users, service providers (if applicable), and departments within the organization must interface and interact with the NOC or SOC help desk to capture, document, and process all security-related breaches, incidents, or actions that are required.
- Upon contact with the NOC or SOC help desk, the help desk technician will respond to the call and determine whether the call is security related. If not, the call is processed according to existing NOC procedures. If the call is security related, a criticality determination will be conducted, depending upon the severity of the security breach or incident.
- After the trouble call is documented and logged, the security trouble ticket must immediately be classified as CRITICAL, MAJOR, or MINOR, as per the organization's definition of problem severity, so that the severity of the call is established.
After a trouble call is logged and documented with the appropriate contact information and problem description, classification of the trouble call is imperative to provide the appropriate level of response. The organization's NOC or SOC help desk must be properly trained to handle security-related trouble calls with special care and attentiveness, especially if it is a security breach or incident and not a configuration management request.
Security trouble calls are categorized by their level of severity; every security-related breach or incident is classified according to the organization's severity or classification definitions. The classification of severity levels for security breaches or incidents is typically documented as an organizational standard within an IT security architecture and framework. A sample severity classification for security breaches or incidents is shown in Figure 10.6.
Figure 10.6. A sample security breach/incident severity classification.