MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)

Incident response is the process of identifying and then responding to a problem as it occurs. For the Microsoft exam, you need to know the underlying concepts behind incident response. In this section of the chapter, we look at all the underpinnings of incident response, chain of custody, and how to deal with a problem that occurs on a Microsoft-based network.

Defining an Incident Response Plan

Now that you know what an incident response plan is, you need to know why it is important. Problems will occur, and if an incident does crop up, you and your staff need to know how to deal with it appropriately. You should consider the following actions and incorporate them into your plan:

• Making an initial assessment  Making an initial assessment is critical to the plan's success. You need to know how to see an incident and assess whether it is an incident or not. Take initial steps to determine if you are dealing with an actual incident or a false positive. Your initial assessment should be very brief.

• Communicating the incident  Communicating the incident is probably one of the most important steps in the process. Make sure that if an incident occurs, you get this fact to the leader of the team so that the incident plan can be put in action.

• Containing the damage and then minimizing the risk  Containing the damage and minimizing the risk are critical to tackling an incident. For instance, if the incident in your initial assessment is a worm that is self-replicating across your network, you can contain the damage by unplugging the affected workstation from the switch or hub. This steps contains the damage and minimizes the risk.

• Identifying the type and severity of the compromise  Identifying the type and severity of the compromise is essential to see the kind of resources you need to put on it. If you have a very large problem that costs the company millions (or worse yet, puts it out of business), you need to label it as such and give it a severity level such as High Priority. You should attempt to determine the exact nature of the attack. In addition, try to determine the attack point of origin—where exactly it is coming from. Directly after, try to identify the systems that have been compromised.

• Protecting evidence  Protecting evidence is essential for a couple of reasons. For one, you never want to contaminate the evidence yourself. You might also want to make sure that someone else doesn't damage it intentionally.

• Notifying external agencies  Notifying external agencies such as law enforcement is something you need to plan for. Hopefully it doesn't need to come to this, but if it does, you need to know how to deal with it and whom to contact. Most law enforcement agencies these days are either building or have built some form of cybercrimes division.

• Recovering systems  Recovering systems is one of the most critical incident plan steps you can perform. After the incident; you have to get your systems back online.

• Assessing incident damage and cost  Assessing incident damage and cost is something you need to do for your company. Especially with companies that are held publicly by stockholders, if a major loss occurs, this data will be very critical. This step needs to be done by a leader in the incident response team.

• Reviewing the response and updating policies  Reviewing the response and updating policies on a constant or regular basis is something you need to implement as part of your strategy. Planning is no good unless it's up to date and well prepared. Updating a plan after an actual response is also a good idea so that you can assess the plan itself and how you might have been able to do things better.