The SANS six-step Incident Handling Methodology are preparation, identification, containment, eradication, recovery, lessons learned. According to SANS, preparation, identification and lessons learned phases are most affected by company size. In terms of planning for the long term, the steps I would take depends on the size of company. The smaller the organization, the less formal the response needs to be. A smaller company generally leads to a smaller IT staff which could have a positive and negative affect on the scope of the incident.
The Preparation phase is very important as it would dictate if the organization could investigate the incident quickly and effectively. In the preparation phase, it is important to know the size of your incident response team and the roles each person has. It would be good to have a flexible team that could be mobilized if needed. It is also important to know what access and authority these people have. For instance, if it is my job to monitor the network, do I have the right permissions to do so and is that covered in our company policies? A company has to make sure that their monitoring habits are in line with their privacy policies. Other aspects worth planning would be how we interact with law enforcement and if we would conduct our own forensics investigation. For a small business, I would lean against it as it can complicate the incident response plan. It is always something that could be added at a later date. Having the right forms as well comes in handy. Lastly, keeping track of local events and actually reading our user reports will help us in the preparation process.
Identification involves defining what if the event is an incident. Having a simple definition of incident would be where I start here. Also differentiating incident and disaster would further this process. Depending on the definition we have, it would directly affect the amount of resources we use. Also, developing a policy where we declare incidents, even if we are not sure, rather than letting the event pass, would be much preferable. Like the saying goes, it’s “better to be safe than sorry.” Using tools to help you identify incidents is also key in this step. Having Firewall, IDS, and IPS systems could often help notify you when something abnormal is occurring. A couple tools that come to mind are Websense and Snort. Ultimately, in this stage, my company needs to collect enough information to determine how severe the event is and who we should notify and which team members should respond.
With respect to containment, it is important to involve management. I would also ask people who have the right expertise to start making configurations. It would be disastrous if someone who did not have the right training made configurations that caused more harm than good. For containment, I would consider isolating machines that are infected by using Firewalls, VLans or Switching Ports. Other methods can be disabling accounts or temporarily disabling accounts.
By the eradication phase, we should have control of our system again. It is important that we check all the machines. In other words, make sure that no “man” is left behind. At that point we should have a good understanding of the entire scope of the problem and clean up should commence. Processes here include, running a virus scanner to remove infected files and restoring the files from a back up. Others include, using firewalls, IPS or other services to block future attacks. For computers, instead of trying to solve all problems on a computer it is easier to return the system to a company wide accepted configuration.
The next phase, Recovery is when our company should be able to start our processes back up again. Before you do, we need to check if the systems are working correctly like they should and need to be tested like any system would be tested after implementation. After systems are running again it is important to keep a close eye on it as a back door could have been missed, and the threat can manifest itself again.
Lessons Learned is when we gather all the information we learned from the experience and modify any plans for future attacks. For this step I would conduct meetings with my staff and conduct an internal analysis of how effective our current program is.