
Incident Handling Guidelines
Computer security incident handling can be divided into six phases: preparation, identification, containment, eradication, recovery, and follow-up. Understanding these stages, and what can go wrong in each, facilitates responding more methodically and avoids duplication of effort.
The six phases:
Phase 1: Preparation
Phase 2: Identification
Phase 3: Containment
Phase 4: Eradication
Phase 5: Recovery
Phase 6: Follow-up
The SANS Institute provides Sample Incident Handling Forms to help in the development of your Guidelines.
In the event that an emergency occurs, and the department's Incident Handling Guidelines are not in place, an Emergency Action Card can be used. This offers a simple prescription for what to do if you find yourself in an unpleasant situation.
PHASE 1: PREPARATION: In the heat of the moment, when an incident has been discovered, decision-making may be haphazard. By establishing policies, procedures, and agreements in advance, you minimize the chance of making catastrophic mistakes. The following steps should be taken in the preparation phase:
- Establish a security policy, develop management support for an incident handling capability, monitor and analyze the network traffic, assess vulnerabilities, configure your systems wisely, install updates regularly, and establish training programs.
- Post warning banners.
- Establish an organizational approach for handling incidents. Select incident handling team members and organize the team. Establish a primary point of contact and an incident command and communications center. Conduct training for team members. Involve system administrators and network managers early.
- Establish a policy for notifying outside organizations that may be connected to operating unit systems.
- Update the operating unit's business continuity plan to include computer incident handling.
- Passwords and encryption keys should be kept current and accessible to those who will need them during an incident.
- Back up systems on a regular basis.
- Develop a listing of law enforcement agencies and Computer Incident Response Teams (such as Network Security at security@tamu.edu) to notify when an incident occurs.
PHASE 2: IDENTIFICATION: Identification involves determining whether or not an incident has occurred, and if one has occurred, determining the nature of the incident. The following steps should be taken in the identification phase:
- Assign a person to be responsible for the incident.
- Determine whether or not an event is actually an incident. Check for simple mistakes such as errors in system configuration or an application program, hardware failures, and most commonly, user or system administrator errors.
- Identify and assess the evidence in detail and maintain a chain of custody. Control access to the evidence.
- Coordinate with the people who provide operating unit network services.
- Notify appropriate officials such as immediate supervisors or managers, the operating unit's IT Security Officer, and the Department of Commerce's IT Security Program Manager.
PHASE 3: CONTAINMENT: During this phase the goal is to limit the scope and magnitude of an incident in order to keep the incident from getting worse. The following steps should be taken in the containment phase:
- Deploy the on-site team to survey the situation.
- Keep a low profile. Avoid looking for the attacker with obvious methods.
- Avoid potentially compromised code. Intruders may install trojan horses and similar malicious code in system binaries.
- Back up the system. It is important to obtain a full backup of the system in order to preserve evidence of illegal activity. Back up to new (unused) media. Store backup tapes in a secure location.
- Determine the risk of continuing operations.
- Change passwords on compromised systems and on all systems that regularly interact with the compromised systems.
PHASE 4: ERADICATION: This phase ensures that the problem is eliminated and vulnerabilities that allow re-entry to the system are eliminated. The following steps should be taken in the eradication phase:
- Isolate the attack and determine how it was executed.
- Implement appropriate protection techniques such as firewalls and/or router filters, moving the system to a new name/IP address, or in extreme cases, porting the machine's function to a more secure operating system.
- Perform vulnerability analysis.
- Remove the cause of the incident.
- Locate the most recent clean backup (to prepare for system recovery).
PHASE 5: RECOVERY: This phase ensures that the system is returned to a fully operational status. The following steps should be taken in the recovery phase:
- Restore the system.
- Validate the system. Once the system has been restored, verify that the operation was successful and the system is back to its normal condition.
- Decide when to restore operations. Management may decide to leave the system offline while operating system upgrades and patches are installed.
- Monitor the systems. Once the system is back online, continue to monitor for back doors that escaped detection.
PHASE 6: FOLLOW-UP: This phase is important in identifying lessons learned that will prevent future incidents.
- Develop a detailed incident report and provide copies to management, the operating unit's IT Security Officer, and the Department of Commerce's IT Security Program Manager.
- Send recommended changes to management.
- Implement approved actions.
The Emergency Action Card
When a computer security incident occurs, and you are not prepared, follow these ten steps:
Emergency Step 1. Remain calm. Even a fairly mild incident tends to raise everyone's stress level. Communication and coordination become difficult. Your calm can help others avoid making critical errors.
Emergency Step 2. Take good notes. Use the forms in the back of this (Incident Handling: Step-by-Step) guide. Start with the one titled "Incident Identification." Then work your way through the others that are relevant. As you complete the forms, keep in mind that your notes may become evidence in court. Make sure you answer the four Ws (Who, What, When, and Where) and, for extra credit, How and Why. You may find a small hand-held tape recorder to be a valuable tool.
Emergency Step 3. Notify the right people and get help. Begin by notifying your security coordinator and your manager and asking that a coworker be assigned to help coordinate the incident handling process. Get a copy of the corporate phonebook and keep it with you. Ask your helper to keep careful notes on each person with whom he or she speaks and what was said. Make sure you do the same.
Emergency Step 4. Enforce a "need to know" policy. Tell the details of the incident to the minimum number of people possible. Remind them, where appropriate, that they are trusted individuals and that your organization is counting on their discretion. Avoid speculation except when it is required to decide what to do. Too often the initial information in an incident is misinterpreted and the "working theory" has to be scrapped.
Emergency Step 5. Use out-of-band communications. If the computers may have been compromised, avoid using them for incident handling discussions. Use telephones and faxes instead. Do not send information about the incident by electronic mail, talk, chat, or news; the information may be intercepted by the attacker and used to worsen the situation. When computers must be used, encrypt all incident handling e-mail.
Emergency Step 6. Contain the problem. Take the necessary steps to keep the problem from getting worse. Usually that means removing the system from the network, though management may decide to keep the connections open in an effort to catch an intruder.
Emergency Step 7. Make a backup of the affected system(s) as soon as practicable. Use new, unused media. If possible make a binary, or bit-by-bit backup.
Emergency Step 8. Get rid of the problem. Identify what went wrong if you can. Take steps to correct the deficiencies that allowed the problem to occur.
Emergency Step 9. Get back in business. After checking your backups to ensure they are not compromised, restore your system from backups and monitor the system closely to determine whether it can resume its tasks.
Emergency Step 10. Learn from this experience, so you won't get caught unprepared the next time an incident occurs. This guide, "Incident Handling: Step-by-Step," is designed to help you by providing a systematic approach to incident handling.
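The bit-by-bit backup of Emergency Step 7 and the evidence backup of the containment phase share one requirement: the copy must be verifiably identical to the source, and every handling step must be recorded for the chain of custody. The following POSIX shell functions are an added illustration, not part of the SANS guide or the departmental guidelines; they assume GNU or BSD coreutils (`dd`, `sha256sum` or `shasum`), and the function names, the log format and the 512-byte block size are choices made here.

```shell
#!/bin/sh
# Acquire a bit-for-bit image of a source (a block device, or a regular file
# standing in for one) and record it in a chain-of-custody log.
# The destination directory should sit on new, unused media, as the guide says.

hash_file() {
    # sha256sum is GNU coreutils; BSD/macOS ship shasum instead.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

acquire_image() {
    src="$1"; dest_dir="$2"; handler="$3"
    mkdir -p "$dest_dir" || return 1
    img="$dest_dir/$(basename "$src").img"
    log="$dest_dir/chain_of_custody.log"
    # conv=noerror keeps reading past bad sectors; conv=sync zero-pads a short
    # read so later data keeps its offset. bs=512 matches the sector size, so
    # no padding is added at the end of a device whose size is a sector multiple.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    # A mismatch means the copy is not a faithful image: re-acquire, do not proceed.
    [ "$src_hash" = "$img_hash" ] || return 2
    chmod 0400 "$img"   # the image is evidence: read-only from this point on
    # One tab-separated record per acquisition: when, who, what, where, hash.
    printf '%s\t%s\t%s\t%s\tsha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$handler" "$src" "$img" "$img_hash" \
        >> "$log"
}

verify_image() {
    # Recompute the hash of an image and compare it with its logged record.
    img="$1"; log="$2"
    expected=$(grep -F "$img" "$log" | tail -n 1 | sed 's/.*sha256=//')
    [ -n "$expected" ] || return 1
    actual=$(hash_file "$img")
    [ "$expected" = "$actual" ]
}
```

Run `verify_image` again before restoring from the image in the recovery phase, and whenever the evidence changes hands, so that any alteration of the copy is caught against the logged hash.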
Note: This listing contains extracts from the SANS Institute's guide "Computer Security Incident Handling: Step-by-Step," version 1.5, 1998.