This chapter describes the incident response procedure: the set of steps the incident response team (IRT) performs when an information security incident occurs within an organization. Incident response aims at identifying the intruder, mitigating the damage, recovering the affected systems, and preventing further intrusion.
Typically, the incident response procedure includes the following stages:

1. Preparation. See the recommendations below.
2. Detection. A user or an installed security service, such as an IDS, a firewall, or a sandbox, generates an alert.
3. Containment.
4. Investigation.
5. Remediation.
6. Prevention. The IRT writes recommendations for the IT service describing incident prevention steps. For example:
7. Lessons learned.
Recommendations for the preparation stage:

- Create a plan or strategy to handle incidents.
- Create an IRT, which may include IT and security specialists as well as an attorney and PR and HR specialists.
- For access control, add a system administrator to the IRT who can adjust permissions for IRT accounts during incident handling.
- Prepare software and hardware tools for incident handling. As an option, you can create a Security Domain in your cloud that contains network sniffers, malware scanners, debuggers, and a sandbox. Once an incident happens, you can switch the affected project (tenant) from the Internet to the Security Domain so that its network traffic passes through the network scanners and suspicious files extracted from the traffic can be analyzed in the sandbox.

  Note

  Consider the reference model provided by ETSI (ETSI GS NFV-SEC 004) for lawful interception of communication content (streaming traffic) and related information (event logs), which you can use for monitoring, auditing, forensics, and incident response purposes.

- Allocate storage for forensic dumps of compromised VMs and hosts.
- Prioritize incidents based on organizational impact; the priority determines the resources allocated to the IRT.
- Create a communication plan so that you know whom to contact during an incident and why. Create a contact list of IRT members.
- Document each incident. The IRT should use the Incident Handler's Journal to record all actions performed during incident handling. Later you can use this documentation as evidence to bring the attacker to justice.
- Train your IRT and organize drills.
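Because the Incident Handler's Journal may later serve as evidence, its records should be tamper-evident. The following added example (not part of this documentation or of any particular product) keeps the journal as a SHA-256 hash chain, so that any edit, deletion, or reordering of an earlier record is detected on verification. The incident identifier, handler names, actions, and timestamps are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record


def _entry_hash(prev_hash, entry):
    # The hash covers the previous record's hash plus a canonical JSON encoding
    # of this record, so changing any earlier record breaks every later link.
    payload = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class IncidentJournal:
    """Append-only Incident Handler's Journal protected by a hash chain."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.records = []

    def record(self, handler, action, timestamp=None):
        # Record one action; the sequence number and timestamp are part of
        # the hashed content, so records cannot be silently reordered.
        entry = {
            "seq": len(self.records),
            "incident": self.incident_id,
            "time": timestamp or datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
        }
        prev = self.records[-1]["hash"] if self.records else GENESIS
        digest = _entry_hash(prev, entry)
        self.records.append({**entry, "hash": digest})
        return digest

    def verify(self):
        """Return the index of the first broken record, or -1 if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["hash"] != _entry_hash(prev, body):
                return i
            prev = rec["hash"]
        return -1


def demo():
    # Constructed sample journal: verify intact, then tamper and verify again.
    journal = IncidentJournal("IR-EXAMPLE-001")  # placeholder incident id
    journal.record("handler-a", "Switched tenant to Security Domain", "2024-01-01T10:00:00+00:00")
    journal.record("handler-b", "Captured forensic dump of web-01", "2024-01-01T10:05:00+00:00")
    journal.record("handler-a", "Submitted extracted file to sandbox", "2024-01-01T10:12:00+00:00")
    intact = journal.verify()
    journal.records[1]["action"] = "No dump taken"  # simulated after-the-fact edit
    return intact, journal.verify()
```

Running `demo()` returns `(-1, 1)`: the untouched chain verifies, and the edited second record is reported as the first broken link.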