Analyst Journal @ 03 Nov 2008 11:51 am by ayoi
Most of the time, whenever I have meetings with clients, the topics are penetration testing, system hardening and sometimes monitoring services as well. That is fine, because the purpose of those meetings is to discuss those topics anyway. But they (the clients, of course) somehow never mention how they would respond if an incident occurs. Yes, they do mention the SLA or SLG, but it concentrates more on the escalation process between the MSSP and them. Most of the time, we have either little or no idea of how they perform any form of response to, or handling of, the reported incidents.
Yup. That is the question that keeps playing on my mind most of the time. I am not thinking about this matter just because I have attended the Incident Handling class by SANS or because I am a certified incident handler. Most of the time, when talking about their own network security posture, the favourite topics are penetration testing, application assessment, server hardening or patch management, anti-virus, monitoring services and, of course, policy (if they have one).
From my observation and experience, the security process sometimes stops at the detection stage: the moment we perform the escalation, we are just hoping that the affected party will do all the necessary incident handling and response. We do provide some countermeasure guidelines and analysis of the detected security incident, but the best approach is still to be at the affected assets and perform the appropriate actions.
Most of the time, the favourite reply we receive from the affected party is “noted and thanks” or “The source IP has been blocked at our perimeter firewalls”. You might ask me, “what’s wrong with that kind of reply?” That will perhaps be another post, I guess.
I have also received some comments from my colleagues who are my clients as well. The common complaint is that they (the security team) receive little or no co-operation from other departments in their organization whenever they escalate our notification to them. Thus we keep seeing the same machine succumb to the same attacks. That is not a good thing to happen on your network.
So this is my view:
a). Form an Incident Response Team. Remember, this IRT must not be meant exclusively for security guys. It must have a representative from any department that may be affected if a security incident occurs: HR, Finance, Network and System admin (both Linux and Windows), Legal, and you might want to have a representative from management as well. With this setup, every department will have to co-operate, as one of their people is in the IRT. The best thing is to have at least 2 representatives from each department.
b). Draft/create an Incident Response Plan. Generally this plan will provide guidelines on the roles and responsibilities of the IRT members. By the way, please have a good meeting or discussion with your IRT members. Revise your Incident Response Plan annually (if possible) and identify any key areas that require improvement in order to smoothen the incident response process. Perhaps a simple drill, and a debriefing after that drill, will give you a good picture of your IRT and the effectiveness of your IRP.
c). Let higher management endorse or acknowledge your IRT and IRP. Then, if an incident occurs that of course requires you to respond, you can at least get (or “receive”) some co-operation from others.
d). Even though your IRT comprises representatives from other departments as well, make sure that you have a good relationship with them too. Try to project the image that you and your team are there to help them when something bad happens; you are not there to be a policy enforcer or to find others’ faults when an incident occurs.
e). If you have a third-party MSSP performing network security surveillance on your network, don’t leave everything to them. Try to take an active role and keep in touch with them as much as you can. You can ask for their assistance in doing some of the response or handling process, you know? Some of our clients just leave everything to us, but when we escalate any security incident the response is pathetic, and of course if those incidents have an obvious impact on their systems (web defacement is a good example), we always see the “that’s your fault” game over and over again.
f). Try to assess your MSSP to see whether their analysts are really performing their tasks. Sometimes even a world-class MSSP needs a kick at the back, though.
There are many things we can take into account when preparing to respond to an intrusion. Yes, some of the points I mentioned above are clearly stated in The Tao of NSM book. But like I said, most of our clients still fail to address the last process of security, which is response. So next time your MSSP notifies you of a possible intrusion in your network, or you manage to detect one yourself, you had better have everything in place to assist you when you try to respond to that event.
So how does your organization respond to an intrusion?