Critical Control 18: Incident Response Capability

How do attackers exploit the absence of this control?

Considerable damage has been done to organizational reputations and a great deal of information has been lost in organizations that do not have fully effective incident response plans in place. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.
NIST Special Publication 800-61 contains detailed guidelines for creating and running an incident response team (http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf).

How to Implement, Automate, and Measure the Effectiveness of this Control

  1. Quick wins: Organizations should ensure that they have written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling consistent with the NIST guidelines cited above.
  2. Quick wins: Organizations should assign job titles and duties for handling computer and network incidents to specific individuals.
  3. Quick wins: Organizations should define management personnel who will support the incident handling process by acting in key decision-making roles.
  4. Quick wins: Organizations should devise organization-wide standards for the time allowed for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting should also include notifying the United States Computer Emergency Readiness Team (US-CERT) in accordance with all government requirements for involving that organization in computer incidents.
  5. Quick wins: Organizations should publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
  6. Configuration/Hygiene: Organizations should conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls

IR-1, IR-2 (1), IR-4, IR-5, IR-6 (a), IR-8

Associated NSA Manageable Network Plan Milestones and Network Security Tasks

Incident Response and Disaster Recovery Plans
Training

Procedures and Tools to Implement and Automate this Control

After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios tailored to the threats and vulnerabilities the organization faces. These exercises confirm that team members understand their roles on the team and prepare them to handle real incidents.

Control 18 Sensors, Measurement, and Scoring

Sensor: Incident response plan
Measurement: Simulate an incident and measure how quickly the team detects it, responds, and remediates the issue.
Score: Compare the actual response times and actions against those expected by the plan, and express the result as the percentage of expected outcomes achieved.