Communication/notification of an incident

Where are the tools?

  • On the internal network

  • On each endpoint (e.g., memory forensics agents)

  • Internet service provider

  • In the cloud

    • Sometimes with your cloud provider

Things that shape the communication plan for IR

  • Legal requirements

  • Compliance

  • Media and public disclosure

  • Internal communications

Legalities

Regulations are different for some industry groups

Different countries have different requirements

Privacy may be of concern

Compliance

  • HIPAA

  • SOX - Sarbanes-Oxley

  • PCI

  • Others

Communications with media

Should be filtered through the legal team and the PR team

Who should receive reports (daily updates, etc.)?

Internal communications

  • Who has the need to know?

  • Use the standard, normal communication channels?

  • Set up separate communication paths

  • Dedicated internet connections

  • Out-of-band file storage and digital communications between the team

Do we continue to use internal messaging and email if that system is compromised?

If the network is compromised, does that potentially include the mail servers?

  • Bad guys might be monitoring our IR process!

Out-of-band communications

Set up separate email, messaging, and file storage systems outside the network

Used exclusively for this type of incident

Consider backup/alternate devices for connectivity to these messaging and storage systems

Reporting

Reports should be treated as highly confidential and distributed on a need-to-know basis only

Daily status report to be shared among incident handlers

Weekly status report for upper management at a minimum

  • Sometimes management will request daily reports, usually depending on the severity of the incident
