University of Maryland, University College CYB 670 Incident Response Plan CMP 670 9046 Cybersecurity Program Development (2198)

Document Content and Description Below

University of Maryland, University College CYB 670 Incident Response Plan CMP 670 9046 Cybersecurity Program Development (2198) University of Maryland Global University Table of Contents P... urpose....3 Roles and Responsibilities....4 Incident Response Phases....5 Tools, Techniques, and Technologies.10 Internal and External Communication and Coordination.....13 Security Controls and Tracking...14 Incident Response Plan Checklist......15 Data Protection Mechanisms.....16 System Integrity Checks......16 Network Behavior Plan17 Threat Bulletin.....17 Triggering Mechanisms Throughout the Cyber Incident18 Containing an Incident on the International Domain....18 Reference......22 Purpose The purpose of this Incident Response Plan is to define the organizations approach to handling a cyber security incident. An Incident Response Plan is intended to be a living document so that it can be improved upon or clarified if needed. Having an Incident Response Plan in place allows for each person that is on the response team to know their duties if an incident occurs. The plan if crafted and followed correctly will allow for a better response that isolates the attack, mitigates its affects, quickly recovers, and attempts to prevent another attack. Scenario: Distributed Denial-of Service Attack (DDOS Attack) A DDOS attack is a malicious attempt from multiple systems to make computer or network resources unavailable to its users, by interrupting its communication. The Australian CISO contacted our team and informed us that the network we set up for the summit has been compromised by a DDOS attack. As a team, we must stop this attack following the incident response plan we have developed. The other members of the FVEY alliance are also suffering from the same attack. It has been agreed that as each country makes progress with the attack information will be shared. While it is believed that China or Russia are responsible for the attack everybody is still under suspicion even members of the FVEY alliance. This incident was trigger when the nation hosting the summit detected exfiltration in its IDS. All As a result, it is feared that the network could face buffer overflows or DDOS risking each nations server. The conditions to close this incident will be when the network is restored to full working order with no latency or network connectivity loss. Roles and Responsibilities When an Incident Response Plan is developed who is on the team and the roles and responsibilities of each team member should be well defined. There is not a standard size requirement for the number of personnel assigned within these roles; the nature of the incident will ultimately determine how many personnel are tasked. When the Cybersecurity Incident Response Team (CIRT) is selected the main thing to keep in mind is the goal of the team. The goal of the team is to detect the attack, then contain and eradicate, followed by restoring the system within a reasonable time. The Australian team will have a CIRT Manager, a Technical Lead, and then will have multiple team members. The CIRT manager will do the coordination of the team, keep upper level management updated on the statues of the attack, and document control for all incident response documents. The Technical lead will update the CIRT manager and oversee and assign technical work to the team members. The team members will be responsible for doing incident response activities, detecting intrusions, issuing recommendations, and doing the remediation work after the event (Henri, 2018). The Authority of CIRT comes from upper level management. While CIRT will handle all of the technical detail of the incident there are other consideration that need to be mad on who is involved. Other areas that may need to be brought in are Legal, Human Resources, and Public Relations. Legal would be able to provide any advice on the usability of evidence if legal action is taken. It will also provide advice on liability if the incident affects customers, venders, or shareholders. Human Resources would need to be brought in if the incident involved an employee. They would provide advice on the best way to handle the employee involvement. Public Relations role would be to do its best to protect the company image. Public Relations is there to be the face of the company if needed. They now best how to get the word out honestly about wat happen without causing a panic in the public and among shareholders. Another consideration when forming the CIRT team is how you are going to staff it. The first option for staffing is 100% outsourcing. This means that all of the roles will be done by someone outside of the organization. The second option is to outsource certain roles on the team and staff the rest with employees. This could happen if an organization does not have all the expertise it needs or needs more staffing to accomplish the job. The last option is to staff 100% with employees. Incident Resp [Show More]

Last updated: 1 year ago

Preview 1 out of 22 pages