The responsibilities of an incident responder




INCIDENT RESPONDER


Dario Forte

Dario V Forte, CFE, CISM, CGEIT. Founder and CEO, DFLabs, Italy

Being part of an incident response and digital forensics team is still a good choice in terms of income and career opportunities. Security incident and digital investigation management is not an area of cyclical importance, but a fully-fledged part of all company security governance processes, which involves both legal compliance and business continuity. The result is that many companies, suppliers and individual professionals invest in related skills and structures, quite rightly in my opinion, in order to increase their competitive edge. With the passing of time, the levels of responsibility associated with security incident management have risen, both regarding legal issues and in terms of business processes. It is clear that both aspects are quite important. In this article we will get an idea of the evolutionary trend in responsibilities assigned to practitioners of this profession.

Incident response: personal duties

The nature and size of a company will determine to what extent it has an organised and permanent incident response team. This team may be in the service of the Chief Security Officer or of other internal company functions, such as the auditing, legal or fraud departments. Regardless of whom they answer to, the responsibilities of security operators are pretty much the same. Before we describe them, we should add that in all cases advanced computer forensic, data recovery, hacking and electronic discovery skills are demanded. This means that a technical background by itself is not enough; strong communication skills and the ability to meet individual departments’ expectations are also required. The responsibilities listed below have been obtained from my analysis of a great number of job descriptions. Let’s have a look:

1. Planning, preparation, management and performance of the most common digital forensics activities, such as live analysis of systems, networks and mobile devices, including cloud computing.

Network Security, January 2010

This is by no means a simple responsibility but rather one that requires both technical and managerial skills. The first two tasks are part of what is known as forensic readiness, the implementation of preparatory measures that can immediately be put into effect in the event of an incident having implications for either internal processes or legal compliance. Planning and preparation involve the drafting of guidelines, procedures and standards, the development and preparation of training programs tailored to the various figures involved, and the selection and validation of technologies to use in incident response and digital investigation processes. It is also quite clear that these responsibilities entail keeping abreast of the state of the art in terms of both tools and skills, and keeping all documents, hardware and software up to date.

2. Provision of internal consulting services to solve problems relating to individual tasks, especially those of a technical nature.

This means that incident responders not only act in an advisory role within the incident response team but also within the company at large to which they provide services. Once the response procedures have been set forth, it will be necessary to provide support to technicians (for example, system and network engineers) for routine and emergency tasks. We see this particularly in cases where the team answers directly to a CIO who actively seeks interaction with all levels of the organisation to favour company-wide synergies.

3. Execution of computer forensic tasks throughout the digital evidence management process.

Following up on point 1 (preparation and management), point 3 regards evidence preservation and data recovery, including backup tape management, email extraction, database examination and so forth. In my opinion, we are going to witness an increasing relevance of this role, with particular reference to the need for companies to have an internal team for ediscovery tasks (something now required by law in a number of countries). The incident response team will always handle these tasks, in this case under the direction of the legal department and with the support of technology (SaaS – Software as a Service) that can optimise costs and operations.

4. Support for technical analysis of company IT and network architectures.

This is a responsibility that has long been highlighted in much of the literature, including that of the IETF (RFC 2350) and CERT Carnegie Mellon (www.cert.org). It involves managing and performing technical analyses of the architecture in order to identify pertinent, court-admissible evidence prior to the occurrence of an incident and to determine points of vulnerability to hacking.

5. Proper application of best evidence collection and preservation practices.

It should be clear that this personal responsibility is highly relevant to the company. Risks here include legal liabilities, and hence this type of professional figure has a relatively high intrinsic value. However, with the increasing number of laws (both civil and criminal), regulations and standards governing the application of the above practices, it is clear that the job is no cakewalk. As an example, according to Stephen Wu, Esq., the Federal Rules of Civil Procedure say that the requesting party can specify that it wants the producing party to produce ESI (electronically stored information) in a certain form (Fed. R. Civ. P. 34[b][1][C]). The rule is the same in the California state courts, under its Code of Civil Procedure (“CCP”) (CCP 2031.030[a][2]). In response to the request for ESI, the producing party is entitled to object to the requested form of production and must then state the form of production it is willing to make (Fed. R. Civ. P. 34[b][2][D]; CCP 2031.280[c]). The issue is thus joined in this way, but these rules do not answer the question as to which party’s preferences win out.

That this is a growing area of responsibility within IT is confirmed by many analysts and experts, including Charles Skamser, president and CEO of eDiscovery Solutions Group, who says, “Just about every analyst in the world has predicted that ediscovery processing in 2010 will become the responsibility of the IT organisations within corporations. This will result in a dramatic reduction in revenue for the litigation services and ediscovery departments within law firms and third party service providers.”

6. Verification and validation of hardware and software, as required by local regulations.

This is part of the tool validation process, which has always been handled by security operators. However, the fact that this responsibility has never been formalised (at least not so far) has delayed the formal establishment of this type of role. But it is no longer possible to do without a training and information plan or program to formalise processes and procedures for validation (internal and external) that involves both internal company resources and, possibly, those of suppliers.

7. Performance of security assessments, penetration testing, and other tasks, including examinations of compromised computers and servers.

This is the traditional responsibility of the incident handler, who is always called in the event of a compromise. The evident novelty is the addition of responsibility for security assessments. This is a commonly recognised principle in the literature that is considered fundamental for ensuring the effectiveness of the entire incident management lifecycle. Intrusion response times can only be reduced by knowing ahead of time the points of exposure and vulnerability of a structure or organisation. It is equally clear that this type of preventive activity principally regards possible hacking episodes (whether they constitute bona fide attacks or are “merely” preparatory actions for something else).

Conclusions: and the money?

There are many who say that, among its other burdens of responsibility, the team also has to manage its allocated budget. While this might seem obvious and automatic, it actually isn’t. If, as many say, incident response and computer forensics will be, at least operatively, within the IT department, the budget issue has a larger scope, in that IT itself has witnessed a decline in budget allocation. The worry of many is thus that the lower funding will have a negative impact on the team’s ability to operate effectively, both technically and, more critically, within the legal arena. If companies understand that this is not an area where they can achieve savings, then their legal exposure will be reduced. Otherwise, it is more apt than ever to speak of the risks involved in failing to invest in security. There are already cases where the lack of compliance and effectiveness in the management of digital evidence has resulted in multi-million dollar payouts by the imprudent companies. We should also bear in mind that in no other sector are legal responsibilities so closely shared by operators and the company. We will see how things develop.

About the author

Dario Forte, CFE, CISM, CGEIT, is a former police detective and founder of DFLabs, a firm specialised in business security. He has worked in the field since 1992. He has been involved in numerous international conferences on information warfare, including the RSA Conference, Digital Forensic Research Workshops, the Computer Security Institute, the US Department of Defense Cybercrime Conference, and the US Department of Homeland Security (New York Electronic Crimes Task Force). He was also the keynote speaker at the Black Hat conference in Las Vegas. He provides security consulting, incident response and forensics services to several government agencies and private companies. www.dflabs.com
