Respond to Network Intrusions

Learning Objectives

After completing this unit, you’ll be able to:

Describe the key elements of an incident response plan.
Explain how organizations should test the plan.
Identify incident response communication strategies.

Create an Incident Response Plan

Imagine a soccer team playing in the World Cup. The team is highly trained and expects to win by a landslide. But by the end of the first half, they are down by two goals and feeling defeated. In the locker room, the coach decides to make an adjustment to the plan. They are going to implement a different play that they have been practicing, which exploits the other team’s weak right defender. Each player knows their role and how to execute the moves. With the help of the coach, the leadership of their captain, and the second wind of a few crucial subs, they manage to come back and win the game by one goal in the final seconds, taking home the gold medal.

A coach is reviewing a strategic play on a chalkboard with the players in the locker room.

Much as the coach implements a plan to win the game, network security engineers implement an incident response plan when things are going wrong on the network. The plan helps stop, contain, and control the damage that an adversary can inflict in trying to take services offline, steal data, or illicitly access information. Having a plan in place makes it faster and cheaper to respond to an incident. Typically, the dedicated incident response team (IRT), made up of security professionals, leads the incident response. And just as the coach, captain, and subs played a role in winning the game, other members in the organization, such as lawyers, communications specialists, the executive suite, and even law enforcement, have a role to play. The plan lists these roles and responsibilities and ensures 24/7 coverage during the response.

In putting together an incident response plan, the network security engineer:

Identifies and prioritizes the most critical components of the network.
Replicates and stores sensitive data in remote locations that can be used as backup in the case where hackers destroy or alter data.
Identifies single points of failure on the network and fortifies them with redundancies.
Thinks about continuity of operations: If hackers compromise the email system, how does the company send messages to the employees about what action to take next?

The next phase of incident response involves detecting an intrusion. Network security engineers have a critical role to play at this phase, as described in the previous module. When a network security engineer detects an incident they follow documented procedures as to what information should be collected, how it should be communicated, and to whom. First and foremost, the network security engineer needs to collect additional information for the IRT to analyze.

During the analysis phase, the IRT seeks to understand when the event happened, what the entry point was, and how it was discovered. They try to quickly determine the scope and impact of the compromise. During this phase, the network security engineer may need to provide logs and additional information to help the IRT assemble the pieces of the puzzle.

This analysis enables the IRT to manage the response, starting by containing the breach from spreading. This can be done by disconnecting devices from the Internet, isolating network segments, quarantining malware, or updating and hardening systems. The network security engineer likely needs to take action to assist in these tasks. Once the threat has been contained, it’s important to completely eradicate it from the network by finding and eliminating the root cause. All malware must be removed, authentication mechanisms should be changed, and systems re-imaged if necessary. Additional hardening and patching of systems may also occur. As the team moves into the recovery phase, the network security engineer may also need to coordinate on system backups to restore business operations.

Security professionals perform this type of planning not only to help the organization, but often to fulfill regulatory requirements. The plan must be approved, have executive buy-in, and be funded. It should be actionable and flexible to ensure roles, responsibilities, and procedures are clear, but also allow room to respond to unforeseen situations. Finally, all members of the organization should be aware of and trained on the plan, and the plan should be tested by the security team—a subject you learn more about in the next section.

Test the Incident Response Plan

Security professionals also ensure organizational awareness and understanding of the plan, and test and update the plan regularly. Both the business and tech teams should understand the plan and its importance and understand basic security concepts. Training can help with this.

Security professionals also test the plan at least annually. Drill scenarios can help the IRT prepare to implement the plan, just like practice helps a soccer team prepare to win the big game. They can use a tool, such as table-top exercises, with the executive team to simulate a mock data breach.

Taking executives through a response scenario that could occur in real life helps prepare the entire organization to respond, communicate, and make decisions during an incident. This not only helps the team feel prepared when an incident actually occurs, but also demonstrates the security team proactively thinks about threats. It also can point to places where clearer policies or procedures are needed to help guide the response or where additional staff or financial resources are needed. Additionally, it helps emphasize to the executive team the importance of the security organization, which can only help when creating buy-in for the plan.

Finally, the plan should be reviewed and updated regularly. Beyond scheduled updates, security teams review the plan after a breach, in response to evolving threats, or when there are significant changes in the technology that the organization uses or in the organization’s structure or leadership.

Communicate During an Incident

As part of the incident response plan, security professionals document the internal and external communications strategy to follow during an incident. Who should communicate, what should they communicate, and through what channels? There should be a designated point person to communicate externally. The plan should also include criteria to involve law enforcement and use regulatory guidelines in forming escalation criteria. It should also provide a backup communication strategy in case normal communication avenues (such as email) have been compromised by the breach.

As part of the communication strategy, security professionals document how an organization communicates to its customers; specifically, the what, when, and how to communicate information about a breach. Organizations must treat this matter carefully, not only because customers may be angry or lose faith in the brand in the wake of an incident, but also because privacy and security regulations and laws have specific guidelines about how these matters should be handled.

If the company covers up the incident, fails to report it within a required time frame, or botches the communication, it may affect the business’s reputation, and the company may face fines or legal action. Knowing what regulations and best practices apply to the organization and detailing how to follow them when responding to an incident are key parts of a communication plan.

Knowledge Check

Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, arrange the list of items in the correct sequence to reflect the order in which they should occur. When you finish reordering all the items, click Submit to check your work. If you’d like to start over, click Reset.

Great job! You’ve reviewed the importance of having a plan in place when responding to an incident and outlined the network security engineer’s role in identifying single points of failure in the network. You’ve also explored detecting the incident, providing information for the IRT to analyze, and being aware of and trained on the incident response plan, communication plan, and associated test scenarios. The next and final unit discusses the network security engineer’s responsibilities when recovering from the incident and restoring operations to normal.