The six stages of post-security incident grief avoidance

AusCERT Audio Security and forensics man Ashley Deuble has outlined the six stages of good incident response that if followed could bring an enterprise in line with Fortune 50 best practice.

The Griffith University security manager says the steps of preparation; identification; containment; eradication; recovery, and lessons learned are core to help organisations successfully recover from data breaches.

Deuble says these six steps allow the extent of a breach to be determined, including the systems and data that is possibly compromised, while also helping to preserve chains of evidence and identify possible actors for later legal action.

"The state of incident response (IR) is not good," Deuble told the AusCERT security conference on the Gold Coast yesterday.

"Other places, especially Australian-based companies, operate on a best-effort approach.

"But it's not all about IR - it's about detection, understanding what security means, and having budget, so you're local fish and chips shop is not going to have this."

Throughout the incident response process, documentation is king; Deuble says security types should "document everything", answering questions of who, what, when, and how.

The preparation phase is the first step, and involves people, policy, and tools part of a jump bag. The latter should include live operating systems, net access, and forensics tools.

Identification requires security systems to be consulted in order to tell an event aberration from a true security incident. One a breach is confirmed it should be reported immediately so that evidence collection can begin.

Podcast download: The six stages of incident response. (nb: audio is a phone recording, and not El Reg's usual high quality).

With full identification done, containment begins. System images are snapped, systems isolated, and as part of long term containment patches pushed and servers rebuilt.

Eradication follows where defences are bolstered ahead of the recovery phase.

"At the end of this incident response process we gather all the information from the 'lessons learned' section and feed this back into the preparation phase," Deuble says.

Many internal security teams bork incident response. Documentation is insufficient, digital evidence is trampled by ad-hoc remediation efforts, and systems are not sufficiently cleansed of malware and backdoors.

It is for this reason Mandiant forensics boffins and others may punt security teams during data breach investigation and take full command of incident response. ®