When you have decided on your team’s basic services, and recruited and assembled your team according to the guidelines mentioned earlier in this chapter, it is time to make sure that your concept of “team” extends beyond the individuals who are directly assigned, matrixed, or contracted to the core team. In fact, the actual incident response team should really just be the process and technical experts who lead the charge in response to a security problem. During a crisis event, the concept of a team needs to extend far beyond those boundaries. The overall team, in a macro sense, needs to involve a much larger group of the organization’s employees beyond simply the technical incident response staff.
We were involved in a role playing desktop exercise with a client in which we simulated an incident with a group of the client’s senior management and executive personnel. During the exercise, we stepped through a realistic hypothetical incident involving the theft of large amounts of money from the client. Although the actual incident response team was represented in the room during the incident, it very quickly became obvious to everyone in the room that it would be impossible to have the team run the show during an actual crisis. Some of the most unlikely people in the room rapidly found themselves key figures in the actual handling of the incident, even though they were not members of the incident response team and were never even told what their incident response roles and responsibilities would be. At one point during the scenario, a camera team in the lobby of the building surprised the company’s CEO with a surprise “interview.” Fortunately, the CEO had been fully apprised of the situation and been given, by the office of public affairs, a recommended statement to make to the media. Thus, he was able to give the reporters a statement that helped them in putting together their story, while neither making the company look foolish in the eyes of the media nor giving away any critical information about an ongoing investigation. In this example, the public affairs office played an invaluable role in the overall handling of the incident by briefing the CEO and making sure that he would be fully prepared for a possible media assault. Even though this may not seem like a normal function for an incident response team, attention to detail can make the difference between a successfully handled incident and a public embarrassment. As a result of this exercise, the company now considers their incident response team to be a dynamic entity made up of a wide range of people from throughout the company.
In a sense, every employee should be part of the incident response team and your organization’s information security program . Recall our previous example involving an employee who noticed some suspicious activity by a fellow employee and reported it to his manager. That employee was acting responsibly as a front-line component of the emergency response team by alerting the appropriate people to the potential problem.
The company’s senior decision-makers need to be involved in incident response planning. For starters, they should have some degree of oversight and approval in the planning process. And, perhaps more importantly, they need to be available to make key business decisions during crises as requested by the Team Leader. In order to do that effectively, they must have a clear understanding of the role of incident response. One of the most effective ways of achieving that level of understanding is to hold mock incident exercises, when a situation is stepped-through and examined closely. Role-playing exercises are covered in more detail later in this chapter in Section 4.8.
The GC should be closely involved with the incident response team from the beginning. It should be part of the planning and execution of everything that the team does, making sure that the team’s actions are in compliance with any applicable laws. For example, a common investigative process in responding to an incident is to monitor a user’s activity on a network. While practical ten years ago, such actions have strong privacy implications today, and the GC must insure they are in compliance with the law and the company’s own policies. Similarly, during an actual incident, it is often necessary to expand an investigation outside of the local area -- sometimes out of the country. Naturally, any such activity also needs to be in compliance with the laws in those areas, and the company’s GC should closely protect the company’s liability exposure during incident response operations. While such reviews and authorizations can be accomplished during the development of the incident response process, good practices dictate that the GC be kept informed during an actual incident.
Similarly, incident response operations frequently require the close synchronization and support of the PS department. Restricting or removing physical access to computer systems or office spaces is important when conducting internal incident response activities involving company employees.
In almost any information systems-related incident, the IT department plays an integral role, if for no other reason than they run the computers and network systems affected by the incident. However, during our time as responders, we’ve found that IT shops frequently feel that the incident response team is an adversary when it seems to swoop in and take charge of IT staff and resources during an incident. This sort of adversarial sentiment can be destructive and should be avoided at all cost. Not only should the IT department be included in the team’s planning and execution meetings, it should be treated as a key player whose sage counsel is well respected. They should not be in any way patronized, but treated as truly integral to the incident response process, because they usually are!
An often-overlooked yet vital detail is to involve law enforcement in the planning phases of an incident response program. Law enforcement, both local and national, should be approached during the planning of the team and included to an appropriate extent. One of the most useful things is to call the local police department and talk to the person responsible for investigating white collar crimes, usually the department that investigates computer crimes. Talk to them, get to know who they are, and find out their capabilities. From your chat, you should be able to determine if they have experience with computer-related crimes and are computer savvy. By getting to know them prior to an incident, you will better understand what to expect from them -- and they from you -- during an actual incident. Likewise with national law enforcement, find out who does what. In the United States, the principal national law enforcement agencies are the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI). The USSS typically investigates crimes involving financial fraud or theft, while the FBI investigates other online criminal activity. Talk to the local USSS and FBI representatives and get to know their capabilities, strengths, and weaknesses.
When an incident becomes widely known, public image is often one of senior management’s top priorities. Depending on the nature of the incident and the company’s business, the PR office’s involvement will vary, but public image and shareholder concern is always going to be a major motivator for the senior executives of the company. It is the job of the PR office to act as the company’s spokesperson and provide the executives with useful recommendations on what to say to the media. A mistake can carry disastrous results. Imagine a CEO who is not aware of the nature of the incident gets ambushed by the media, and in a panic simply says something like “No comment,” and brushes the reporters off. Most reporters will take this as a sure sign that a major incident really is taking place, even though the CEO didn’t say so. Prepare the entire team on what to say before the media asks for information; this can mean the difference between an image of a confident company correcting a minor problem and a company that has been overwhelmed by a security incident and is in a state of chaos. The PR office needs to be constantly informed of any even slightly substantive incident. As a corollary, the PR office should report media reports regarding the incident to the Team Leader -- such information is invaluable in drafting the incident report and determining the severity of the incident. We’ve found that there are three answers to such questions:
Yes, I know, and can tell you.
Yes, I know, and I can’t tell you.
No, I don’t know but will find out.
Anything else will send the reporters on wild hunts to dig up dirt, since they know you’re hiding something. Stay on top of rumors and media relations.
Although the board of directors isn’t always involved in the day-to-day operations of a company, it is frequently approached as senior executives by media, customers, and other companies. The directors can thus be vital parts of a company’s overall image, at the very least. Further, they are in charge of making the strategic decisions on the company’s direction. And, aside from the fact that they are likely to call and ask for it regardless, it is important to provide them with accurate and timely information during major incidents. The trick is in giving them the right amount of information. It is usually best for the incident response team to work with the senior management to put together information updates for the directors in a format that best suits everyone. The directors will need accurate information on major incidents and the incident response team would be well served to anticipate that and prepare executive-level briefings.
Clearly, any business unit that is impacted by an incident is going to rapidly become an integral part of the incident response process. However, it can make a lot of sense to inform the senior management of other business units as well. For example, if the media smells a story, they are likely to start making phone calls to everyone and anyone that they know in the company. If the PR office has worked with senior management, who, in turn, has briefed its employees on the company policy and procedure for media inquiries, the story that gets published is much more likely to contain the information the company wants to see in it. Furthermore, other business units, even if not directly impacted by an incident, may be indirectly impacted by it. Keeping the senior managers updated on the status of events will work wonders in controlling the rumor mill that accompanies every major incident.
These issues need to be balanced with the company’s priorities. For example, an incident involving a company employee might necessitate including some people or organizations because of the nature of the incident. In practice, the decision of who to include during an actual incident should be based on the Team Leader’s experience on a case by case basis. The important thing is that the incident response team should have a core set of “players” who become part of the incident response team during a crisis. The make-up of the team will vary from time to time, but the core will probably be quite similar with each major incident. Each of these players should be familiar with the team, its charter, its policies, and its procedures, as well as the role that each is to play during an incident.
In order to accomplish this, it is necessary to spend the time with each person or office to ensure that they know what is expected. It is also necessary to include these people and offices in the planning phases of the team. There is no better way to get cooperation from someone than to include the person in designing the solution. This carries with it an administrative and often bureaucratic burden, but it is justifiable if the end result is a team that acts as a single cohesive unit during a crisis.