INCIDENTRESPONSE.

COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
  

Automate Response Did you know?

Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook
guide. This guide has been created especially for you for use in within your security response team. We In 2014, incidents increased by
hope you find it valuable and ask that you share it with the rest of your organization so you can collectively 78% since 2013.1
be successful in managing incidents and reducing risk throughout the business.

1,023,108,627 records were

breached in 2014.1
Your playbook overview - “Improper Computer Usage”
54% of the breaches consisted
of Identity Theft.1

Prepare Detect Analyze Contain Eradicate Recover Post-Incident

$3.5 million is the average
cost of a breach for a
company.2
Incident Response: A Top Priority in Security Management Programs
Companies experience an
In the April 2014, U.S. Government Accountability Office reported (GAO-14-354) it’s noted that “major average of 10 unauthorized
federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents (a access incidents per month.2
security breach of a computerized system and information).” The GAO projects that these agencies did not
Malicious insiders and
completely document actions taken in response to detected incidents. While the agencies identified the
criminal attacks are the top
scope of an incident, they frequently did not demonstrate that they had determined the impact of an
causes for breaches.2
incident, nor did they consistently demonstrate how they had handled other key activities, such as whether
preventive actions to prevent the reoccurrence of an incident were taken. The GAO notes, “without com-
plete policies, plans, and procedures, along with appropriate oversight of response activities, agencies
1. Source: Gemalto - Breach Level Index
face reduced assurance that they can effectively respond to cyber incidents.” 3 2. Source: Ponemon 2014 Cost of a Data Breach
3. Source: GAO-14-354, p.2

-1-

PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
  

What is an incident response playbook? According to NIST Special Publication 800-61, an incident response process contains four main phases: preparation,
detection and analysis, containment/eradication/reocvery, and post-incident activity. Descriptions for each are included below:

Prepare Detect & Analyze Contain, Eradicate Post-Incident Handling

& Recover
The initial phase where organizations The second phased where Because the handling of malware
will perform preparatory measures to organizations should strive to detect The third phase, containment, has incidents can be extremely
ensure that they can responsd and validate incidents two major components: stopping the expensive, it is particularly important
effectively to incidents if and when rapidly because infections can spread of the attack and preventing for organizations to conduct a robust
they are uncovered. spread through an organization further damage to systems. It is assessment of lessons learned after
within a matter of minutes. Early important for an organization to major malware incidents to prevent
detection can help an organization decide which methods of similar incidents from occurring.
minimize the number of infected containment to employ early in the
systems, which will lessen the response. Organizations should have
magnitude of the recovery effort and strategies and procedures in place
the amount of damage the for making containment-related
organization sustains as a result of decisions that reflect the level of risk
the incident. acceptable to the organization.

Improper Computer Usage

You’ve selected the “Improper Computer Usage” playbook. On the pages that follow, you will find your
incident response playbook details broken down by the NIST incident handling categories.

To view your playbook online, visit https://incidentresponse.com/playbooks/improper-computer-usage

-2-

PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
P R E PA R E - I M P R O P E R C O M P U T E R U S A G E

Determine Core
Ops Team Vulnerability Threat Risk
& Define Roles Manager Manager Manager

Review &
Maintain
Timeline

Interviews Physical Key

User Manager
Security Stakeholders

Document Internal Path External Path Document

Next
Step

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
DETECT - IMPROPER COMPUTER USAGE

Prev
Step

Excessive amount of Identification of large Increase in spam

web browsing traffic or emails being sent or delivered to user’s email
downloads received by a user account

Define

Unexplained malware,
Threat
Indicators
Custom Custom Indicators
Notification from other
employees, partners or
adware, spyware or
virus infections on
Standard
vendors
computer system

Categorize
Incident

Use of unauthorized Web filtering alerts of

communication access or attempted
methods or network access to unauthorized Request Packet
protocols websites
Capture

Conduct Scans

Next
Step

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
A N A LY Z E - I M P R O P E R C O M P U T E R U S A G E

Prev
Step

Internal user PII or other External user PII or PII or other protected
protected information other protected information been
has been stolen information has been compromised
stolen

Public or personnel
safety affected
Customers are affected
by this incident
Standard Define Risk
Factors
Custom Custom Factors

Ability to control /
Products/goods record/measure/track There is internal
/services are affected by any significant amounts knowledge of this
this attack of inventory/products / incident Determine Patch
cash/revenue is lost Methods

There is external Worst-case business

impact if unable to System(s) have been
knowledge of this
mitigate this attack affected Log Collection
incident

Data has been Vulnerability or services

compromised IT services are impacted
have been exploited
Evidence Collection

Data Capture

Analysis

Next
Step

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
C O N TA I N - I M P R O P E R C O M P U T E R U S A G E

Prev Identify the system(s)

Servers Desktop Laptop Mobile VM LDAP
Step that have been affected
Directory

Identify user credentials

compromised
or at risk

Identify any malicious

code on any systems

Identify types of
network protocols
being utilized

Identify means and

methods used by the
suspected offender

Incident Threat
Identify any persons
Database Database
that may have received
data from suspect

Determine where
Vulnerability System
residual data may Select Database Query Database Generate Report
remain related to this Logs Logs
suspected offense

Identify any
undiscovered suspicious View Report View Record Details Select Records Copy Record Details
files, programs or data

Network
Identify the tools used
to detect the misuse
SIEM IDS Firewall Scanners Scanners
Antivirus Monitoring
Tools

Next
Step

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
E R A D I C AT E - I M P R O P E R C O M P U T E R U S A G E

Prev
Step

Triage & Confirm Request Network

Request Endpoint
Configuration
Incident Report Updates
Policy Updates

Direct Conference
Phone Call Call

In-Person Intranet HR/Employee

Meeting Meeting Communications

Mobile Internet
Messaging Meeting

Add/Change/
Eradicate Offense Warn the Employee Remove Affected
Perform data
forensics
System/Site/Network

Next
Step

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
RECOVER - IMPROPER COMPUTER USAGE

Prev
Step

Apply Network
Recover Systems Reimage IDS/IPS &
Firewall Updates
Monitoring System
Updates

Incident Wipe & Baseline Scan host with

Scan File Share Remove
Vulnerabilities &
with updated
Remediation System updated Signature
Signature Update Routers

Next
Step

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
POST-INCIDENT - IMPROPER COMPUTER USAGE

Prev
Step

Sensitive
Electronic Personal
Incident Review Health Information
Government
Information
(ePHI) Compromised?
Compromised?

Discovery Policy Updates Process Updates Configuration

Lessons Uncovered Meeting Defined Defined Updates Defined

Policies Process Changes Configurations User Training

Lessons Applied Implemented Implemented Applied Conducted

Response Workflow
Updated

INCIDENTRESPONSE.COM
  
 INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
  

Proactive Response Security Management Benefits

An automated playbook helps security teams optimize for efficiency and productivity. Your security team has the
• Be prepared to handle any incident your
ability to analyze, detect and prioritize when all pertinent data and multiple security tools are integrated into one
team faces
system. With one-screen visibility you can identify anomalies, assign tasks, access reporting and communicate
• Control the situation, minimizing the
across multiple departments effectively for quick responses.
impact to the business
• Efficiently manage your response across
Quick Containment multiple departments
Time and speed are crucial in assessing the environment and risk in the context of your business. Playbooks give a
complete view of the necessary tasks to capture the data needed to support proper recovery and forensics. The
Useful Links:
efficiency a playbook brings to a security team allows for quick responses to finding the source of the attack,
NIST Incident Handling Guide
following lateral movement across the organization and taking the proper steps mitigate damage.
SANS Incident Handler’s Handbook

Effective Remediation
Organization and automation are key benefits that result in effective remediation. Automated playbooks help to Risk Management Benefits
organize security processes, mitigation plans and smooth communication between multiple departments. By • Communicate effectively to ensure risk
optimizing data collection, analysis, and communications you improve the odds for effective eradication, recovery mitigation methods are applied
with integrity and forensic-quality reporting. • Prioritize resources and activities where
they matter most
• Report and tune based on response
Action Plan learning, reducing risk moving forward

Having a view into what is possible is the first step in taking action. The next step is to bring your team together to
drive it toward reality. Email this guide to your peers and managers to begin sharing your playbook with them. Useful Links:
NIST Risk Management Framework Guide
With this playbook, you will be better prepared to handle the response. To help with the management and automation
Sample Policies and Plans
of this incident response playbook, consider working with CyberSponse and their partners. Come take a look at what
they do.

For additional incident response playbook examples, visit https://www.incidentresponse.com/playbooks

- 10 -

PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com