Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Incident Response at Sony - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Incident Response at Sony

For those of you who are not aware; Sony currently has a job posting for a Manager of Incident Response. Where I come from they refer to that as “closing the barn door after the horse has got out”, They do need to start somewhere and all in all it sounds like a cool job for an experienced Incident Handler. They do mention SANS certifications. Of course they do put SANS certifications on the same level as CISSP and CISM, but it is a step.

My piece of advice for the new IR manager at Sony is to go back and review, and update, their incident response plans since the Sony response to this incident was farcical at best.  Matthew Schwartz at InfoRiskToday has published a post describing “Sony’s 7 Breach Response Mistakes”. If you want to see the details please go over and read his article, but to summarize he says that the 7 mistakes were:

  1. Failure to spot the Breach
  2. Poor breach response
  3. Shooting the messenger
  4. Contradicting themselves
  5. Ceding control of the conversation
  6. Failure to Take Responsibility
  7. Hoarding old emails

Those of you who are students of the SANS Incident Response methodology will be aware that the methodology uses the pneumonic of PICERL; Preparation, Identification, Containment, Eradication,  Recovery, and Lessons Learned. Assuming that Sony had an IR plan, and followed it, comparing this methodology to the Sony “mistakes”,  it struck me that most of Sony’s failures resulted from insufficient time spent in Preparation.

Most people think of preparation as making sure you have the proper preventive and detective controls in place to hopefully prevent, and if not, detect a breach.  But preparation needs to include many other aspects including, an incident management framework, a response strategy, and a communication plan.

The incident management framework defines every aspect of your incident response team, from who the participants are to who is in charge to how the team communication will work.  In most companies IR has become a technical IT function.  While having the correct technical resources to respond to an incident is important, having the correct management structure in place to effectively manage the incident is equally important. Don’t forget to include legal and communications functions in the incident response team. They will be indispensable in a public breach. 

The response strategy comprises the processes and procedures that will be used in the case of an incident.  One great way to develop these processes and procedures is to run table top exercises and mock incident exercises with the IR team.  The output of these exercises should be moderately detailed plans to handle these incidents. By anticipating common scenarios in advance of an incident leads to the actual response to an incident being smoother and less stressful when an incident actually occurs.  It is not possible to anticipate every conceivable incident, but think of the processes and procedures as building blocks that can be reused and modified in the case of a real incident.

An important part of any public incident is effective communication with the press and your external stakeholders such as customers and shareholders.  An important part of this is going to be to get your legal and communications people on the same page as your executive.  The time to be figuring out what you will and won’t release publicly is not in the heat of an incident.  In my experience this usually leads to paralysis and ultimately looks like you have something to hide or are trying to mislead. Much the same as your incident strategy, the communication plan is best divised in advance as part of the mock incidents and table top exercises. In my opinion communicating the truth, early and often, is the best approach. The communication function was where Sony fell down the worst, both with internal and external communications.

With this in mind it seems like a good time for all of us to review our IR plans in the light of some of the high profile breaches this year.

-- Rick Wanner - rwanner at isc dot sans dot edu- http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

290 Posts
ISC Handler
There are outward signals that Sony might not be the sharpest in network security. For example, run sony.com through the test at www.ssllabs.com/ssltest/ Today they get an F. The US subsidiary does better but with the parent company doing so poorly it's likely an attractive target no matter what the politics are.
GordonM

14 Posts
s/pneumonic/mnemonic/

{^_-}

And special thanks to the people on watch tonight possibly making it the loneliest night of the year.

\{^_^}/ Hug from Joanne
JD

11 Posts
That's "mnemonic", not "pneumonic". The former is an aid to memory, while the latter is a lung infection.
Moriah

133 Posts

Sign Up for Free or Log In to start participating in the conversation!