
Chapter 4. Incident Response

Mike McGrath

Fedora Infrastructure Lead
Fedora Project
4.1. Introduction
4.1.1. The Rules
4.1.2. Incident Response Team
4.1.3. Management
4.2. Prerequisite Tasks
4.3. Assessment and Communication
4.3.1. Management Chain Notification
4.3.2. Threat Assessment
4.3.3. Entry Investigation
4.3.4. Impact-Assessment
4.3.5. Partner Communication
4.3.6. Public Disclosure
4.4. Actions
4.4.1. Investigation
4.4.2. Data Integrity Plan
4.4.3. Re-secure Environment Plan

4.1. Introduction

This document sets out the procedures that are to be followed in the event of a security-related incident. Each incident will have an acting incident coordinator at all times. The incident coordinator is charged with coordinating task responsibilities, and with finding another coordinator in the event that he or she becomes unavailable.

4.1.1. The Rules

You have been directed to read this policy because you are either involved in an incident, or because you have been asked to be part of an investigation related to a security incident. While performing the tasks below please keep the following in mind.
Incident Rules

Complete | Requirement | Action                 | Comment
         | Must Not    | Make Changes           | Unless it is part of a task that is assigned to you, do not make any changes to a host without permission from the incident coordinator. This includes shutting services down, logging in or out, and other configuration changes.
         | Must Not    | Task Assignment        | Incident team members must not work on tasks that have not explicitly been assigned to them without discussing it with the incident coordinator or the task leader. [38]
         | Must        | Information Disclosure | Discussion of the incident must only happen between the members of the team chosen by the incident coordinator. Before discussing any incident with someone, make sure they are on the list of team members. [39]
         | Must        | Assumptions            | Do not make any assumptions about task assignments or completion. Discuss any concerns you have with the incident coordinator.

4.1.2. Incident Response Team

Anyone specifically contacted and assigned responsibility for a task related to this incident automatically becomes a member of the incident response team. The team may include non-technical members involved with marketing or legal tasks.

4.1.2.1. Incident Coordinator

The incident coordinator is accountable for all technical issues related to the incident. If a compromise is involved, the incident coordinator is ultimately charged with discovering the nature of the incident; assessing the extent of any damage or risk to services, users, or data; concluding the incident as quickly and efficiently as possible; and creating and implementing a plan for mitigation and prevention of future damage or risk. This role is largely technical, but the incident coordinator must also work with team members to coordinate and delegate tasks. This coordination includes, but is not limited to, working with hosting providers, providing or summarizing information for reporting or dissemination, and ensuring that team members are following the incident response plan.
The tasks below must be completed in an order determined by the incident coordinator. Tasks that require or depend on another task are to be explicitly so defined. As each task is completed it should be marked completed on the task list. Some tasks require written answers to questions. Coordinate the answers to these questions for factual correctness among chosen parties via a secure communications channel.

4.1.2.2. Task Coordinator

Each task is to be assigned to a task coordinator. Each task must be completed and the results (if any) should be given back to the incident coordinator. Do not work on tasks that have not been assigned to you. Multiple team members may be working on one task, though only one of them is to be designated the coordinator of that task. Many tasks can be accomplished in parallel, but some tasks must be processed sequentially. Tasks are to be labeled if they must be completed sequentially. Any assignment with a "sign off" field must be signed off by the task coordinator to ensure it has been completed and verified.
It is also the responsibility of the task coordinator to ensure that once a task is done, the task is marked as completed along with the identity of the team member who completed it. If a team member is unable to complete a task, it is the team member's responsibility to inform the incident coordinator. The team member should then attempt to find a replacement from the incident response team, and must notify the incident coordinator whether a replacement has been found. The incident coordinator is ultimately responsible for ensuring that all tasks are assigned properly.

4.1.3. Management

Generally the incident coordinator reports to or works with one or more further managers. Although managers may not be involved directly in specific tasks, it is important to keep them informed of the plan for investigation and recovery, and of the overall progress. Managers are responsible for ensuring that the technical members of the incident response team are able to work as unfettered as possible, and that the appropriate entities outside the team are kept properly informed. For instance, it should not be the responsibility of the technical team to also manage communication with end users.


[38] Maintaining strict task separation ensures that team members can work independently and not step on each other's toes.
[39] Due to the sensitive nature of a security event, additional information should not be exposed to the attacker(s). This restriction has the unfortunate side effect of decreasing openness about the handling of the event. Timely communication to service users and efficient resolution of the problem can help decrease this effect.