A Computer Incident Response Team (CIRT) plan is a contingency plan: it prepares an organization to handle incidents that may occur in the future. Most organizations, large or small, now run their businesses on computers, which makes them susceptible to cyber-attacks and creates the need for a CIRT plan (Kleij et al., 2017). The KION Group is no exception: a system administrator has observed that several file servers at the company's headquarters are responding slowly, a symptom that may indicate a fault in, or an attack on, those servers. According to Kleij et al. (2017), cyber-attacks have been on the rise; therefore, CIRT plans should be updated frequently, and organizations should keep an adequately trained CIRT team on standby.
A CIRT plan guides the Computer Incident Response Team on how to conduct a response and prepares the organization for response activities (Voe & Rahman, 2015). This matters because it ensures that foreseeable incidents are planned for in advance so that, when one occurs, it is handled efficiently and with minimal damage (Voe & Rahman, 2015). Every organization should therefore have a CIRT plan, executed either by an in-house CIRT team or by an outsourced one.
The elements of a CIRT plan follow the incident-handling life cycle described in NIST SP 800-61: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity (Cichonski et al., 2012; Voe & Rahman, 2015). Preparation puts the team, tools, contact lists, and procedures in place before anything happens, so that the CIRT team is alert and ready to act. Detection and analysis then confirm that an incident is actually occurring, establish its scope, and determine which tools and which authorities must be involved. For example, depending on its nature, an incident could require the involvement of senior management or law enforcement.
The containment element involves bringing the incident under control so that its impact is kept to a minimum (Voe & Rahman, 2015). For example, if the incident affects network security, the affected hosts or network segment would be isolated immediately. This allows the CIRT team to stop the attack from spreading: an attacker who has gained access to one computer cannot move laterally to another once that computer is cut off from the network. Containment should be scoped deliberately, however. Disconnecting the entire network stops the business along with the attacker, and powering off a machine destroys volatile evidence such as memory contents, so the plan should state in advance which containment strategy applies to which kind of incident (Cichonski et al., 2012).
The eradication element ensures that everything the attacker introduced or changed during the incident is removed (Voe & Rahman, 2015). For example, malicious software that was installed is uninstalled, and any accounts or persistence mechanisms the attacker created are removed. Where data was manipulated, the tampered data is discarded and a clean backup is restored. All clean-up measures are carried out, including reimaging or reformatting hard drives where needed, but only after the forensic images and logs needed for the investigation have been preserved (Cichonski et al., 2012).
The recovery element restores everything affected by the incident to normal operation (Voe & Rahman, 2015). For example, data and network services are made available again only after security has been strengthened: compromised data is discarded and a clean backup restored, the weakness that was exploited is patched, and hardened network security configurations are put in place. Recovery is complete only when the restored systems have been verified, because restoring from a backup that already contains the attacker's changes simply reintroduces the incident.
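The check that closes the recovery step, as an added example that is not part of the paper or of any KION Group procedure: each restored file is compared against a manifest of SHA-256 hashes taken from the known-clean backup, and anything altered, missing, or unexpected (such as a file the attacker left behind) is reported before the share is handed back to users. The directory layout, file names, and manifest contents below are constructed for the example.

```python
"""Recovery check: verify restored file-server data against a known-good manifest.

Added example (not from the paper or KION Group). Before declaring recovery
complete, confirm that each restored file matches the SHA-256 recorded in a
manifest taken from the clean backup, and flag files that are altered,
missing, or unexpected. All paths and contents below are constructed.
"""
from __future__ import annotations

import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large share contents do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_restore(root: str, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree under `root` with `manifest` ({relative path: sha256}).

    Returns sorted lists under three keys:
      altered    - present but hash differs from the clean backup
      missing    - in the manifest but not restored
      unexpected - on disk but absent from the manifest (attacker residue?)
    """
    result: dict[str, list[str]] = {"altered": [], "missing": [], "unexpected": []}
    seen: set[str] = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                result["unexpected"].append(rel)
            elif sha256_file(full) != manifest[rel]:
                result["altered"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    for key in result:
        result[key].sort()
    return result


def build_demo() -> dict[str, list[str]]:
    """Construct a small restored tree and verify it.

    The tree (constructed for this example) contains one correctly restored
    file, one file that was tampered with, one encrypted leftover the attacker
    wrote, and one file the restore job skipped.
    """
    root = tempfile.mkdtemp(prefix="restore-check-")
    inventory = b"Q3 forklift inventory\n"
    manifest = {
        "finance/inventory.xlsx": hashlib.sha256(inventory).hexdigest(),
        "finance/payroll.csv": hashlib.sha256(b"original payroll\n").hexdigest(),
        "hr/contracts.docx": hashlib.sha256(b"contracts\n").hexdigest(),
    }
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "hr"))
    with open(os.path.join(root, "finance", "inventory.xlsx"), "wb") as fh:
        fh.write(inventory)                      # restored correctly
    with open(os.path.join(root, "finance", "payroll.csv"), "wb") as fh:
        fh.write(b"tampered payroll\n")          # content differs from backup
    with open(os.path.join(root, "finance", "payroll.csv.locked"), "wb") as fh:
        fh.write(b"encrypted")                   # residue not in the manifest
    # hr/contracts.docx is deliberately not written: the restore missed it
    return verify_restore(root, manifest)


if __name__ == "__main__":
    for category, paths in build_demo().items():
        print(f"{category}: {paths}")
```

The manifest must come from the backup media itself, hashed on a trusted host, not from the compromised server; otherwise the check only proves that the attacker's version was restored faithfully.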
CIRT Plan and Risk Management
Risk management seeks to eliminate risks and, where elimination is not possible, to mitigate them (Taherdoost, 2021). A CIRT plan has the same aim: it seeks to prevent incidents and, when they occur anyway, to limit their impact (Kleij et al., 2017). The two therefore serve similar goals. Risk management maintains documentation of possible risks, including how and by whom each would be eliminated or mitigated (Taherdoost, 2021); a CIRT plan holds the same kind of documentation, with a CIRT team always on standby (Kleij et al., 2017). Risk management is done so that an organization can withstand natural and man-made disasters and maintain business continuity (Taherdoost, 2021). Likewise, organizations maintain CIRT plans so that, even after a severe incident, they can eradicate its effects, recover, and continue to trade (Kleij et al., 2017). Both risk management plans and CIRT plans are embedded in organizational policy so that everyone in the organization knows what is expected of them. For example, organizational policies would instruct employees not to share their passwords, to log out of systems they are no longer using, and not to click links in e-mails from senders they do not recognize.
Five Ws in a CIRT
In a CIRT plan, the five Ws are who, what, where, when, and why. The incident identified at the KION Group is the slow response of several file servers. The five Ws would be used to analyze the situation further. The first W, who, identifies the persons involved in handling the incident. For example, a system administrator, a network administrator, and selected system users at various locations within the KION Group would form the CIRT team. Initially, it would not be necessary to involve all system users, because an incident should not be announced to everyone in its early stages (Voe & Rahman, 2015). The second W, what, describes the nature of the incident or the problem experienced (Voe & Rahman, 2015). In the KION Group's case, the what is the slow response of the file servers, and the analysis should record precisely which servers, which shares, and which operations are affected. The third W, where, identifies the location of the incident. The affected file servers are located at the KION Group headquarters, so the incident would be evaluated there and the response led from there.
Consequently, the solution would also be implemented at headquarters. The fourth W, when, specifies the time the incident occurred. For example, when did the file servers become slow, and when was the slowness first noticed? The gap between those two times matters, because an attacker may have been active well before the symptom was reported. The fifth W, why, documents the cause of the slow response once it has been established. At the outset the cause is a set of hypotheses to test: malware on the file servers (a ransomware infection encrypting files generates heavy disk and network activity), a failing disk or corrupted storage, or a compromised or saturated network, for example a denial-of-service attack. Confirming or ruling out each hypothesis enables the CIRT team to choose the right containment, eradication, and recovery steps.
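The why step above lists three competing explanations for the slow file servers. The following is an added example, not part of the paper or of any KION Group tooling, of how the CIRT team could weigh those hypotheses against log evidence during detection and analysis. The log sample is constructed, and its field layout (an audit line per file operation, a kernel I/O error line, and an SMB connection line) is an assumption; a real SMB audit log or syslog stream would need its own parser, but the scoring logic stays the same.

```python
"""Triage of a "slow file server" report against the three causes named in the
five-Ws analysis: malware on the servers, failing storage, and a compromised or
saturated network.

Added example, not from the paper or KION Group. SAMPLE_LOG is constructed and
its line format is an assumption made for this example.
"""
from __future__ import annotations

import os
import re
from collections import Counter

# Constructed sample of file-server audit, kernel and SMB connection log lines.
SAMPLE_LOG = """\
2024-03-04T08:12:01 fs01 audit src=10.20.5.17 user=jsmith op=RENAME path=/projects/q1.docx new=/projects/q1.docx.locked
2024-03-04T08:12:01 fs01 audit src=10.20.5.17 user=jsmith op=RENAME path=/projects/q2.docx new=/projects/q2.docx.locked
2024-03-04T08:12:02 fs01 audit src=10.20.5.17 user=jsmith op=RENAME path=/projects/budget.xlsx new=/projects/budget.xlsx.locked
2024-03-04T08:12:02 fs01 audit src=10.20.5.17 user=jsmith op=WRITE path=/projects/HOW_TO_RECOVER.txt
2024-03-04T08:12:03 fs01 audit src=10.20.5.21 user=amueller op=RENAME path=/hr/report.docx new=/hr/report_final.docx
2024-03-04T08:12:03 fs01 kernel I/O error, dev sda, sector 8842113
2024-03-04T08:12:04 fs01 audit src=10.20.5.17 user=jsmith op=RENAME path=/projects/plan.pptx new=/projects/plan.pptx.locked
2024-03-04T08:12:05 fs01 kernel I/O error, dev sda, sector 8842121
2024-03-04T08:12:05 fs01 smb connect src=203.0.113.9
2024-03-04T08:12:05 fs01 smb connect src=203.0.113.9
2024-03-04T08:12:05 fs01 smb connect src=203.0.113.9
2024-03-04T08:12:06 fs01 smb connect src=203.0.113.9
2024-03-04T08:12:06 fs01 smb connect src=203.0.113.9
2024-03-04T08:12:06 fs01 smb connect src=10.20.5.30
2024-03-04T08:12:07 fs01 kernel I/O error, dev sda, sector 8842130
"""

AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) audit src=(?P<src>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)
IOERR_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel I/O error, dev (?P<dev>[^,\s]+)")
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) smb connect src=(?P<src>\S+)$")

# Extensions the business normally stores; a RENAME to anything else is suspicious.
EXPECTED_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv"}


def triage(log: str, rename_threshold: int = 3, ioerr_threshold: int = 2,
           conn_threshold: int = 5) -> dict[str, list[str]]:
    """Return {hypothesis: [evidence, ...]} for every hypothesis the log supports.

    Thresholds are illustrative; a real deployment would tune them to the
    server's normal activity so that routine work is not flagged.
    """
    odd_renames: Counter = Counter()  # (user, src) -> renames to an unexpected extension
    io_errors: Counter = Counter()    # device -> kernel I/O errors
    connects: Counter = Counter()     # client address -> SMB connection attempts

    for line in log.splitlines():
        if m := AUDIT_RE.match(line):
            new = m.group("new")
            if m.group("op") == "RENAME" and new and os.path.splitext(new)[1] not in EXPECTED_EXT:
                odd_renames[(m.group("user"), m.group("src"))] += 1
        elif m := IOERR_RE.match(line):
            io_errors[m.group("dev")] += 1
        elif m := CONN_RE.match(line):
            connects[m.group("src")] += 1

    findings: dict[str, list[str]] = {}
    for (user, src), n in sorted(odd_renames.items()):
        if n >= rename_threshold:
            findings.setdefault("malware", []).append(
                f"{user} from {src} renamed {n} files to an unexpected extension (ransomware pattern)")
    for dev, n in sorted(io_errors.items()):
        if n >= ioerr_threshold:
            findings.setdefault("storage", []).append(f"{n} kernel I/O errors on {dev} (failing disk)")
    for src, n in sorted(connects.items()):
        if n >= conn_threshold:
            findings.setdefault("network", []).append(f"{n} SMB connections from {src} (flood or scanning)")
    return findings


if __name__ == "__main__":
    for hypothesis, evidence in triage(SAMPLE_LOG).items():
        print(hypothesis)
        for item in evidence:
            print("  -", item)
```

In the constructed sample all three hypotheses are supported at once, which is the realistic case: a ransomware process hammering the disk can surface as I/O errors, and the team still has to decide which finding drives containment first. The routine rename by amueller is not flagged because its new extension is on the expected list.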
Leveraging BCP and DRP for KION Group
Both business continuity plans (BCP) and disaster recovery plans (DRP) exist to ensure that an organization gets back on its feet after a disaster. The two documents can therefore be used to strengthen the CIRT plan. A disaster recovery plan documents response procedures for specific incidents (IBM, 2022). For example, the KION Group's DRP would include a procedure for handling a ransomware incident. This educates all stakeholders on how to recognize a ransomware incident and how to respond to it. An employee could notice, for instance, that files he uses every day are suddenly inaccessible or carry unfamiliar extensions, which should prompt him to report the issue to IT staff immediately rather than trying to open or recover the files himself. Early reporting of an attack, whether ransomware or a denial of service, allows the CIRT team to contain it before the impact spreads. A business continuity plan would contain a section listing the CIRT team members and how to contact them when an incident is identified (IBM, 2022), together with the recovery priorities that tell the CIRT team which systems must be brought back first. Such information empowers employees as well as other stakeholders.
Updating CIRT for KION Group
According to Kleij et al. (2017), cyber threats keep changing as attackers look for new ways to exploit cyberspace, so a CIRT plan written today can be outdated within months. Organizations therefore benefit from reviewing and updating their CIRT plan against recent threat reports such as IBM's X-Force Threat Intelligence Index (IBM, 2022), which highlights ransomware and attacks on manufacturing companies, both directly relevant to the KION Group. In the scenario at hand, a slow response from the file servers could be the first sign of a denial-of-service attack or of ransomware encrypting the shares. If the file servers are virtual machines, a compromised hypervisor or a misbehaving neighboring VM on the same host could also explain the slowdown, so the plan should cover the virtualization layer as well as the guests. Just as patching is needed frequently, so is a CIRT plan update (IBM, 2022). A CIRT plan should be updated by identifying and implementing new security measures, and the CIRT team should be retrained whenever the plan changes.
Five Best Practices in Creating a CIRT Plan
The first best practice is to write the CIRT plan in easy-to-understand terms, using common terminology rather than jargon where possible (Cichonski et al., 2012), so that it is readable by both technical and non-technical members of the CIRT team. The second is a plan that is simple to implement (Cichonski et al., 2012). This is achieved by clearly stating the steps to follow during an incident response, so that the next step, the tasks, and the CIRT team members involved are easy to identify. For example, the plan should indicate which items receive high priority, such as which data or which subnetwork must be protected first, and whom to call if a CIRT team member is unreachable. The third is to ensure that the CIRT plan does not contradict the organization's policies (Cichonski et al., 2012); contradictions would leave the CIRT team unsure of what to do during an incident response. The fourth is a plan that can be tested before implementation (Cichonski et al., 2012), meaning that it can be exercised through simulations or tabletop exercises. The fifth is a plan that can be updated after implementation, because attackers keep reinventing their attacks and a plan that is not maintained becomes ineffective.
Based on this research, all organizations need a CIRT plan, whether in-house or outsourced. The plan should be clearly documented so that it is easy to understand, implement, and update. A slow response from file servers may be the first sign that a cyber-security incident has started. The elements of a CIRT plan, namely preparation, detection and analysis, containment, eradication, and recovery, would be used to handle the incident at the KION Group headquarters, where the file servers may be compromised. Following best practices when writing the plan is essential to making it robust.
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST Special Publication 800-61, Revision 2). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
IBM. (2022). X-Force Threat Intelligence Index 2022. https://www.ibm.com/security/data-breach/threat-intelligence/
Kleij, R. V., Kleinhuis, G., & Young, H. (2017). Computer security incident response team effectiveness: A needs assessment. Frontiers in Psychology, 8, 1-8. https://www.researchgate.net/publication/321754991_Computer_Security_Incident_Response_Team_Effectiveness_A_Needs_Assessment
Taherdoost, H. (2021). A review on risk management in information systems: Risk policy, control and fraud detection. Electronics, 10(24), 1-23. https://doi.org/10.3390/electronics10243065
Voe, C. D., & Rahman, S. M. (2015). Incident response plan for a small to medium-sized hospital. International Journal of Network Security & Its Applications, 5(2), 1-20. https://www.researchgate.net/publication/285649087_Incident_Response_Plan_for_a_Small_to_Medium_Sized_Hospital
KION Group is a global material-handling equipment company based in Germany; forklift trucks and warehouse automation equipment are the company's main products. KION Group needs to prepare for the computer incidents of today and tomorrow. A computer incident response team (CIRT) plan helps an organization prepare for a range of computer security incidents.
This assignment discusses a CIRT plan, which serves as a contingency plan for the KION Group. Yesterday a system administrator noticed that several of the file servers at headquarters (HQ) were responding very slowly. KION Group headquarters handles all incidents, so the plan will have its roots at HQ.
Read a recent article, such as the latest IBM Threat Intelligence Index, to gather information on current threats. Remember to leverage the BCP and DRP you generated for the organization last week.
Write a 5–6 page paper in which you:
Describe the purpose and primary elements of a CIRT plan.
Discuss the relationship between a CIRT plan and risk management.
Discuss the five Ws (who, what, where, when, and why) found in a CIRT plan in regard to the incident given in the above scenario.
Explain how KION Group can leverage its BCP and DRP to develop and support its CIRT plan.
Please explain how you think threats will evolve to impact KION Group in the future and how the CIRT plan should be updated to combat them.
Discuss at least five best practices to follow when creating a CIRT plan.
Use at least two quality resources in this assignment. Note: Wikipedia and similar websites do not qualify as quality resources. The Strayer University Library is a good source of help.