The performance of the incident response team during a forensic investigation is very important. But during a forensic investigation most participants are focused on task assignment and data gathering for optimum analysis, while the incident may become worse because containment and isolation are delayed. This proposal introduces a four-dimension calculation technique to easily assess the proper stage of an incident according to its context, for proper authority escalation and decision making.
The importance and necessity of establishing forensic investigation for cyber security is clear. According to NIST 800-86, the forensic process consists of collection, examination, analysis and reporting. However, this process often requires a considerable amount of time. Time-consuming operations can have an adverse effect on the quality or accuracy of the result if the whole process is not well designed. Managing time in a forensic investigation is therefore crucial: in many cases the consequences become worse when response planning is poor. A response staging system for escalating responsibility or reporting to the right level for decision making could therefore be valuable.
According to ISO 27035, a proper response organization shall be established to ensure adequate preparedness and optimum performance. Here we try to integrate the forensic investigation process with incident response planning to produce an integrated staging result that reflects time-driven performance. The point is that responsibility will be escalated, based on different factors and measures, to the proper authority for a certain level of decision making, instruction or attention.
Part 1, Service Scoring
Organizations have different business processes to achieve their corporate outcomes. Each business process may utilize certain resources, tools and techniques for goal realization, including IT tools, processes and systems.
The importance and impact of IT services on business processes can be evaluated in a simple cross-functional table, but comparing different IT services with equal weighting is not fair. The same holds for business processes: each business process has its own importance at the corporate level, which is why processes shall be weighted fairly relative to each other.
For instance, here we defined 3 weight levels for each service and process. This means that IT Service 2 is more important to the business than the other services. Similarly, Business Process 4 is the most critical process for the organization. These weights and figures should have adequate support and reasoning from subject-matter experts inside the organization before proceeding to the next stage.
Then we categorized each Service-Process (SP) pair into three major levels:
Dependent: with a score of 5, which means the process will fail without the specific service.
Relative: with a score of 2, which means the process will be degraded if the service fails.
Not Applicable: with a score of 0, which means the service and the process are independent.
Finally, we run the impact assessment by evaluating each process against the services, as shown in table 1.
Table 1. Service-Process impact assessment (row weight W(p) in the first column, service weight W(s) in the header row)

W(p)  Business process     IT Service 1     IT Service 2     IT Service 3
      Weight W(s)          1                2                1
1     Business Process 1   Dependent        Relative         Not Applicable
2     Business Process 2   Relative         Dependent        Not Applicable
1     Business Process 3   Dependent        Dependent        Dependent
3     Business Process 4   Dependent        Not Applicable   Dependent
      Service Score        5+4+5+15 = 29    4+20+10 = 34     5+15 = 20

At the end of this stage each service score can be quantified as the sum, over all processes, of SP × W(s) × W(p), where W(s) is the service weight and W(p) the process weight.
The result reveals a fair scale for deciding how much attention each service should receive.
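As an added example (not part of the original proposal), the following Python reproduces the Part 1 calculation for table 1: the SP levels, the service weights W(s) and the process weights W(p) are taken from the table above, while the function and variable names are assumptions.

```python
# Added example (not from the original proposal): Part 1 service scoring,
# i.e. for each service the sum over processes of SP x W(s) x W(p).

# Service-Process (SP) dependency levels as defined in the text.
SP_SCORE = {"Dependent": 5, "Relative": 2, "Not Applicable": 0}

# Constructed to reproduce table 1: service weights W(s) and process weights W(p).
SERVICE_WEIGHTS = {"IT Service 1": 1, "IT Service 2": 2, "IT Service 3": 1}
PROCESS_WEIGHTS = {
    "Business Process 1": 1,
    "Business Process 2": 2,
    "Business Process 3": 1,
    "Business Process 4": 3,
}
# Dependency level per process, one entry per service (same order as SERVICE_WEIGHTS).
DEPENDENCIES = {
    "Business Process 1": ["Dependent", "Relative", "Not Applicable"],
    "Business Process 2": ["Relative", "Dependent", "Not Applicable"],
    "Business Process 3": ["Dependent", "Dependent", "Dependent"],
    "Business Process 4": ["Dependent", "Not Applicable", "Dependent"],
}


def service_scores(service_weights, process_weights, dependencies):
    """Return {service: score} with score = sum over processes of SP x W(s) x W(p)."""
    services = list(service_weights)
    scores = {service: 0 for service in services}
    for process, levels in dependencies.items():
        if len(levels) != len(services):
            raise ValueError(f"{process}: expected one dependency level per service")
        for service, level in zip(services, levels):
            # An unknown level name raises KeyError instead of silently scoring 0.
            scores[service] += SP_SCORE[level] * service_weights[service] * process_weights[process]
    return scores


if __name__ == "__main__":
    for service, score in service_scores(SERVICE_WEIGHTS, PROCESS_WEIGHTS, DEPENDENCIES).items():
        print(f"{service}: {score}")
```

Running it prints the same 29, 34 and 20 that table 1 shows in its Service Score row.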
Part 2, Incident Scoring
For accurate and fair incident prioritization, different aspects of each incident shall be identified and calculated. When a security incident has been identified and a forensic investigation is in progress, all attention and focus is on performing the specific jobs well; that is the crucial time when good management of incident handling and timely decision making can reduce or limit the consequences or possible future impacts.
In this model we use the service score from the section above in conjunction with other factors, namely:
Spreading and Distribution Scope
Nature and Category of Incident
Response Duration and Performance
These factors combine into the incident score, which is then scaled to identify the response stage, which in turn decides the escalation of responsibility to the appropriate authority.
Service Category: each service can be categorized into a group according to its calculated score. The service score calculation sample above can generate scores in the range 0 to 180; for this instance we use the following scales:
Critical (3): services scoring higher than 50.
Important (2): services scoring in the range 16 to 49.
Normal (1): services scoring lower than 15.
Incident Spreading: this factor can be designed and decided based on the organization's context, but for this purpose we proceed based on the number of people affected by the spread of the incident:
High (3): more than 70% of employees.
Medium (2): more than 20% of employees.
Low (1): less than 20% of employees.
Incident Category: the nature of the incident can impose limitations on the applicable controls; for instance, in the case of natural disasters the options for a timely response are very limited. The scoring is based on the possibility of systematic control over the nature of the incident for prevention; where no control is possible, the highest value shall be used. We use some sample categories from ISO 27035, listed below:
Category 3: such as natural disasters of any kind, or technical system failures.
Category 2: such as malicious code attacks or virus infection.
Category 1: such as sabotage or unintentional human error.
Performance Score: this one is dedicated to response performance, i.e. how fast the incident can be brought under control, as defined in the groups below:
Out of Control (3): took more than a week to respond to, limit and close the incident.
Good (2): took more than 3 days to respond to, limit and close the incident.
Excellent (1): took less than 3 days to respond to, limit and close the incident.
Incident Score: the final incident score is based on a 4D calculation of the information given. The point is that the incident score stays relative to response performance: if an incident cannot be resolved within a certain time frame, the score automatically increases, and this increase is later counted in the staging and escalation decision.
Incident Score = Incident Category × Service Category × Spreading × Performance
Response Stage: the final part is determining the stage of the incident based on the calculated incident score. Each stage requires different authorities, communication and engagement, therefore shifting from one stage to another means escalating the response coordination authority. As an instance, we designed the staging criteria as below:
Stage 3 – score 40 and higher: mission-critical incidents which require special attention. This level of staging requires organization, state or city council participation, with the possibility of notifying the appropriate CERT centers when elevated.
Stage 2 – score 15 and higher: important incidents which require notification to appropriate authorities such as senior managers, e.g. operations managers or the managing director.
Stage 1 – score 14 and lower: incidents that should be resolved internally within a certain time frame and, if closed successfully, reported as normal incidents to the respective stakeholders.
According to these definitions, the 4D matrix below is the final output. Each cell is Incident Category × Service Category × Spreading × Performance; rows are grouped by service category and performance, columns by incident category and spreading:

                        Incident 1             Incident 2             Incident 3
Service  Performance   Spr 1  Spr 2  Spr 3    Spr 1  Spr 2  Spr 3    Spr 1  Spr 2  Spr 3
   3          3           9     18     27       18     36     54       27     54     81
   3          2           6     12     18       12     24     36       18     36     54
   3          1           3      6      9        6     12     18        9     18     27
   2          3           6     12     18       12     24     36       18     36     54
   2          2           4      8     12        8     16     24       12     24     36
   2          1           2      4      6        4      8     12        6     12     18
   1          3           3      6      9        6     12     18        9     18     27
   1          2           2      4      6        4      8     12        6     12     18
   1          1           1      2      3        2      4      6        3      6      9
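As an added example (not from the original proposal), this Python implements the Part 2 scales, the 4D product and the stage thresholds exactly as listed above, rebuilds the matrix, and re-scores one constructed incident as the response drags on to show the time-driven escalation. The function names, the constructed scenario, and the treatment of boundary values the text does not cover (a service score of exactly 15 or 50, a response of exactly 3 days) are assumptions.

```python
# Added example (not from the original proposal): Part 2 incident scoring and staging,
# Incident Score = Incident Category x Service Category x Spreading x Performance.
from itertools import product


def service_category(service_score):
    """Part 1 score -> Critical 3 / Important 2 / Normal 1, bands as given in the text.
    Scores of exactly 15 or 50 fall between the text's bands; as an assumption they
    are placed in the lower band."""
    return 3 if service_score > 50 else 2 if service_score >= 16 else 1


def spreading_level(affected_fraction):
    """Fraction of employees affected -> High 3 / Medium 2 / Low 1."""
    return 3 if affected_fraction > 0.70 else 2 if affected_fraction > 0.20 else 1


def performance_level(days_to_close):
    """Days to respond, limit and close -> Out of Control 3 / Good 2 / Excellent 1.
    Exactly 3 days is not covered by the text; assumed Excellent here."""
    return 3 if days_to_close > 7 else 2 if days_to_close > 3 else 1


def incident_score(category, service, spreading, performance):
    """The 4D product; every factor must already be on the 1..3 scale."""
    factors = (category, service, spreading, performance)
    if any(f not in (1, 2, 3) for f in factors):
        raise ValueError("every factor must be 1, 2 or 3")
    return category * service * spreading * performance


def response_stage(score):
    """Stage thresholds from the text: 40 and higher -> 3, 15 and higher -> 2, else 1."""
    return 3 if score >= 40 else 2 if score >= 15 else 1


def four_d_matrix():
    """Rebuild the full 4D matrix as {(service, performance, category, spreading): score}."""
    return {(s, p, c, sp): incident_score(c, s, sp, p)
            for s, p, c, sp in product((1, 2, 3), repeat=4)}


if __name__ == "__main__":
    # Constructed scenario: malicious code (category 2) hitting IT Service 2 (score 34 ->
    # Important), 25% of staff affected; re-scored on days 2, 5 and 10 of the response.
    for days in (2, 5, 10):
        score = incident_score(2, service_category(34), spreading_level(0.25), performance_level(days))
        print(f"day {days}: score {score}, stage {response_stage(score)}")
```

The same incident scores 8 (Stage 1) while closed within 3 days, 16 (Stage 2) after 5 days and 24 after 10 days, so the escalation is driven purely by response duration.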
By using this model, the incident management team has a clear guideline for the escalation criteria of an emergency situation. With on-time escalation, proper decisions on public notification or calling in appropriate crisis management become feasible. On-time decision making helps reduce possible loss and protect reputation and information assets.