This chapter focused on the center of the incident response puzzle: the policies and procedures. The operational aspects of computer incident response were discussed in detail, with particular attention given to the response life cycle. The phases of that life cycle, each addressed in detail, may be summarized as follows: preparation, incident identification, notification, incident analysis, remediation, and lessons learned.
Often the lessons learned will feed directly into improvements that can be made to strengthen the security of the infrastructure, thus beginning the life cycle again. This outline may be used as a starting point for documenting the procedures that an incident response team should follow. It is reiterated here to reinforce the importance of these steps to the incident response puzzle.
This chapter also presented an overview of reporting criteria, addressing topics such as the report form, the importance of feedback, and the use of a trouble ticket system. The importance of a database for storing incident data was discussed, with emphasis on its value for incident correlation and for generating and tracking statistics. Methods for keeping current with the latest vulnerabilities and trends once the team is formed were presented, as well as rules of thumb for writing and distributing advisories. Not every incident response team should write advisories; several good sources of advisories are available that can just as easily be leveraged. Too many advisories can lead to the same problem many have experienced with too many vulnerabilities: in time, people tend to ignore warnings that are distributed too frequently.
Combined, these topics outline many of the daily considerations that a team in operation must take into account. They complete the overall picture of the incident response team puzzle. The remainder of the book provides more detail on issues presented in this and earlier chapters. Although the elements described in Chapter 8 will assist with the task of writing policies and procedures for the response team, it is strongly recommended that you read the remaining chapters before those procedures are documented or finalized. Additional details in the following chapters may provide further, more granular hints for developing your procedures.