Rationale for Using an Incident Response Methodology


Is it important to use an incident response methodology? Both of this book's authors, longtime veterans of the incident response arena, are confident that the answer is a resounding "yes." Reasons are discussed in the following sections.

Structure and Organization

It would be nice if security-related incidents generally occurred in a slow and orderly fashion. In this hypothetical scenario, staff charged with the responsibility of dealing with such incidents would have the luxury of being able to "dabble" with the incidents, turning their attention to events at hand as their whims dictated. Anyone who has been involved with security-related incidents, however, knows that in the real world, dealing with incidents in this manner would be ludicrous. In reality, pandemonium can and does occur very quickly when security-related incidents happen. Worse yet, in real-life settings, incidents tend to occur in anything but a serial fashion. Simultaneous incidents are more the rule than the exception, especially in larger organizations with massive computing infrastructures. Using a methodology for responding to incidents helps impose structure and organization in situations that can otherwise get out of control very quickly.

Efficiency

Security-related incidents are often costly, both in direct financial terms and in the toll they take on the people and organizations involved. The longer an incident lasts, the higher the probability that the cost and disruption it causes will escalate. Using a sound methodology means using processes and procedures that have proven their value in resolving incidents with greater efficiency.

Facilitating the Process of Responding to Incidents

Following a methodology for responding to incidents facilitates the process of responding to incidents. By this we mean that a suitable methodology breaks incidents into distinct stages and defines suitable procedures and methods for dealing with each stage. Additionally, a suitable methodology helps those who are responding to incidents recognize when one particular phase of an incident has ended, necessitating a shift in response strategy to deal with the next phase. (For example, at first, an incident response team might try to identify the source of an attack and the identity of the attacker. Over time, however, they might discover that while they are conducting tracing activity, the attacker is damaging other systems. A shift in response strategy, from tracing to containment, would then be necessary.) Finally, a good methodology actually incorporates mechanisms for improving the process of responding to incidents. The discussion in the "Follow-Up" section later in this chapter explains this notion in greater detail.

Unexpected Benefits: Dealing with the Unexpected

Another significant benefit of using a methodology for responding to incidents is that it tends to help those who use it to better understand the process of dealing with incidents. A good methodology incorporates a thorough understanding of the process of dealing effectively with incidents. As staff members follow this methodology, they develop a mental framework for effective incident response that can be extrapolated into novel situations for which no procedures exist at the time they are needed. Following an incident response methodology can thus help those who respond to incidents to deal with the unexpected.

Legal Considerations

One of the recurrent themes in Chapter 7, "Legal Issues," is that whatever happens when people and automated processes respond to incidents has strong legal repercussions. In many countries (and especially in the United States), someone can file a lawsuit for almost any reason. If an incident gets out of control, becoming increasingly costly and complicated, someone might have strong grounds for a lawsuit, especially if the escalation of the incident can be linked in a court of law to incompetent decisions and actions made in responding to the incident. We have already seen, however, that following a sound incident response methodology lessens the likelihood that incompetent and inefficient actions will occur, because a proven framework guides the process of responding to an incident. In many respects, adopting and following a widely accepted incident response methodology constitutes the practice of "due care": adopting a reasonable and responsible set of measures to guard against harm. Legal considerations thus constitute still another reason for following an accepted incident response methodology.

RFC 2196: Incident Management

RFC 2196, the Site Security Handbook (see ftp://ftp.isi.edu/in-notes/rfc2196.txt), provides incident management guidelines for minimizing the potential adverse impact of incidents. Its guidance includes avoiding too many technical details when informing employees of security-related incidents, working with law enforcement agencies in gathering evidence, and having the public relations office handle contacts with the media. The provisions of this RFC are described in Appendix A, "RFC-2196."

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
