The typical threat assessment levels of most computer security incidents fall in the range of very low to moderate and the basic steps of identification, notification, communication, containment, eradication, and recovery are usually not overly complex. With such incidents, the Information Security Office is tasked with reporting the incident, reducing impact of the security incident (e.g., setting network quarantines), and ensuring the respective unit is able to remediate the problem.
This Incident Response Plan outlines The University of Texas at Austin’s response to an incident that has progressed to a severe or very severe level where speed, preparation, organization, and a clearly articulated plan are required in order to minimize or mitigate damage to and loss of university Information Resources and Information Technology assets. When these kinds of incidents occur the procedures outlined in this plan are activated, and the Computer Incident Response Coordinator assembles the Computer Incident Response Team (virtually or in person) and appoints the Communications Coordinator and a Lead Incident Handler from the Information Security Office. Other groups or individuals may be called in as needed.
This plan applies to all university Information Resources and any User or Computing Device that accesses those resources.
The Information Security Office is required by the Information Resources Use and Security Policy, UT System Policy 165, and Texas Administrative Code 202 to establish and follow Incident Management Procedures to ensure that all incidents are reported, documented, and resolved in a manner that restores operation quickly and, if required, maintains evidence for further disciplinary, legal, or law enforcement actions.
- An event is an exception to the normal operation of IT infrastructure, systems, or services. Not all events become incidents.
- An incident is an event that, as determined by ISO staff, violates the Information Resources Use and Security Policy, Minimum Security Standards for Systems, Acceptable Use Policy; other university policy, standard, or code of conduct; or threatens the confidentiality, integrity, or availability of Information Resources.
Incidents may be established by review of a variety of sources including, but not limited to, ISO monitoring of systems and services; reports from faculty, staff, students, or outside organizations; and service degradations or outages.
Detected vulnerabilities may be classified as incidents in some rare situations, if the vulnerability is critical in nature such that exploitation would put Confidential Data on affected systems at risk of disclosure, the vulnerability is widely published with proof of concept code available, and a patch or update remedying the vulnerability is not yet released.
The ISO employs tools to scan university Information Resources, and depending on severity of found vulnerabilities may warn affected users, disconnect affected machines, or apply other mitigations. In the absence of indications of unauthorized disclosure of Controlled or Confidential Data, vulnerabilities will be communicated and the ISO will pursue available technology remedies to reduce that risk.
For consistency, the following terms are used in this policy as defined in the Information Resources Use and Security Policy and will not be defined again here:
Roles and Responsibilities
Information Security Office
- Computer Incident Response Coordinator (CIRC)
- The Chief Information Security Officer (CISO) or a person designated by the ISO shall serve as Computer Incident Response Coordinator, who makes decisions and coordinates the University’s response to a severe or very severe computer security incident. The CIRC consults with and provides continuing updates to the university executive leadership. If the CISO is unavailable and a substitute has not been designated, another member of the Information Security Office will serve in this capacity. The CIRC is responsible for assembling the Computer Incident Response Team, assigning tasks, and making critical decisions. The members of the Computer Incident Response Team will vary depending on the type and severity of the incident. The CIRC shall appoint the Communications Coordinator and a Lead Incident Handler. If necessary, the CIRC will help assemble departmental Remediation Teams and coordinate their efforts.
- Communications Coordinator (CC)
- The CIRC shall appoint a Communications Coordinator to lead and direct the incident communications. Depending on the nature and scope of the incident, the Chief Communications Officer may be contacted by the CC. The CC coordinates the communication of timely and accurate information during an emergency and directs media inquiries to the appropriate person(s). Depending on the nature of the emergency, electronic mail, Web pages, and possibly phones and faxes may be unavailable as a means of communication. The CC should be prepared to utilize many different avenues of communication to spread the word. Consistent with the provisions of this section, the CC shall have the authority to assemble a communications team, delegate tasks, and take other actions as required.
- Lead Incident Handler (LIH)
- The CIRC shall designate a member of the Information Security Office to lead the Computer Incident Response Team and provide technical expertise in identifying, diagnosing and creating a detailed technical plan of response to the incident. The LIH should have the technical skills to distinguish a real attack from a hoax, quickly assess the scope of the incident, and identify critical systems or services that may be at risk. The LIH should also provide content for dissemination by the CC and leadership in training on-site Remediation Teams.
- Computer Incident Response Team (CIRT)
- For low to moderate threat situations, the Computer Incident Response Team may consist only of Information Security Office staff. Otherwise, membership will vary depending on the nature and type of the incident.
Colleges, Schools, Units
- Remediation Team(s)
- On-site teams isolate, eradicate, and facilitate recovery from a computer security incident. Remediation Teams should have both the technical skills to carefully and methodically deal with attacked systems and the customer service skills to reassure users during a potentially stressful period. The members of these teams should have a calm and professional demeanor and the ability to work quickly but accurately.
The Chief Communications Officers will be informed of severe or very severe incidents and will assume responsibility for media contact.
A reasoned approach to computer security incidents gauges the level of response to the danger posed by the emergency. An incident that is not widespread and does not cause significant damage should not receive the same degree of response or the same commitment of human and computing resources as a very dangerous exploit or mass-mailing worm affecting many computers at UT Austin. Likewise, a vulnerability that gives the attacker complete control over computers should receive a high level of attention. The Computer Incident Response Team will assess the risk posed by each malicious program or computer emergency as soon as it is detected. The threat assessment will be updated as the situation warrants. Threat assessment is an inexact science. For each incident, the number of computers potentially affected, the number actually affected, and the potential damages are all unknown to a certain extent.
The Computer Incident Response Team, operating with imperfect knowledge, must make reasonable estimates of each of the factors and use those factors to formulate a necessarily inexact threat assessment. As more information becomes available and as the nature of the threat evolves, the assessment team will modify the threat assessment. While threats usually diminish as the incident is contained and eradicated, some exploits and destructive devices develop variations or new features, making them more of a threat. The Computer Incident Response Team will consider a number of factors in determining the threat posed by a computer security incident. The threat components are grouped into two categories: the probability that damage will occur, and the severity of the damage if it does occur.
Classification of Probability
Low: Insignificant number of infected computers, non-virulent (e.g. Trojan horse), easy detection, uncommon computing platform.
Medium: Significant number of affected computers and geographical distribution, moderately virulent (e.g., virus), moderate difficulty of detection.
High: Great number of affected computers and common platforms, wide geographical distribution, highly virulent propagation, difficult detection (e.g., NetBIOS vulnerability).
Classification of Damage
Low: No destructive payload or incidental damage, easy removal.
Medium: Non-destructive trigger, isolated file modification or repairable file damage, moderate difficulty of removal.
High: Destructive payload including extensive or non-repairable file destruction or modification, very high server or network traffic, non-repairable computer damage, large-scale security breach, difficult removal.
Threat Assessment Level Determination
|Probability of Occurrence|
Very Low: Characterized as not dangerous and not widespread. No response required except addressing the immediate problem by notifying those responsible for the equipment or resources involved, who then resolve the problem.
Low: Characterized as either moderately dangerous or moderately widespread, with low severity of damage or low probability of occurrence. Post alert on Security Alerts web page or send e-mail alert to the IT community within a day of detection. Apply network quarantines as necessary.
Moderate: Characterized as either dangerous or widespread or virulent. Post e-mail alert to IT community the same day as detection. Post alert on ITS web pages the same day as detection. Recommend update to appropriate virus definitions, security patch, Hotfix, service pack, etc. at weekly update, or otherwise, as soon as possible. Apply network quarantines as necessary.
Severe: Characterized as highly dangerous and either highly widespread or very virulent. Post Spotlight on Web Central within hours of detection. CIRC assembles team and plans response. Recommend immediate updates of virus definitions, security patch, Hotfix, service pack, etc. as appropriate. Ensure appropriate software updates are available. Apply network quarantines as necessary.
Very Severe: Characterized as highly dangerous, widespread, and virulent. Post Spotlight on Web Central within hours of detection. CIRC assembles team and plans response. Urge immediate updates of virus definitions, security patch, Hotfix, service pack, etc., disk or network security.
Threat Escalation
New threat escalation path diagram goes here.
Communication Path
New communication path diagram goes here.
Forensic analysis of compromised devices may be helpful as an incident develops in order to identify the cause and assess the impact of the incident. If this is determined to be necessary by the CIRT, Remediation Teams in affected departments will be asked to install one or more online forensics tools for use by the ISO. In some cases, it may be necessary for the ISO to have physical access to and control over an affected device, in which case the Remediation Teams should promptly make the requested physical hardware or virtual machine images available to the ISO for acquisition and analysis.
Incident Response Lifecycle
This is not a comprehensive list of all tasks that must/will be undertaken at each phase, but is instead a general outline of the purpose of every phase and some tasks that may be performed during each.
- Discover incident via security monitoring or notification by inside or outside party.
- Determine risk of continuing operations.
- Classify the nature and scope of the incident with an initial threat assessment level. This assessment may change as more information becomes available.
- Assemble the Computer Incident Response Team for Severe and Very Severe threats.
- Determine Technical Plan of Action.
- Identify and isolate affected hosts or systems via port filters, quarantines, etc.
- Communicate with University community, based on current threat assessment and technical plan, to help prevent the spread of the attack.
- Collect and preserve evidence if law enforcement is likely to become involved.
- Determine cause and scope of incident.
- Ensure system integrity; maintain user data.
- Instruct Remediation Teams to remove cause and revert any unauthorized changes; rebuild affected systems if necessary.
- Instruct Remediation Teams to install service packs, Hotfixes, or security patches as necessary and recommended by vendor.
- Confirm threat is contained.
- Perform security assessment of affected applications, systems, and networks.
- Improve defenses and security monitoring tools to prevent reoccurrence.
- Determine if Data Breach Notification Plan should be activated (i.e., if protected personally identifiable data has been exposed).
- Identify any procedural or policy implications arising from the incident.
- Gather metrics about the incident.
- Conduct post-mortem meeting and create follow-up report.
- Incorporate “lessons learned” into future response activities and training.
Incident Response Task Checklist
The following is a suggested outline of tasks, derived from the incident response lifecycle, to be completed by the Computer Incident Response Coordinator (CIRC), the Communications Coordinator (CC), the Lead Incident Handler (LIH), the Computer Incident Response Team (CIRT), and the Remediation Teams. This check list should be modified as the situation warrants.
|1.1 Determine risk of continuing operations. [Decision point: Shut down the system? Disconnect from the network? Continue operating to monitor subsequent activity?] The CIRC is authorized to ensure that this is addressed as soon as possible.|
|1.2 Assemble the Computer Incident Response Team (CIRT). The CIRC appoints a CC and LIH and coordinates the implementation of this plan. The CIRC may call upon the CC to assist in contacting members of the team.|
|1.2.1 Organize and Alert Remediation Teams. The CIRC will perform this task, but may call upon the CC to assist in contacting members of the team.|
|1.2.2 Work with Chief Communication Officer to designate a Media Contact, as needed.|
|1.3 Determine the nature and scope of the incident with an appropriate initial threat assessment level and monitor throughout containment stages, making modifications as required. The CIRT is responsible for this task. The CIRC should remain in contact with the CIRT to stay apprised of the situation.|
Containment and Investigation
|2.1 Determine Technical Plan of Action. |
The CIRT formulates a detailed technical plan of action or evaluates and recommends adoption of such a plan developed by an outside source and submits it to the CIRC for approval.
|2.2 Determine available communication avenues, and whether alternative forms of communication are required.|
|2.3 Reserve the Training / Information Sharing Room. |
The CC will handle reserving a room for use by the CIRT.
|2.4 Occasionally, severe and very severe incidents will be discovered that have not received wide publicity. Should the circumstances be such that widespread publicity of a vulnerability could have an adverse effect – even attracting attention likely to make the university a target of a severe attack – the CIRC and CIRT will notify executive leadership. Information will be distributed on a need-to-know basis for a reasonable period until the threat is contained. Executive Officers and IT Governance Chairs will be informed of the event, given the reason for need of careful handling, and will receive updates as the situation progresses.|
|2.5 Except as otherwise provided in Sec. 2.4, communicate with University community in accordance with the Notification Scheme’s threat assessment model.|
|2.5.1 Post notices on the web (WebCentral/ ITS/ External Emergency Site). |
The LIH should provide content for these web pages.
The CC will handle getting it posted.
|2.5.2 Send notices to mailing lists. |
|2.5.3 Activate telephone calling lists and phone trees. |
The CC is responsible for contacting the persons listed in the roles listed below. They may enlist support from the UT Service Desk to expedite the work. The CIRC should set priorities, based upon the incident type, and confirm that the task is completed.
|2.5.4 Notices on UT voice mail system. |
If warranted, have a notice posted on the voice mail system. Contact the SmartVoice Administrator at 471-8820 for assistance. If they are out, press “0” for the operator. Messages on the voice mail system should be kept as brief as possible and prefaced with “This is an official announcement from Voice Mail Administration and ITS”.
|2.5.5 FAX transmissions. |
The CC is responsible for sending notices and updates to the offices referenced above in the event that web services are unavailable for an extended period of time. The LIH should determine the content and the CIRC should approve it prior to transmission.
|2.5.6 Posting signs. |
The CC is responsible for preparing warning signs to be posted around campus.
The LIH should provide content.
The UT Service Desk staff should be advised of any notices which will list them as points of contact.
The Remediation Team(s) will be directly responsible for posting this signage once it has been disseminated. The signs should be used:
|2.5.7 Notification in person or by alternative means. |
In the event that all networks and telephone services are unavailable or the responsible parties are unavailable by e-mail, phone, or FAX, the CIRC will need to determine if the situation warrants notification of responsible parties by runners through either oral or written messages. Consider any other alternative means of communication, for example: engaging the emergency alert siren, lighting the UT Tower in a pre-established, distinctive pattern, using 2-way radios, sounding classroom/building bells, megaphones, etc.
|2.6 Conduct training sessions. |
The CIRC should ensure that the CIRT has everything needed to begin conducting training sessions on the identification, containment, and removal or eradication of the attack at the earliest opportunity in the training room reserved by the CC. Staff from the UT Service Desk should be included in the training sessions.
|2.7 Take the necessary steps to contain the incident and prevent further propagation. |
On the advice of the CIRT, the CIRC will need to determine if any other actions are required to prevent the situation from getting progressively worse. Whenever appropriate, the CIRC should try to maintain services in accordance with the established list of critical campus servers.
|2.8 The CIRC should determine if Data Breach Notification Plan should be activated (i.e., if protected personally identifiable data has been exposed).|
Remediation and Recovery
|3.1 Coordinate Response. |
The CIRC will help organize and contact the incident response teams and make certain that they have the resources needed (hardware, software, media, current patches or updates, etc.).
The LIH should provide training, if necessary.
The CIRT should work with the Remediation Teams to assist department users who have been adversely affected by the incident.
|3.2 Ensure system integrity. Maintain user data. |
The CIRC should verify that the LIH is continuing to monitor vendor sites, posting material as it becomes available and updating UT Service Desk staff regularly.
|3.3 Determine root cause of incident.|
|3.4 Improve defenses: patch vulnerable applications, implement local firewalls/filters. Consider migrating machine’s function to a more secure operating system, if warranted.|
|3.5 Perform security assessments on systems/networks.|
|3.6 Remove the cause and correct any changes it has made and disable or secure any exploitable active services. The Remediation Teams should, based on the training provided by the CIRT, work in cooperation with ITS, ITS contract sites, UT Executive offices, and other departments that have been adversely affected.|
|3.7 Restore operating system as necessary. |
If the incident has resulted in damage to the operating system, the Remediation Teams may be called upon to perform a fresh install of the OS. Before doing so, the Remediation Team members should:
|3.8 Install service packs, Hotfixes, or security patches as necessary and recommended by vendor. Emergency software updates will be available via UTnet quarantine networks as necessary.|
|3.9 Restore user data from backups as necessary. |
The Remediation Teams are responsible for this task.
|3.10 Bring systems back online. |
The Remediation Teams are responsible for this task.
|3.11 Change all passwords. |
All systems must have their administrative passwords changed.
|3.12 Monitor system performance and report activities. |
Submit a simple report of actions taken and time required to Information Security Office, firstname.lastname@example.org, so that pertinent incident information may be filed with the Department of Information Resources (DIR). The Remediation Teams are responsible for this task.
|4.1 Conduct a post-mortem meeting. |
The CIRT should meet to review its response to the emergency. Topics of discussion should include:
|4.2 Produce the follow-up report. |
The CIRT should prepare an executive summary of the findings of the post-mortem meeting. The report should include data on the impact of the emergency and recommendations for changes that would minimize or prevent future recurrences of similar problems. An overall incident cost analysis should be included, which would be calculated using the Information Security Office’s Incident Database.
The CIRC should gather all pertinent incident information so that the Information Security Office may file a formal report with the Department of Information Resources (DIR).
Related UT Austin Policies
The policies listed here inform the procedures and requirements described in this document. (This is not an all-inclusive list of policies and procedures that affect Information Resources.)
|Chief Information Security Officer||Approval||Cam Beasley||TBD|