Information Security: Incident Response Plan

OIT Knowledge Only

This article is for OIT distribution only and may not be intended for outside communication. If available, please review the Permission Notes in the Details pane of this article for more information. Customers should be referred to any public-facing articles in the Related Articles pane, if available.

1. Introduction

University of Nevada, Las Vegas (UNLV) Information Technology (IT) has developed this Incident Response Plan (IRP) in accordance with industry best practices and regulatory requirements. The primary objective is to safeguard the confidentiality, integrity, and availability (CIA) of sensitive data pertaining to students, alumni, faculty, and other stakeholders. The plan outlines the roles and responsibilities of all participants, categorizes incidents, describes interconnections with relevant policies and procedures, and establishes reporting protocols.

1.1 Purpose

This document aims to equip UNLV with a comprehensive framework to address information security incidents effectively, including prompt identification, assessment of scope and risk, appropriate response actions, effective communication of outcomes, and measures to mitigate the likelihood of recurrence.

Regular testing and updates of this plan are crucial in preparing UNLV to respond to malicious threats and security incidents. Such measures contribute to the adept management, reduction, and prevention of risks associated with cybersecurity.

As UNLV continues to embrace new technologies, tools, software, and policies, reviewing and modifying this document is imperative. A minimum annual review, led by UNLV IT and its expanding cybersecurity team, will ensure the plan remains current and responsive to emerging cybersecurity challenges. By adhering to these strategic measures, UNLV is well-positioned to maintain a robust and agile incident response capability, safeguarding the university community's sensitive information and upholding the highest data security standards.

1.2 Scope

This plan encompasses all information systems, networks, institutional data, and entities, including personnel and devices, that interact with or access these systems or data at UNLV. Its applicability spans the entire university environment to ensure comprehensive coverage and adherence to the defined guidelines and procedures.

Failure to comply with this or an institutional IRP may result in civil and/or criminal penalties imposed by either the federal or state government and/or supporting enforcement bodies and civil and/or criminal litigation brought about by affected parties. Additionally, failure to comply with this or an institutional IRP could constitute prohibited activity, subject to discipline.

2. Definitions

Business Email Compromise (BEC): BEC is a subset of phishing where criminals send an email message that appears to come from a known source, making a legitimate request. For example, we may receive an email invoice that seems to be from a vendor we regularly deal with; however, the account information is falsified.

Cyber Incident Response Team (CIRT): A team set up to assist in responding to cybersecurity-related incidents.

Event: Any observable occurrence in a network or system.

Incident: A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Incident Response: The mitigation of violations of security policies and recommended practices.

Indicator: A sign that an incident may have occurred or may be currently occurring.

Phishing: A type of social engineering where an attacker sends a fraudulent message designed to trick a human victim into revealing sensitive information to the attacker or to deploy malicious software.

Social Engineering: An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks.

Threat/Threat Actor: The potential source of an adverse event.

Vulnerability: A weakness in a system, application, or network subject to exploitation or misuse.

3. Roles and Responsibilities

The following roles, individual responsibilities, and group responsibilities are recommended but may be refined depending on the nature of the incident, as all are unique and unpredictable. See Appendix C for responsibilities as a RACI matrix.

3.1. Incident Response Coordinator

The Incident Response Coordinator assumes a central and pivotal role in the university's security incident management. This dedicated individual is responsible for overseeing all security incidents, ensuring a swift and effective response to them. Their key duties include promptly collecting all pertinent data related to the incident, maintaining clear and open communication with all stakeholders involved, providing comprehensive reporting on all aspects of the incident, and meticulously documenting the entire incident lifecycle, including the investigation and post-incident activities.

The Incident Response Coordinator is vested with the authority to make critical decisions during the incident response process. This includes timely escalation of issues and prioritizing response actions to mitigate the impact and swiftly restore normalcy. Continuous professional development and knowledge sharing are strongly emphasized to equip the coordinator with the latest threat intelligence and cutting-edge incident response techniques. By upholding a high standard of expertise and vigilance, the Incident Response Coordinator plays a vital role in fortifying the university's resilience against emerging threats and ensuring a robust incident management framework.

3.2. Incident Response Handler

The Incident Response Handlers comprise proficient individuals drawn from the Information Security Office (ISO) team and other pertinent departments. Their pivotal role entails the skillful retrieval of essential data and evidence throughout the incident response process. All collected data and evidence will be meticulously safeguarded and delivered to the Incident Response Coordinator for comprehensive analysis and appropriate action.

To ensure uniformity and adherence to industry best practices, well-defined procedures will be established for handling diverse incident types. This framework guarantees consistency and efficacy in incident response activities.

Recognizing the ever-evolving nature of cybersecurity threats, the incident response team will actively engage in continuous training initiatives. This commitment to ongoing learning empowers the team members to develop and sustain the requisite expertise for efficiently handling security incidents. Through a culture of continuous improvement, the university strengthens its ability to respond proactively and effectively to emerging challenges in the cybersecurity landscape.

3.3. Law Enforcement

The university is committed to fostering strong collaboration with law enforcement agencies, encompassing University Police Services, Las Vegas Metropolitan Police Department, federal and state agencies, and U.S. government entities, as necessary during various levels of cybersecurity incidents. To ensure a structured and compliant approach, precise guidelines will be formulated to govern law enforcement's engagement in cybersecurity matters, adhering to all pertinent legal requirements and regulations.

The incident response team will work closely with law enforcement entities, facilitating seamless coordination and timely information exchange as needed. This proactive partnership will enhance the university's capacity to effectively address cybersecurity threats and incidents while upholding legal and regulatory standards. By working together, the university and law enforcement agencies aim to safeguard the institution and its stakeholders from potential cybersecurity risks.

3.4. Security Analysts

The security analysts will be primarily responsible for diligently monitoring security alerts and logs and proactively identifying potential security incidents. Their expertise will be pivotal in promptly escalating such incidents to the designated Incident Response Coordinator or Handler. Furthermore, the analysts will conduct thorough initial investigations, systematically gathering pertinent information to facilitate a swift and effective incident response process. Their competence in these critical tasks ensures the university's readiness to address security threats and maintain a robust cybersecurity posture.

3.5. IT Administrators

IT administrators play a pivotal role in incident response activities, contributing their invaluable technical expertise and support. Working closely with the incident response team, they play a key part in promptly containing and remediating incidents. Additionally, IT administrators conduct thorough system analysis to identify root causes and implement necessary security patches and updates, ensuring a fortified defense against potential threats. Their proficiency in these endeavors fortifies the organization's ability to navigate security challenges with efficiency and precision.

3.6. Legal Counsel

Incorporating legal counsel into the incident response team ensures a comprehensive and well-informed approach to handling security incidents. Legal counsel will offer invaluable guidance on various critical aspects, including legal implications, privacy regulations, and data breach notification requirements. Their expertise will encompass assessing the potential legal consequences of the incident and advising on appropriate actions and disclosure strategies. By involving legal counsel in the incident response process, the organization can navigate complex legal landscapes with prudence and compliance, safeguarding its reputation and mitigating potential legal risks.

3.7. Public Relations Representative

External communication management with the media, stakeholders, and affected parties should be entrusted to a designated public relations representative. Their role is crucial in safeguarding the university's image and reputation throughout the incident and its aftermath. By skillfully handling communication during these critical moments, the representative ensures that the university's messaging remains consistent, transparent, and aligned with its values and objectives. This proactive approach to external communication fortifies the university's credibility and fosters trust among its diverse stakeholders.

3.8. IT Support Staff

The IT support staff will play a pivotal role in providing technical expertise during the incident response process. Their responsibilities encompass isolating affected systems, conducting data recovery, and implementing robust security measures to mitigate the risk of future incidents.

3.9. Senior Management

Senior management should actively engage in the incident response process to provide overall support, allocate resources, and make critical decisions aligning with the organization's risk appetite and strategic objectives.

3.10 External Incident Response Consultants

In certain instances, engaging external incident response consultants may be necessary to leverage their specialized expertise and augment resources during complex or large-scale incidents.

4. Incident Categories

Incidents will be categorized and prioritized using impact level and risk as the criteria. Each incident will be assigned to one of three categories: major, moderate, or minor.

4.1 Major Impact

If the answer is 'Yes' to any of the following questions regarding an incident, then it is a Major incident.

1. Data security. Is there a reasonable expectation that an unauthorized person acquired critical data as a result of this incident?

  • Is data protected by privacy rules or legislation involved?
    • For example:
      • Non-directory student data as defined by FERPA
      • Social Security Number
      • Bank account, credit card, or other private financial information
      • Nevada driver's license number
      • Any medical records or protected health information as defined in HIPAA
  • Are other data security issues involved?
    • For example:
      • Passwords, risk assessments, or other security-related data
      • Data restricted by legal contracts, memoranda of understanding, or other agreements
      • Data that, if available to unauthorized users, would cause harm to an individual, a group, UNLV, or NSHE institutions

2. Legal issues. Does this incident involve any legal violation?

  • Threat to persons or property
  • Theft greater than $10,000
  • Child pornography
  • Unauthorized P2P (Peer to Peer) distribution or collection of music, movies, or other content protected by copyright

3. Magnitude of service disruption. Does this incident impact UNLV's critical services?

4. Threat. Are the hosts involved in this incident actively attacking other hosts?

5. Scope. Is this incident widespread (over 10% of units or greater than 100 hosts UNLV-wide)?

6. Public interest. Is there active public interest in this incident?

4.2 Moderate Impact

If the answer is 'No' to all of the Major incident questions above, but 'Yes' to any of the following questions, then it is a Moderate incident.

1. Data security. Is there a reasonable expectation that sensitive data, as defined in the Definitions Table, was acquired by an unauthorized person as a result of this incident?

  • For example:
    • Infrastructure diagrams, such as building and network
    • Strategy documents
    • Financial information
    • Purchasing information
    • Policies, standards, and procedures
    • Business recovery plans
    • System configurations
    • Emergency response plans
    • Emergency equipment inventories

2. Legal issue. Does this incident involve a legal violation?

  • For example:
    • Theft less than $10,000
    • Harassment

3. Magnitude of service disruption. Is it likely that this incident will impact UNLV's mission-critical services?

4. Threat. Is an attack likely to occur from hosts involved in this incident?

5. Scope. Is this incident somewhat widespread (3-10% of units or 10-100 hosts UNLV-wide)?

6. Public interest. Is there likely to be public interest in this incident?

4.3 Minor Impact

If an event meets the definition of an incident and the answer is 'No' to all of the Major and Moderate questions above, then it is a Minor incident.

5. Communications

Cybersecurity incidents directly threaten the business continuity of the institutions or the system as a whole; therefore, all incident response efforts must adhere to strict communications protocols. Maintaining confidentiality is a critical component of incident response. Every employee, contractor, volunteer, and any other third party with access to our computer network must maintain confidentiality both during and after an incident.

Under no circumstances should any staff member engage with the press or other external parties seeking comment or information. All requests for comments or information should be directed immediately to the Information Security Office at informationsecurityoffice@unlv.edu. Never post any incident-related information to social media, as this may lead to significant harm, potential misinformation, and the loss of the ability to protect our data.

5.1 Internal Communications

  • A dedicated internal communication channel, such as a secure messaging platform, will be established for the incident response team to facilitate real-time collaboration and seamless information sharing during incidents.
  • The incident response team will conduct regular meetings and briefings, providing a forum to discuss incident response strategies, ongoing investigations, and valuable insights gained from post-incident reviews.
  • The Incident Response Coordinator will maintain transparent and open lines of communication with senior management and relevant departments, ensuring that all stakeholders are kept informed of the incident's status and the progress of response efforts. This proactive approach to communication fosters a cohesive response environment and reinforces a unified approach to incident management.

5.2 External Communications

  • The university will maintain a comprehensive contact list comprising key partners, vendors, and pertinent agencies, encompassing law enforcement and regulatory bodies, to facilitate seamless information sharing and effective coordination during incidents involving external stakeholders.
  • The designated spokesperson or public relations representative will oversee official communications with the media, stakeholders, and affected individuals. Their role is pivotal in ensuring that all communications convey a consistent and accurate message, promoting transparency and trust during critical situations.
  • Clear guidelines will be disseminated to all staff members, outlining the protocols for reporting suspicious activities or potential incidents through designated channels. This ensures prompt and standardized reporting, thereby enhancing the university's ability to respond to emerging threats and security incidents promptly.

6. Incident Response Process

Various information security incidents exist, each varying in severity and impact. Acknowledging that not all incidents will necessitate attention to every step outlined below is essential. Nevertheless, preparedness is key, and recognizing that different phases are involved in incident response, each with distinct goals and objectives, is paramount. As defined in the Incident Handler's Handbook from the esteemed SANS Institute, the six phases offer a structured and methodical approach to incident handling. Embracing this systematic approach enhances the organization's ability to respond effectively to incidents while adhering to a well-defined incident response framework.

6.1. Preparation

During the preparation phase, the incident response team diligently ensures its readiness to respond effectively to any potential security incident. Key activities conducted in this phase encompass:

  1. Incident Response Team (contact information available in Appendix A)
    • Chief Information Security Officer
    • Director of Business Continuity & Resiliency
    • Associate Vice Provost for IT
    • Director of Admin Services
    • Public Relations Officer, as needed
    • Chief Information Officer, as needed
    • President, as needed
    • Public Safety, as needed
    • Emergency Preparedness Coordinator, as needed
    • Privacy Officer, as needed
    • Legal Counsel, as needed
    • Director, External Affairs, as needed
    • Director, Human Resources, as needed
    • Law Enforcement, as needed
  2. Creation and review of incident response policies and procedures to ensure they are up-to-date and align with industry best practices.
  3. Installation and implementation of necessary incident response tools and technologies to facilitate incident detection, containment, and analysis.
  4. Conducting regular tabletop exercises and simulated scenarios to train and prepare the incident response team for real-life incidents. Additionally, end users are aware of the steps to take if they suspect anomalous activity or are a victim of a cyberattack, such as phishing or ransomware.
  5. Availability of data backups that have been tested for recovery/restoration.
  6. Conducting post-mortem reviews of previous incidents to validate controls' effectiveness and identify improvement areas.
  7. Jump Bag (supplies to assist the team in the event of an incident)
    • Empty notebook, pens, highlighters, etc.
    • Laptop/tablet and power supply
    • Forensic tools (boot CDs, software, dongles, etc.)
    • Network cables
    • Thumb drives or other removable media
    • Contact information
    • Access badges for data center facilities

6.2. Identification

Identification of a suspected security incident may stem from various sources, including monitoring tools, vigilant IT personnel, end users, partners, or law enforcement agencies. In this context, the term "incident" refers to any adverse event that affects one or more information assets or poses a threat to do so. Illustrative examples encompass, but are not restricted to, the following scenarios:

  • Network Intrusion/Unauthorized Access: Any physical or logical access to the network, systems, or data without permission of the network owner.
  • Ransomware: A type of malicious software (malware) that criminals use to threaten to publish or block access to data or a computer system. Data or systems will usually be encrypted until the victim pays the attacker a ransom.
  • Insider Threat: When someone with authorized access to an organization misuses that access to compromise company data or critical systems. Insiders do not have to be company employees; they can also be partners, third-party vendors, and contractors. Insider threats can be malicious or non-malicious.
  • Brute Force Attacks: A hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. The hacker tries multiple usernames and passwords, often using a computer to test various combinations, until they find the correct login information.
  • DDoS Attacks: A distributed denial-of-service (DDoS) attack occurs when criminals attempt to disrupt regular traffic on a network or to a server or system. Typically, this is done by overwhelming the target's infrastructure with a flood of internet traffic.
  • Data Exfiltration: The unauthorized movement of data to outside the organization, often used as leverage for a potential ransom payment. It can be conducted manually, for example, by printing information or copying data to a flash drive, or through covert use of network resources by external malicious actors who have gained access. Most modern ransomware strains will attempt to exfiltrate (steal) data before encrypting the owner's copy. This has become known as 'Double-Extortion Ransomware.'
  • Malware: Short for 'malicious software,' malware is code developed by criminals and designed to gain unauthorized access to a network or cause severe damage to data or systems. Malware is typically delivered in the form of a link or file over email (phishing) and requires the user to click on the link or open the file to execute the malware.
  • Credential Stuffing: The automated injection of stolen username and password pairs ("credentials") into website login forms to fraudulently gain access to user accounts. Since many users often reuse the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example), submitting those sets of stolen credentials into dozens of other sites can also allow an attacker to compromise those accounts. Credential Stuffing is a subset of the brute force attack category.
  • Policy Violations: Any deviation from a published security policy, whether accidental or purposeful, that contradicts what the company deems acceptable use of information assets. Examples may include writing down passwords, leaving an unattended cabinet unlocked, downloading copyrighted material, or visiting prohibited websites.
  • Device Theft or Loss: Any loss or theft of computer equipment or mobile devices, deliberately or accidentally. These devices may allow unauthorized access to company data or resources.

Incidents can result from any of the following:

  • Intentional and unintentional acts
  • Actions of vendors or third parties
  • External or internal acts
  • Acts related to violence, warfare, or terrorism
  • Criminal activity
  • Credit card fraud

In case of a suspected incident, the UNLV Information Security Team will promptly initiate an initial assessment. As part of this assessment, the team will triage the event, which includes collecting and preserving crucial system files, logs, and system images, among other relevant artifacts. A delicate balance between restoring operations and preserving potential evidence is vital to the incident response process.

To ensure a comprehensive record of the incident, all pertinent information will be meticulously documented within the notification form. The incident response coordinator will be responsible for initiating the incident documentation process. However, as the incident escalates, the UNLV Chief Information Security Officer or their designated representative will ensure adherence to the appropriate procedural flow for handling the incident. By adhering to these systematic procedures, UNLV enhances its incident response capabilities, providing a well-documented and structured approach to incident management.

6.3. Containment

The following foundational procedures can address a wide range of incidents. Specific procedures will often be contingent upon the nature of the incident. Upon identifying an incident, the containment phase aims to limit the incident's scope and impact. Incident response handlers and system engineers will undertake the following actions:

  1. Obtain and analyze as much system information as possible, including key files and, if necessary, a backup of the compromised machine for later forensic analysis.
  2. Keep good records of observations and actions taken.
  3. Create forensically sound images of systems and store them in a secure location.
  4. Establish a chain of custody for evidence.
  5. Unless necessary, do not power off the compromised machine(s) as valuable data or evidence may be lost. Depending on the situation, either disconnect the machine(s) from the network or move them to an isolated network to continue analyzing traffic and activity.
  6. To avoid propagation of the incident, the following actions might need to be taken:
    • Download and apply security patches from vendors
    • Update antivirus signatures
    • Close firewall ports
    • Disable compromised accounts
    • Run scanners to determine if other vulnerable hosts exist
    • Change passwords as appropriate

6.4. Eradication

To eradicate the problem, specific procedures will frequently depend on the nature of the incident. During the eradication phase, the incident response team works to eliminate the root cause of the incident and remove any malware or unauthorized access. Actions taken during this phase include:

  1. The administrator should use boot media (such as a CD or USB drive) to access data on compromised machines. (Rootkits installed on compromised machines might affect basic system-level utilities and discourage use of a compromised host.)
  2. If the operating system(s) of the machine(s) have been compromised, they need to be rebuilt using hardened builds on appropriate platforms.
  3. Test any backups before restoring, and monitor for a new incident.
  4. Document everything.

After an incident, efforts will focus on identifying, removing, and repairing the vulnerability that led to the incident, as well as thoroughly cleaning the system(s). To do this, the vulnerabilities need to be clearly identified so the incident is not repeated. The goal is to prepare for the resumption of normal operations with confidence that the initial problem has been resolved.

6.5. Recovery

The objective of the recovery phase is to safely return to production and ensure that the incident does not recur. The specific actions taken during this phase will depend on the nature of the incident and directives from leadership. Key considerations for the recovery phase encompass:

  1. Retesting systems, preferably involving a diverse group of end users, to ensure functionality and usability.
  2. Deliberating on the timing of the return to production to minimize any potential risks.
  3. Validating the integrity and functionality of the restored systems to ensure they meet the required standards.
  4. Engaging in discussions regarding customer notification and addressing their concerns related to the incident.
  5. Addressing media handling issues to manage communications effectively.
  6. Continuing vigilant monitoring for any potential security incidents post-recovery.

The decision to resume normal operations will be based on the recommendation provided by the UNLV Chief Information Security Officer or their delegate. Final authorization to resume normal operations will be granted by the UNLV President, UNLV Chief Information Officer, or their authorized delegate. By following these guidelines, we ensure a systematic and secure recovery process that minimizes the risk of future incidents.

6.6. Lessons Learned

This phase enables UNLV Information Technology to handle future security incidents better. A final report will be written describing the incident and how it was managed using the incident reporting form. The report will provide a comprehensive review of the entire incident, addressing the key questions of who, what, when, where, why, and how that may arise during the lessons learned meeting. Suggestions for handling future incidents and reworking this document should be included in this report. Any documentation that was not done during the incident will also be reported. The overall goal is to learn from the incident that occurred within an organization to improve the team's performance and provide reference materials in the event of a similar incident. The ISO will utilize the lessons learned to develop planning and prepare materials for the incident response process. The lessons learned phase should occur as soon as possible, or as legally required, within a specific time frame of the recovery phase, to retain as much information about the incident as possible.

Appendix A - Primary Contact Information

Primary Contact Information - UNLV Staff

Name             Role                                                                      Office #        Email
Chris Heavey     Officer-in-Charge & Provost                                               702-895-3301    chris.heavey@unlv.edu
Kivanc Oner      VP for Digital Transformation and Chief Information Officer (CIO)         702-774-2923    kivanc.oner@unlv.edu
Vito Rocco       Chief Information Security Officer (CISO)                                 702-895-0400    vito.rocco@unlv.edu
Jason Griffin    Senior Information Security Analyst                                       702-895-4077    jason.griffin@unlv.edu
Maxine Franks    Information Security Analyst                                              702-895-0747    maxine.franks@unlv.edu
Jill Theroux     Information Security Analyst                                              702-774-7032    jill.theroux@unlv.edu
Christian Der    Information Security Analyst                                              702-895-0712    christian.der@unlv.edu
Andrew Lilleg    Senior 2 Network Engineer                                                 702-895-0754    andrew.lilleg@unlv.edu
Elda Sudhu       Legal General Counsel                                                     702-895-5185    elda.sidhu@unlv.edu
Ericka Smith     VP for Human Resources & Chief People Officer                             702-895-4350    ericka.smith@unlv.edu

Primary Contact Information - FBI Las Vegas Field Office

Name             Role                                                                      Office #        Email
Tony Allen       Media Relations Senior Director                                           702-895-0893    tony.allen@unlv.edu
Arnold Vasquez   Assistant Director and officer-in-charge of UPD Southern Command          702-774-4172    arnold.vasquez@unlv.edu

Primary Contact Information - External Legal Counsel/Privacy Officer

Name             Role                                                                      Office #        Email
Michael Tabije   Risk Manager                                                              702-895-2297    michael.tabije@unlv.edu
Louise Hardy     Assistant Director of Threat Assessment and Emergency Management          702-895-4849    louise.hardy@unlv.edu
Lisa Schaller    NSHE Executive Director of Risk and Insurance Management                  775-784-3472    lschaller@nshe.nevada.edu
Kristi Roberson  NSHE Assistant Director of Risk and Insurance Management                  775-784-3406    kroberson@nshe.nevada.edu
Anne Milkovich   NSHE CIO -- Required to notify when NSHE/3rd party Data is breached       702-720-3313    amilkovich@nshe.nevada.edu
Thomas Dobbert   NSHE CISO -- Required to notify when NSHE/3rd party Data is breached      775-674-7500    tdobbert@nshe.nevada.edu

Appendix B - Secondary Contact Information

Appendix C - Responsibility (RACI) Matrix

Responsibility (RACI) Matrix

ROLES                                     Responsible   Accountable   Consulted   Informed
Incident Response Coordinator             X
Incident Response Handler                               X
Law Enforcement                                                       X
Security Analysts                                       X
IT Administrators                                       X
Legal Counsel                                                         X
Public Relations Representative                                       X
IT Support Staff                                        X
Senior Management                                                                 X
External Incident Response Consultants                                X