This document offers guidance for employees or incident responders who believe they have discovered or are responding to a security incident.
Escalation
- Email [email protected] or message the #security channel on Slack.
- Include as many specifics and details as you can.
Severity
Internal Issues
When the malicious actor is an employee, contractor, vendor, or partner, please contact the Security team directly. Do not discuss the issue with other employees.
Compromised Communications
If there are IT communication risks (e.g. company phones, laptops, email accounts, etc. are compromised), the Security team will announce an out-of-band communication tool within the office or across the company.
Response Steps
For critical issues, the Response team will follow an iterative response process designed to investigate, contain the exploitation, remediate the vulnerability, and write post-mortem and lessons-learned documents.
- The Security team should determine if a lawyer should be involved with attorney-client privilege.
- A “War Room” will be designated.
- The following response meeting will be held at regular intervals, starting with twice per day, until the incident is resolved.
Response Meeting – Agenda
- Update the Breach Timeline with all known data related to the incident. The timeline should detail what you’re sure the attacker did at what times.
- Review new Indicators of Compromise with the entire group. Indicators of Compromise are anything you know belongs to the attacker: an IP address that sent data, a compromised account, a malicious file used to spearphish, etc.
- Add new data (knowns and unknowns) to the Investigative Q&A, which is a list of questions to which, if you had answers, you’d understand everything the attacker did.
- Update the list of Emergency Mitigations: passwords to be reset, laptops to be wiped, IPs to be banned, etc.
- Long Term Mitigations (including Root Cause Analysis): record everything you’ll start doing so this crisis doesn’t happen again.
- Everything Else: communications, legal issues, blog posts, status pages, etc.
Response Team Members