A Magento-centric Incident Response Plan Template

Introduction

This document provides a structured process and sample procedures to use when responding to intrusions on our Magento eCommerce stores. Many parts of it have been lifted liberally from the MSDN documentation on Incident Response and adapted to the needs of eCommerce systems.

Prerequisites for using this document

INCIDENT RESPONSE TEAM

| Role | Name | Email | Phone | IM | Escalation Ladder | Notes |
|------|------|-------|-------|----|-------------------|-------|
| Incident Leader | | | | | | |
| Management/Stakeholder | | | | | | |
| IT Contact | | | | | | |
| Communications | | | | | | |
| Legal Representative | | | | | | |
| National/Local Law Enforcement | | | | | | |
| Hosting SLA contact | | | | | | |
| Magento EE SLA contact | | | | | | |
| 3rd Party SaaS SLA contact | | | | | | |

Definition of roles:

| Role | Role Description |
|------|------------------|
| Incident Lead | In the event of an incident, you should designate one individual responsible for coordinating the response. The Incident Lead has ownership of the particular incident or set of related security incidents. All communication about the event is coordinated through the Incident Lead, and when speaking with those outside the IRT, he or she represents the entire IRT. The Incident Lead might vary depending on the nature of the incident, so feel free to have multiple versions of this document for each logical technical unit of your eCommerce system. |
| IT Contact | This member is primarily responsible for coordinating communication between the Incident Lead and the rest of the IT group. The IT Contact might not have the particular technical expertise to respond to the particular incident; however, he or she will be primarily responsible for finding people in the IT group to handle particular security events. In smaller teams this may be the same person as the Incident Lead. |
| Legal Representative | This member is a lawyer who is very familiar with established incident response policies. The Legal Representative determines how to proceed during an incident with minimal legal liability and maximum ability to prosecute offenders. Before an incident occurs, the Legal Representative should have input on monitoring and response policies to ensure that the organization is not being put at legal risk during a cleanup or containment operation. It is very important to consider the legal implications of shutting down a system and potentially violating service level agreements or membership agreements with your customers, or of not shutting down a compromised system and being liable for damages caused by attacks launched from that system. Any communication to outside law enforcement or external investigative agencies should also be coordinated with the Legal Representative. |
| Communication/Public Relations Officer | Generally, this member is part of the public relations department and is responsible for protecting and promoting the image of the organization. This individual might not be the actual face to the media and customers, but he or she is responsible for crafting the message (the content and objective of the message is generally the responsibility of management). All media inquiries should be directed to Public Relations. |
| Management/Stakeholders | Depending on the particular incident, you might involve only departmental managers, or you might involve managers across the entire organization. The appropriate management individual will vary according to the impact, location, severity, and type of incident. If you have a managerial point of contact, you can quickly identify the most appropriate individual for the specific circumstances. Management is responsible for approving and directing security policy. Management is also responsible for determining the total impact (both financial and otherwise) of the incident on the organization. Management directs the Communications Officer regarding which information should be disclosed to the media and determines the level of interaction between the Legal Representative and law enforcement agencies. |
| External resources | Include in the table above the contact information for all the services that are critical to your Magento eCommerce store. If you have an EE Licence, include all the information required to get in touch with Magento Support or ECG here. Add rows for your hosting provider support line, internal contacts and also the relevant terms of service. The goal is that anything internal or external that affects the operation of your Magento eCommerce store should have a contact here. |

Responding to an Incident

The following table shows the responsibilities of these individuals during the incident response process.

| Activity | Incident Lead | IT Contact | Legal Representative | Communications Officer | Management |
|----------|---------------|------------|----------------------|------------------------|------------|
| Initial Assessment | Owner | Advises | None | None | None |
| Initial Response | Owner | Implements | Updates | Updates | Updates |
| Collects Forensic Evidence | Implements | Advises | Owner | None | None |
| Implements Temporary Fix | Owner | Implements | Updates | Updates | Advises |
| Sends Communication | Advises | Advises | Advises | Implements | Owner |
| Check with Local Law Enforcement | Updates | Updates | Implements | Updates | Owner |
| Implements Permanent Fix | Owner | Implements | Updates | Updates | Updates |
| Determines Financial Impact on Business | Updates | Updates | Advises | Updates | Owner |
| Review the response and update the plan | Implements | Advises | Advises | Advises | Advises |

IMPLEMENTATION OF INCIDENT RESPONSE

These steps should be conducted during an incident response. They are not numbered, since they are not strictly sequential; rather, they happen throughout the incident. For example, documentation starts at the very beginning and continues throughout the entire life cycle of the incident, and communication also happens throughout the entire incident. An overzealous response could even cause more damage than the initial attack. By working these steps alongside each other, you will get the best compromise between swift and effective action.

Making an Initial Assessment

Note: You should avoid false positives whenever possible; however, it is always better to act on a false positive than fail to act on a genuine incident. Your initial assessment should, therefore, be as brief as possible, yet still eliminate obvious false positives.

Communicating the Incident

Be aware that damage can come in many forms, and that a headline on popular news sites exaggerating a security breach can be much more destructive than the actual intrusion. For this reason, and to prevent an attacker from being tipped off, only those playing a role in the incident response should be informed until the incident is properly controlled. Based on the unique situation, your team will later determine who needs to be informed of the incident. This could be anyone from specific individuals up to the entire company and external customers. External communication should be coordinated with the Legal Representative.

Containing the Damage and Minimizing the Risks

Identifying the Severity of the Compromise

Preserving forensic evidence

External notifications

Compiling and Organizing Incident Evidence
Preparation

After you have completed this document for your team, it is highly advised that you undergo drills to see how your team uses it and responds to issues. This way you can identify shortcomings or extra information you can add to it. It is very important that you thoroughly test your incident response process before an incident occurs. Without thorough testing, you cannot be confident that the measures that you have in place will be effective in responding to incidents.

Related Information

For more information about creating an incident response plan, see the following: