Incident Response

This document describes the processes that support the following company policies:

Security Incident Response Team

TODO: We should document who is part of the security incident response team, but this playbook may not be the best channel for that.

Tooling

Communication Channels

Incident Log

The Incident Log contains a document per incident.

  • Naming convention: YYYY-MM-DD - Incident Name
  • Template

The security incident response team has access to the incident log.

Each log entry should contain the following information:

  • Date
  • List of people involved in the decision making process
  • An evaluation of the Incident Response Plan: whether all interested parties are in the right communication channels, etc.
  • The forensics evidence gathered while executing the incident response plan
  • An evaluation of the impact and consequences of the incident
  • An analysis of the root causes as well as the lessons learned
  • The action items to remediate the problem in the short and longer term if needed.

A Shortcut ticket assigned to the Security Incidents label should be created with a link to the relevant incident log entry.

Process

Communicate a Security Incident

  • Communicate a security incident by using the following channels:
    • The #security Slack channel
    • The security@narrative.io email list
    • The phone number of anyone in the security incident response team, or, as a fallback, anyone in the dev or executive team.
  • To the extent possible, make yourself available to provide additional information/identification when requested.

Initiate the Incident Response Process

  • The first person in the Security Incident Response Team who becomes aware of an incident should create a Shortcut ticket assigned to the Security Incidents label
  • The rest of the process is led by the on-call person
  • Create an entry in the Incident Log
  • Add a link to the relevant incident log entry to the Shortcut ticket
  • Perform appropriate video identification depending on the context. Access Change guidelines/procedures from the System Access Control playbook are particularly relevant here.
  • Keep in mind that when video identification is not possible, only ever proceed with revoking credentials, never with issuing new ones.

Incident Response Guidelines

Every incident is different and requires its own assessment and response. However, the following guidelines help to react quickly and avoid missing important steps.

Compromised Credentials

Here are some important steps to consider when credentials have (potentially) been compromised:

  • Start from the list of systems that the person has access to.
  • Revoke access to the most critical systems first, and to the least critical last
  • Once access has been revoked, audit the systems to determine what has been accessed and the extent of the potential damage
  • Some systems do not provide meaningful auditing capabilities. We have to accept the risk of not auditing these.
  • Communicate internally and externally about the extent of the breach if it meaningfully impacts the business and its partners

Auditing compromised systems

  • Narrative app: no audit log available
  • Google Workspace
    • Provides a great way to audit logins
  • AWS
    • CloudTrail Event History in the AWS console supports a lookup by user name
  • Google Cloud
  • GitHub
    • Organization Log. The actor= filter can be used to restrict entries to a given user.
  • Cloudflare
  • Notion
    • The audit log is available in Settings & Members
  • Slack
  • Shortcut
    • No audit log available
  • Stripe
  • NPM
    • No audit log available?
  • DataDog
  • Cron / Jenkins
    • No audit trail
  • Splunk On Call
    • No audit trail
  • Drata
    • No audit trail
  • Hubspot
  • LinkedIn Business
    • No audit trail
  • Facebook Business
  • Instagram
    • No audit trail
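As an added example that is not part of this playbook: a small Python script that, given CloudTrail records in their standard JSON shape (the sample events below are constructed, not real data), builds the per-user timeline that the Event History user name lookup gives you, plus a count of which services the principal touched, i.e. which systems to audit next. It also matches on access key ID, because assumed-role session records carry the temporary key but no top-level userName field, so a user name lookup alone misses what was done with the role.

```python
import json
from collections import Counter

# Constructed sample events in CloudTrail's record shape (not real data).
# An IAM user creates a key, assumes a role, and the temporary session key
# is then used against S3 (the last call is denied).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2024-03-01T10:05:40Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAEXAMPLE1"}},
    # Assumed-role session: no top-level userName, only the temporary key id.
    {"eventTime": "2024-03-01T10:06:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE2",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"}},
    {"eventTime": "2024-03-01T10:07:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE2",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"}},
]})


def user_timeline(trail_json, username=None, access_key_id=None):
    """Return (timeline, services_touched) for one principal.

    timeline: time-ordered (eventTime, eventSource, eventName, sourceIP, succeeded)
    services_touched: Counter of eventSource, i.e. which systems to audit next.
    Matching on access key id as well as user name is what catches role
    sessions, whose records carry the temporary key but no userName field.
    """
    hits = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        if (username and ident.get("userName") == username) or \
           (access_key_id and ident.get("accessKeyId") == access_key_id):
            hits.append((rec["eventTime"], rec["eventSource"], rec["eventName"],
                         rec.get("sourceIPAddress", "?"), "errorCode" not in rec))
    hits.sort()  # ISO-8601 timestamps sort correctly as strings
    return hits, Counter(h[1] for h in hits)


if __name__ == "__main__":
    for entry in user_timeline(SAMPLE_TRAIL, username="alice")[0]:
        print(*entry)
```

Run the user name query first, then re-run with every access key ID seen in an AssumeRole result to follow the session; with real data, replace SAMPLE_TRAIL by the JSON CloudTrail delivers to S3.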