What Is An Incident Response Plan?  

• The process to identify and deal with cybersecurity incidents has several stages, including preparation, detection and analysis, containment, eradication, full recovery, and post-incident analysis and learning.

• An incident response plan (IRP) is a set of documented procedures detailing the steps that should be taken in each phase of incident response. It should include guidelines for roles and responsibilities, communication plans, and standardized response protocols.

• The process involves:

  • Identifying if an incident is malicious.
  • Taking action to quickly contain it and minimize damage.
  • Eradicate the threat.
  • Learn from the incident to improve the process.

4-Step Framework:

1. Preparation and Prevention

• FOX Entertainment Technology Response Team Stakeholders:

  • Production & Post Technology (VP: Christian Kennel)

  • Engineering Team (Dir: Christian Case)

  • Product Team (Dir: Justin Briars)

  • Post Technology & Operations (Dir: Payton List)

• We have a schedule of 20hr coverage (6a-2a) with the ideal of always having at least one person on premises to do physical shut downs & restarts.

• If the incident involves remote access, a team member will be assigned to test remote access if needed.

• Depending on the nature of the incident, a representative from the ET team or from InfoSec will email, slack or call affected End Users.

• In the event of a cybersecurity incident, FOX Entertainment Technology Team will engage the FOX Information Security (InfoSec) team via Email and/or Slack.

• We will defer to their expertise and legal advice regarding next steps. 

• Most likely, InfoSec will engage and create a private Incident Response Slack Channel Ticket to track everything and we will communicate there. 

• They will most likely look at their many online resources for Common Vulnerabilities and Exposures (CVE) migration and patching:

CVE online resource examples:

• https://nvd.nist.gov/vuln/detail/CVE-2023-24941 
• https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/amp/ 
• https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/ 
• https://www.vmware.com/security/advisories/VMSA-2023-0009.html 
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37958 
• https://security.paloaltonetworks.com/CVE-2022-0030 

• And use their Security Toolset to mitigate, scan and help recover from an attack.

• Tools currently used by the FOX InfoSec team:

  • DataDog
  • WIZ
  • Crowdstrike / Tanium
  • Joe Malware

2. Detection and Analysis

• Has an event occurred and how severe is its blast radius?

  • InfoSec Security toolsets will be used to determine this. 

• If Fox Entertainment resources or Users are affected, FOX Entertainment Technology Team will gather parties who should be informed and suggest next steps.  

• We will help document as much as possible helping InfoSec team:

  • List relevant people who should be aware and engaged.

  • Logs if possible

  • Timeline of potential malicious install or breach

  • Hostnames of affected Users / Systems.

  • Archived repositories affected software could exist in.

  • Possible hashes of software

  • Vendor contact information of software

3. Containment, Eradication, and Recovery

• Defer to InfoSec Team’s suggestion on forensic information they need.

• Possible secure InfoSec-generated Box uploads for malware scanning.

• Install dates of potential malware so they can scan for versions with Crowdstrike.

• Any potential hashes we received from Software vendors they can filter in their scan.

• Conversations with End Users reporting incidents.

• Defer to InfoSec Team’s expertise on neutralizing attack, eradication and recovery.

4. Post-Incident Activity

What can be learned and improved upon next time? 

• FOX Entertainment Technology Team will have a post-mortem to discuss the following, and update policies if need be. 

  • Chain of events that led to the security incident.

  • Any new attack methods, techniques, etc.? 

  • Strategies learned that can improve response for subsequent incidents? 

  • Anything lacking that was needed? 

  • Overall performance of response. 

  • Was the plan adequate for this type of incident? 

  • Document preventive techniques for future events.