IT.4201.1 - MCW-PRC - Cyber Incident Response Procedure
PURPOSE
This document establishes the procedure to follow when there is a cyber incident (see “Definitions”).
SCOPE
While first responders to cyber incidents may be general IT staff or other Mister Car Wash employees, the company’s Cyber Incident Response Team (CIRT) provides overall response guidance. The CIRT’s priority during an incident is to take control of the situation with the intent of mitigating potential damage to the company and its customers.
The CIRT is responsible for:
- Managing the incident response process
- Defending against attacks and minimizing damage in the event an attack succeeds
- Implementing improvements that prevent attacks from reoccurring
- Reporting incident outcomes to the General Counsel
The members of the CIRT are listed in CIRT Contact List (IT.4201.2-MCW-FRM).
DEFINITIONS
Event
An event is any observable activity within Mister information resources, including applications, systems (operating systems), networks, network devices, and workstations.
Incident
An incident is any undesirable event that could potentially compromise the availability, integrity, and confidentiality of Mister information resources.
Incidents are assigned one of three color codes:
- Green – an incident is assigned code green if it:
  - Originates from non-production Mister information systems;
  - Impacts only Mister non-production systems; and
  - Is prevented with existing defense controls or can be prevented by updating existing controls.
- Yellow – an incident is assigned code yellow if it:
  - Originates from or impacts Mister production systems; and
  - Cannot be prevented with existing defense controls or by updating existing controls.
- Red – an incident is assigned code red if it:
  - Places production assets in immediate risk; or
  - May spread to other Mister information systems, including production systems, before it is contained; and
  - Involves any compromise to private customer information.
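The color-code rules above, encoded as a triage helper (an added example, not part of the Mister procedure document): `classify` checks the codes from most to least severe and `triage` applies the Phase I step 3 rule for undetermined incidents. It assumes that each red criterion is sufficient on its own and that the step 3 rule also covers incidents whose code cannot yet be determined.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class IncidentFacts:
    """What is known about an incident at triage time; None means not yet determined."""
    origin_production: Optional[bool] = None          # originates from a production system
    impacts_production: Optional[bool] = None         # impacts a production system
    preventable_with_controls: Optional[bool] = None  # existing or updated controls prevent it
    immediate_risk_to_production: bool = False        # red criterion
    may_spread_before_containment: bool = False       # red criterion
    customer_info_compromised: bool = False           # red criterion


def classify(f: IncidentFacts) -> str:
    """Return "red", "yellow", "green" or "undetermined", checking the most severe code first.

    Assumption: each red criterion is sufficient on its own, since the definition's
    "or ... and" wording does not say how the three criteria combine.
    """
    if (f.immediate_risk_to_production or f.may_spread_before_containment
            or f.customer_info_compromised):
        return "red"
    # Yellow: originates from OR impacts production, and cannot be prevented.
    touches_production = f.origin_production is True or f.impacts_production is True
    if touches_production and f.preventable_with_controls is False:
        return "yellow"
    # Green needs all three facts established and none of them touching production.
    if None in (f.origin_production, f.impacts_production, f.preventable_with_controls):
        return "undetermined"
    if not touches_production and f.preventable_with_controls:
        return "green"
    # Production-related but preventable: not covered by any of the three definitions.
    return "undetermined"


def triage(f: IncidentFacts) -> tuple[str, bool]:
    """Code to act on now, plus whether the code must be revisited.

    Step 3's rule for undetermined incidents (handle as code green, reclassify when new
    information is discovered) is applied to an undetermined code as well (assumption).
    """
    code = classify(f)
    if code == "undetermined":
        return "green", True
    return code, False
```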
Production Systems
Production systems are all systems that are used to support Mister business requirements. Exceptions to production systems include:
- User workstations, laptops, and mobile devices (except when such devices carry Mister-restricted information)
- Test and staging systems, networks, and applications
PROCEDURE
Mister has developed its Cyber Incident Response Procedure according to National Cyber Security Division (NCSD) guidelines. The procedure is divided into three phases:
- Phase I: Detection, Assessment, and Triage
- Phase II: Containment, Evidence Collection, Analysis and Investigation, and Mitigation
- Phase III: Remediation, Recovery, and Post-Mortem
The CIRT or other employees will generally respond to incidents by proceeding through these phases in order. However, some steps will not apply to certain circumstances, so responders must rely upon their discretion and experience when applying the procedure to actual incidents. The tasks listed in the subsections below are initiated when the incident is detected and declared.
Phase I: Detection, Assessment, and Triage
Phase I tasks are intended to control risk/damage and are critical to a successful incident response. Phase I tasks may be completed by IT technicians or by CIRT members.
Figure 1 summarizes the Phase I tasks. For more information about any task, see Table 1 following the chart.

Table 1: Phase I Tasks

Step 1: Detect and Document Event
How an event is detected depends on its source (e.g., the IDS may trigger an event, the network monitor may indicate a spike in traffic, the firewall may be hit with a DDoS).

Step 2: Notify Need-to-Know Personnel
Notify the Mister Information Security Officer (ISO), the Legal Representative (to define and protect privilege) and, on a need-to-know basis only, other personnel of the event. Incidents may have legal, human resources, and public relations implications and should not be disclosed to anyone without a specific need to know. Care should be taken not to communicate at any time using potentially compromised data or voice systems. Create a secure communication channel in Slack.

Step 3: Determine if Incident has Occurred
Based on available data, establish whether an incident has occurred. One of three conclusions will be reached:
- An incident has occurred (green, yellow, or red); proceed with further action
- Undetermined; proceed with further action (treat the undetermined incident as though it were code green, but reclassify if new information is discovered)
- An incident did not occur; terminate action
If the determination is made that an incident occurred, use the Cyber Incident Reporting Form (IT.4201.3-MCW-FRM) to begin documenting information.

Step 4: Protect Evidence
Evidence is not yet collected, but care is taken to preserve potential evidence by guarding against:
- Destruction of evidence through established processes like re-use of backup media, system use, or hard disk wiping.
- Destruction or tainting of evidence through incident handling actions (logging into affected systems, etc.).
If deliberate destruction is considered likely (i.e., by a suspect or attacker), more aggressive actions may be required to preserve evidence (e.g., removing systems from the network, placing evidence in safe storage).

Step 5: Solve and Submit Report
In the event of a code green incident, technical staff will correct the issue. Once the problem is corrected, a report on what caused the issue must be prepared and submitted.

Step 6: Determine Incident Status
During a code yellow incident, the ISO assumes leadership of the response. Efforts are made to determine the current status of the incident. (Is the attack/incident active or has it ceased? If it has ceased, is it likely to resume?)

Step 7: Assess Incident Localization
Personnel determine which and how many systems and what data are potentially affected, including whether compromised systems are the end target or are included in a distributed attack on other systems. This task may be conducted earlier in Phase I as time, skill, and resources permit.

Step 8: Contact and Assemble CIRT
During a code red incident, the initial CIRT must be contacted. The CIRT Coordinator is responsible for notifying initial CIRT members using all primary and alternate contact methods until successful.
The initial CIRT shall be composed of at least: 1 Coordinator, 1 C-level executive, 1 IT Representative, and 1 Legal Representative.
The CIRT Coordinator is also required to procure emergency supplies and communicate with stakeholders as needed.

Step 9: Damage Assessment/Control
When the initial CIRT is first assembled, all members must be briefed on the situation, symptoms, and external notices of events. The following actions are taken:
- Communicate internally and externally as appropriate (including to the cyber-breach insurance carrier and senior management)
- Execute containment activities and scope the business impact
- Identify response goals (if possible)
- Identify and evaluate options to meet response goals (if possible)
The cyber-breach insurance carrier will have an integral role to play in identifying, evaluating, and executing response options.

Step 10: Notify Internal Parties that may be Affected
Any internal employee whom the incident could affect, or who needs to take action, is given a brief notification.

Step 11: Notify External Parties (If Needed)
If the incident is found to reach beyond Mister-managed systems (i.e., systems not solely managed by Mister staff), the CIRT Coordinator should contact all impacted parties (as far as possible) to coordinate incident response efforts. In many cases, non-localized incidents may require the coordinated efforts of staff from other organizations to resolve. Law enforcement is contacted as appropriate.
Phase II: Containment, Evidence Collection, Analysis and Investigation, and Mitigation
Except in the case of code green incidents, which will generally be resolved in Phase I, incident control, investigation, and resolution proceeds in Phase II. CIRT members and their designees will be responsible for completing Phase II tasks.
Table 2 below summarizes the tasks completed in Phase II.
Table 2: Phase II Tasks

Step 12: Plan Containment Activities
At this stage, a CIRT member or the entire team creates a formal plan to manage the remaining incident response processes. Incidents should be formally designated by code, with appropriate containment strategies identified and documented. Priority should be by business impact.
If a playbook exists for the incident type, move to the playbook here. Continue to Step 18 after playbook completion.

Step 13: Begin Documenting Response and Recovery Efforts
With the CIRT active and making decisions on the direction and focus of response activities, the CIRT Coordinator begins documenting and assigning incident response activities.

Step 14: Contain
Since triage actions are often executed in a crisis environment, it is critical to confirm that containment measures and related activities will quarantine affected systems and that operations will not be adversely affected. The CIRT will assign personnel to carry out validated containment measures.

Step 15: Eradicate
If possible, the affected systems should be purged and placed back into their normal operating environment.

Step 16: Recover
If an incident results in the destruction or corruption of data, special recovery steps are necessary. Even if temporary recoveries are executed during the incident response, a reliable recovery must be performed.

Step 17: Follow Up
Once the incident has been contained and critical services/data have been restored/recovered, the CIRT Coordinator (or his or her designee) should conduct meetings with technical staff, external entities, and other participants to understand incident cause(s), the strength of existing controls that defend against such incidents, and any other lessons learned throughout the incident response process.
Depending on the severity and scope of the incident, the CIRT Coordinator may wish to conduct a quick debriefing with the CIRT to verify that all matters have been addressed and all systems are back to normal with preventative measures in place.

Step 18: Document and File
Once a relatively stable state is established, the scope, risk assessment, and response goals are re-analyzed and re-validated in a Cyber Incident Recovery Report (IT.4201.4-MCW-FRM). The following questions should be addressed:
- How did the incident happen?
- When (as best as can be determined) did the incident begin and end?
- What is the verified scope or depth of the incident?
- Was there any activity after the initial incident?
- Who or what was the source of the attack?
- How was the incident contained?
- What are the immediate and future recommendations for response?
Depending on the severity and scope of the incident, the CIRT Coordinator may deem it necessary to summarize the incident in a report to company management. The report should include:
- A description of the circumstances that led to the incident
- The current status of the incident, including ongoing response efforts (when appropriate)
- Any short-term incident remediation measures employed and their impact on the business
- Any long-term incident remediation measures employed and their impact on the business

Step 19: Determine if Law Enforcement Contact and Public Notification are Warranted
If the company determines that criminal prosecution is warranted, the appropriate law enforcement agency will be contacted. This consideration, as well as any other formal communications, must be closely managed by Mister’s Legal Department.
The FBI is contacted only for incidents with a loss value of more than $10,000, which includes the value of information, cost of company incident response, damage to systems, and so on. The U.S. Secret Service must be notified of any compromise to cardholder data.
If customer privacy is compromised or suspected of being compromised, public notice must be provided in the states where the compromise occurred or is suspected to have occurred. Consult appropriate state privacy notice laws. Some states require public notification in as little as 30 days.

Step 20: File FBI and/or Secret Service Report
If the CIRT and Mister management determine that criminal investigation, prosecution, or public notice is appropriate, the CIRT Coordinator will prepare and submit a report to the local branch of the FBI, U.S. Secret Service, and/or state-level law enforcement.

Step 21: Notify Card Issuers and Customers
If the incident impacts systems where customers’ Personally Identifiable Information (PII) is processed, the CIRT, as advised by outside legal counsel, must approve a communications plan to notify customers that have been impacted by the breach. PII includes, but is not limited to:
- Full name, personal address, and personal telephone number
- Social security number, driver’s license number, account number, and credit or debit card number
- User login, personal identification number, password, or any other non-public information that would permit access to the customer’s account or account details
Customer notice may be delayed if a law enforcement agency provides Mister with a written request for delay explaining that notification will interfere with a criminal investigation. However, customers should be informed as soon as notification no longer presents a threat to an investigation. State laws specify what information is required in customer notification, which can include the following:
- A recommendation that customers immediately report any suspicious activity to the institution
- A description of fraud alerts and an explanation of how to place a fraud alert in the customer’s consumer reports so that the customer’s creditors are on notice that the customer may be a victim of fraud
- A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and request that information relating to fraudulent transactions be deleted
- An explanation of how the customer may obtain a free credit report
- Information about the availability of the FTC’s online guidance regarding steps a consumer can take to protect against identity theft
The notice should encourage the customer to report any incidents of identity theft to the FTC. It should also provide the FTC’s website address and toll-free telephone number that the customer may use to obtain identity theft guidance and report suspected incidents of identity theft.
If cardholder data is compromised, card issuers must be notified. Additionally, Mister must follow the card issuers’ guidelines on what to do in the event cardholder data is compromised.
Phase III: Remediation, Recovery, and Post-Mortem
Phase III tasks help return the company to normal operating status. They also allow for improvements to be made to security and incident response procedures to minimize the company’s risk going forward.
Table 3 below summarizes the tasks completed in Phase III.
Table 3: Phase III Tasks

Step 22: Analyze and Report
The Cyber Incident Recovery Report (IT.4201.4-MCW-FRM) is updated with the following information:
- A statement of the circumstances surrounding the incident
- A summary of the incident response activities and timeline
- Conclusions and supporting evidence
- Recommendations for short- and long-term mitigation

Step 23: Archive Evidence
All evidence is securely archived and stored. In most cases, at least the original evidence, one backup copy, and reports and supporting documentation are maintained until the incident is resolved. Special circumstances may dictate that some investigation material be destroyed. If this is necessary, secure disposal processes must be followed.

Step 24: Remediate
Short- and long-term remediation activities are implemented based on a risk-justified approach. Remediation activities may include, but are not limited to, policy updates, modifications to business partner processes, and upgrades to technical infrastructure.

Step 25: Analyze Incident Handling
Following the incident response or during implementation of remediation activities, an analysis is conducted to identify the strong and weak aspects of the response plan. Any insights discovered during this activity should be used to improve the overall quality and efficiency of this procedure and its accompanying documentation.
Staff should be trained to implement modified procedures as “lessons learned” justify.
HISTORY
Revised Date | Revised By | Revisions
2019-12 | Alexander Grube | Document Created
2020-04 | Alexander Grube | Document revised in accordance with notes from tabletop exercise
2020-09 | Alexander Grube | Document revised to update notification process and include playbook call-outs
2025-08 | Andrew Poskey | Moved to Fresh and updated formatting for publishing