Incident Response/Handling

  • Incident handling is an action plan for dealing with the misuse of computer systems or networks, such as:
    • Intrusion
    • Malicious Code
    • Cyber theft
    • Denial of Service
  • Have written procedures and policy in place so you know what to do when an incident occurs
  • An incident is an adverse event in an information system or network (e.g. unauthorized use of an account or of system privilege)
  • An event is an observable occurrence in a system or network (system boot, traffic, etc.)
  • NIST Computer Security Incident Handling Guide (SP 800-62)
    • Preparation
    • Detection and Analysis
    • Containment/Eradication/Recovery
    • Post-Incident Activity

Popular Incident Response (IR) Phases

  • Preparation
    • Develop IR Plan, Policy and Procedures
    • Train staff on their incident response responsibilities
    • Test your IR Plan
  • Identification
    • Monitor for abnormal events and identify incidents thoroughly, following the IR process
  • Containment
    • Prevent the attacker from getting any deeper; disconnect or isolate the system
    • Categorize the incident (internal hacking, external hacking, malware, etc.) and identify its sensitivity (critical or sensitive)
    • Inform management; notify the appropriate officials (business unit, security officer)
  • Eradication
    • Determine cause and symptoms of the incident
    • Get rid of the malicious code, unauthorized account, or bad employee that caused the incident
    • Apply patches and fixes to vulnerabilities found
  • Recovery
    • Test and validate the impacted system
    • Put the system back into production and monitor for re-compromise

Lessons Learned

Create a report detailing what happened, why it happened, what could have prevented it, and what you’ll be doing to prevent it from happening again. Meet with management to go over the report and get buy-in for the changes needed to prevent similar incidents in the future.