incident response handling
Role-based responsibility
Roles with defined responsibilities outside the technical team:
- Legal
- HR
- Marketing
Triage
A method of prioritizing incidents for treatment according to factors such as:
- data integrity
- downtime
- economic/publicity impact
- scope
- detection time
- recovery time
Containment Phase
Often the hardest and most important decision made during an incident. Decision points for containment include:
- What is the scope of the incident?
- What type of device is affected?
- What is the network reachability of the affected device?
- How quickly can the incident response team put containment in place?
- How quickly is containment needed?
- Does the incident require escalation or reporting?
NIST Special Publication 800-61, the Computer Security Incident Handling Guide, identifies the following stages in the incident response lifecycle.
Incident response phases:
- preparation
- detection and analysis (identification)
- containment, eradication, and recovery
- post-incident activity
downtime
The period during which a system is unavailable, and the cost that this unavailability imposes on the organization.
Incident Response Plan
The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of a malicious cyber attack against an organization's information system(s).
post-incident activity
Analyzing the incident and the response to it to identify whether procedures or systems could be improved, and ensuring the findings are documented ("lessons learned").
Cyber Incident Response Team(CIRT/CSIRT)
The team of incident response personnel, equipped with appropriate detection and analysis software, that handles reported incidents.
incident management or incident response procedures
The actions and guidelines for dealing with security incidents. An incident is an event in which security is breached or a breach is attempted: "the act of violating an explicit or implied security policy".
economic/publicity
The financial and reputational cost of the incident; both loss of data integrity and downtime affect the organization's finances and its public image (marketing).
scope
Broadly, the number of systems affected.
identification/ detection and analysis
Determine whether an incident has taken place and establish its scope and severity. Notify the organization.
analysis and incident identification phase
Classify and prioritize incidents, and screen out false positives.
Eradication and recovery
- investigation: determine the cause
- containment: ensure that valuable systems or data are not at risk
- hot swap: switch to a backup system
- prevention: countermeasures to end the incident (these may delete evidence, so preserve forensic copies first)
Containment, eradication, and recovery
Limiting the scope and impact of the incident. The cause can then be removed and the system brought back to a secure state.
preparation
Making the system resilient to attack in the first place. Includes hardening, policies, and procedures.
first responder
The member of the CIRT who takes charge of a reported incident.
recovery time
Some incidents require lengthy remediation because the required system changes are complex to implement. During this period the team should remain on heightened alert for continued or renewed attacks.
detection time
The time between an intrusion and its discovery. Long detection times demonstrate that the systems used to search for intrusions must be thorough and that the response to detections must be fast.
data integrity
The most important factor in prioritizing incidents will often be the value of the data that is at risk.
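Triage, as these notes describe it, weighs several factors against each other. The Python below is an added example, not part of the original notes, showing one way to turn those factors (data integrity, downtime, economic/publicity impact, scope, detection time, recovery time) into a repeatable priority score. The weights, the saturation ceilings on each scale, and the three sample incidents are assumptions made for illustration.

```python
# Added example, not part of the original notes: a small triage scorer that
# ranks incidents by the factors the notes list. The weights, the 0..1 scales
# and the sample incidents are constructed assumptions, not organisational data.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed data-classification ladder: higher means more valuable data at risk.
DATA_VALUE = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}

# Assumed weights; a real triage procedure would set these per organisation.
WEIGHTS = {
    "data_integrity": 0.30,
    "downtime": 0.20,
    "economic_publicity": 0.15,
    "scope": 0.15,
    "detection_time": 0.10,
    "recovery_time": 0.10,
}


@dataclass(frozen=True)
class Incident:
    ident: str
    data_class: str                # most sensitive class of data on affected systems
    systems_affected: int          # scope
    downtime_cost_per_hour: float  # economic cost while the system is unavailable
    public_facing: bool            # whether the outage/breach is visible to the public
    compromised_at: datetime       # best estimate of initial compromise
    detected_at: datetime
    est_recovery: timedelta        # expected remediation effort

    def detection_time(self) -> timedelta:
        """Dwell time between compromise and detection."""
        return self.detected_at - self.compromised_at


def _clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def factor_scores(inc: Incident) -> dict:
    """Map each triage factor onto a 0..1 scale (assumed ceilings in comments)."""
    return {
        "data_integrity": DATA_VALUE[inc.data_class] / max(DATA_VALUE.values()),
        "downtime": _clamp01(inc.downtime_cost_per_hour / 10_000),   # 10k/h saturates
        "economic_publicity": 1.0 if inc.public_facing else 0.3,
        "scope": _clamp01(inc.systems_affected / 50),                 # 50 systems saturates
        "detection_time": _clamp01(inc.detection_time() / timedelta(days=30)),
        "recovery_time": _clamp01(inc.est_recovery / timedelta(days=14)),
    }


def triage_score(inc: Incident) -> float:
    """Weighted sum of the factor scores; higher means treat first."""
    scores = factor_scores(inc)
    return round(sum(WEIGHTS[k] * scores[k] for k in WEIGHTS), 3)


def prioritize(incidents):
    """Return the incidents ordered by descending triage score."""
    return sorted(incidents, key=triage_score, reverse=True)


T0 = datetime(2024, 3, 1, 9, 0)

# Constructed sample incidents (not real cases).
SAMPLE_INCIDENTS = [
    Incident("INC-1", "internal", 1, 50.0, False,
             T0, T0 + timedelta(hours=2), timedelta(hours=4)),      # one infected laptop
    Incident("INC-2", "public", 1, 2000.0, True,
             T0, T0 + timedelta(days=1), timedelta(days=1)),        # defaced web server
    Incident("INC-3", "regulated", 20, 5000.0, False,
             T0 - timedelta(days=45), T0, timedelta(days=10)),      # long-dwell DB intrusion
]

if __name__ == "__main__":
    for inc in prioritize(SAMPLE_INCIDENTS):
        print(inc.ident, triage_score(inc), factor_scores(inc))
```

Data integrity carries the largest weight, matching the notes' point that the value of the data at risk is usually decisive: the quiet intrusion into regulated data (INC-3) outranks the highly visible but low-value defacement (INC-2), even though the latter has the stronger publicity component. Detection time saturates at 30 days, so a 45-day dwell scores the maximum on that factor.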
identification phase
The process of collating events and determining whether any of them should be managed as incidents. Precursors are events that make an incident more likely to happen.