5.4 Incident Response

Security Event vs Security Incident
1. Security Event
  1. Any event that could have potential InfoSec implications.
  2. Example:
    1. A spam email is a security event because it may contain links to malware.
  3. Organizations may witness thousands of identifiable security events daily.
2. Security Incident
  1. A security event that could potentially require an investigation from the organization's incident response team.
Incident Response
1. A set of procedures that an investigator follows when examining a computer security incident.
2. Incident Management
  1. The monitoring and detection of security events on a computer network and the execution of proper responses to those security events.
Incident Response Process
1. Preparation
  1. An organization with a well-planned incident response procedure, a strong security posture, and a knowledgeable chief information security officer (CISO) will be able to limit damage:
    1. Quickly discovering the breach
    2. Having an internal response team ready to take action
    3. Quickly obtaining forensics data
    4. Beginning an incident response plan
2. Identification
  1. The recognition of whether an event that occurs should be classified as an incident.
  2. Once identified, you might be required to make contact with other groups or escalate the problem if necessary.
3. Containment
  1. Isolating the problem
  2. This phase might also include evidence gathering, and further investigation
4. Eradication
  1. Removal of the attack or threat
5. Recovery
  1. Retrieve data, repair systems, re-enable servers and networks.
6. Lessons Learned
  1. Document the process and make any changes to procedures and processes that are necessary for the future.
  2. Damage and loss should be calculated and that information should be shared with the accounting department of the organization.
  3. The affected systems should be monitored for any repercussions.