Incident Response and Handling Steps

1. 14. Systems Recovery

1.1. The affected system is restored to normal operation

1.2. The effort required depends on the extent of the security breach

1.3. Two important steps

1.3.1. Determine the course of action

1.3.2. Monitor and validate the restored systems

2. 13. Eradication

2.1. Lists the countermeasures used to stop further damage

2.1.1. Countermeasures

2.1.1.1. Using or updating antivirus software

2.1.1.2. Installing latest patches

2.1.1.3. Policy compliance checks

2.1.1.4. Independent security audits

2.1.1.5. Hardening systems and networks

2.1.1.6. Vulnerability analysis

2.1.1.7. Changing all passwords

2.1.1.8. Restoring, reinstalling and rebuilding systems

2.1.1.9. 17. Review and update the security policies, plan and procedures

2.1.1.9.1. Discuss the incident response and handling steps with the team

2.1.1.9.2. Review the steps taken and identify how to prevent future incidents

2.1.1.10. Validating and tracking all corrective actions

2.1.1.11. Restoring from backup

2.2. Remove the root cause of the incident

3. 12. Notify External Agencies

3.1. Include

3.1.1. National and local law enforcement

3.2. External security agencies

3.3. Security experts and researchers

3.4. Antivirus vendor labs

4. 11. Evidence Protection

4.1. Needed to take legal action against the attackers

4.2. A well-documented chain of custody

4.3. Backups should be stored in a secure location

4.3.1. WH questions (who, what, when, where)

4.3.1.1. e.g. Who can access the backup

4.4. Verify the integrity of the evidence

4.4.1. e.g. hashes such as SHA-256 (MD5 is collision-prone and must not be the only hash recorded)

4.5. The original HDD can be used as forensic evidence; analysis should be done on a verified image so the original stays unaltered
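The hashing, chain-of-custody and re-verification steps above, as an added Python example that is not part of the original mind map. It hashes an evidence file once with both SHA-256 and MD5, stores the digests in a manifest together with who/when/where custody entries, and re-hashes the file later to prove it is unaltered. The file name `ws17-disk.dd`, the custodians and the locations are constructed for illustration.

```python
"""Added example, not from the original mind map: hashing evidence
files, recording a hash manifest, logging chain-of-custody events
(who / when / where) and re-verifying integrity later. All file
names, custodians and locations below are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read disk images in 1 MiB pieces


def hash_file(path, algorithms=("sha256", "md5")):
    """Digest one file with several algorithms in a single pass.
    SHA-256 is the integrity anchor; MD5 is kept only because some tools
    still expect it. MD5 collisions are practical, so never rely on it alone."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK_SIZE):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def custody_event(action, who, where, when=None):
    """One chain-of-custody entry answering the WH questions."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {"action": action, "who": who, "where": where, "when": when}


def acquire(manifest, path, custodian, location):
    """Register an evidence item: size, hashes and the first custody entry."""
    name = os.path.basename(path)
    manifest[name] = {
        "path": os.path.abspath(path),
        "size": os.path.getsize(path),
        "hashes": hash_file(path),
        "custody": [custody_event("acquired", custodian, location)],
    }
    return manifest[name]


def transfer(manifest, name, from_who, to_who, location):
    """Log a handover; the manifest is appended to at every transfer."""
    action = f"transferred from {from_who} to {to_who}"
    manifest[name]["custody"].append(custody_event(action, to_who, location))


def verify(manifest, name):
    """Re-hash the file with the recorded algorithms; True only if all match."""
    item = manifest[name]
    return hash_file(item["path"], tuple(item["hashes"])) == item["hashes"]


def demo():
    """Acquire a constructed image, hand it over, then show that a
    single-byte change to the original is caught by re-verification."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "ws17-disk.dd")
        with open(image, "wb") as fh:
            fh.write(b"constructed disk image contents " * 4096)
        manifest = {}
        acquire(manifest, image, "analyst.a", "lab bench 2")
        transfer(manifest, "ws17-disk.dd", "analyst.a", "evidence.locker", "safe 1")
        intact = verify(manifest, "ws17-disk.dd")
        with open(image, "r+b") as fh:  # simulate tampering with the original
            fh.seek(100)
            fh.write(b"X")
        tampered = verify(manifest, "ws17-disk.dd")
        return intact, tampered, len(manifest["ws17-disk.dd"]["custody"])


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

In practice the manifest itself is signed or stored write-once, otherwise whoever can alter the evidence can also alter the recorded digests.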

5. 8. Incident Investigation

5.1. Process for gathering and analyzing the evidence

5.1.1. WH Questions

5.2. Examine

5.2.1. The incident

5.2.2. Time of the incident

5.2.3. Perpetrator

5.2.4. Mitigation steps

5.2.5. Systems and networks

5.3. Two phases

5.3.1. 10. Forensic Analysis

5.3.1.1. Software analysis, keyword searches, recovery of deleted information

5.3.1.2. Determine

5.3.1.2.1. Victims and attackers

5.3.1.2.2. Kind of incident happened

5.3.1.2.3. When and where it occurred

5.3.1.2.4. How the events occurred

5.3.1.3. Photograph the evidence

5.3.1.3.1. e.g. asset identification, analysis location, arrival time...

5.3.2. 9. Data Collection

5.3.2.1. Gathering known facts and evidence

5.3.2.2. Basic areas of evidence

5.3.2.2.1. 1. Host-based

5.3.2.2.2. 2. Network-based

5.3.2.2.3. 3. Other evidence

6. 7. Incident Classification

6.1. Based on severity and potential targets

6.2. Classification steps

6.2.1. 1. Categorization

6.2.2. 2. Priority Level

6.2.2.1. Levels

6.2.2.1.1. High

6.2.2.1.2. Medium

6.2.2.1.3. Low

6.2.3. 3. Resource Allocation

6.3. Factors

6.3.1. Nature of the incident

6.3.2. Criticality of the systems

6.3.3. Number of systems impacted

6.3.4. Legal and regulatory requirements

7. 6. Formulating a Response Strategy

7.1. Depends on the incident situation

7.2. Goal

7.2.1. Determine the most appropriate response procedure

7.3. Factors

7.3.1. Political

7.3.2. Technical

7.3.3. Legal

7.3.4. Business

8. 15. Incident Documentation

8.1. Document all the activities

8.2. Provide

8.2.1. Description of the security breach

8.2.2. Details of the actions taken

8.3. Should be

8.3.1. Organized in sequential order

8.3.2. Verified for completeness

8.3.3. Vetted and examined

8.3.4. Concise and clear

8.3.5. Standard Format

8.3.6. Error-Free

9. 16. Incident Damage and Cost Assessment

9.1. Damage includes

9.1.1. The loss of information

9.1.2. Legal costs from investigating

9.1.3. Labor cost to analyze breaches

9.1.4. System downtime cost

9.1.5. Installation cost

9.1.6. Cost of repairing and possibly updating damaged systems

9.1.7. Loss of reputation or customer trust

10. 1. Identification

10.1. This phase is necessary to categorize and respond to the incident

10.2. System and network audit logs

10.3. Different ways an incident is identified

10.3.1. Alarms from IDS/IPS and firewalls

10.3.2. Antimalware solution alerts

10.3.3. Audit, System and Security Logs

10.3.4. Unexpected corruption or deletion of data

10.3.5. Unusual system crashes

10.3.6. Unusual or suspicious activities on the computers

10.3.7. Activity that violates the organization's security policy

10.3.8. Receiving phishing mail or website defacement

10.4. Involves

10.4.1. Validating an incident

10.4.2. Identifying

10.4.2.1. nature of the incident

10.4.2.2. protecting the evidence

10.4.3. Logging and making a report

10.5. Included

10.5.1. Audit log collection, examination and analysis

10.5.1.1. e.g. a SIEM or log collector

10.5.2. Incident reporting and assessment

10.5.2.1. e.g. date and time, system information and configuration

10.5.3. Collect and protect system information

10.5.3.1. e.g. interviews, forensic analysis and reports, backups

10.5.4. Incident severity Levels

10.5.4.1. Incident Investigation Coordinator

10.5.5. Other systems analysis

10.5.5.1. Systems that share

10.5.5.1.1. IP address

10.5.5.1.2. Network Segments

10.5.5.1.3. Network domain

10.5.5.1.4. Other critical systems

10.5.6. Assign members to incident task force

10.5.6.1. e.g. software engineers

10.5.6.2. division managers
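Identification from audit logs (10.3.3, 10.3.7 and 10.5.1) and the initial incident report (10.5.2.1), as an added Python example that is not part of the original mind map. Two rules run over constructed sshd log lines of the kind a SIEM collects: a burst of failed logins from one source followed by a successful login from the same source, and an interactive root login with a password, which is assumed here to violate the organization's policy. The hostnames, IP addresses, account names, the five-failure threshold, the five-minute window and the log year are all assumptions.

```python
"""Added example, not from the original mind map: two identification
rules over constructed sshd syslog lines. Hosts, addresses, users,
thresholds and the year (syslog timestamps carry none) are assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the traditional syslog format written by OpenSSH.
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:05 web01 sshd[4023]: Failed password for deploy from 203.0.113.7 port 51030 ssh2
Mar  3 02:14:07 web01 sshd[4023]: Failed password for deploy from 203.0.113.7 port 51031 ssh2
Mar  3 02:14:09 web01 sshd[4025]: Failed password for deploy from 203.0.113.7 port 51033 ssh2
Mar  3 02:14:12 web01 sshd[4025]: Accepted password for deploy from 203.0.113.7 port 51034 ssh2
Mar  3 02:20:44 web01 sshd[4101]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
Mar  3 02:31:09 web01 sshd[4210]: Failed password for bob from 192.0.2.55 port 40200 ssh2
Mar  3 02:31:30 web01 sshd[4211]: Accepted password for bob from 192.0.2.55 port 40201 ssh2
Mar  3 03:02:17 db02 sshd[998]: Accepted password for root from 198.51.100.9 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2024):
    """Turn matching lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({**m.groupdict(), "ts": ts})
    return events


def record(ev, description, severity, **extra):
    """Initial incident report fields: date/time, system, source, account."""
    return {
        "detected_at": ev["ts"].isoformat(sep=" "),
        "system": ev["host"],
        "source": ev["src"],
        "account": ev["user"],
        "description": description,
        "severity": severity,
        **extra,
    }


def detect(events, fail_threshold=5, window_seconds=300):
    """Rule 1: at least fail_threshold failures from one source within the
    window, then an accepted login from that source -> probable brute force.
    Rule 2: root login with a password -> assumed policy violation."""
    incidents = []
    failures = defaultdict(list)  # (host, src) -> timestamps of failures
    for ev in events:
        key = (ev["host"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= fail_threshold:
            incidents.append(record(ev, "brute-force login succeeded", "High",
                                    attempts=len(recent)))
        if ev["user"] == "root" and ev["method"] == "password":
            incidents.append(record(ev, "root password login (policy violation)", "Medium"))
    return incidents


if __name__ == "__main__":
    for incident in detect(parse(SAMPLE_LOG)):
        print(incident)
```

Each record already carries the fields the initial report asks for (date and time, system, source, account), so it can be logged as-is and handed to the investigation coordinator; the severity assigned here is a first guess that the classification step refines.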

11. 2. Recording

11.1. Accurately storing the details of the occurrence

11.2. Included

12. 3. Initial response

12.1. First step

12.1.1. Discussing with

12.1.1.1. System and network administrators

12.1.1.2. Business personnel

12.1.2. Examining

12.1.2.1. reports, logs, architecture, ACLs...

12.1.3. Should

12.1.3.1. Determine whether the incident is real or a false positive

12.1.3.2. Information gathering

12.1.3.3. Record your actions to document the attack

12.2. Involves

12.2.1. Initial Investigation

12.2.2. Storing the details of the incident

12.2.3. Creating the incident response team

12.2.4. Assessing the impact

12.2.5. Notifying individuals

12.3. Purpose

12.3.1. Document the steps to be followed in responding to an incident

13. 4. Communicating the incident

13.1. Report any suspected security breach

13.2. Discuss the breach with other members of the organization

13.3. Maintain appropriate controls and coordination

13.4. Discuss the incident with legal representatives before filing a lawsuit

13.5. Share lessons learned and use media to create awareness

14. 5. Containment

14.1. Techniques

14.1.1. Disabling of specific system services

14.1.2. Changing of passwords and disabling accounts

14.1.3. Backing up the infected system

14.1.4. Temporary shutdown of the infected system

14.1.5. System Restoration

14.1.6. Maintaining a low profile

14.2. Points for minimizing the risk

14.2.1. Providing security and safety to people

14.2.2. Protecting confidential and sensitive data

14.2.3. Safeguarding business, scientific and managerial information

14.2.4. Protecting hardware and software against future attacks

14.3. Goal

14.3.1. Reduce the potential effect or damage of the incident