Incident Response and Handling Steps

Mind map: Incident Response and Handling Steps

1. Identification

1.1. This phase is necessary for categorizing the incident and responding to it

1.2. System and network audit logs

1.3. Different ways

1.3.1. Alarms from IDS/IPS and firewalls

1.3.2. Antimalware solution

1.3.3. Audit, System and Security Logs

1.3.4. Unexpected corruption or deletion of data

1.3.5. Unusual system crashes

1.3.6. Unusual or suspicious activities on the computers

1.3.7. Violations of the organization's security policy

1.3.8. Receiving phishing emails, or website defacement

1.4. Involves

1.4.1. Validating an incident

1.4.2. Identifying

1.4.2.1. the nature of the incident

1.4.2.2. protecting the evidence

1.4.3. Logging and making a report

1.5. Included

1.5.1. Audit log collection, examination and analysis

1.5.1.1. e.g. a SIEM or logger

1.5.2. Incident reporting and assessment

1.5.2.1. e.g. date and time, system information and configuration

1.5.3. Collect and protect system information

1.5.3.1. e.g. interviews, forensic analysis and reports, backups

1.5.4. Incident severity levels

1.5.4.1. Incident Investigation Coordinator

1.5.5. Analysis of other systems

1.5.5.1. Systems with similar

1.5.5.1.1. IP address

1.5.5.1.2. Network Segments

1.5.5.1.3. Network domain

1.5.5.1.4. Other critical systems

1.5.6. Assign members to incident task force

1.5.6.1. e.g. software engineers

1.5.6.2. division managers

2. Recording

2.1. Accurately storing the details of the occurrence

2.2. Included

3. Initial response

3.1. First step

3.1.1. Discussing with

3.1.1.1. System and network administrators

3.1.1.2. Business personnel

3.1.2. Examining

3.1.2.1. reports, logs, architecture, ACLs...

3.1.3. Should

3.1.3.1. Identify whether the incident is real or a false positive

3.1.3.2. Information gathering

3.1.3.3. Record your actions to document the attack

3.2. Involves

3.2.1. Initial Investigation

3.2.2. Storing the details of the incident

3.2.3. Creating the incident response team

3.2.4. Assessing the impact

3.2.5. Notifying individuals

3.3. Purpose

3.3.1. Document the steps to be followed in responding to an incident

4. Communicating the incident

4.1. Communicate any suspected security breach

4.2. Discuss the breach with other members of the organization

4.3. Maintain appropriate controls and coordination

4.4. Discuss the incident with a legal representative in order to file a lawsuit

4.5. Lessons learnt, and use of the media to create awareness

5. Containment

5.1. Techniques

5.1.1. Disabling of specific system services

5.1.2. Changing of passwords and disabling accounts

5.1.3. Backup of the infected system

5.1.4. Temporary shutdown of the infected system

5.1.5. System Restoration

5.1.6. Maintaining a low profile

5.2. Points for minimizing the risk

5.2.1. Providing security and safety to people

5.2.2. Protecting confidential and sensitive data

5.2.3. Safeguarding business, scientific and managerial information

5.2.4. Protecting hardware and software against future attacks

5.3. Goal or aim

5.3.1. Reduce the potential effect or damage of the incident

6. Formulating a Response Strategy

6.1. Depends on the incident situation

6.2. Goal

6.2.1. Examine the most appropriate response procedure

6.3. Factors

6.3.1. Political

6.3.2. Technical

6.3.3. Legal

6.3.4. Business

7. Incident Classification

7.1. Based on their severity and potential targets

7.2. Steps to classification

7.2.1. 1. Categorization

7.2.2. 2. Priority Level

7.2.2.1. Levels

7.2.2.1.1. High

7.2.2.1.2. Medium

7.2.2.1.3. Low

7.2.3. 3. Resource Allocation

7.3. Factors

7.3.1. Nature of the incident

7.3.2. Criticality of the systems

7.3.3. Number of systems impacted

7.3.4. Legal and regulatory

8. Incident Investigation

8.1. Process for gathering and analysing the evidence

8.1.1. WH questions (who, what, when, where, why, how)

8.2. Examine

8.2.1. The incident

8.2.2. Time of the incident

8.2.3. Perpetrator

8.2.4. Mitigation steps

8.2.5. Systems and networks

8.3. Two phases

8.3.1. Data Collection (step 9)

8.3.1.1. Gathering known facts and evidence

8.3.1.2. Basic areas of evidence

8.3.1.2.1. 1. Host-based

8.3.1.2.2. 2. Network-based

8.3.1.2.3. 3. Other evidence

8.3.2. Forensic Analysis (step 10)

8.3.2.1. Software analysis, keyword searches, deleted information

8.3.2.2. Determine

8.3.2.2.1. Victims and attackers

8.3.2.2.2. Kind of incident that happened

8.3.2.2.3. When and where it occurred

8.3.2.2.4. How the events occurred

8.3.2.3. Photograph the evidence

8.3.2.3.1. e.g. asset identification, analysis location, arrival time...

9. Evidence Protection (step 11)

9.1. Needed to take legal action against the attackers

9.2. A well-documented chain of custody

9.3. Backups should be stored in a secure location

9.3.1. WH Questions

9.3.1.1. e.g. who can access the backup

9.4. Verify integrity of the evidence

9.4.1. e.g. hashes: SHA-256, MD5...

9.5. The original HDD can be used as forensic evidence
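An added example (not part of the mind map) of what 9.2 and 9.4 look like in practice: the collected evidence image is hashed once with SHA-256 and MD5, every handover is written to an append-only chain-of-custody log, and the hashes are re-checked at each handover so a modified copy is flagged rather than silently accepted. Evidence bytes, handler names and locations are constructed sample values.

```python
# Added example, not part of the original mind map: SHA-256/MD5 integrity
# check plus a chain-of-custody log re-verified at every evidence handover.
import hashlib
import hmac
from datetime import datetime, timezone


def hash_evidence(data: bytes) -> dict:
    """Digest an evidence image with both algorithms named on the page."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def verify_evidence(data: bytes, recorded: dict) -> bool:
    """True only if every recorded digest still matches the data."""
    current = hash_evidence(data)
    # compare_digest avoids timing leaks; all recorded algorithms must match
    return all(hmac.compare_digest(current[algo], digest)
               for algo, digest in recorded.items())


class ChainOfCustody:
    """Append-only record of who handled the evidence, when, where and why."""
    def __init__(self, evidence_id: str, collector: str, data: bytes, location: str):
        self.evidence_id = evidence_id
        self.digests = hash_evidence(data)      # recorded once, at collection time
        self.entries = []
        self._log(collector, "collected", location, verified=True)

    def _log(self, handler, action, location, verified):
        self.entries.append({"time": datetime.now(timezone.utc).isoformat(),
                             "handler": handler, "action": action,
                             "location": location, "hash_verified": verified})

    def transfer(self, handler: str, data: bytes, location: str) -> bool:
        """Re-hash at handover; a mismatch is logged, never silently accepted."""
        ok = verify_evidence(data, self.digests)
        self._log(handler, "received" if ok else "received-HASH-MISMATCH",
                  location, verified=ok)
        return ok


# Constructed sample bytes standing in for a disk image (hypothetical values)
ORIGINAL_IMAGE = b"constructed evidence image bytes 0001"
ALTERED_IMAGE = b"constructed evidence image bytes 0002"   # one byte changed


def demo() -> tuple:
    """Returns (intact handover ok, altered copy ok, number of custody entries)."""
    coc = ChainOfCustody("EV-0001", "analyst-a", ORIGINAL_IMAGE, "evidence safe 1")
    ok_intact = coc.transfer("analyst-b", ORIGINAL_IMAGE, "forensic lab")
    ok_altered = coc.transfer("analyst-c", ALTERED_IMAGE, "forensic lab")
    return ok_intact, ok_altered, len(coc.entries)
```

Each custody entry answers the WH questions from 9.3.1 (who handled it, when, where), and the mismatch entry is what an examiner would look for before relying on a backup copy.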

10. Notify External Agencies (step 12)

10.1. Include

10.1.1. National and local law enforcement

10.2. External security agencies

10.3. Security experts and researchers

10.4. Virus experts and labs

11. Eradication (step 13)

11.1. It lists countermeasures to thwart damage

11.1.1. Countermeasures

11.1.1.1. Using or updating antivirus software

11.1.1.2. Installing latest patches

11.1.1.3. Policy compliance checks

11.1.1.4. Independent security audits

11.1.1.5. Hardening of systems or networks

11.1.1.6. Vulnerability analysis

11.1.1.7. Changing all passwords

11.1.1.8. Restoring, reinstalling and rebuilding systems

11.1.1.9. Review and update the security policies, plan and procedures (step 17)

11.1.1.9.1. Discuss the incident response and handling steps with your team members

11.1.1.9.2. Review steps to prevent future incidents

11.1.1.10. Validating and tracking all corrective actions

11.1.1.11. Restoring backups

11.2. Remove the root cause of the incident

12. Systems Recovery (step 14)

12.1. Systems are restored to normal operation

12.2. Depends on the extent of the security breach

12.3. Two important steps

12.3.1. Determine the course of action

12.3.2. Monitor and validate the systems

13. Incident Documentation (step 15)

13.1. Document all the activities

13.2. Provide

13.2.1. Description of the security breach

13.2.2. Details of the actions taken

13.3. Should be

13.3.1. Organized in sequential order

13.3.2. Verified for completeness

13.3.3. Vetted and examined

13.3.4. Concise and clear

13.3.5. Standard Format

13.3.6. Error-Free

14. Incident Damage and Cost Assessment (step 16)

14.1. Damage includes

14.1.1. The loss of information

14.1.2. Legal costs from investigating

14.1.3. Labor cost to analyze breaches

14.1.4. System downtime cost

14.1.5. Installation cost

14.1.6. Cost for repairing and possibly updating damaged

14.1.7. Reputation or customer trust