Incident Response and Handling Steps


1. 6. Formulating a Response Strategy

1.1. Depends on the incident situation

1.2. Goal

1.2.1. Examine the most appropriate response procedure

1.3. Factors

1.3.1. Political

1.3.2. Technical

1.3.3. Legal

1.3.4. Business

2. 7. Incident Classification

2.1. Based on their severity and potential targets

2.2. Steps to classification

2.2.1. 1. Categorization

2.2.2. 2. Priority Level. Levels: High, Medium, Low

2.2.3. 3. Resource Allocation

2.3. Factors

2.3.1. Nature of the incident

2.3.2. Criticality of the systems

2.3.3. Number of systems impacted

2.3.4. Legal and regulatory

3. 8. Incident Investigation

3.1. Process for gathering and analysis of the evidence

3.1.1. WH Questions

3.2. Examine

3.2.1. The incident

3.2.2. Time of the incident

3.2.3. Perpetrator

3.2.4. Mitigation steps

3.2.5. Systems and networks

3.3. Two phases

3.3.1. 10. Forensic Analysis: software analysis, keyword searches, deleted information; determine victims and attackers, kind of incident that happened, when and where it occurred, how the events occurred; photograph the evidence, e.g. asset identification, analysis location, arrival time...

3.3.2. 9. Data Collection: gathering known facts and evidence. Basic areas of evidence: 1. Host-based, 2. Network-based, 3. Other evidence

4. 11. Evidence Protection

4.1. To take legal actions against the attackers

4.2. A well documented chain of custody

4.3. Backups should be stored in a secure location

4.3.1. WH questions, e.g. who can access the backup

4.4. Verify integrity of the evidence

4.4.1. E.g. hash: SHA256, MD5...

4.5. The original HDD can be used as forensic evidence

5. 12. Notify External Agencies

5.1. Include

5.1.1. National and local law enforcement

5.2. external security agencies

5.3. Security experts and researchers

5.4. Virus experts Lab

6. 13. Eradication

6.1. Lists countermeasures to thwart damage

6.1.1. Countermeasures: using or updating antivirus software; installing latest patches; policy compliance checks; independent security audits; hardening of systems or networks; vulnerability analysis; changing all passwords; restoring, reinstalling and rebuilding systems; 17. Review and update the security policies, plan and procedures; discuss the incident response and handling steps with your team members; review steps to prevent future incidents; validating and tracking all corrective actions; restoring backup

6.2. Remove the root cause of the incident

7. 14. Systems Recovery

7.1. Restored to its normal operations

7.2. depends on the extent of the security breach

7.3. Two important steps

7.3.1. Determine the course of action

7.3.2. Monitor and validate the systems

8. 1. Identification

8.1. This phase is necessary for categorizing and responding

8.2. System and network audit logs

8.3. Different ways

8.3.1. The alarms of IDS/IPS and Firewalls

8.3.2. Antimalware solution

8.3.3. Audit, System and Security Logs

8.3.4. Unexpected corruption or deletion of data

8.3.5. Unusual system crashes

8.3.6. Unusual or suspicious activities on the computers

8.3.7. Violates the organization's security policy

8.3.8. Receiving phishing mails or defacement

8.4. Involves

8.4.1. Validating an incident

8.4.2. Identifying the nature of the incident and protecting the evidence

8.4.3. Logging and making a report

8.5. Included

8.5.1. Audit log collection, examination and analysis, e.g. SIEM or Logger

8.5.2. Incident reporting and assessment, e.g. date and time, system information and configuration

8.5.3. Collect and protect system information, e.g. interviews, forensic analysis and reports, backups

8.5.4. Incident severity: levels, incident investigation coordinator

8.5.5. Other systems analysis: systems with similar IP address, network segments, network domain, other critical systems

8.5.6. Assign members to incident task force, e.g. software engineers, division managers

9. 2. Recording

9.1. Accurately storing the details of occurrence

9.2. Included

10. 3. Initial response

10.1. First step

10.1.1. Discussing: system and network administrator, business personnel

10.1.2. Examining reports, logs, architecture, ACLs...

10.1.3. Should: identify whether the incident is true or false; information gathering; record your actions for documenting the attack

10.2. Involves

10.2.1. Initial Investigation

10.2.2. Storing the details of the incident

10.2.3. Create incident response team

10.2.4. Assessing the impact

10.2.5. Notifying individuals

10.3. Purpose

10.3.1. Document steps to be followed in responding to an incident

11. 4. Communicating the incident

11.1. Communicate suspicion of any security breach

11.2. Discuss the breach with other members of the organization

11.3. Maintain appropriate controls and coordination

11.4. Discuss the incident with a legal representative to file a lawsuit

11.5. Lessons learnt and media to create awareness

12. 5. Containment

12.1. Techniques

12.1.1. Disabling of specific system services

12.1.2. Changing of passwords and disabling accounts

12.1.3. Backup of the infected system

12.1.4. Temporary shutdown of the infected system

12.1.5. System Restoration

12.1.6. Maintaining a low profile

12.2. Points for minimizing the risk

12.2.1. Providing security and safety to humans

12.2.2. Protecting confidential and sensitive data

12.2.3. Safeguarding business, scientific and managerial information

12.2.4. Protecting HW and SW against future attacks

12.3. Goal or aim

12.3.1. Reduce the potential effect or damage of the incident

13. 15. Incident Documentation

13.1. Document all the activities

13.2. Provide

13.2.1. Description of the security breach

13.2.2. Details of the actions that took place

13.3. Should be

13.3.1. Organized in a sequential order

13.3.2. Verified for completeness

13.3.3. Vetted and examined

13.3.4. Concise and clear

13.3.5. Standard Format

13.3.6. Error-Free

14. 16. Incident Damage and Cost Assessment

14.1. Damage includes

14.1.1. The loss of information

14.1.2. Legal costs from investigating

14.1.3. Labor cost to analyze breaches

14.1.4. System downtime cost

14.1.5. Installation cost

14.1.6. Cost for repairing and possibly updating damaged

14.1.7. Reputation or customer trust