Incident Response and Handling Steps


1. Step 1: Identification

1.1. This phase is necessary for categorizing the event and deciding how to respond

1.2. System and network audit logs

1.3. Ways an incident is detected

1.3.1. Alarms from IDS/IPS and firewalls

1.3.2. Anti-malware solution alerts

1.3.3. Audit, system and security logs

1.3.4. Unexpected corruption or deletion of data

1.3.5. Unusual system crashes

1.3.6. Unusual or suspicious activity on computers

1.3.7. Activity that violates the organization's security policy

1.3.8. Phishing e-mails received, or website defacement

1.4. Involves

1.4.1. Validating the incident

1.4.2. Identifying the nature of the incident and protecting the evidence

1.4.3. Logging and making a report

1.5. Includes

1.5.1. Audit log collection, examination and analysis, e.g. with a SIEM or log aggregator

1.5.2. Incident reporting and assessment, e.g. date and time, system information and configuration

1.5.3. Collecting and protecting system information, e.g. interviews, forensic analysis and reports, backups

1.5.4. Incident severity levels, assigned by the Incident Investigation Coordinator

1.5.5. Analysis of other systems: systems with similar IP addresses, network segments, network domains, other critical systems

1.5.6. Assigning members to the incident task force, e.g. software engineers, division managers
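The audit log examination listed under Identification, as an added example that is not part of the original mind map: a small SIEM-style correlation over sshd authentication lines that flags a password brute force from one source and escalates the finding when a later login from that same source succeeds, which is the point at which the event is validated as a real incident rather than noise. The log lines, host name and addresses are constructed (RFC 5737 documentation ranges), and because syslog timestamps carry no year one is assumed.

```python
"""Identification: SIEM-style detection over constructed SSH authentication logs.

Added example, not from the original mind map. The log lines, host name and
addresses are constructed; syslog lines carry no year, so one is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar  3 09:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 09:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar  3 09:14:05 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar  3 09:14:07 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar  3 09:14:09 web01 sshd[2216]: Failed password for deploy from 203.0.113.45 port 51026 ssh2
Mar  3 09:14:12 web01 sshd[2216]: Accepted password for deploy from 203.0.113.45 port 51027 ssh2
Mar  3 09:20:40 web01 sshd[2301]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 09:21:02 web01 sshd[2305]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_line(line, year=2024):
    """Parse one sshd auth line into a dict, or return None for lines we do not handle.
    `year` is an assumption: syslog timestamps omit it."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())           # collapse the double space in "Mar  3"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag each source IP with >= `threshold` failed logins inside `window`.

    Severity starts at 'medium'. If the same source later authenticates
    successfully, the finding is escalated to 'high': the account it logged
    into is the first candidate for containment (disable the account, rotate
    its password) and for evidence preservation.
    """
    events = [e for e in (parse_auth_line(l) for l in lines) if e]
    recent = defaultdict(list)      # ip -> [(ts, user)] failures inside the window
    findings = {}                   # ip -> finding, created when the threshold is first crossed
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e["ip"]
        if e["result"] == "Failed":
            q = recent[ip]
            q.append((e["ts"], e["user"]))
            while q and e["ts"] - q[0][0] > window:    # slide the window forward
                q.pop(0)
            if len(q) >= threshold and ip not in findings:
                findings[ip] = {
                    "ip": ip,
                    "host": e["host"],
                    "severity": "medium",
                    "failures": len(q),
                    "first_seen": q[0][0].isoformat(),
                    "last_seen": e["ts"].isoformat(),
                    "users_tried": sorted({u for _, u in q}),
                    "compromised_user": None,
                }
        elif e["result"] == "Accepted" and ip in findings:
            findings[ip]["severity"] = "high"
            findings[ip]["compromised_user"] = e["user"]
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity'].upper()}] {f['ip']} -> {f['host']}: {f['failures']} failures "
              f"({', '.join(f['users_tried'])}); compromised_user={f['compromised_user']}")
```

On the constructed input the single finding is the 203.0.113.45 source, escalated to high because the `deploy` account accepted a password after five failures; the lone failure from 198.51.100.7 followed by a key-based login never reaches the threshold. The threshold and window are tuning knobs, not fixed values: set them from the baseline of failed logins your own hosts see.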

2. Step 2: Recording

2.1. Accurately storing the details of the occurrence

2.2. Includes

3. Step 3: Initial response

3.1. First steps

3.1.1. Discussing with system and network administrators and business personnel

3.1.2. Examining reports, logs, architecture, ACLs...

3.1.3. Should: determine whether the incident is real or a false positive; gather information; record your actions to document the attack

3.2. Involves

3.2.1. Initial Investigation

3.2.2. Storing the details of the incident

3.2.3. Creating the incident response team

3.2.4. Assessing the impact

3.2.5. Notifying individuals

3.3. Purpose

3.3.1. Document the steps to be followed in responding to an incident

4. Step 4: Communicating the incident

4.1. Report any suspected security breach

4.2. Discuss the breach with other members of the organization

4.3. Maintain appropriate controls and coordination

4.4. Discuss the incident with a legal representative before filing a lawsuit

4.5. Lessons learned; use media to create awareness

5. Step 5: Containment

5.1. Techniques

5.1.1. Disabling of specific system services

5.1.2. Changing of passwords and disabling accounts

5.1.3. Backup of the infected system

5.1.4. Temporary shutdown of the infected system

5.1.5. System Restoration

5.1.6. Maintaining a low profile

5.2. Points for minimizing the risk

5.2.1. Providing safety and security to people

5.2.2. Protecting confidential and sensitive data

5.2.3. Safeguarding business, scientific and managerial information

5.2.4. Protecting hardware and software against future attacks

5.3. Goal

5.3.1. Reduce the potential effect or damage of the incident

6. Step 6: Formulating a Response Strategy

6.1. Depends on the incident situation

6.2. Goal

6.2.1. Determine the most appropriate response procedure

6.3. Factors

6.3.1. Political

6.3.2. Technical

6.3.3. Legal

6.3.4. Business

7. Step 7: Incident Classification

7.1. Based on their severity and potential targets

7.2. Steps to classification

7.2.1. 1. Categorization

7.2.2. 2. Priority level: High, Medium, Low

7.2.3. 3. Resource allocation

7.2.3. 3. Resource Allocation

7.3. Factors

7.3.1. Nature of the incident

7.3.2. Criticality of the systems

7.3.3. Number of systems impacted

7.3.4. Legal and regulatory requirements

8. Step 8: Incident Investigation

8.1. Process for gathering and analyzing the evidence

8.1.1. Answer the WH questions (who, what, when, where, why, how)

8.2. Examine

8.2.1. The incident

8.2.2. Time of the incident

8.2.3. Perpetrator

8.2.4. Mitigation steps

8.2.5. Systems and networks

8.3. Two phases

8.3.1. Step 9: Data Collection

8.3.1.1. Gathering known facts and evidence

8.3.1.2. Basic areas of evidence: 1. Host-based 2. Network-based 3. Other evidence

8.3.2. Step 10: Forensic Analysis

8.3.2.1. Software analysis, keyword searches, recovery of deleted information

8.3.2.2. Determine the victims and the attackers

8.3.2.3. What kind of incident happened

8.3.2.4. When and where it occurred

8.3.2.5. How the events occurred

8.3.2.6. Photograph the evidence, e.g. asset identification, analysis location, arrival time...

9. Step 11: Evidence Protection

9.1. Needed to take legal action against the attackers

9.2. A well-documented chain of custody

9.3. Backups should be stored in a secure location

9.3.1. WH questions, e.g. who can access the backup

9.4. Verify the integrity of the evidence

9.4.1. e.g. cryptographic hashes: SHA-256 (MD5 is no longer collision-resistant and should only supplement a stronger hash, never stand alone)

9.5. The original HDD is preserved as evidence; analysis is performed on a verified forensic image, not on the original
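The hash verification and chain of custody described in this step, as an added example that is not part of the original mind map: a custody log that records who handled an evidence file, when and where, together with its SHA-256 and MD5 digests computed in one streaming pass, and a verification step that compares the current SHA-256 against the acquisition entry. The case and evidence identifiers, handler names and locations are hypothetical, and the "disk image" is a constructed file written to a temporary directory so the example runs offline.

```python
"""Evidence protection: hash verification plus a chain-of-custody log.

Added example, not from the original mind map. Case and evidence identifiers,
handler names and locations are hypothetical; the 'image' is a constructed file.
"""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

# SHA-256 is the authoritative digest. MD5 is kept only to cross-check tools
# that still report it; it is not collision-resistant and proves nothing alone.
ALGORITHMS = ("sha256", "md5")


def _hash_stream(stream, algorithms=ALGORITHMS, chunk=1 << 20):
    """Hash a binary stream once, feeding each block to every digest (images are large)."""
    digests = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(chunk), b""):
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    return _hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as f:
        return _hash_stream(f, algorithms)


class ChainOfCustody:
    """Append-only custody log: who handled the evidence, when, where, and its hashes."""

    def __init__(self, case_id, evidence_id, description):
        self.case_id = case_id
        self.evidence_id = evidence_id
        self.description = description
        self.entries = []

    def record(self, path, action, handler, location, note=""):
        entry = {
            "seq": len(self.entries) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,           # acquired / transferred / analyzed / returned
            "handler": handler,
            "location": location,
            "note": note,
            **hash_file(path),          # digests taken at the moment of the handover
        }
        self.entries.append(entry)
        return entry

    def verify(self, path):
        """Compare the file's current SHA-256 with the acquisition (first) entry."""
        if not self.entries:
            raise ValueError("no acquisition entry recorded")
        expected = self.entries[0]["sha256"]
        actual = hash_file(path)["sha256"]
        return {"intact": actual == expected, "expected": expected, "actual": actual}

    def to_json(self):
        return json.dumps({"case_id": self.case_id, "evidence_id": self.evidence_id,
                           "description": self.description, "entries": self.entries}, indent=2)


def demo():
    """Acquire a constructed image, hand it over, verify, then show that a single
    changed byte breaks verification. Returns (intact_before, intact_after)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "web01-sda.dd")      # stands in for a disk image
        with open(image, "wb") as f:
            f.write(b"constructed evidence bytes\n" * 4096)
        coc = ChainOfCustody("IR-2024-017", "EV-01", "web01 system disk image (constructed)")
        coc.record(image, "acquired", "analyst A", "evidence safe 3",
                   note="imaged through a write-blocker (assumed)")
        coc.record(image, "transferred", "analyst B", "forensic workstation 2")
        before = coc.verify(image)["intact"]
        with open(image, "r+b") as f:                       # simulate tampering
            f.seek(100)
            f.write(b"X")
        after = coc.verify(image)["intact"]
        return before, after


if __name__ == "__main__":
    print(demo())
```

Every handover gets its own entry with fresh digests, so a mismatch can be located to the handler in whose custody it appeared. In practice the acquisition hash is also written on the evidence label and in the paper log, and the working copy that analysts open is a verified image, never the original drive.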

10. Step 12: Notify External Agencies

10.1. Includes

10.1.1. National and local law enforcement

10.2. External security agencies

10.3. Security experts and researchers

10.4. Antivirus vendor labs

11. Step 13: Eradication

11.1. Lists countermeasures to thwart further damage

11.1.1. Countermeasures

11.1.1.1. Using or updating antivirus software

11.1.1.2. Installing the latest patches

11.1.1.3. Policy compliance checks

11.1.1.4. Independent security audits

11.1.1.5. Hardening of systems and networks

11.1.1.6. Vulnerability analysis

11.1.1.7. Changing all passwords

11.1.1.8. Restoring, reinstalling and rebuilding systems

11.1.1.9. Restoring from backup

11.2. Remove the root cause of the incident

11.3. Step 17: Review and update the security policies, plan and procedures (placed under Eradication in the source map)

11.3.1. Discuss the incident response and handling steps with your team members

11.3.2. Review the steps to prevent future incidents

11.3.3. Validate and track all corrective actions

12. Step 14: Systems Recovery

12.1. Systems are restored to normal operation

12.2. Depends on the extent of the security breach

12.3. Two important steps

12.3.1. Determine the course of action

12.3.2. Monitor and validate the systems

13. Step 15: Incident Documentation

13.1. Document all the activities

13.2. Provide

13.2.1. Description of the security breach

13.2.2. Details of the actions taken

13.3. should

13.3.1. Organized in sequential order

13.3.2. Verified for completeness

13.3.3. Vetted and examined

13.3.4. Concise and clear

13.3.5. Standard Format

13.3.6. Error-Free
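The requirements of this step (sequential order, completeness, standard format) and the Recording step earlier, as one added example that is not part of the original mind map: an incident record whose timeline entries can be captured in any order as the work happens, are normalized to UTC, checked for missing header fields, invalid priority, duplicates and entries that predate detection, and only then emitted as a chronologically sorted, fixed-format report. The incident identifier, people and timeline events are constructed.

```python
"""Incident documentation: a standard-format incident record whose timeline is kept
in sequential order and checked for completeness before a report is produced.

Added example, not from the original mind map. Incident identifier, names and
timeline entries are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

REQUIRED_FIELDS = ("incident_id", "title", "severity", "detected_at", "reporter", "description")
PRIORITY_LEVELS = ("High", "Medium", "Low")    # the levels from the classification step


@dataclass
class TimelineEntry:
    time: datetime          # always stored in UTC
    actor: str
    action: str
    evidence_ref: str = ""  # e.g. a chain-of-custody evidence id


@dataclass
class IncidentRecord:
    incident_id: str
    title: str
    severity: str
    detected_at: datetime
    reporter: str
    description: str
    entries: list = field(default_factory=list)

    def add_entry(self, time_iso, actor, action, evidence_ref=""):
        """Entries may be added in any order; timestamps must carry a timezone."""
        t = datetime.fromisoformat(time_iso)
        if t.tzinfo is None:
            raise ValueError(f"timestamp without timezone: {time_iso}")
        self.entries.append(TimelineEntry(t.astimezone(timezone.utc), actor, action, evidence_ref))

    def problems(self):
        """Completeness and consistency checks; an empty list means the record is ready."""
        issues = []
        for name in REQUIRED_FIELDS:
            if not str(getattr(self, name) or "").strip():
                issues.append(f"missing field: {name}")
        if self.severity not in PRIORITY_LEVELS:
            issues.append(f"severity must be one of {PRIORITY_LEVELS}, got {self.severity!r}")
        if not self.entries:
            issues.append("no timeline entries")
        seen = set()
        for e in self.entries:
            if not e.action.strip():
                issues.append(f"empty action at {e.time.isoformat()}")
            if e.time < self.detected_at:
                issues.append(f"entry precedes detection time: {e.action!r}")
            key = (e.time, e.actor, e.action)
            if key in seen:
                issues.append(f"duplicate entry: {e.action!r}")
            seen.add(key)
        return issues

    def report_dict(self):
        """Standard format: header fields plus the timeline sorted chronologically."""
        issues = self.problems()
        if issues:
            raise ValueError("record incomplete: " + "; ".join(issues))
        ordered = sorted(self.entries, key=lambda e: e.time)
        return {
            "incident_id": self.incident_id,
            "title": self.title,
            "severity": self.severity,
            "detected_at_utc": self.detected_at.astimezone(timezone.utc).isoformat(),
            "reporter": self.reporter,
            "description": self.description,
            "timeline": [
                {"seq": i, "time_utc": e.time.isoformat(), "actor": e.actor,
                 "action": e.action, "evidence_ref": e.evidence_ref}
                for i, e in enumerate(ordered, start=1)
            ],
        }

    def report_json(self):
        return json.dumps(self.report_dict(), indent=2)


def sample_record():
    """Constructed incident; entries are deliberately added out of order and in mixed zones."""
    rec = IncidentRecord(
        incident_id="IR-2024-017", title="SSH brute force and successful login on web01",
        severity="High", detected_at=datetime(2024, 3, 3, 9, 14, 12, tzinfo=timezone.utc),
        reporter="SOC analyst A",
        description="Five failed logins followed by a successful login as 'deploy'.")
    rec.add_entry("2024-03-03T09:40:00+00:00", "analyst B", "Disk image of web01 acquired", "EV-01")
    rec.add_entry("2024-03-03T09:14:12+00:00", "SIEM", "Alert: brute force followed by accepted login")
    rec.add_entry("2024-03-03T11:22:00+02:00", "analyst A", "Account 'deploy' disabled, password reset")
    rec.add_entry("2024-03-03T09:30:00+00:00", "analyst A", "web01 isolated from the network")
    return rec


if __name__ == "__main__":
    print(sample_record().report_json())
```

Refusing to emit a report while `problems()` is non-empty is what makes the "verified for completeness" requirement enforceable rather than aspirational; the same checks can run in a CI job over the incident records folder. Timezones are normalized at entry time because a timeline mixing local and UTC stamps is the most common way an otherwise careful record ends up out of order.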

14. Step 16: Incident Damage and Cost Assessment

14.1. Damage includes

14.1.1. The loss of information

14.1.2. Legal costs from investigating

14.1.3. Labor cost to analyze breaches

14.1.4. System downtime cost

14.1.5. Installation cost

14.1.6. Cost of repairing and possibly updating damaged systems

14.1.7. Reputation or customer trust