Security incident response processes
Preparation

In the preparation phase we are looking at processes that need to be in place before we can properly deal with a security incident. The first of these is the process of asset discovery. In an ideal world, our information technology service management (ITSM) system (which we will talk about later) has enumerated and recorded all the configuration items in the system, and the discovery phase is merely extracting the relevant information from the configuration management database (CMDB). Often, however, it is useful to undertake our own discovery processes (which may be informed by the CMDB) to ensure that we have the necessary information in a form that is usable by the SOC. It also needs to be kept up to date, and it is common to undertake detailed scans of the infrastructure at regular intervals to detect any changes. Also in the preparation phase is the creation of appropriate policies and procedures which will help guide our activities in the later stages.
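As an added example (not part of the course material), the following script shows one way a SOC can reconcile a CMDB export against a scheduled discovery scan, flagging hosts the CMDB does not know about, recorded hosts that no longer answer, and known hosts whose exposed services have drifted from their record. The CMDB export, the scan result and the function names are all constructed for illustration.

```python
"""Reconcile a CMDB export against a fresh discovery scan (illustrative helper)."""

# Constructed sample: configuration items as recorded in the CMDB.
CMDB_EXPORT = [
    {"hostname": "web-01", "ip": "10.0.1.10", "services": ["22/tcp", "443/tcp"], "owner": "web-team"},
    {"hostname": "db-01", "ip": "10.0.2.20", "services": ["22/tcp", "5432/tcp"], "owner": "data-team"},
    {"hostname": "old-app", "ip": "10.0.3.30", "services": ["22/tcp"], "owner": "app-team"},
]

# Constructed sample: what a scheduled network scan actually observed.
SCAN_RESULT = [
    {"ip": "10.0.1.10", "services": ["22/tcp", "443/tcp", "8080/tcp"]},
    {"ip": "10.0.2.20", "services": ["22/tcp", "5432/tcp"]},
    {"ip": "10.0.4.40", "services": ["3389/tcp"]},
]


def reconcile(cmdb, scan):
    """Return the discrepancies between the CMDB record and the scan.

    unknown: live hosts with no configuration item (undocumented assets)
    missing: CMDB entries that did not answer (decommissioned or down)
    drift:   known hosts whose exposed services differ from the record
    """
    recorded = {ci["ip"]: ci for ci in cmdb}
    observed = {h["ip"]: h for h in scan}
    unknown = sorted(set(observed) - set(recorded))
    missing = sorted(set(recorded) - set(observed))
    drift = {}
    for ip in sorted(set(recorded) & set(observed)):
        expected = set(recorded[ip]["services"])
        actual = set(observed[ip]["services"])
        if expected != actual:
            drift[ip] = {"new": sorted(actual - expected), "gone": sorted(expected - actual)}
    return {"unknown": unknown, "missing": missing, "drift": drift}


def soc_inventory(cmdb, scan):
    """Build the SOC's working inventory: every live host, with the CMDB owner
    attached where one exists and 'UNASSIGNED' where the scan found an
    undocumented host that needs to be investigated and recorded."""
    owners = {ci["ip"]: ci["owner"] for ci in cmdb}
    return {h["ip"]: {"owner": owners.get(h["ip"], "UNASSIGNED"),
                      "services": sorted(h["services"])} for h in scan}


if __name__ == "__main__":
    print(reconcile(CMDB_EXPORT, SCAN_RESULT))
    print(soc_inventory(CMDB_EXPORT, SCAN_RESULT))
```

Every entry in the `unknown` and `drift` lists is a candidate for a new or updated configuration item; running this after each scheduled scan keeps the SOC's view from silently diverging from the CMDB.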
Detection and evaluation

In the detection and evaluation phase, we are looking at uncovering potential issues and deciding if they need to be dealt with. The first stage in this is the detection process. Here we are looking at the detection of indicators of compromise (IOCs).
Response

After the data analysis stage, we can enter the response phase. The first step here is containment, as we need to ensure that any intrusion is not left to spread unchecked through the IT system. The exception to this is if the compromise has affected part of a honeynet. As the honeynet is separate, and set up to test our system, we may wish to allow the compromise to spread to other parts of the honeynet (though obviously not beyond it). Containment is followed by the recovery of our system. This will commonly involve rebuilding the system and restoring the data from backups. In the case of complex or advanced persistent threat (APT) attacks on mission-critical systems, it may even be desirable to replace the hardware, though this is normally not necessary. When thinking about containment and recovery we need to weigh up two conflicting demands – do we recover quickly and potentially destroy evidence, or do we investigate and try to recover evidence at the expense of operational requirements? The choice made will depend on the nature of the service compromised and how likely a compromise is to spread, and it is here that a honeypot/honeynet can be very useful. Once recovery has been completed, the incident and the response(s) taken need to be fully reported. This will normally involve recording the information in an appropriate knowledge base (and potentially the CMDB) and informing management of what occurred. Care must be taken that reports are used to help improve performance and not just archived, and this is where the analysis of response stage comes in. Here, the SOC should consider what went wrong and how to prevent it and similar incidents from happening again. It may also be desirable at this stage to evaluate the processes being used and to see how SOC processes could be improved to ensure that future incidents of this type are prevented from even occurring. Some organisations apply a plan-do-check-act (PDCA) loop to help with this process.