Six-Step Incident Response Process
The NSWC Dahlgren Computer Security Incident Handling Guidelines [345] describe incident response as a six-step process:
- Preparation: Setting up systems to detect threats and policies for dealing with them, including identifying roles staff will play in incident response, and creating emergency contact
- Identification: Identifying what the threat is, and/or the effects it is having on your systems/networks, including keeping records of the time, the systems involved and what was observed, and making a full system backup as soon after the intrusion was observed as possible, to preserve as much information about the attack as you
- Containment: Limiting the effects of an incident by confining the problem to as few systems as possible, freezing the scene so that nothing further happens to the compromised system(s) by disconnecting its network connections and possibly console
- Eradication: Getting rid of whatever the attacker might have compromised, by deleting files or doing a complete system reinstall. We cannot stress enough that you should err on the side of deleting MORE rather than less in order to restore a system to production, since the intruder may have left very well disguised Trojan Horse binaries around the system, to be activated once the system is reconnected to the Internet.
- Recovery: Getting back into business, by putting the system back into normal operations, reconnecting it to the network, restoring from backups if necessary, etc.
- Follow-up: If possible, tightening security so that the intrusion cannot happen again; determining the cost of the intrusion based on staff time, lost data and lost user work time (don't skip this! It may help justify security expenditures in the future); considering which, if any, additional tools might have helped handle the incident better than it was handled; reflecting on lessons learned from both the intrusion and the organization's response to it; and tweaking policies as required.
SANS offers an incident response publication dealing with these six major phases in detail [346].
The very first thing to do is to secure access to the involved devices, to protect against further damage and to assist with preservation of evidence. The critical theme is to not destroy evidence by changing anything! Legal cases have been hampered, and even destroyed, by well-meaning system administrators doing the wrong thing in the name of preservation of evidence. Report any suspicious incidents to upper management.
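The record-keeping the Identification step calls for (time, systems involved, what was observed) and the "change nothing" rule above can be supported by a simple append-only log. The following is an added example, not code from the CertiGuide text: an incident record that only lets the six phases be entered in the guide's order and hash-chains every entry so that any later alteration or deletion is detectable. All names (IncidentRecord, PHASES, enter_phase, observe, verify) are this example's own.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example, not CertiGuide's own code. The phase names follow the guide;
# everything else (class, method and constant names) is this example's own.
PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "follow-up"]
GENESIS = "0" * 64   # "previous hash" of the very first entry

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class IncidentRecord:
    def __init__(self):
        self.phase_index = -1   # no phase entered yet
        self.entries = []       # append-only; each entry commits to the previous hash

    def _append(self, kind, detail):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"when": datetime.now(timezone.utc).isoformat(),
                "kind": kind, "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]

    def enter_phase(self, phase, note=""):
        # Phases must be entered strictly in the guide's order; jumping ahead
        # (e.g. eradication before containment) is rejected.
        nxt = self.phase_index + 1
        wanted = PHASES[nxt] if nxt < len(PHASES) else None
        if phase != wanted:
            raise ValueError(f"expected phase {wanted!r}, got {phase!r}")
        self.phase_index = nxt
        return self._append("phase", {"phase": phase, "note": note})

    def observe(self, system, what):
        # Identification: record the time, the system involved and what was observed.
        return self._append("observation", {"system": system, "observed": what})

    def verify(self):
        # Recompute the chain; True only if no entry was altered or removed.
        prev = GENESIS
        for e in self.entries:
            body = {k: e[k] for k in ("when", "kind", "detail", "prev")}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Keep such a log on a system other than the compromised one, so that the record itself is not part of the scene being frozen.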
Incident Response: Step-by-Step
The six steps to incident response are preparation, threat identification, containment, eradication, recovery, and follow-up.
When an incident is detected, the first thing to do is secure access to the involved devices through actions like unplugging them from the network, locking any involved terminals or systems, etc. Be careful not to destroy evidence by changing anything, in case the incident is eventually taken to the courtroom.
Also be sure to report any suspicious incidents to upper management. They need to know when intrusions have occurred, particularly if financial aspects of the business may be affected.
Incident Response Planning
Does your organization have a computer security incident response policy? If so, do you know what it is? If not, consider sketching one out and seeking approval for it, so that you know in advance what to do if you need to react on short notice someday. As noted above, a helpful guide to incident response, to help get you started in planning for it, can be found at SANS. Again, we can't stress enough that you should think about this in advance, in order to be best prepared to respond in ways that get things back to business as usual as quickly as possible without destroying important evidence, and that enable you to understand the threat you faced, so that you can better protect yourself against similar threats in the future.
345. NSWC Dahlgren Computer Security Incident Handling Guidelines, http://www.nswc.navy.mil/ISSEC/Docs/Ref/GeneralInfo/incident.handle.html, February, 2002.
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.