Incident Response System - That Computer Engineer



Thursday, February 8, 2018

Incident Response System

What is an IT incident?

Suppose a server of your organization crashes. This is a problem, but it is not necessarily an incident unless it affects the services the organization delivers. If the crash happens during working hours, it is an incident, because it causes a loss for the company. A crash outside working hours is a problem but not yet an incident; it becomes one if it is left unattended until the next working day. Thus, an IT incident may be defined as:

"An unplanned, unlawful, unauthorized or unacceptable interruption in the service of an organization that must be resolved immediately."

Examples of such incidents include:

  • Unauthorized intrusions into computing systems
  • Denial-of-service (DoS) attacks
  • Email spam
  • Theft of trade secrets

Hope you understood what an incident is. Let's move on to the incident response system itself.

Incident Response System

Whenever an incident has occurred, the aftermath of the security breach or cyber attack must be properly addressed and managed. An incident response methodology provides a coordinated and cohesive response to a given IT incident, so that actions are planned in advance rather than improvised under pressure.

7 Major components of an Incident Response System:

1. Pre-incident preparation
  • The users and IT staff should be prepared before any unwanted incident occurs: policies, tooling, contact lists and training are put in place in advance.
  • One such preparation is forming a CSIRT (Computer Security Incident Response Team) that handles incidents when they arise.

2. Detection of incidents

  • This step involves identifying a potential security incident, for example from an IDS alert, a user report or an anomaly noticed in logs.

3. Initial Response

  • This step covers the initial actions taken once a security incident has been detected, before a full investigation starts.
  • Example:
    • Record basic details about the environment of the incident
    • Assemble the incident response team
    • Notify the individuals who need to know about the incident

4. Formulate response strategy

  • In this step, we determine the best response to the incident that was detected, taking into account its business impact and the evidence available so far.
  • The strategy must also settle what action the organization intends to pursue (civil, criminal or administrative), because that determines how evidence must be collected and handled.

5. Investigate the incident

  • The step involves two phases.
    • Data collection: In this phase, all relevant data that can be used as evidence is collected.
        • Network Based evidence
          • IDS log
          • Router logs
          • Firewall logs
          • Network monitoring
          • Authentication server logs
        • Host Based evidence
          • Time/date stamps of every file on the victim system
          • The victim system's clock, and its offset from a trusted clock, so that timestamps can be correlated with other evidence
          • Open ports and the processes listening on them
          • Volatile data (running processes, network connections, logged-in users), collected before the system is powered off
        • Other evidence
          • Oral testimony from witnesses
    • Data analysis: In this phase, the collected data is analysed to establish what actually happened during the incident.
        • Review volatile data
        • Review network connections
        • Identify backdoors and sniffers
        • Analyse relevant time/date stamps
          • Identify files uploaded by the attacker to the system
          • Identify files downloaded by the attacker from the system
        • Review log files
        • Identify unauthorized user accounts

  • Together, thorough collection and analysis must determine:
    • What happened?
    • When did it happen?
    • Who did it?
    • How did it happen?
  • Answering these questions is what makes it possible to prevent such attacks in the future.
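As an added example (not code from the original post), the following Python script performs the kind of data analysis described in step 5 on constructed sample evidence: a few Linux auth.log lines and a list of file modification times collected from the victim. The account allowlist, internal address prefixes, hostname, usernames, addresses and paths are assumptions made for the illustration. It flags logins by unknown accounts or from external addresses, accounts created during the incident and privilege escalation, then correlates those events with files modified in the same window to build a single timeline, which is the "what, when, who, how" view the investigation has to produce.

```python
import re
from datetime import datetime, timedelta

# Constructed sample evidence (not from a real system): Linux auth.log lines.
AUTH_LOG = """\
Feb  8 01:02:11 web01 sshd[2201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Feb  8 02:14:05 web01 sshd[2310]: Accepted password for www-data from 203.0.113.7 port 40210 ssh2
Feb  8 02:15:40 web01 useradd[2322]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Feb  8 02:16:02 web01 sudo:  svc_backup : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Feb  8 09:00:13 web01 sshd[3002]: Accepted publickey for alice from 10.0.0.5 port 51044 ssh2
"""

# Constructed host evidence: (path, last-modified time) as collected from the victim.
FILE_MTIMES = [
    ("/var/www/html/index.php", "2018-02-01 10:00:00"),
    ("/var/www/html/uploads/shell.php", "2018-02-08 02:14:30"),
    ("/tmp/.x/bd", "2018-02-08 02:15:10"),
    ("/etc/passwd", "2018-02-08 02:15:40"),
]

# Assumptions for the illustration: accounts allowed to log in interactively,
# address prefixes treated as internal, and the year (syslog timestamps omit it).
KNOWN_ACCOUNTS = {"root", "alice", "bob"}
INTERNAL_PREFIXES = ("10.", "192.168.")
LOG_YEAR = 2018

# Classic syslog layout: "Mon dd HH:MM:SS host process[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_syslog_ts(ts, year=LOG_YEAR):
    """Turn 'Feb  8 02:14:05' into a datetime; the year is supplied externally."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze_auth_log(text, known=KNOWN_ACCOUNTS):
    """Return (time, finding, detail) tuples for suspicious authentication events."""
    findings = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unparseable line: keep it in the raw evidence, skip here
        ts, proc, msg = parse_syslog_ts(m["ts"]), m["proc"], m["msg"]
        login = re.search(r"Accepted \w+ for (\S+) from (\S+)", msg)
        if login:
            user, src = login.groups()
            if user not in known:
                findings.append((ts, "login by unknown account", f"{user} from {src}"))
            if not src.startswith(INTERNAL_PREFIXES):
                findings.append((ts, "login from external address", f"{user} from {src}"))
        created = re.search(r"new user: name=([^,]+)", msg)
        if created and created.group(1) not in known:
            findings.append((ts, "unauthorized account created", created.group(1)))
        if proc == "sudo" and "USER=root" in msg:
            who = msg.split(":")[0].strip()
            if who not in known:
                findings.append((ts, "privilege escalation by unknown account", who))
    return findings


def files_modified_in_window(entries, start, end):
    """Select host files whose mtime falls inside [start, end]: candidate uploads/backdoors."""
    hits = []
    for path, mtime in entries:
        t = datetime.strptime(mtime, "%Y-%m-%d %H:%M:%S")
        if start <= t <= end:
            hits.append((t, "file modified in incident window", path))
    return hits


def build_timeline(auth_text, file_entries, slack_minutes=10):
    """Merge log findings with file activity around them into one sorted timeline."""
    findings = analyze_auth_log(auth_text)
    if findings:
        first = min(f[0] for f in findings) - timedelta(minutes=slack_minutes)
        last = max(f[0] for f in findings) + timedelta(minutes=slack_minutes)
        findings += files_modified_in_window(file_entries, first, last)
    return sorted(findings)


if __name__ == "__main__":
    for when, what, detail in build_timeline(AUTH_LOG, FILE_MTIMES):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {what:40}  {detail}")
```

The slack window around the first and last log finding is what ties host-based evidence (file timestamps) to network- and log-based evidence; in a real case the victim's clock offset recorded during collection must be applied to the file times before this correlation, or the timeline will be off by that offset.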

6. Reporting

  • We need to prepare an accurate report of the investigation, written so that decision makers can make clear decisions based on it.

7. Resolution

  • Based on the report and previous experience, we will:
    • Employ better security measures
    • Modify the procedures
    • Record the information about the incident
    • Develop long-term fixes for any problems identified
