7.6 Conduct incident management
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons learned
How do we respond to incidents? We can follow the guidelines in NIST SP 800-61 or ISO 27035. The general procedure is as follows:
- Detection – how do we discover the incident?
  - An intrusion detection system might alert us
  - Our antivirus software might alert us
  - Our scanning tools might alert us
  - An end user or administrator might notice something unusual
  - More advanced AI-based tools can detect incidents by correlating multiple factors
  - There can also be false alarms, and we must be careful to separate them from real incidents. That means we should train people to understand the difference between a real incident and a false alarm.
- Response – how do we respond to the incident?
  - We might have a dedicated team that responds to incidents. The team might only respond to major situations.
  - The team investigates the incident and helps with recovery.
  - The faster we respond to an incident, the less damage it is likely to cause.
- Mitigation – how do we reduce the size of the incident?
  - This is part of the response phase
  - We know that the incident is happening, but we need to try to keep it from spreading
  - For malware, we would probably isolate the computers it has infected so that it does not spread throughout the network
- Reporting – who do we report the issue to?
  - We may need to report the incident to senior management, the board of directors, or investors
  - We may need to report the incident to customers or vendors
  - We may need to report the incident to government agencies
  - Who we report to, and how quickly, depends on the severity of the incident and on what is affected
  - We should notify law enforcement if the incident was criminal in nature
  - If personal information is compromised, or if it could have been compromised, we need to report the compromise to the affected customers
- Recovery
  - We return the system to its normal state
  - That may mean rebooting, rebuilding, or reimaging the system
  - We might replace the system if the hardware is compromised
  - If our business knows what it is doing, the entire system will already have been documented, which makes rebuilding it much easier
- Remediation
  - How do we keep this from happening again?
  - We need to complete a root cause analysis to figure out what happened
  - We would check each item in the system to determine how the attack happened
  - Then we come up with a plan so that it doesn’t happen again
- Lessons learned
  - We review the incident and the response
  - We think about ways to improve our response in the future
  - We should write a report