7.6 Conduct incident management

  • Detection
  • Response
  • Mitigation
  • Reporting
  • Recovery
  • Remediation
  • Lessons learned

How do we respond to incidents? We can follow the guidelines in NIST SP 800-61 or ISO/IEC 27035. The general procedure is as follows:

  • Detection – how do we discover the incident?

    • Intrusion detection system might alert us

    • Our antivirus software might alert us

    • Our scan tools might alert us

    • An end user or administrator might notice something unusual

    • More advanced AI can detect incidents based on multiple factors

    • There can also be false alarms. We must be careful to separate them from real incidents, which means training people to recognize the difference between a genuine incident and a false alarm.

  • Response – how do we respond to the incident?

    • We might have a dedicated team that responds to incidents.  The team might only respond to major situations.

    • The team investigates the incident and helps with recovery.

    • The faster we respond to an incident, the less damage it is likely to cause.

  • Mitigation – how do we reduce the size of the incident?

    • This is part of the response phase

    • We know that the incident has occurred, but we need to keep it from spreading

    • For malware, we would probably try to isolate the computers that it has infected so that it does not spread throughout the network

  • Reporting – who do we report the issue to?

    • We may need to report the incident to senior management, the board of directors, or investors

    • We may need to report the incident to customers or vendors

    • We may need to report the incident to government agencies

    • Who we report to and how quickly depends on the severity of the incident and on what is affected

    • We should notify law enforcement if the incident was criminal in nature

    • If personal information is compromised or if it could have been compromised, we need to report the compromise to the affected customers

  • Recovery

    • We return the system to its normal state

    • That may mean rebooting, rebuilding, or reimaging the system

    • We might replace the system if the hardware is compromised

    • If our business knows what it is doing, the entire system will already be documented, which makes rebuilding it much easier

  • Remediation

    • How do we keep this from happening again?

    • We need to complete a root cause analysis to figure out what happened

    • We would check each item in the system to determine how the attack happened

    • Then we come up with a plan so that it doesn’t happen again

  • Lessons learned

    • We review the incident and our response to it

    • We identify ways to improve our response in the future

    • We should write a report
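The phases above are easier to reason about when the hand-offs between them are made explicit. The following is an added example, not text or code from NIST SP 800-61 or ISO/IEC 27035: a small Python tracker that correlates alerts from several detection sources (so a single-source alert is flagged for triage as a possible false alarm), forces an incident through the phases in order, derives who must be notified from severity and from whether personal data was exposed, and produces the summary a lessons-learned report would start from. The hosts, timestamps, alert text and severity thresholds are constructed for the example.

```python
"""Incident-lifecycle tracker following the phases in the outline above.
Constructed example: hosts, times, alert text and thresholds are illustrative only."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Phases in the order the outline gives them; an incident may only move to the next one.
PHASES = ["detection", "response", "mitigation", "reporting",
          "recovery", "remediation", "lessons_learned"]


@dataclass
class Alert:
    source: str        # detection source: "ids", "antivirus", "scanner" or "user"
    host: str
    detail: str
    time: datetime


def correlate(alerts: List[Alert], window: timedelta = timedelta(minutes=30)) -> Dict[str, str]:
    """Classify each host seen in the alerts.

    Two or more independent sources reporting the same host within the window is treated
    as a likely real incident; a single source is sent to human triage, since it may be a
    false alarm. This is the 'multiple factors' idea in its simplest form, not an analytics engine.
    """
    by_host: Dict[str, List[Alert]] = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)
    verdicts = {}
    for host, hs in by_host.items():
        latest = max(a.time for a in hs)
        recent_sources = {a.source for a in hs if latest - a.time <= window}
        verdicts[host] = "likely_incident" if len(recent_sources) >= 2 else "needs_triage"
    return verdicts


def notification_targets(severity: str, personal_data_exposed: bool, criminal: bool) -> List[str]:
    """Who must be told, following the reporting bullets above.
    The severity thresholds are assumed for this example; a real plan sets them in policy."""
    targets = []
    if severity in ("high", "critical"):
        targets.append("senior management")
    if severity == "critical":
        targets += ["board of directors", "investors"]
    if personal_data_exposed:
        targets += ["affected customers", "government agencies"]
    if criminal:
        targets.append("law enforcement")
    return targets


@dataclass
class Incident:
    host: str
    detected_at: datetime
    phase: str = "detection"
    timeline: List[tuple] = field(default_factory=list)   # (phase, when, note)

    def advance(self, to_phase: str, when: datetime, note: str) -> None:
        """Move to the next phase only; skipping a phase raises so it cannot be forgotten."""
        expected = PHASES[PHASES.index(self.phase) + 1]
        if to_phase != expected:
            raise ValueError(f"from {self.phase} the next phase is {expected}, not {to_phase}")
        self.phase = to_phase
        self.timeline.append((to_phase, when, note))

    def time_to_respond(self) -> Optional[timedelta]:
        """Gap between detection and the response team engaging; shorter means less damage."""
        for phase, when, _ in self.timeline:
            if phase == "response":
                return when - self.detected_at
        return None

    def lessons_learned_report(self) -> Dict[str, object]:
        """Summary for the written report the outline asks for at the end."""
        return {
            "host": self.host,
            "phases_completed": [p for p, _, _ in self.timeline],
            "time_to_respond_minutes": (self.time_to_respond() or timedelta()).total_seconds() / 60,
            "complete": self.phase == PHASES[-1],
        }


def run_example() -> Incident:
    """Walk one constructed incident through every phase and return it."""
    t0 = datetime(2024, 1, 15, 9, 0)   # constructed detection time
    alerts = [
        Alert("ids", "ws-17", "outbound beacon to unknown host", t0),
        Alert("antivirus", "ws-17", "trojan quarantined", t0 + timedelta(minutes=5)),
        Alert("scanner", "ws-42", "missing patch", t0 - timedelta(days=2)),  # single stale source
    ]
    hosts = [h for h, v in correlate(alerts).items() if v == "likely_incident"]
    inc = Incident(hosts[0], detected_at=t0)
    inc.advance("response", t0 + timedelta(minutes=20), "incident response team engaged")
    inc.advance("mitigation", t0 + timedelta(minutes=35), "host isolated from the network")
    who = notification_targets("high", personal_data_exposed=True, criminal=False)
    inc.advance("reporting", t0 + timedelta(hours=2), "notified: " + ", ".join(who))
    inc.advance("recovery", t0 + timedelta(hours=6), "host reimaged from documented build")
    inc.advance("remediation", t0 + timedelta(days=1), "root cause found; control added")
    inc.advance("lessons_learned", t0 + timedelta(days=3), "report written")
    return inc


if __name__ == "__main__":
    print(run_example().lessons_learned_report())
```

Only ws-17 becomes an incident: it was reported by two independent sources within the correlation window, while the single scanner finding on ws-42 goes to triage instead. The `advance` check is the part worth copying into a real runbook tool: it makes it impossible to close an incident without having passed through reporting, remediation and lessons learned.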