Conduct Incident Management
In this section, we discuss the management of incidents that are potentially damaging to an organization. All incident management models share some basic characteristics:
- They all require identifying the event
- They analyze the event to determine the appropriate counteractions
- They correct the problems
- They attempt to prevent the event from happening again
(ISC)² divides incident (disaster) management into seven phases: detect, respond, mitigate, report, recover, remediate, and learn.
Detection is the first, most important, and usually most difficult phase. In this phase, events are analyzed to determine whether they might comprise a security incident. Determining whether a security incident has occurred depends on how the organization defines a security incident.
Under the best of circumstances, detection occurs in real time, as soon as a security disaster occurs, such as malware discovered by anti-malware software on a computer.
In fact, more often a security incident is not detected for quite some time (weeks, months, or even years), as in the case of a sophisticated "low and slow" cyberattack.
The response phase begins with interacting with the affected systems and attempts to keep further damage from occurring as a result of the disaster.
The first step is to immediately begin documenting every action taken during the incident management process.
Next, identify the appropriate alert level. To do so, you need the answers to some questions:
- Is this an isolated incident or a system-wide event?
- Has personal or sensitive data been compromised?
- What laws may have been violated?
The answers will help you determine who to notify and whether or not to activate the entire incident response team or only certain members.
The next step is to notify the appropriate people about the incident. All contact information should be documented before an incident, and all notifications and contacts made during an incident should be documented in the incident log.
In general, common responses include taking a system off the network, isolating traffic, powering off the system, or other measures to control both the scope and severity of the disaster.
Two important pieces of advice:
- Capture volatile data before pulling the power plug on a system.
- Keep compromised systems powered on to gather forensic data.
The purpose of this step is to contain the incident and minimize further loss or damage. However, first the cause of the incident must be determined.
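The response steps above (log every action, derive an alert level from the three triage questions, notify and log the contacts, and capture volatile data before powering a host off) as a small working model. This is an added example, not code from the original text; the roster, the level rules, and the action names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed roster (assumption): who is contacted at each alert level.
ROSTER = {
    "low": ["on-call analyst"],
    "medium": ["on-call analyst", "IR lead"],
    "high": ["on-call analyst", "IR lead", "privacy officer", "legal"],
    "critical": ["full incident response team", "legal", "executive sponsor"],
}


@dataclass
class IncidentLog:
    """Append-only record of every action, notification and contact."""
    entries: list = field(default_factory=list)

    def record(self, action, detail=""):
        self.entries.append((datetime.now(timezone.utc).isoformat(), action, detail))
        return self.entries[-1]

    def has(self, action):
        return any(a == action for _, a, _ in self.entries)


def alert_level(system_wide, sensitive_data, laws_violated):
    """Map the three triage questions to an alert level (rules are assumptions)."""
    if laws_violated:
        return "critical" if (system_wide or sensitive_data) else "high"
    if system_wide and sensitive_data:
        return "high"
    if system_wide or sensitive_data:
        return "medium"
    return "low"


def notify(log, level):
    """Contact the roster for the level and log each notification."""
    for who in ROSTER[level]:
        log.record("notify", who)
    return ROSTER[level]


def contain(log, action):
    """Guard the containment step: no power-off until volatile data is captured."""
    if action == "power_off" and not log.has("capture_volatile"):
        log.record("refused", "power_off requested before capture_volatile")
        return False
    log.record(action)
    return True
```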
The mitigation phase involves understanding the cause of the disaster so that the system can be reliably cleaned without causing further harm.
For example, if a computer has been compromised and is actively attempting to compromise other computers, that computer should be removed from the network to mitigate the damage.
The report phase requires assessing the disaster and reporting the results to the appropriate management personnel and authorities. The report should determine the scope and cause of the damage, as well as the responsible (or liable) party.
Recovering normal operations involves eradicating any components of the incident (for example, removing malware from a system or disabling e-mail service on a stolen mobile device). Then the system (or systems) must be carefully restored to operational status.
For example, for a compromised computer, you reinstall the OS, restore it from a backup, and so on.
Remediation is the process of taking additional steps to reduce the chances of the same or a similar attack succeeding. This phase includes rebuilding systems, repairing vulnerabilities, improving safeguards, and restoring data and services.
In fact, these steps begin during the mitigation phase, but remediation continues after that phase and becomes broader.
For example, during the mitigation phase the compromised password is changed and the system is placed back online. Remediation steps could then include requiring two-factor authentication for all systems accessing sensitive data.
The goal of the learning phase is to produce a final report on the incident, prepared by the security team and delivered to management. This report should detail ways in which the compromised system could have been identified earlier, how the response could have been quicker or more effective, which organizational faults might have contributed to the incident, and what other elements have room for improvement.
At this stage, it is necessary to determine exactly what went wrong (the cause or causes of the disaster), and also what went right.