Incident Response !!!

dpathidpathi Member Posts: 23 ■□□□□□□□□□
Need help on the following:

What is the first step after detecting and verifying an incident?

Reporting the incident or Containment ?

SYBEX Official study guide says its containment, but not everyone who detects an incident would have the know how to contain

it. In my opinion reporting to someone who could contain it is a best approach. Any ideas about this?

Comments

  • malindakmalindak Member Posts: 58 ■■□□□□□□□□
    dpathi wrote: »
    Need help on the following:

    What is the first step after detecting and verifying an incident?

    Reporting the incident or Containment ?

    SYBEX Official study guide says its containment, but not everyone who detects an incident would have the know how to contain

    it. In my opinion reporting to someone who could contain it is a best approach. Any ideas about this?

    I think you need to do containment before the data get lost such as in volatile memory - just an opinion
  • trueshrewkmctrueshrewkmc Member Posts: 107
    Think of yourself as the person to whom the incident is being reported. And if an incident has been "detected" and verified," it *has* been reported already. Might be a SIEM tool "reporting" the incident, not a person.
  • dpathidpathi Member Posts: 23 ■□□□□□□□□□
    Yea..thats a gud way of looking at this. Thx
  • Rumblr33Rumblr33 Member Posts: 99 ■■□□□□□□□□
    Containment would be the next step after an incident is confirmed. Sounds like you're thinking of someone looking at a SIEM (Tier 1 Analyst). They may not be able to contain the incident but they would "report" their findings to the next tier for containment. This may be the workflow you have experienced and can contribute to your thinking.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Yeah, it depends on what "reporting" means here. If something bad is detected, it obviously has to be reported to the right people to get the containment process in action. Generally if a threat is identified, it naturally gets reported as part of the incident identification workflow.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • lucky0977lucky0977 Member Posts: 218 ■■■■□□□□□□
    According to the Sybex guide, these are the steps when conducting incident management:
    1 Detection (AV software, IDS/IPS, automated tools and users noticing irregular activity)
    2 Response (Dispatch incident response team to investigate, assess damage or collect evidence)
    3 Mitigation (Limit the effect and scope of an incident, which is pretty much containment)
    4 Reporting
    5 Recovery
    6 Remediation
    7 Lessons learned

    Also, one of the reasons for having a BCP/DRP is ensuring you have trained and qualified personnel to respond to and contain an incident. In CISSP world, they would be known as Computer Incident Response Teams (CSIRT).
    dpathi wrote: »
    What is the first step after detecting and verifying an incident?
    Reporting the incident or Containment ?
    SYBEX Official study guide says its containment, but not everyone who detects an incident would have the know how to contain
    it. In my opinion reporting to someone who could contain it is a best approach.
    Bachelor of Science: Computer Science | Hawaii Pacific University
    CISSP | CISM | CISA | CASP | SSCP | Sec+ | Net+ | A+
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    How is "reporting" defined as in this case?
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • lucky0977lucky0977 Member Posts: 218 ■■■■□□□□□□
    Since the OP referenced the Sybex guide, we're to assume it's for the CISSP. In the real world the steps might seem unreasonable but ISC2 writes the exams so you have to answer it the way it exists in CISSP world. It's explained that not all incidents have to be reported, such as a malware found and contained to a single host. But others, that involve actual breaches or others that are required by regulatory compliance laws. That is why reporting is conducted afterwards. Some detection's could be false alarms and unworthy of reporting.
    Bachelor of Science: Computer Science | Hawaii Pacific University
    CISSP | CISM | CISA | CASP | SSCP | Sec+ | Net+ | A+
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Ah yes, that make sense now. As usual, context matters a lot.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
Sign In or Register to comment.