Incident Response !!!

Need help on the following:

What is the first step after detecting and verifying an incident?

Reporting the incident or Containment ?

SYBEX Official study guide says its containment, but not everyone who detects an incident would have the know how to contain

it. In my opinion reporting to someone who could contain it is a best approach. Any ideas about this?

Find more posts tagged with

Comments

malindak

dpathi wrote: »

Need help on the following:

What is the first step after detecting and verifying an incident?

Reporting the incident or Containment ?

SYBEX Official study guide says its containment, but not everyone who detects an incident would have the know how to contain

it. In my opinion reporting to someone who could contain it is a best approach. Any ideas about this?

I think you need to do containment before the data get lost such as in volatile memory - just an opinion

trueshrewkmc

Think of yourself as the person to whom the incident is being reported. And if an incident has been "detected" and verified," it *has* been reported already. Might be a SIEM tool "reporting" the incident, not a person.

dpathi

Yea..thats a gud way of looking at this. Thx

Rumblr33

Containment would be the next step after an incident is confirmed. Sounds like you're thinking of someone looking at a SIEM (Tier 1 Analyst). They may not be able to contain the incident but they would "report" their findings to the next tier for containment. This may be the workflow you have experienced and can contribute to your thinking.

docrice

Yeah, it depends on what "reporting" means here. If something bad is detected, it obviously has to be reported to the right people to get the containment process in action. Generally if a threat is identified, it naturally gets reported as part of the incident identification workflow.

lucky0977

According to the Sybex guide, these are the steps when conducting incident management:
1 Detection (AV software, IDS/IPS, automated tools and users noticing irregular activity)
2 Response (Dispatch incident response team to investigate, assess damage or collect evidence)
3 Mitigation (Limit the effect and scope of an incident, which is pretty much containment)
4 Reporting
5 Recovery
6 Remediation
7 Lessons learned

Also, one of the reasons for having a BCP/DRP is ensuring you have trained and qualified personnel to respond to and contain an incident. In CISSP world, they would be known as Computer Incident Response Teams (CSIRT).

dpathi wrote: »

What is the first step after detecting and verifying an incident?
Reporting the incident or Containment ?
SYBEX Official study guide says its containment, but not everyone who detects an incident would have the know how to contain
it. In my opinion reporting to someone who could contain it is a best approach.

docrice

How is "reporting" defined as in this case?

lucky0977

Since the OP referenced the Sybex guide, we're to assume it's for the CISSP. In the real world the steps might seem unreasonable but ISC2 writes the exams so you have to answer it the way it exists in CISSP world. It's explained that not all incidents have to be reported, such as a malware found and contained to a single host. But others, that involve actual breaches or others that are required by regulatory compliance laws. That is why reporting is conducted afterwards. Some detection's could be false alarms and unworthy of reporting.

docrice

Ah yes, that make sense now. As usual, context matters a lot.