Incident Response !!!

dpathi Member Posts: 23
Need help on the following:

What is the first step after detecting and verifying an incident?

Reporting the incident or Containment ?

The SYBEX Official Study Guide says it's containment, but not everyone who detects an incident would have the know-how to contain it. In my opinion, reporting to someone who could contain it is the best approach. Any ideas about this?

Comments

  • malindak Member Posts: 58
    dpathi wrote: »
    Need help on the following:

    What is the first step after detecting and verifying an incident?

    Reporting the incident or Containment ?

    The SYBEX Official Study Guide says it's containment, but not everyone who detects an incident would have the know-how to contain it. In my opinion, reporting to someone who could contain it is the best approach. Any ideas about this?

    I think you need to do containment before the data gets lost, such as in volatile memory - just an opinion.
  • trueshrewkmc Member Posts: 107
    Think of yourself as the person to whom the incident is being reported. And if an incident has been "detected" and "verified," it *has* been reported already. It might be a SIEM tool "reporting" the incident, not a person.
  • dpathi Member Posts: 23
    Yeah, that's a good way of looking at this. Thanks.
  • Rumblr33 Member Posts: 99
    Containment would be the next step after an incident is confirmed. Sounds like you're thinking of someone looking at a SIEM (Tier 1 Analyst). They may not be able to contain the incident but they would "report" their findings to the next tier for containment. This may be the workflow you have experienced and can contribute to your thinking.
  • docrice Member Posts: 1,706
    Yeah, it depends on what "reporting" means here. If something bad is detected, it obviously has to be reported to the right people to get the containment process in action. Generally if a threat is identified, it naturally gets reported as part of the incident identification workflow.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • lucky0977 Member Posts: 218
    According to the Sybex guide, these are the steps when conducting incident management:
    1. Detection (AV software, IDS/IPS, automated tools and users noticing irregular activity)
    2. Response (Dispatch incident response team to investigate, assess damage or collect evidence)
    3. Mitigation (Limit the effect and scope of an incident, which is pretty much containment)
    4. Reporting
    5. Recovery
    6. Remediation
    7. Lessons learned

    Also, one of the reasons for having a BCP/DRP is ensuring you have trained and qualified personnel to respond to and contain an incident. In CISSP world, they would be known as Computer Incident Response Teams (CSIRT).
    dpathi wrote: »
    What is the first step after detecting and verifying an incident?
    Reporting the incident or Containment ?
    The SYBEX Official Study Guide says it's containment, but not everyone who detects an incident would have the know-how to contain it. In my opinion, reporting to someone who could contain it is the best approach.
    Bachelor of Science: Computer Science | Hawaii Pacific University
    CISSP | CISM | CISA | CASP | SSCP | Sec+ | Net+ | A+
  • docrice Member Posts: 1,706
    How is "reporting" defined in this case?
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • lucky0977 Member Posts: 218
    Since the OP referenced the Sybex guide, we're to assume it's for the CISSP. In the real world the steps might seem unreasonable, but ISC2 writes the exams, so you have to answer it the way it exists in CISSP world. It's explained that not all incidents have to be reported, such as malware found and contained on a single host. But others do, such as those that involve actual breaches or that fall under regulatory compliance laws. That is why reporting is conducted afterwards. Some detections could be false alarms and unworthy of reporting.
    Bachelor of Science: Computer Science | Hawaii Pacific University
    CISSP | CISM | CISA | CASP | SSCP | Sec+ | Net+ | A+
  • docrice Member Posts: 1,706
    Ah yes, that makes sense now. As usual, context matters a lot.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/