Many organizations create incident response policies to help personnel identify and respond to incidents. If you’re planning to take the Security+ exam, you should have a basic understanding of incident response procedures.
For example, can you answer this sample practice test question?
Q. You work as a help-desk professional in a large organization. You have begun to receive an extraordinary number of calls from employees related to malware. Using common incident response procedures, what should be your FIRST response?
A. Preparation
B. Identification
C. Escalation
D. Mitigation
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Incident Response Procedures
Incident response includes multiple steps, beginning with creating the incident response policy. Many organizations create incident response policies to help personnel identify and respond to incidents.
As an overview, typical incident response procedures and concepts are:
- Preparation. This stage occurs before an incident and provides guidance to personnel on how to respond to an incident. It includes establishing incident response procedures and periodically reviewing and updating them. It also includes establishing procedures to prevent incidents. For example, preparation includes implementing security controls to prevent malware infections.
- First responder. First responders are the first security-trained individuals who arrive on the scene. The term comes from the medical community, where the first medically trained person to arrive on the scene of an emergency or accident is a first responder. A first responder could be someone from the incident response team or someone with adequate training to know what the first response steps should be. The incident response policy documents initial steps or at least the goals of first responders. In some situations, first responders might have a mini-toolkit to perform basic tests, along with a list of personnel to contact after verifying an incident occurred.
- Incident identification. Not all events are security incidents, so when a potential incident is reported, personnel take the time to verify it is an actual incident. For example, intrusion detection systems (IDSs) might falsely report an intrusion, but administrators would investigate it and verify it is a false positive. A false positive isn’t an actual incident. If the incident is verified, personnel might try to isolate the system based on established procedures.
- Incident isolation. After identifying an incident, security personnel attempt to isolate or contain it. This might include quarantining a device or removing it from the network. This can be as simple as unplugging the system’s network interface card to ensure it can’t communicate on the network. Similarly, you can isolate a network from the Internet by modifying access control lists on a router or a network firewall. This is similar to how you’d respond to water spilling from an overflowing sink. You wouldn’t start cleaning up the water until you first turn off the faucet. The goal of isolation is to prevent the problem from spreading to other areas or other computers in your network, or to simply stop the attack.
- Damage and loss control. When isolating an incident and throughout the entire incident response procedure, personnel attempt to limit damages and losses. Methods vary depending on the incident. As one example, the organization might identify a public relations specialist to communicate with the media, and limit potential damage from bad publicity.
- Escalation and notification. After identifying the incident and isolating the system, personnel escalate the incident by notifying appropriate personnel. For example, a first responder might notify an incident response team if the organization has one. If a team isn’t established, the first responder may instead inform security or forensic experts about the incident, based on established policies. The incident response policy will typically list other personnel to inform, such as security managers within the organization. Forensic experts may begin a forensic evaluation depending on the scope of the incident.
- Reporting. In some situations, security personnel may need to notify executives within the company of the incident. Obviously, they wouldn’t notify executives of every single incident. However, they would notify executives about serious incidents that have the potential to affect critical operations. Additionally, some incidents require an organization to notify personnel outside the organization, such as customers.
- Data breach. If the incident involves a data breach, personnel need to identify the extent of the loss, and determine if outside entities are affected. For example, if attackers successfully attacked a system and collected customer data such as credit information, the organization has a responsibility to notify customers of the data breach as soon as possible.
- Recovery/reconstitution procedures. After the forensic evidence collection process, administrators will recover or restore the system to bring it back into service. Recovery or reconstitution of a system may require a simple reboot or it may require a complete rebuild of the system, depending on the incident. If the system needs to be rebuilt, it’s important to ensure that all updates and patches are also applied. Change management logs are invaluable during this process.
- Lessons learned. After personnel manage an incident, security personnel perform a lessons learned review. It’s very possible the incident provides some valuable lessons, and the organization may modify procedures or add additional controls to prevent a recurrence of the incident. A review might indicate a need to provide additional training to users, or a need to update the incident response policy. The goal is to prevent a future recurrence of the incident.
- Mitigation steps. After security personnel complete the review of lessons learned, they typically provide recommendations to mitigate similar risks in the future. For example, if an attack was successful because router operating systems were out of date, security personnel may update patch management policies to ensure administrators keep routers up to date.
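As an added example that is not part of the original post, the following Python script sketches the identification step for the help-desk scenario in the practice question: it counts malware-related calls against a baseline and requires independent corroboration (an endpoint anti-malware detection) before declaring an incident, so a burst of unfounded calls is closed as a false positive rather than triggering isolation. The ticket data, keyword list and thresholds are constructed for illustration.

```python
# Added example (not from the post): minimal triage logic for the
# identification step in the help-desk malware scenario. All ticket data,
# thresholds and keyword lists below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    host: str
    description: str    # caller's free-text complaint
    av_detection: bool  # endpoint anti-malware logged a detection on that host

# Keywords that mark a help-desk call as malware-related (constructed list).
MALWARE_KEYWORDS = ("malware", "virus", "ransom", "pop-up", "encrypted")

def is_malware_related(ticket: Ticket) -> bool:
    text = ticket.description.lower()
    return any(k in text for k in MALWARE_KEYWORDS)

def identify_incident(tickets, baseline_per_hour=2, min_corroborated=2):
    """Return (is_incident, hosts_to_isolate, reason).
    A verified incident needs BOTH an abnormal call volume AND independent
    corroboration (an AV detection) on enough hosts; otherwise the burst of
    calls is treated as a false positive and nothing is isolated.
    """
    related = [t for t in tickets if is_malware_related(t)]
    if len(related) <= baseline_per_hour:
        return False, [], "call volume within normal baseline"
    corroborated = sorted({t.host for t in related if t.av_detection})
    if len(corroborated) < min_corroborated:
        return False, [], "abnormal volume but not corroborated; likely false positive"
    return True, corroborated, f"{len(corroborated)} hosts with confirmed detections"

def next_step(is_incident: bool) -> str:
    # The post's ordering: identification, then isolation, then escalation.
    return "isolate affected hosts, then escalate" if is_incident else "close as false positive"

# Constructed sample tickets from one hour of help-desk calls.
SAMPLE_TICKETS = [
    Ticket("T1", "ws-101", "My screen shows a ransom note, files encrypted", True),
    Ticket("T2", "ws-115", "Antivirus keeps popping up a virus warning", True),
    Ticket("T3", "ws-120", "Strange pop-up says I have malware", False),
    Ticket("T4", "ws-130", "Printer is out of toner", False),
    Ticket("T5", "ws-142", "Virus alert, PC very slow", True),
]

if __name__ == "__main__":
    verdict, hosts, why = identify_incident(SAMPLE_TICKETS)
    print(verdict, hosts, why, "->", next_step(verdict))
```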
Remember this
After identifying an incident, personnel attempt to contain or isolate the problem. This is often as simple as disconnecting a computer from a network. Reviewing lessons learned allows personnel to analyze the incident and the response with a goal of preventing a future occurrence.
Q. You work as a help-desk professional in a large organization. You have begun to receive an extraordinary number of calls from employees related to malware. Using common incident response procedures, what should be your FIRST response?
A. Preparation
B. Identification
C. Escalation
D. Mitigation
Answer is B. At this stage, the first response is incident identification.
The preparation phase is performed before an incident, and includes steps to prevent incidents.
After identifying this as a valid incident (malware infection), the next step is escalation and notification and then mitigation steps.