From the course: Cybersecurity Foundations

Responding to an incident

- [Narrator] Early containment is necessary to stop an incident overwhelming resources, or increasing the level of damage it inflicts. Pre-authorization to take action enables containment and allows time to develop a tailored remediation strategy. Containment decisions, such as disconnecting a system, are much easier to make if a response plan template for this kind of incident has been predetermined. Separate containment strategies for each major incident type need to be prepared and pre-authorized.

Most incidents will require an ongoing investigation to trace back to the source and the cause of the attack, and this will occur in parallel with containment and recovery activities. This is likely to be the primary role for cyber incident responders, with IT and networks taking the lead on containment and recovery. Access to a wide range of sensor information is important to getting the network visibility that's required to fit all the pieces together.

If the incident is serious, then it's likely that a major incident management event will be called. This will typically be run by IT or network operations and will be under the control of the MIM manager. A MIM consists of a group of key stakeholders establishing regular meetings or conference calls to monitor the progress of incident resolution, make decisions collaboratively and coordinate messaging.

Although the primary reason for gathering evidence during an incident is to resolve the incident, it may also be needed for legal proceedings. In such cases, it's important to clearly document how all evidence, including compromised systems, has been preserved, using an official chain of custody evidence tag.

After an incident has been contained, eradication may be necessary to delete malware, disable breached user accounts, and identify and mitigate all vulnerabilities that were exploited. It's important to eradicate the issues, not only on the affected hosts, but on all hosts that could be affected through the same or a similar attack. For example, removing a default administrator account on one server, whilst leaving the same account open on another, is just asking for more trouble.

The last and probably most important rule when responding to an incident is to continue monitoring for other incidents. An attack may well be a diversion in order to gain more subtle access somewhere else on the network.
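The fleet-wide eradication check described above, as an added example that is not part of the course transcript: it assumes you have already collected /etc/passwd- and /etc/shadow-style lines from every host (for instance through your configuration-management tool) and walks them for a list of breached or default account names. The host names, account names and account lines below are constructed for illustration.

```python
"""Fleet-wide eradication audit (added example, not course material).

Given per-host account listings, report every host where a breached or
default account still exists, and whether it can still log in. The point
of the exercise is that disabling the account on the host that was
compromised is not enough; the same account on a sibling host must be
found and dealt with too.
"""
from dataclasses import dataclass

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class HostAccounts:
    host: str
    passwd_lines: list  # lines in /etc/passwd format
    shadow_lines: list  # lines in /etc/shadow format


def parse_passwd(lines):
    """Map username -> login shell from /etc/passwd-style lines."""
    shells = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def parse_shadow(lines):
    """Map username -> password-hash field from /etc/shadow-style lines.
    A hash beginning with '!' or '*' means the account is locked."""
    hashes = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def account_state(shell, pw_hash):
    """Classify an existing account: 'locked', 'no-shell' or 'active'."""
    if pw_hash is not None and pw_hash.startswith(("!", "*")):
        return "locked"
    if shell in NOLOGIN_SHELLS:
        return "no-shell"
    return "active"


def find_residual_accounts(hosts, breached_accounts):
    """Return sorted (host, account, state) tuples for every breached
    account that still exists anywhere in the fleet."""
    findings = []
    for h in hosts:
        shells = parse_passwd(h.passwd_lines)
        hashes = parse_shadow(h.shadow_lines)
        for name in breached_accounts:
            if name in shells:
                findings.append((h.host, name, account_state(shells[name], hashes.get(name))))
    return sorted(findings)


def needs_eradication(findings):
    """Only accounts that can still log in are outstanding work."""
    return [f for f in findings if f[2] == "active"]


# Constructed sample data: 'admin' was removed from web01 after the
# incident, is still live on web02, and is present but locked on db01.
SAMPLE_HOSTS = [
    HostAccounts("web01",
                 ["root:x:0:0:root:/root:/bin/bash",
                  "www:x:33:33:www:/var/www:/usr/sbin/nologin"],
                 ["root:$6$r00t$hash:19000:0:99999:7:::"]),
    HostAccounts("web02",
                 ["root:x:0:0:root:/root:/bin/bash",
                  "admin:x:1001:1001:Default Admin:/home/admin:/bin/bash"],
                 ["admin:$6$abc$xyz:19000:0:99999:7:::"]),
    HostAccounts("db01",
                 ["root:x:0:0:root:/root:/bin/bash",
                  "admin:x:1001:1001:Default Admin:/home/admin:/bin/bash"],
                 ["admin:!$6$abc$xyz:19000:0:99999:7:::"]),
]

if __name__ == "__main__":
    found = find_residual_accounts(SAMPLE_HOSTS, ["admin"])
    for host, acct, state in found:
        print(f"{host}: {acct} ({state})")
    print("still to eradicate:", needs_eradication(found))
```

Run against the constructed data, the audit reports `admin` on both web02 (active) and db01 (locked), and lists only web02 as outstanding. A locked account is still worth recording: it remains an artefact the attacker knows about, and the decision to leave it locked rather than deleted belongs in the incident record.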