Incident Handling

What do you do when you discover a security breach or an intrusion in your infrastructure? How do you react properly and take the appropriate actions to block the attacker and ensure that they won't come back? That is the role of the incident handler.

The process of incident handling is based on six critical steps:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons learned

The preparation phase is very important to being able to investigate incidents in good conditions. This phase relies on multiple considerations: technical, business and legal. To investigate an incident you must have collected data, but that data must be collected according to the rules. Example: are you authorized to sniff your users' traffic or to monitor your company's email traffic? From a technical point of view, tools must be deployed to collect events (see log management) and retention policies must be defined. Is a team in place and ready to investigate, and is it properly sized? Is enough time reserved for these tasks?

The identification phase is the critical phase. To detect an "incident", the term must be properly defined inside the company, so that it is clear when an incident has taken place. An example of an incident definition is:

Any security or policy event that affects the normal operation of our computing systems
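A definition like the one above only becomes useful for identification once it is turned into something that can be applied to the events collected during preparation. The following is an added example (not from the original text): a small detector run over constructed sshd log lines that applies one concrete rule, "five or more failed logins from one source within five minutes", and raises the severity if the same source then logs in successfully. The log lines, host names, addresses and the threshold and window values are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not real data): a password-guessing burst
# from 203.0.113.7 that ends in a successful root login, plus unrelated noise.
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 web01 sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:08 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:10 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 02:14:12 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 02:20:44 web01 sshd[2301]: Failed password for alice from 198.51.100.4 port 40112 ssh2
Mar 10 02:31:09 web01 sshd[2350]: Accepted publickey for alice from 198.51.100.4 port 40120 ssh2
"""

# Matches the two sshd outcomes we care about; other syslog lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port"
)

# Assumed incident rule: 5 failures from one source within 5 minutes.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse_events(text, year=2024):
    """Turn raw syslog text into event dicts. Syslog lacks a year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one incident record per source that meets the rule.

    Severity is 'medium' for the failures alone and 'high' if the same source
    logs in successfully before the window closes (the guessing worked).
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    incidents = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(fails)):
            # Extend a window starting at failure i as far as the rule allows.
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 < threshold:
                continue
            start, end = fails[i]["ts"], fails[j]["ts"]
            success = [e for e in evs if e["result"] == "Accepted"
                       and end <= e["ts"] <= start + window]
            incidents.append({
                "src": src,
                "host": evs[0]["host"],
                "failed_attempts": j - i + 1,
                "targeted_users": sorted({e["user"] for e in fails[i:j + 1]}),
                "first_seen": start,
                "last_seen": end,
                "severity": "high" if success else "medium",
                "compromised_users": sorted({e["user"] for e in success}),
            })
            break  # one record per source is enough to open a ticket
    return incidents


if __name__ == "__main__":
    for inc in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"[{inc['severity']}] {inc['src']} -> {inc['host']}: "
              f"{inc['failed_attempts']} failures against {inc['targeted_users']}, "
              f"compromised={inc['compromised_users']}")
```

The value of writing the rule down is that "incident" stops being a judgement call made under pressure: the threshold and window are the agreed definition, and everything the detector emits carries the fields (source, host, accounts, time span, severity) that the containment and eradication phases will need.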

During the containment phase, it is important to limit the risk while still allowing the company to operate. Do we have to notify management or the business owner? Containment is not just about turning a machine off: it can also mean isolating a host at the network level, blocking the attacker's source addresses or disabling compromised accounts, while preserving the evidence needed for the investigation.

Eradication, or cleanup, can take many forms, from simply running an antivirus scanner up to reinstalling a system from a known-good backup taken before the compromise.

The recovery phase means it's time to put things back into production, and to watch the restored systems closely for signs that the attacker has returned.

Finally, the last phase is used to put together all the information you have acquired and figure out whether your security posture needs to be modified to help prevent future attacks. Some of the questions you will want to ask:

  • How can the security of the systems be improved?
  • Are new tools available?
  • Do you have the personnel and training necessary?
  • Can your incident response capability be improved?
  • Do you need to get training for team members?
  • Do you have the right or enough people on the team?
  • Is the team working well together?