Cybersecurity Incident Response and CSIRT Implementation

Incident Candidate Classifications

Possible Incident Candidates

There are four types of possible incident candidates:

  • Presence of unfamiliar files
  • Presence or execution of unknown programs or processes
  • Unusual consumption of computing resources
  • Unusual system crashes

Probable Incident Candidates

There are four types of probable incident candidates:

  • Activities at unexpected times
  • Presence of unexpected new accounts
  • Reported attacks
  • Notification from an IDPS

Definite Incident Candidates

There are five types of definite incident candidates:

  • Use of dormant accounts
  • Changes to logs
  • Presence of hacker tools
  • Notifications by partner or peer
  • Notification by hacker

Indicators of Active Events

Indicators of events under way include:

  • Loss of availability
  • Loss of integrity
  • Loss of confidentiality
  • Violation of policy
  • Violation of law

Monitoring Network and System Behavior

Watch the network and system for unexpected behavior:

  • Notify users that network and activity monitoring is being performed.
  • Review and investigate notifications from network and system-specific alert mechanisms.
  • Review and investigate network and system error reports.
  • Review network and system performance statistics and investigate anomalies.
  • Identify any unexpected, unusual, or suspicious network traffic or user behavior.
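The candidate classifications above and the monitoring steps in this list come together in day-to-day triage: an analyst reviews alerts, error reports and performance statistics and decides whether what they see is a possible, probable or definite incident candidate. The following Python script is an added example, not part of the original notes or of any textbook; it maps constructed observations (a login at an odd hour, a new account, an unknown program, an altered log file, a CPU spike) onto the candidate classes the notes define and reports the strongest one. The business hours, the 90-day dormancy threshold, the process allowlist and the sample events are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Candidate classes from the notes, ordered by strength of evidence.
POSSIBLE, PROBABLE, DEFINITE = "possible", "probable", "definite"
RANK = {POSSIBLE: 1, PROBABLE: 2, DEFINITE: 3}

# Assumed site policy (constructed for this example): business hours,
# dormancy threshold and the processes expected to run on the host.
BUSINESS_HOURS = range(8, 18)          # 08:00 to 17:59 local time
DORMANT_AFTER = timedelta(days=90)
KNOWN_PROCESSES = {"sshd", "nginx", "cron", "postgres"}


@dataclass
class Finding:
    classification: str   # one of POSSIBLE, PROBABLE, DEFINITE
    indicator: str        # which candidate indicator from the notes matched
    detail: str           # the observation that triggered it


def triage_events(events, last_seen, cpu_samples):
    """Map raw observations onto the candidate classes in the notes.

    events      - list of dicts with keys ts (datetime), user, kind and,
                  for exec / account_created / log_modified, a name
    last_seen   - dict user -> datetime of that user's previous login
    cpu_samples - list of CPU utilisation percentages, most recent last
    """
    findings = []
    for ev in events:
        ts, user, kind = ev["ts"], ev["user"], ev["kind"]
        if kind == "login":
            # Probable: activity at an unexpected time
            if ts.hour not in BUSINESS_HOURS:
                findings.append(Finding(PROBABLE, "activity at unexpected time",
                                        f"{user} logged in at {ts:%H:%M}"))
            # Definite: use of a dormant account
            prev = last_seen.get(user)
            if prev is not None and ts - prev > DORMANT_AFTER:
                findings.append(Finding(DEFINITE, "use of dormant account",
                                        f"{user} idle for {(ts - prev).days} days"))
        elif kind == "account_created":
            # Probable: presence of an unexpected new account
            findings.append(Finding(PROBABLE, "unexpected new account",
                                    f"{user} created account {ev['name']}"))
        elif kind == "exec" and ev["name"] not in KNOWN_PROCESSES:
            # Possible: execution of an unknown program or process
            findings.append(Finding(POSSIBLE, "unknown program executed",
                                    f"{user} ran {ev['name']}"))
        elif kind == "log_modified":
            # Definite: changes to logs
            findings.append(Finding(DEFINITE, "changes to logs",
                                    f"{user} altered {ev['name']}"))

    # Possible: unusual consumption of computing resources. Flag the latest
    # sample when it sits more than three standard deviations above the
    # baseline formed by the earlier samples.
    if len(cpu_samples) >= 3:
        baseline, latest = cpu_samples[:-1], cpu_samples[-1]
        sd = pstdev(baseline) or 1.0
        if (latest - mean(baseline)) / sd > 3:
            findings.append(Finding(POSSIBLE, "unusual resource consumption",
                                    f"CPU {latest}% vs baseline {mean(baseline):.1f}%"))
    return findings


def overall_classification(findings):
    """Strongest candidate class among the findings, or None if nothing fired."""
    if not findings:
        return None
    return max((f.classification for f in findings), key=RANK.get)


# Constructed sample data: one day's worth of observations on a single host.
SAMPLE_EVENTS = [
    {"ts": datetime(2024, 3, 12, 3, 14), "user": "jdoe", "kind": "login"},
    {"ts": datetime(2024, 3, 12, 9, 2), "user": "svc_backup", "kind": "login"},
    {"ts": datetime(2024, 3, 12, 9, 5), "user": "svc_backup",
     "kind": "account_created", "name": "tmpadmin"},
    {"ts": datetime(2024, 3, 12, 9, 7), "user": "tmpadmin",
     "kind": "exec", "name": "/tmp/updater"},
    {"ts": datetime(2024, 3, 12, 9, 9), "user": "tmpadmin",
     "kind": "log_modified", "name": "/var/log/auth.log"},
    {"ts": datetime(2024, 3, 12, 10, 0), "user": "asmith",
     "kind": "exec", "name": "cron"},
]
SAMPLE_LAST_SEEN = {
    "jdoe": datetime(2024, 3, 11, 17, 30),
    "svc_backup": datetime(2023, 11, 1, 2, 0),   # 132 days before the login
}
SAMPLE_CPU = [12, 15, 11, 14, 13, 12, 14, 88]

if __name__ == "__main__":
    found = triage_events(SAMPLE_EVENTS, SAMPLE_LAST_SEEN, SAMPLE_CPU)
    for f in found:
        print(f"[{f.classification:8}] {f.indicator}: {f.detail}")
    print("overall:", overall_classification(found))
```

Running the script on the sample data yields six findings and an overall classification of "definite", driven by the dormant service account and the altered log file; the odd-hour login and the new account alone would only have reached "probable". The classification is deliberately conservative in one direction only: a single definite indicator is enough to escalate, while possible and probable indicators accumulate as context for the analyst rather than being summed into a higher class.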

The Protect and Forget Approach

  1. Determine if the event is a real incident.
  2. If it is a true incident, terminate the current intrusion.
  3. Discover how access was obtained and how many systems were compromised.
  4. Restore the compromised systems to their pre-incident configuration.
  5. Secure the method of unauthorized access by the intruder on all systems.
  6. Document the steps taken to deal with the incident.
  7. Develop lessons learned.
  8. Have upper management briefly evaluate what happened.

Development of the CSIRT

  1. Obtain management support and buy-in.
  2. Determine the CSIRT strategic plan.
  3. Gather relevant information.
  4. Design the CSIRT’s vision.
  5. Communicate the CSIRT’s vision and operational plan.
  6. Begin CSIRT implementation.
  7. Announce the operational CSIRT.
  8. Evaluate the CSIRT’s effectiveness.

Beginning CSIRT Implementation

  1. Recruit and train initial CSIRT staff.
  2. Purchase equipment and prepare the required network infrastructure.
  3. Define and prepare the necessary CSIRT policies and procedures.
  4. Coordinate with additional IT and InfoSec department members to ensure effective communications during an incident.
  5. Define and acquire an incident-tracking system.
  6. Prepare incident-reporting guidelines and forms.