Page 294

Detection

One of the most important steps in the incident management process is the detection phase. Detection (also called identification) is the phase in which events are analyzed in order to determine whether they might comprise a security incident. Without strong detective capabilities built into the information systems, the organization has little hope of responding effectively to information security incidents in a timely fashion. Organizations should have a regimented and, preferably, automated process for pulling events from systems and bringing them into the wider organizational context. When events on a particular system are analyzed independently and out of context, an actual incident can easily be overlooked; seen in the context of the larger organization, the same system logs may reveal patterns indicative of an incident. It is during the detection phase that the organization determines whether an incident is actually occurring or has occurred. It is quite common for potential incidents to be deemed strange but innocuous after further review.
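As an added illustration of why organizational context matters (this is example code, not part of the original text): the same constructed auth-failure lines are evaluated first host by host, where nothing crosses a threshold, and then organization-wide, where one source stands out because it touches many hosts. The log format, hosts and addresses are all constructed for the example.

```python
"""Added example: cross-host correlation of constructed auth log lines.
Per host, each source's failures look innocuous; organization-wide they
form a pattern worth escalating. Constructed sample data, not real logs."""
import re
from collections import defaultdict

# Constructed sample: syslog-style SSH auth failures from three hosts.
SAMPLE_LOGS = """\
web01 sshd[101]: Failed password for root from 203.0.113.7 port 51111 ssh2
web01 sshd[102]: Failed password for alice from 198.51.100.4 port 42000 ssh2
web02 sshd[201]: Failed password for root from 203.0.113.7 port 51112 ssh2
web02 sshd[202]: Failed password for bob from 203.0.113.7 port 51113 ssh2
db01 sshd[301]: Failed password for root from 203.0.113.7 port 51114 ssh2
db01 sshd[302]: Failed password for carol from 198.51.100.4 port 42001 ssh2
"""

LINE_RE = re.compile(r"^(?P<host>\S+) sshd\[\d+\]: Failed password for "
                     r"(?P<user>\S+) from (?P<src>[\d.]+) ")

def parse(lines):
    """Yield (host, user, src) for each auth-failure line that matches."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("host"), m.group("user"), m.group("src")

def per_host_alerts(events, threshold=3):
    """Naive per-system view: alert only when a single host sees many
    failures from one source. Misses a source spread thinly across hosts."""
    counts = defaultdict(int)
    for host, _user, src in events:
        counts[(host, src)] += 1
    return sorted(src for (_host, src), n in counts.items() if n >= threshold)

def org_wide_alerts(events, min_hosts=3):
    """Organizational context: alert when one source fails logins on many
    distinct hosts, even if each host individually saw only one or two."""
    hosts_by_src = defaultdict(set)
    for host, _user, src in events:
        hosts_by_src[src].add(host)
    return sorted(src for src, hosts in hosts_by_src.items()
                  if len(hosts) >= min_hosts)

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOGS))
    print("per-host view:", per_host_alerts(events))   # []
    print("org-wide view:", org_wide_alerts(events))   # ['203.0.113.7']
```

The per-host view raises nothing because no host alone crosses the threshold; only the aggregated view surfaces the source that touched every host, which is the pattern the passage says is easy to miss out of context.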

Response

The response phase (aka containment) of incident management is the point at which the incident management team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident. Responses might include taking a system off the network, isolating traffic, powering off the system, or other measures to control both the scope and severity of the incident. This phase is also typically where a binary (bit-by-bit) forensic backup is made of systems involved in the incident. An important trend to understand is that most organizations will now capture volatile data before pulling the power plug on a system.

Always receive permission from management before beginning the response phase: offline systems can negatively impact business, and as a result business needs often conflict with the needs of information security. The ultimate decision needs to come from senior management.

Response is analogous to emergency medical technicians arriving on the scene of a car accident: they seek to stabilize an injured patient (stop their condition from worsening); they do not cure the patient. Imagine an incident where a worm has infected 12 systems: response includes containment, which means the worm stops spreading. No new systems are infected, but the existing infections will exist until they are eradicated in the next step.