Event: An observable change in state
Alert: Triggers warnings if certain event happens
Incident: Multiple adverse events happening on our systems or network
Problem: Incident with an unknown cause
Inconvenience: Non-disruptive failures
Emergency: Urgent. A crisis
Disaster: Entire facility is unusable for 24 hours or longer
Catastrophe: Our facility is destroyed
Preparation
Involves strengthening systems and networks to resist attacks
This phase is about getting ready for future incidents
Detection
Events are analyzed to determine if they might be a security incident. Stakeholders are informed, containment begins, and initial response actions are taken
Containment (Response)
Limit the incident's impact by securing data and protecting business operations
Eradication (Mitigation)
We understand the cause of the incident
We clean the system and fix the vulnerabilities that were discovered
Reporting
We report throughout the Incident Response procedure beginning with Detection
Includes the technical and non-technical reports
Recovery
Restores systems and services to their secure state after an incident
e.g. Restoring Backups, Installing Patches, Implementing Security Configuration
Remediation
Starts during the Mitigation phase
In remediation we fix the flaws that caused the incident on all the other systems
Post-Incident Activity
Happens after containment, eradication and full system recovery
Root-Cause Analysis
Identifies the incident's source and how to prevent it in the future
Steps Involved:
- Define the scope of the incident
- Determine the causal relationships
- Identify an effective solution
- Implement and track the solution
Lessons Learned
Document experiences during incidents in a formalized way
After-action Report
Collects formalized information about what occurred