Incident Handling
SpecialAI follows computer security incident response team (CSIRT) protocols for incident handling. Our incident handling process consists of the following four stages:
Reporting and Detection
Whether an incident surfaces through automated monitoring or human observation, this stage provides well-defined protocols for reporting it swiftly, in a standardized and documented form.
Triage
Triage provides the single point of contact and the focal point for accepting, collecting, sorting, ordering, and passing on incoming information about an incident. Every apparent new event is assigned an initial priority and a tracking number. Additional actions (such as archiving, translation, or media conversion) may be undertaken at this stage to ease subsequent incident handling activities.
Analysis
Incident analysis has many levels and sub-services. Essentially, it is the examination of all available information and supporting evidence or artifacts related to an incident or event, in order to identify the scope of the incident, the extent of the damage, the nature of the incident, and the available response strategies or workarounds. Vulnerability and artifact analysis are used to build the most complete and up-to-date picture of what happened on a specific system. The incident response team also correlates activity across incidents to identify interrelations, trends, patterns, or intruder signatures. Two sub-services that may be performed as part of incident analysis are:
- Forensic evidence collection: the collection, preservation, documentation, and analysis of evidence from a compromised computer system to determine changes to the system and to assist in reconstructing the events that led to the compromise. Information and evidence must be gathered in a way that documents a provable chain of custody and is admissible in a court of law under the rules of evidence. Tasks involved in forensic evidence collection include (but are not limited to) making a bit-image copy of the affected system's hard drive, hashed at acquisition and again after transfer so that the copy's integrity can be demonstrated; checking for changes to the system such as new programs, files, services, and users; recording running processes and open ports; and checking for Trojan horse programs and toolkits. Volatile data such as running processes and open network connections must be captured before the system is powered down, because it does not survive in the disk image.
- Tracking or tracing: tracing the origin of an intruder and identifying the systems to which the intruder had access. This may involve establishing how the intruder entered the affected systems and related networks, which systems were used to gain that access, where the attack originated, and what other systems and networks were used as part of the attack. It may also involve trying to determine the identity of the intruder. This work might be done alone but usually involves working with law enforcement personnel, Internet service providers, or other involved organizations.
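The forensic evidence collection item above names three concrete tasks: a bit-image copy whose integrity can be proven, a comparison of the system against a known baseline to spot new or altered files, and a documented chain of custody. The following Python script is an added example written for this page, not SpecialAI's own tooling; it images a constructed pseudo-device chunk by chunk while hashing it, verifies the written image, diffs a before/after file manifest, and appends JSON chain-of-custody records. The evidence identifier, handler name and file contents are constructed for the demonstration.

```python
"""Forensic acquisition helpers: bit-for-bit imaging with hash verification,
a baseline/after file manifest diff, and a chain-of-custody log.
Added example, not SpecialAI's own code; sample data is constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # 1 MiB blocks: works for files and real block devices alike


def sha256_file(path, chunk=CHUNK):
    """Hash a file (or block device) without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src, dst, chunk=CHUNK):
    """Copy src to dst byte for byte, hashing the source as it is read.
    Returns the source hash for comparison with the finished image."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            h.update(block)
            fout.write(block)
    return h.hexdigest()


def verify_image(src_hash, dst):
    """Re-hash the written image; a mismatch means the copy cannot be relied on."""
    return sha256_file(dst) == src_hash


def snapshot_tree(root):
    """Manifest of relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline, current):
    """Files that appeared, vanished, or changed content since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def custody_entry(log_path, handler, action, evidence_id, sha256):
    """Append one chain-of-custody record (who, what, when, hash) as a JSON line."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
             "action": action, "evidence_id": evidence_id, "sha256": sha256}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def run_demo():
    """End-to-end run on a constructed pseudo-device and a small file tree."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        device = tmp / "sdb"                      # constructed 'disk' of random bytes
        device.write_bytes(os.urandom(3 * CHUNK + 17))
        tree = tmp / "host"                       # constructed baseline file tree
        (tree / "bin").mkdir(parents=True)
        (tree / "bin" / "ls").write_bytes(b"original ls binary")
        (tree / "etc").mkdir()
        (tree / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        baseline = snapshot_tree(tree)

        image = tmp / "sdb.dd"                    # acquire, then prove the copy matches
        src_hash = image_device(device, image)
        hash_match = verify_image(src_hash, image)
        log = tmp / "custody.jsonl"
        custody_entry(log, "handler-01", "acquired", "EV-0001", src_hash)

        # Simulated intruder activity: a trojaned binary and a new cron backdoor.
        (tree / "bin" / "ls").write_bytes(b"trojaned ls binary")
        (tree / "etc" / "cron.d").mkdir()
        (tree / "etc" / "cron.d" / "backdoor").write_bytes(b"* * * * * root /tmp/.x\n")
        changes = diff_snapshots(baseline, snapshot_tree(tree))

        return {"hash_match": hash_match, "changes": changes,
                "custody_records": len(log.read_text().splitlines())}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In a real acquisition the source would be a block device opened read-only (ideally behind a hardware write blocker), the image and its hash would be stored on separate media, and the custody log would be kept outside the evidence volume so that it cannot be altered by the same compromise it documents.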
Incident Response
The incident response team provides direct, on-site assistance to help clients recover from an incident. The team analyzes the affected systems on site and carries out their repair and recovery. This service covers all actions taken to coordinate, resolve, and support a client's recovery from a security incident.