Questions tagged [incident-response]

The art of responding to incidents in an organized and thoughtful manner.

Incident response (here, response to information security incidents) is one aspect of the broader incident management discipline. An incident response procedure can take many forms, but it always presupposes a formal plan, written before any incident occurs, with the following goals:

  • Limit damages whether they be monetary, reputation, or otherwise
  • Reduce recovery time
  • Prevent recurrence

Every execution of the response procedure should end with a formal report detailing the incident and the actions taken.

See the CIRT (Computer Incident Response Team) Handbook for more information.

212 questions
149 votes, 9 answers

How do organizations check *what* has been hacked?

In the UK, the company TalkTalk was recently hacked. It was later discovered, after 'investigation' that the hack was not as serious as it could have been (and less than expected). I'm wondering: How do organizations (not necessarily TalkTalk --…
ᔕᖺᘎᕊ
8 votes, 2 answers

Mature CIRTs gather intel on their attackers. What sources & methods are used for this?

I copied this question verbatim from a tweet by Dave Hull. CIRT = Computer Incident Response Team
Tate Hansen
6 votes, 3 answers

Is this a good way to manage Incident-Response

I'm trying to find a good way to deal with incidents. For now these are my thoughts: x Join Logs and analyse with splunk (and alert with rsyslog, splunk is too expensive), x Configuration-Management and automatic Re-Deployment (puppet,…
baj
5 votes, 2 answers

Sony Attacks, what would you do?

If you were called by Sony right now, had 100% control over security, what would you do in the first 24 hours?
blunders
5 votes, 2 answers

Server Compromised. Steps to determine further damage on the network?

So one of your servers is compromised. You determine this because you notice a weird process running (as root, unfortunately). No helpful information about this process from Googling around. First things first, let's clean this known dirty server…
Anthony Kraft
4 votes, 1 answer

What is the definition of "multi-failure" disaster recovery?

There are several compliance and certification criteria that mention "multi-failure" disaster recovery. What exactly is the definition of this? A google search did not turn up a clear answer for me.
Marplesoft
2 votes, 2 answers

What's the next step if an organization doesn't respond to warnings of a potential data breach?

I've recently started getting a rash of junk mail to a particular email address. I give out unique addresses to all organizations I deal with, so I know exactly who has this address on file. The emails are not of a marketing nature (mostly…
glibdud
2 votes, 2 answers

The impact of 'hacking insurance' on the information security industry

I recently attended a general IT conference and saw some interesting vendors of various products and services. One of them was a company providing hacking insurance, and they said that there were two business models that they operate on: Liability…
Michael Lai
2 votes, 1 answer

Incident database?

Possible Duplicate: Resources for data on security incidents Do you know any websites where they put Information about Security Incidents that happened to organizations/people (e.g. breakins, data leaks, etc.) in a categorized/searchable…
2 votes, 1 answer

Planning Incident Response / Business Continuity

An IT company already has most of the standard procedures / precautions in place to do day-to-day business in a secure way, e.g. policies for users on what to do and what not to do, technical solutions like antivirus / spam protection / log management /…
sam
2 votes, 1 answer

Incident isolation and containment approach

In incident response, there are commonly two approaches to isolation and containment after a genuine incident is reported. Compromised systems are disabled or disconnected, but operations carry on by reverting to a redundant system until the…
JinPangPang
1 vote, 1 answer

How to investigate potential infected client workstation

In this case a central endpoint security or SIEM solution alerts on Indicators of Compromise on one client workstation in a Windows domain. Should there be an IT staff who has admin accounts (domain accounts) on these workstations? Admin logs with…
atn1ght
1 vote, 1 answer

Do incident response plans include playbooks?

Do incident response plans include the playbooks or are the playbooks separate from the incident response plan?
yusuf
1 vote, 1 answer

CEH Incident Response phases: Investigation vs Analysis

I am preparing for CEH from Oriyano book. He refers to NIST's incident response phases. These phases are: Response Triage Investigation Containment Analysis and tracking Recovery Repair Debriefing and feedback I can't understand the difference…
Alien Fan
0 votes, 2 answers

What is a "proof of concept" file to report security issues?

Last month I reported a security issue to Adobe through an email encrypted with PGP. I received the confirmation email, but no response past that. I checked the "Alert us" page and it said that you have to send a proof of concept file. In my email,…