Incident
- An incident is any event that compromises, or has the potential to compromise, the confidentiality, integrity, or availability (CIA) of information or systems.
- Examples:
  - Malware infection
  - Unauthorized access to sensitive data
  - Denial-of-service attack
Security Event
- A security event is one that has been confirmed as a violation of security policies or acceptable use.
- Examples:
  - A ransomware attack encrypting company files
  - A data breach exposing customer PII
Incident Response (IR)
- A structured process to detect, analyze, contain, eradicate, and recover from security incidents.
- Purpose:
  - Minimize the impact of incidents
  - Restore normal operations quickly
  - Gather evidence for investigation or compliance
Key Phases of Incident Response
- Preparation:
  - Establish policies, procedures, tools, and communication plans.
  - Example: Security awareness training, backup systems.
- Identification/Detection:
  - Recognize potential incidents from logs, alerts, or reports.
  - Example: IDS alerts, unusual network traffic.
- Containment:
  - Limit the spread or impact of the incident.
  - Example: Isolating infected systems from the network.
- Eradication:
  - Remove the root cause of the incident.
  - Example: Deleting malware, closing exploited vulnerabilities.
- Recovery:
  - Restore systems to normal operation and monitor for recurrence.
  - Example: Restoring backups, verifying system integrity.
- Lessons Learned / Post-Incident Review:
  - Analyze what happened and improve controls and processes.
  - Example: Updating policies, patching vulnerabilities, employee training.
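To make the phases concrete, here is an added example (not part of the original notes) that ties the Identification/Detection phase to the later phases: a small detection rule scans constructed auth-log lines for a burst of failed logins from one source, opens an incident record, and walks it through containment, eradication, recovery and lessons learned in order, refusing to skip a phase. The log format (`<ISO timestamp> sshd auth_failure user=<u> src=<ip>`), the threshold, and the action strings are all assumptions chosen for illustration, not a real product or playbook.

```python
"""Added example: minimal detection rule plus an incident record that enforces
the IR phase order. Log format and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned"]

# Constructed sample log lines (not real traffic): six failures from one
# source inside a few seconds, plus one unrelated failure and a success.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 sshd auth_failure user=alice src=10.0.0.7",
    "2024-05-01T10:00:02 sshd auth_failure user=alice src=10.0.0.7",
    "2024-05-01T10:00:03 sshd auth_failure user=root src=10.0.0.7",
    "2024-05-01T10:00:04 sshd auth_failure user=bob src=10.0.0.7",
    "2024-05-01T10:00:05 sshd auth_failure user=carol src=10.0.0.7",
    "2024-05-01T10:00:06 sshd auth_failure user=dave src=10.0.0.7",
    "2024-05-01T10:05:00 sshd auth_failure user=eve src=10.0.0.9",
    "2024-05-01T10:06:00 sshd auth_success user=eve src=10.0.0.9",
]


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, _proc, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["event"] = event
    return fields


def detect_auth_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Identification phase: report sources with >= threshold failures
    inside a sliding time window. Returns (src, count, first_ts) tuples."""
    by_src = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["event"] == "auth_failure":
            by_src[rec["src"]].append(rec["ts"])
    findings = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it fits.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((src, end - start + 1, times[start]))
                break  # one finding per source is enough to open an incident
    return findings


class Incident:
    """Tracks an incident through PHASES in order; skipping ahead is refused,
    mirroring 'contain before eradicate, eradicate before recover'."""

    def __init__(self, summary):
        self.summary = summary
        self.phase = "identification"  # opened by detection; prep is ongoing
        self.actions = []

    def advance(self, next_phase, action):
        if self.phase == PHASES[-1]:
            raise ValueError("incident already closed after lessons learned")
        expected = PHASES[PHASES.index(self.phase) + 1]
        if next_phase != expected:
            raise ValueError(f"cannot go from {self.phase} to {next_phase}; "
                             f"next phase is {expected}")
        self.phase = next_phase
        self.actions.append((next_phase, action))
        return self.phase


def run_playbook(lines):
    """Open an incident for each detection and walk it through the phases.
    Actions are illustrative strings, not commands that get executed."""
    incidents = []
    for src, count, first in detect_auth_bursts(lines):
        inc = Incident(f"{count} failed logins from {src} "
                       f"starting {first.isoformat()}")
        inc.advance("containment", f"block {src} at the perimeter firewall")
        inc.advance("eradication", "reset credentials of the targeted accounts")
        inc.advance("recovery", "restore access and keep monitoring the source")
        inc.advance("lessons_learned", "review lockout policy and MFA coverage")
        incidents.append(inc)
    return incidents


if __name__ == "__main__":
    for inc in run_playbook(SAMPLE_LOGS):
        print(inc.summary)
        for phase, action in inc.actions:
            print(f"  {phase}: {action}")
```

The window check is what separates "unusual" from "normal": a single failure from `10.0.0.9` never reaches the threshold, so no incident is opened for it, while the burst from `10.0.0.7` does. The phase-order check in `Incident.advance` is the structural point of the notes: recovery that starts before the root cause is removed simply reintroduces the problem.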
