O'Reilly logo

Incident Response by Richard Forno, Kenneth R. van Wyk

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Incident Response Processes

In this section, we’re going to describe the general steps in the process of handling an incident. The process starts at the point when the incident is detected, whether by a human noticing and reporting an anomaly or by an automated detection system alerting the operator to a problem. For the purposes of this discussion, we don’t care how the incident is reported, only that it is. We should point out, though, that almost every incident we’ve worked on was detected and reported by a person. We’ll also emphasize that the word “reported” in the previous sentence is not to be taken lightly. It is rare indeed to find an employee who diligently reports system security anomalies. With that out of the way, let’s begin the fun stuff. The sirens are blaring, and your emergency team has been dispatched!

There are five distinct phases to the incident response process. In the next few pages, we briefly summarize them and provide readers with additional food for thought regarding how to approach incident response activities. The five steps are Incident Identification, Coordination, Mitigation, Investigation, and Education, as shown in Figure 6-1.

The five steps of incident response

Figure 6-1. The five steps of incident response

Identification

Document symptoms and observations, confirm that you indeed have an incident, and never assume!

Once an incident has been reported, the first step in handling it ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required