Respond to a security incident

This chapter provides the incident response procedure. The incident response procedure describes the set of steps the incident response team (IRT) performs when an information security incident happens within an organization. Incident response aims at revealing the intruder, mitigating the damage, recovering, and preventing further penetration.

Typically, incident response procedure includes the following stages:

  1. Preparation.

    See the recommendations below.

  2. Detection.

    A user or an installed security service, such as an IDS, a firewall, or a sandbox, generates an alert.

  3. Containment.

    1. Damage minimization and prevention of wiping the compromised systems, so that forensic images and other digital evidence can be taken.
    2. Isolation of the compromised VMs or project by temporarily switching them from the Internet to the Security Domain for further investigation.
  4. Investigation.

    1. IT service collects incident-related data, such as network traffic, files, and logs, and delivers it to IRT.
    2. Analysis. IRT performs threat analysis using the data gathered by the IT service and reports recommendations on mitigating the security issue, remediation, and future prevention.
    3. IRT sends the recommendations to the IT service. For example:
      • How to remove malicious code and signs of its presence on the infected hosts and/or VMs.
      • Which passwords should be changed, if any.
      • Which keys should be regenerated, if any.
      • Which certificates should be revoked, if any.
  5. Remediation.

    1. IT service removes the infection, changes passwords, and generates new keys.
    2. IT service recovers hosts, VMs, or network devices from backups reverting changes made by malware.
    3. IT service scans the recovered VMs, hosts, and networks with the IDS, updated and restarted with new rules, and with a vulnerability scanner to discover possible remaining breaches.
    4. IT service gets the affected VMs and project back to operation.
  6. Prevention.

    IRT writes recommendations to IT service describing incident prevention steps. For example:

    1. Revise enabled protocols.
    2. Install security updates to address vulnerabilities.
    3. Update IDS, firewalls, and sandbox with new rules based on mined IoCs.
  7. Lessons learned.

    1. Write an incident report.
    2. Analyse IRT performance.
    3. Write missing documentation.
    4. Organize a lessons learned meeting within two weeks after the incident covering the following topics:
      • Who detected the problem and when.
      • The scope of the incident.
      • How it was contained.
      • Data collected during the investigation.
      • Work performed during analysis.
      • Remediation steps.
      • Areas that need improvement.

Recommendations for the preparation stage:

  • Create a plan or strategy to handle incidents.

  • Create an IRT, which may include IT and security specialists as well as an attorney and PR and HR specialists.

  • For access control, add a system administrator to IRT to adjust permissions for IRT accounts during incident handling.

  • Prepare software and hardware tools for incident handling. As an option, you can create a Security Domain in your cloud that may contain network sniffers, malware scanners, debuggers, and a sandbox. Once an incident happens, you can switch the affected project (tenant) from the Internet to the Security Domain so the network traffic will go through network scanners and the suspicious files extracted from the traffic can be analyzed in a sandbox.

    Note

    Consider the reference model provided by ETSI (ETSI GS NFV-SEC 004) for lawful interception of communication content (streaming traffic) and related information (event logs), which you can use for monitoring, auditing, forensic, and incident response purposes.

  • Allocate storage for forensic dumps of compromised VMs and hosts.

  • Prioritize incidents based on organizational impact, which will determine resources allocated for IRT.

  • Create a communication plan to know who to contact during an incident and why. Create a contact list of IRT members.

  • Document the incident. IRT should use an Incident Handlers Journal to record all actions performed during incident handling. Later, you can use this documentation as evidence to bring the attacker to justice.

  • Train your IRT and organize drills.
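The Incident Handlers Journal recommended above is only useful as evidence if it can be shown that nobody altered or removed entries after the fact. The following added example (not code from the original page or the platform it describes) keeps the journal as a hash chain: each entry records who acted, in which stage of the procedure above, and what was done, together with the hash of the previous entry, so any later modification or deletion is detected by a verification pass. The entry fields and the sample entries are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical helper (not from the original page): an append-only Incident
# Handlers Journal in which every entry carries the hash of the previous one,
# so a later change to or deletion of an entry is detectable when the
# journal is presented as evidence.
GENESIS = "0" * 64  # stands in for the previous hash of the first entry


def _entry_hash(entry):
    # Hash the canonical JSON of the entry, excluding its own "hash" field.
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_entry(journal, handler, stage, action, timestamp=None):
    """Record who did what in which IR stage; returns the new entry."""
    entry = {
        "seq": len(journal),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "stage": stage,
        "action": action,
        "prev_hash": journal[-1]["hash"] if journal else GENESIS,
    }
    entry["hash"] = _entry_hash(entry)
    journal.append(entry)
    return entry


def verify_journal(journal):
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    expected_prev = GENESIS
    for i, entry in enumerate(journal):
        if entry.get("seq") != i or entry.get("prev_hash") != expected_prev:
            return i  # entry removed, reordered, or inserted
        if _entry_hash(entry) != entry.get("hash"):
            return i  # entry contents were altered after recording
        expected_prev = entry["hash"]
    return -1


def demo_journal():
    # Constructed sample entries following the stages described in this chapter.
    j = []
    append_entry(j, "alice", "Detection", "IDS alert: suspicious outbound traffic from VM web-01")
    append_entry(j, "alice", "Containment", "Switched project shop from the Internet to the Security Domain")
    append_entry(j, "bob", "Investigation", "Forensic image of web-01 copied to forensic storage")
    return j
```

Store the journal on write-once or access-controlled storage and keep the latest hash in a separate place (for example, in the incident ticket); the chain then proves the journal's integrity, while the externally kept hash proves nothing was truncated from its end.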