Sunday, 11 November 2012

Incident response strategy


... a little bit out of order with respect to the first post, but this is what I will be referring to constantly. Here I briefly introduce the ways a CSIRT can react after an incident occurs. This is a fundamental, shortened model, but it will be developed and described in more detail over time.

Choosing the right strategy isn't always easy. It depends on how much information we have, the circumstances of the incident, and factors such as the level of importance/risk associated with the suspicious machine or other business aspects.

Incidents vary widely. Below is a first attempt to list possible incident response strategies.

Incident type: Authentication failures
Examples:
- the system records consecutive failures made by a functional/standard account
- account locked out
- lack of access
What to do: SIEM log correlation, creating a report, supporting the appropriate RAs with data and logs. Escalating the problem to another team (policy violations).

Incident type: Authorization failures
Examples:
- using one's own machine for non-business purposes
- unacceptable use of IT resources
- policy violation (any)
- authority failures
What to do: collecting evidence, contacting the user's/owner's manager to confirm whether the case is known, contacting the user, launching CSIR, observing.

Incident type: Malware
Examples:
- machine infected by a virus
- suspicious host behaviour
What to do: observation is required; memory imaging (live response can be the quickest method), AV, vulnerability scanning, file removal, cleaning.

Incident type: Out-of-service status
Examples:
- host is no longer alive
- host is not registered
- host is not known
What to do: escalating to other RAs, sharing information with operational services, tracking.

Incident type: Computer intrusion
Examples:
- workstation has been compromised
- information leak
- buffer overflow attacks
- IT sabotage
What to do: immediate data collection (establishing what/who/why), isolating the machine, finding the root cause and what information was lost, fixing, patching, recovering the system.

Incident type: Loss of data integrity
Examples:
- issue at application or database level
What to do: supporting operational services with all evidence, escalating.

Incident type: DoS attack
Examples:
- DoS, DDoS
What to do: immediate contact with support; confirm that this is not a false positive.
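As an added example (not from the original post), here is the correlation step behind the authentication-failures entry: a small Python script that reads a constructed, hypothetical log format, counts consecutive failed logons per account inside a time window, and builds the per-account report that the entry says should be handed to the responsible team. The log format, field names, threshold and window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log in a hypothetical format (not a real product's).
SAMPLE_LOG = """\
2012-11-11T08:00:01 auth host=ws01 user=svc_backup result=FAIL
2012-11-11T08:00:03 auth host=ws01 user=svc_backup result=FAIL
2012-11-11T08:00:05 auth host=ws01 user=svc_backup result=FAIL
2012-11-11T08:00:11 auth host=ws01 user=svc_backup result=LOCKED
2012-11-11T08:01:00 auth host=ws02 user=jsmith result=FAIL
2012-11-11T08:01:30 auth host=ws02 user=jsmith result=OK
2012-11-11T08:02:00 auth host=ws03 user=akowalski result=FAIL
2012-11-11T09:30:00 auth host=ws03 user=akowalski result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) auth host=(\S+) user=(\S+) result=(\S+)$")

def parse(log_text):
    """Parse log lines into (timestamp, host, user, result); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), host, user, result))
    return events

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Flag accounts with `threshold` consecutive failures inside `window` (a
    successful logon resets the streak) and any explicit lock-out."""
    streak = defaultdict(list)  # user -> timestamps of the current failure streak
    report = {}
    for ts, host, user, result in sorted(events):
        if result == "OK":
            streak[user] = []     # success breaks the consecutive-failure chain
            continue
        entry = None
        if result == "FAIL":
            streak[user] = [t for t in streak[user] if ts - t <= window] + [ts]
            if len(streak[user]) >= threshold:
                entry = report.setdefault(user, {"hosts": set(), "failures": 0, "locked": False})
                entry["failures"] = max(entry["failures"], len(streak[user]))
        elif result == "LOCKED":
            entry = report.setdefault(user, {"hosts": set(), "failures": 0, "locked": False})
            entry["locked"] = True
        if entry is not None:
            entry["hosts"].add(host)   # record every host the account failed from
    return report
```

Running `correlate(parse(SAMPLE_LOG))` flags only `svc_backup` (three failures inside five minutes followed by a lock-out); `jsmith`'s single failure before a success and `akowalski`'s two failures an hour and a half apart stay below the threshold.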

What is obvious is that the response strategy for each event will differ. There are numerous kinds of policy violation and possible ways to track an intruder. We will be building the concept of a response strategy as a model, as a quick reference and as standard fundamental knowledge in this field.
The maturity of this model will increase over time. The whole incident response methodology will be presented, step by step.
