- Digital Forensics and Incident Response
- Gerard Johansen
- 2025-04-04 18:48:15
Incident classification
Not all incidents are equal in their severity and threat to the organization. For example, a virus that infects several computers in a support area of the organization will dictate a different level of response than an active compromise of a critical server. As a result, it is important to define within the incident response plan an incident classification schema. The following is a sample classification schema:
- High-level incident: A high-level incident is an incident that is expected to cause significant damage, corruption, or loss of critical and/or strategic company or customer information. A high-level incident may involve widespread or extended loss of system or network resources. The event can have potential damage and liability to the organization and to the corporate public image. Examples of high-level incidents include, but are not limited to, the following:
  - Network intrusion
  - Physical compromise of information systems
  - Compromise of critical information
  - Loss of computer system or removable media containing un-encrypted confidential information
  - Widespread and growing malware infection (more than 25% of hosts)
  - Targeted attacks against the IT infrastructure
  - Phishing attacks using the organization's domain and branding
- Moderate-level incident: A moderate-level incident is an incident that may cause damage, corruption, or loss of replaceable information without compromise (there has been no misuse of sensitive customer information). A moderate-level event may involve significant disruption to a system or network resource. It also may have an impact on the mission of a business unit within the corporation:
  - Anticipated or ongoing Denial of Service attack
  - Loss of computer system or removable media containing un-encrypted confidential information
  - Misuse or abuse of authorized access
  - Automated intrusion
  - Confined malware infection
  - Unusual system performance or behavior
  - Installation of malicious software
  - Suspicious changes or computer activity
- Low-level incident: A low-level incident is an incident that causes inconvenience and/or unintentional damage or loss of recoverable information. The incident will have little impact on the corporation:
  - Policy or procedural violations detected through compliance reviews or log reviews
  - Lost or stolen laptop or other mobile equipment containing encrypted confidential information
  - Installation of unauthorized software
  - Malware infection of a single PC

Playbooks can be configured in a number of ways. For example, a written document can be added to the Incident Response Plan for specific types of incidents. Other times, organizations can use a flow diagram utilizing software such as iStudio or Visio. Depending on how the organization chooses to document the playbook, they should create 10-20 that address the range of potential incidents.
- Incident tracking: Tracking incidents is a critical responsibility of the CSIRT. All actions taken by the CSIRT and other personnel during an incident should be noted and recorded under a unique incident identifier.
- Training: The incident response plan should also indicate the frequency of training for CSIRT personnel. At a minimum, the entire CSIRT should be put through a tabletop exercise at least annually. In the event that an incident post-mortem analysis indicates a gap in training, that should also be addressed within a reasonable time after conclusion of the incident.
- Maintenance: Organizations of every size continually change, including changes to infrastructure, threats, and personnel. The incident response plan should therefore specify the frequency of its own reviews and updates. For example, if the organization acquires another organization, the CSIRT may have to adjust its service offerings or incorporate specific individuals and their roles. At a minimum, the incident response plan should be updated annually, and lessons learned from any exercises conducted should be incorporated into this update. Individual team members should also supplement their skills through individual training and certifications, for example through organizations such as SANS or on specific digital forensic tools.
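As an added example (not the book's code), here is one way to encode the schema's quantitative rules above (the 25% malware threshold and the encrypted versus un-encrypted lost-media distinction) together with the incident-tracking requirement of a unique identifier and an action log; the function names and the `IR-` identifier format are assumptions for illustration:

```python
"""Triage helper for the sample classification schema, plus a minimal
incident record that logs CSIRT actions under a unique identifier."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import uuid

HIGH, MODERATE, LOW = "high", "moderate", "low"


def classify_malware(infected_hosts: int, total_hosts: int) -> str:
    """Malware scope: single PC -> low, confined -> moderate,
    widespread (more than 25% of hosts) -> high."""
    if total_hosts <= 0 or not 1 <= infected_hosts <= total_hosts:
        raise ValueError("need 1 <= infected_hosts <= total_hosts")
    if infected_hosts == 1:
        return LOW
    # Integer comparison avoids float rounding; exactly 25% is not "more than".
    if infected_hosts * 4 > total_hosts:
        return HIGH
    return MODERATE


def classify_lost_device(contains_confidential: bool, encrypted: bool) -> str:
    """Lost or stolen system/media: encrypted confidential data -> low,
    un-encrypted confidential data -> high, no confidential data -> low."""
    if not contains_confidential:
        return LOW
    return LOW if encrypted else HIGH


@dataclass
class Incident:
    severity: str
    summary: str
    # "IR-<8 hex chars>" identifier format is an assumption, not from the book.
    incident_id: str = field(
        default_factory=lambda: "IR-" + uuid.uuid4().hex[:8].upper())
    actions: list = field(default_factory=list)

    def record(self, actor: str, action: str) -> dict:
        """Append a timestamped entry so every step is tied to the incident ID."""
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action}
        self.actions.append(entry)
        return entry
```

A ticketing or SOAR integration would call the classifiers at intake and then append every analyst step through `record`, so the timeline under one identifier is available for the post-mortem.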