Online Courses
Cyber Incident Response

Incident identification

What defines an incident?

  • Event that requires a response

  • Should already be defined in policy

  • Usually adverse with negative impact

    • The real question is, how do we identify when they happen?

Sources of incident notification

End users

Most common source, but not always reliable: much of what users report turns out to be an ordinary event rather than an incident

Log sources

SIEM solutions, IDS, firewalls, HIPS. The volume of events can be overwhelming

  • Machine learning, deep learning and AI can help triage that volume, but they complement rather than replace well-tuned detection rules and analyst review

Notification from outside entities, such as law enforcement

Things to look out for

Make sure the identification criteria are calibrated to the organization

  • Too loose and everything is an incident

  • Too tight and you miss critical events
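The two points above (log sources generate far more events than incidents, and the identification criteria can be too loose or too tight) can be seen in a small detection script. The example below is added here and is not course material: it parses a constructed set of SSH authentication log lines (not real data), applies an assumed identification rule ("more than N failed logins from one source within a window, followed by a successful login from that source"), and runs the same events through three different thresholds so the effect of loose versus tight criteria is visible. The threshold values and the rule itself are illustrative assumptions, not criteria the course prescribes.

```python
"""Added example (not from the course): turn raw auth events into incident
candidates and show why the identification criteria must be calibrated.

The log lines, the rule (N failures then a success from one IP) and the
thresholds are all assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd events (documentation-range IPs, not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51000 ssh2
2024-05-01T10:00:03 sshd[1202]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-05-01T10:00:05 sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-05-01T10:00:07 sshd[1204]: Failed password for backup from 203.0.113.7 port 51003 ssh2
2024-05-01T10:00:09 sshd[1205]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2024-05-01T10:00:12 sshd[1206]: Accepted password for admin from 203.0.113.7 port 51005 ssh2
2024-05-01T10:05:00 sshd[1300]: Failed password for alice from 198.51.100.5 port 40000 ssh2
2024-05-01T10:05:20 sshd[1301]: Accepted password for alice from 198.51.100.5 port 40001 ssh2
2024-05-01T10:20:00 sshd[1400]: Failed password for bob from 192.0.2.9 port 42000 ssh2
2024-05-01T10:20:30 sshd[1401]: Failed password for bob from 192.0.2.9 port 42001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def identify_incidents(events, max_failures, window):
    """Assumed identification rule: a source IP with at least `max_failures`
    failed logins inside `window`, followed by a successful login from the
    same IP, becomes an incident candidate.
    Returns a list of (ip, user, failure_count) tuples in time order."""
    failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= max_failures:
            incidents.append((ev["ip"], ev["user"], len(recent)))
            recent = []   # candidate raised; reset the counter for this source
        failures[ev["ip"]] = recent
    return incidents


def compare_thresholds(text, thresholds, window=timedelta(minutes=5)):
    """Run the same events through several thresholds to show how the
    criteria change what is identified as an incident."""
    events = parse_events(text)
    return {t: identify_incidents(events, t, window) for t in thresholds}


if __name__ == "__main__":
    for threshold, found in compare_thresholds(SAMPLE_LOG, [1, 3, 10]).items():
        print(f"threshold={threshold:>2}: {found}")
```

With a threshold of 1 the rule is too loose: alice's single mistyped password followed by a normal login is flagged alongside the real brute-force pattern from 203.0.113.7. With a threshold of 10 it is too tight and the five-attempt brute force that ended in a successful login is missed entirely. A threshold of 3 identifies only the genuine candidate, which then moves on to classification; bob's two failures with no success remain an event, not an incident.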

Allow room for identifying new incidents

Just because it's not defined doesn't mean it's not an incident

Some of the more devastating incidents are "new" ones

Maintain scope and focus

Identify the incident, then move on to classification

  • Don't try to do containment at this stage!

How incidents are detected

  • Law enforcement

  • Internal detection/DLP

  • Third-party consultants/vendors

  • Exfiltrated data disclosed (internet or dark web)

    • Worst-case scenario? The organization learns of the breach only after the data is already public


Last updated 8 months ago