Incident definitions and severity criteria

Common terms

Event

An "event" is any observable occurrence in a system and/or network

  • Entries in system boot logs (event log/syslog)

  • An unusually high number of irregularities reported by end users

  • Ransom notes appearing on systems

Incident

An adverse event in an information system and/or network, or the threat of such an event occurring. An incident implies harm, or an attempt to cause harm

  • Malicious code attacks

  • Probes and network mapping

  • Unauthorized access

  • Unauthorized utilization of services

Core terms

Confidentiality

The property where information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information

Availability

The property of being accessible and usable upon demand by an authorized entity. Ensuring timely and reliable access to and use of information - or, in other words, being able to get what you want when you want it

Integrity

The property of an entity that has not been modified in an unauthorized manner. Guarding against improper information modification or destruction, so that information stays the way it was intended to be

Chain of evidence

A process and record that show who obtained the evidence, where and when the evidence was obtained, who secured the evidence, and who had control or possession of the evidence

Chain of custody

A process which shows the current and all past retention of a piece of evidence and all activities which relate to that piece of evidence during the course of investigative action
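The two definitions above describe a record of who held the evidence, where and when, and what was done with it. The following is an added example, not part of the original page, of what such a record looks like in code and of the two checks a reviewer would ask for: that custody is continuous (each hand-over starts with the last recorded holder) and that the evidence itself is unchanged (the SHA-256 taken at acquisition still matches at every later step). The evidence bytes, names, locations and timestamps are constructed for the demo.

```python
"""Chain-of-custody record with an integrity and continuity check.

Added example, not from the original page. Evidence bytes, people and
locations used in demo() are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    action: str          # "acquired" or "transferred"
    from_holder: str     # empty for the acquisition entry
    to_holder: str       # who has control/possession after this action
    location: str
    timestamp: datetime  # timezone-aware
    evidence_hash: str   # SHA-256 of the evidence when the action happened


@dataclass
class CustodyRecord:
    evidence_id: str
    entries: list = field(default_factory=list)

    def acquire(self, evidence: bytes, by: str, location: str, when: datetime) -> None:
        if self.entries:
            raise ValueError("evidence already has an acquisition entry")
        self.entries.append(CustodyEntry("acquired", "", by, location, when, sha256_hex(evidence)))

    def transfer(self, evidence: bytes, from_holder: str, to_holder: str,
                 location: str, when: datetime) -> None:
        # The hash is recomputed at every hand-over so that any change is attributable
        # to the interval in which it happened.
        self.entries.append(CustodyEntry("transferred", from_holder, to_holder,
                                         location, when, sha256_hex(evidence)))

    def current_holder(self) -> Optional[str]:
        return self.entries[-1].to_holder if self.entries else None


def custody_problems(record: CustodyRecord, evidence_now: bytes) -> list:
    """Return a list of problems found in the chain; an empty list means it is intact."""
    problems = []
    if not record.entries or record.entries[0].action != "acquired":
        return ["no acquisition entry"]
    original = record.entries[0].evidence_hash
    for i in range(1, len(record.entries)):
        prev, cur = record.entries[i - 1], record.entries[i]
        if cur.from_holder != prev.to_holder:
            problems.append(f"entry {i}: gap in custody ({prev.to_holder} -> {cur.from_holder})")
        if cur.timestamp < prev.timestamp:
            problems.append(f"entry {i}: timestamp precedes the previous entry")
        if cur.evidence_hash != original:
            problems.append(f"entry {i}: evidence hash changed at hand-over")
    if sha256_hex(evidence_now) != original:
        problems.append("evidence hash no longer matches the acquisition hash")
    return problems


def demo() -> dict:
    """Constructed scenario: an intact chain, a chain with a custody gap, and a tampered image."""
    evidence = b"constructed sample disk image\x00\x01\x02\x03"
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)

    intact = CustodyRecord("EVD-0001")
    intact.acquire(evidence, "responder.alice", "server room B12", t0)
    intact.transfer(evidence, "responder.alice", "analyst.bob", "forensics lab", t0 + timedelta(hours=2))

    gap = CustodyRecord("EVD-0002")
    gap.acquire(evidence, "responder.alice", "server room B12", t0)
    gap.transfer(evidence, "responder.alice", "analyst.bob", "forensics lab", t0 + timedelta(hours=2))
    # Carol records receiving the image from Alice, but the log says Bob had it last.
    gap.transfer(evidence, "responder.alice", "analyst.carol", "forensics lab", t0 + timedelta(hours=3))

    return {
        "intact": custody_problems(intact, evidence),
        "gap": custody_problems(gap, evidence),
        "tampered": custody_problems(intact, evidence + b"\xff"),
        "holder": intact.current_holder(),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In practice the record is kept outside the evidence store and each entry is signed or written to an append-only log; the point here is that a custody record is only useful if it can answer both "who had it at every moment" and "is it still the same bytes".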

Responder

The initial person or team that is first on scene and conducts the starting response actions for the event or incident

Malware

Malicious software designed to damage or disable computers, steal information, or gain control of a device

Rootkit

A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker's activities on the host and permit the attacker to maintain root-level access to the host through covert means

Threat actor

A malicious individual or group that carries out attacks against organizations, turning threats into incidents

Incident severity ratings and criteria

  • Level 1 - Unauthorized access

  • Level 2 - Denial of service

  • Level 3 - Malicious code

  • Level 4 - Improper usage

  • Level 5 - Scans/probes/attempted access

  • Level 6 - Investigation incident

Level 1 - Unauthorized access

The most serious level. A threat actor has successfully penetrated the environment

Usually warrants the largest response effort

Potential to be the most damaging to the organization

Level 2 - Denial of Service

A very serious level. A threat actor has successfully interrupted the availability of systems or services

Could be as serious and impactful as Level 1, depending on the organization type

Level 3 - Malicious code/malware

Probably the most common

Commonly a payload of phishing attacks

  • Could easily turn into a Level 1 if the malware gives a threat actor a foothold in the environment

Level 4 - Improper usage

Common and low-impact

Usually an incident that mostly involves internal staff and administration

Could still be significant if improper usage is found to be law-breaking

  • For example, gambling or images depicting human exploitation

Level 5 - Scans/probes/attempted access

Extremely common

Low-impact unless the scans themselves cause a denial of service

Can be a leading indicator of a more serious event

Level 6 - Investigation incident

Least serious

May not go any further than initial investigation

  • Example might be an employee reporting weird behaviour that turns out to be hardware failure
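The level descriptions above leave one question open: which level applies when several indicators are present at once, for example malware plus confirmed attacker access. The following is an added example, not part of the original page, of an intake classifier that applies the precedence implied by the scale (a lower number is more serious and wins) together with the escalation caveats stated above. The Findings field names are assumptions for the facts a responder establishes during triage.

```python
"""Assign a severity level from triage findings, applying the scale's precedence.

Added example, not from the original page. The Findings fields are assumed
names for facts established during triage; the level numbers, names and
escalation rules follow the criteria above.
"""
from dataclasses import dataclass

LEVELS = {
    1: "Unauthorized access",
    2: "Denial of service",
    3: "Malicious code",
    4: "Improper usage",
    5: "Scans/probes/attempted access",
    6: "Investigation incident",
}


@dataclass
class Findings:
    actor_has_access: bool = False       # threat actor confirmed inside the environment
    availability_impacted: bool = False  # a service or system is down or degraded
    malware_present: bool = False
    policy_violation: bool = False       # improper usage by staff
    possibly_unlawful: bool = False      # e.g. gambling, exploitative images
    scans_or_probes: bool = False


def classify(f: Findings) -> tuple:
    """Return (level, notes). The most serious applicable level wins; notes record escalations."""
    notes = []
    if f.actor_has_access:
        if f.malware_present:
            notes.append("escalated from Level 3: the malware gave the actor a foothold")
        return 1, notes
    if f.availability_impacted:
        if f.scans_or_probes:
            notes.append("escalated from Level 5: scanning is causing denial of service")
        return 2, notes
    if f.malware_present:
        notes.append("contain the host; re-triage as Level 1 if attacker activity follows")
        return 3, notes
    if f.policy_violation:
        if f.possibly_unlawful:
            notes.append("possible law-breaking: involve legal/HR before proceeding")
        return 4, notes
    if f.scans_or_probes:
        notes.append("low impact; treat as a leading indicator and watch for follow-on activity")
        return 5, notes
    notes.append("no adverse activity confirmed; may close after initial investigation")
    return 6, notes


def describe(f: Findings) -> str:
    level, notes = classify(f)
    return f"Level {level} - {LEVELS[level]}" + (f" ({'; '.join(notes)})" if notes else "")


if __name__ == "__main__":
    print(describe(Findings(malware_present=True)))
    print(describe(Findings(malware_present=True, actor_has_access=True)))
    print(describe(Findings(scans_or_probes=True, availability_impacted=True)))
```

Because the first matching rule wins, the order of the checks is the policy: a single malware finding stays at Level 3, but the same finding with confirmed access becomes Level 1 and the note preserves why, which is what the reviewer of the ticket will want to see later.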
