Fri Apr 8 06:47:17 PDT 2016
Management: Incident handling: How are incidents managed?
Option 1: Incidents are defined and anticipated and detection designed to identify and defeat them.
Option 2: Incidents are interdicted by timely intelligence and countermeasures.
Option 3: Incidents are reported to appropriate identified individuals or mechanisms in a timely fashion.
Option 4: Decisions are made in a timely fashion and in keeping with pre-defined criteria and requirements.
Option 5: Mitigation occurs before consequences reach management defined thresholds.
Option 6: Incident conclusion and clean-up occurs with minimum cost and inconvenience.
Option 7: Appropriate forensic data is collected and retained as part of the incident handling process.
Option 8: After-incident analysis is undertaken, and reports are generated and responded to, so as to improve incident handling over time.
Identify the number of detected events (of sorts) and responded-to events (of sorts) in the past year.
Incidents are defined and anticipated and detection designed to identify and defeat them.
Incidents are often misinterpreted as independent events or
treated independently even though they are interlinked. What
constitutes an incident, and the nature and types of incidents,
must be defined if there is to be any hope of identifying them based
on sensor and analytical capabilities. Once incidents are defined, the
sets of sensors required to detect those incidents can be designed and
properly placed so as to detect the incidents in time to react and
mitigate potentially serious negative consequences to within
management-specified acceptable loss thresholds.
Incidents are interdicted by timely intelligence and countermeasures.
An intelligence process should be in place to identify potential
sources of incidents prior to their occurrence (in most cases),
typically through an information sharing approach. For example, if an
enterprise depends on a particular protocol or mechanism for part of
its protective architecture, as events related to that protocol or
mechanism become known through intelligence gathering and sharing,
interdiction should be used in anticipation of future exploitation to
assure that similar sorts of events won't have serious negative
consequences on the enterprise. Countermeasures may range across the
spectrum of protective measures.
Incidents are reported to appropriate identified individuals or mechanisms in a timely fashion.
Assuming detection is in place, detections must be reported in a
meaningful way to decision mechanisms in order for decisions to be
made about how to respond to them. These mechanisms are normally
defined so as to apply the right resources to the incident so as to
resolve it in time to mitigate potentially serious negative
consequences. Without timely reporting, timely response cannot occur.
Reporting is often also required for management mandates, insurance
coverage, regulatory purposes, contractual mandates, and other reasons.
Decisions are made in a timely fashion and in keeping with pre-defined criteria and requirements.
Decision-making regarding incidents must be appropriate to the
incident and made in time to mitigate the potentially serious negative
consequences, or those consequences may occur. While some decisions may
be made off-the-cuff, most decisions about incidents should be well
thought out in advance and practiced so as to meet timeliness and
accuracy requirements. This applies to disaster scenarios, business
continuity scenarios, and day-to-day event sequences that occur within
Mitigation occurs before consequences reach management defined thresholds.
If mitigation does not occur in time, the negative consequences
may be realized. As a result, the objective of the incident handling
program is to mitigate before the potentially serious negative
consequences reach the management-specified thresholds. If no such
thresholds are identified, the mitigation approach cannot be defined
so as to meet the needs.
Incident conclusion and clean-up occurs with minimum cost and inconvenience.
At the end of an incident, normal operations are typically the
desired state. This means that incident termination has to be
identified and declared and normal operations resumed. The person or
system that makes such a declaration must have defined criteria for
making the determination and the return to normalcy should normally
include the capacity to deal with future incidents.
Appropriate forensic data is collected and retained as part of the incident handling process.
For cases where it is meaningful or useful to gather forensic
evidence associated with an incident, the relevant evidence should be
identified, gathered, transported, stored, and handled in a manner
appropriate to retaining its forensic value for the purposes intended.
This only occurs in cases where proper planning is undertaken and
the process is properly applied, even during the incident.
After-incident analysis is undertaken, and reports are generated and responded to, so as to improve incident handling over time.
After incidents are concluded, it is helpful to do after-action
reports and analysis to identify limitations or problems with the plan
as executed and work toward better approaches for the future. This helps
to reduce errors and omissions and optimizes the overall incident
handling capability over time.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved