3.3 Incident Management
Content
Note: The content in the following subsections is aligned with the following guides [14,15,16].
3.3.1 Preparation, Detection & Analysis
- Prepare the relevant contact details (on-call and escalation contacts) and define the policies & processes used to handle potential incidents.
- Collect all relevant security logs & events from your entire asset inventory, centrally, and identify incident signals in them.
- Identify the details that support the analysis, in particular a baseline of ordinary behavior/traffic against which unusual activity can be recognized.
- Prioritize incidents by severity, handle the highest-severity one first, and notify the relevant stakeholders. This is often automated.
3.3.2 Containment, Eradication & Recovery
- Isolate the resource suspected to be compromised to prevent further compromise / lateral movement.
- Protect and validate the logs and any relevant evidence: take copies, record their hashes, and keep them where the attacker cannot alter them.
- Start the remediation/mitigation and ensure only trusted resources (tools, images, credentials) are used during the entire process.
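An added example, not taken from the cited guides, of what "protect and validate the evidence" looks like in practice: each collected file is hashed with SHA-256 into a manifest, the manifest is sealed with an HMAC under a key the responder holds, and a verification step reports files that were modified, removed or added after collection, as well as a manifest whose recorded hashes were rewritten. The evidence files, their contents and the key are constructed for the example; a real key belongs in a secrets store, not next to the evidence.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large captures need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, key):
    """Record name, size and SHA-256 of every evidence file, then HMAC the record
    so that later edits to the manifest itself are detectable as well."""
    root = Path(evidence_dir)
    entries = {
        str(p.relative_to(root)): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*")) if p.is_file()
    }
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(evidence_dir, manifest, key):
    """Return a list of problems; an empty list means the evidence matches the manifest."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # Stop here: none of the hashes in this manifest can be trusted.
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    root = Path(evidence_dir)
    problems = []
    for rel, rec in manifest["entries"].items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif p.stat().st_size != rec["size"] or sha256_file(p) != rec["sha256"]:
            problems.append(f"modified: {rel}")
    for p in root.rglob("*"):
        if p.is_file() and str(p.relative_to(root)) not in manifest["entries"]:
            problems.append(f"unexpected: {p.relative_to(root)}")
    return problems


def demo():
    """Constructed walk-through: collect, seal, then detect two kinds of tampering."""
    key = b"constructed-demo-key; keep the real one in a secrets store"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed evidence files, written at collection time.
        (root / "auth.log").write_text(
            "2024-05-01T09:05:10Z sshd[108]: Accepted password for bob from 203.0.113.9 port 40005\n")
        (root / "netflow.csv").write_text(
            "ts,src,dst,bytes\n2024-05-01T09:05:12Z,203.0.113.9,10.0.0.7,4096\n")

        manifest = build_manifest(root, key)
        untouched = verify_manifest(root, manifest, key)

        # An attacker (or a careless responder) rewrites a log line after collection.
        (root / "auth.log").write_text(
            "2024-05-01T09:05:10Z sshd[108]: Accepted publickey for bob from 10.0.0.7 port 40005\n")
        file_tampered = verify_manifest(root, manifest, key)

        # The attacker also updates the recorded hash to match, but cannot recompute the HMAC.
        forged = json.loads(json.dumps(manifest))
        forged["entries"]["auth.log"]["sha256"] = sha256_file(root / "auth.log")
        manifest_tampered = verify_manifest(root, forged, key)
    return untouched, file_tampered, manifest_tampered


if __name__ == "__main__":
    for label, result in zip(("untouched", "file tampered", "manifest tampered"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Store the sealed manifest (and ideally the evidence copy) on write-once or access-controlled storage separate from the compromised environment; the hash check only proves integrity relative to the manifest, so the manifest and key must be outside the attacker's reach.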
3.3.3 Post-incident activity
- Draft the post-mortem report and request a review from the relevant stakeholders.
- Discuss possible changes that reduce the likelihood of similar incidents in the future.