Incident Response

Federal agencies are required by law to report incidents to the US Computer Readiness Team (CERT) office in DHS and must have a formal incident response capability.


  • Prepare – accumulate the knowledge, resources, tools, team members and training needed to handle incident response. Provide feedback into other processes (patch management…) that may help prevent incidents.
  • Identify – establish processes to identify incidents (intrusion detection) and a mechanism for incident reporting (trouble ticket application).
  • Contain – categorize types of incidents and prioritize reactions to them. Establish procedures for different levels or reactions and for forensic evidence collection.
  • Eradicate – set up a triage process to determine what level of eradication is needed to ensure security.
  • Recover – ensure backup and recovery procedures are working.
  • Learn – document the entire incident and analyze it after recovering in an attempt to learn lessons and improve all related processes.

Organizational Capability

  • Need for IR – establish business needs, legal and regulatory requirements.
  • Policy and procedure:
    • Create an IR policy and get it approved.
    • Create an IR plan
    • Establish information sharing procedures
  • The response team:
    • Choose a team structure
    • Select and train staff
    • Consider dependencies across the organization

Incident Types

  • Inappropriate use
  • Unauthorized access
  • Malicious code
  • Denial of service
  • Combinations of types
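As an added illustration of the Identify/Contain/Eradicate/Recover/Learn sequence above and of the incident types just listed (this is example code, not part of the original post): a small ticket tracker that refuses to skip PICERL phases, accepts combinations of incident types, computes a triage priority, and keeps the per-phase timeline the Learn phase needs. The severity values, the asset criticality scale and the ticket ids are constructed assumptions.

```python
"""Incident ticket tracker that enforces the PICERL phase order.

Added example (not from the original post). The incident types come from
the post's list; severities, criticality scale and ticket ids are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Phase(Enum):
    """Per-incident phases of PICERL. Prepare is continuous, pre-incident
    work and is not tracked per ticket, so tickets open at IDENTIFY."""
    IDENTIFY = 1
    CONTAIN = 2
    ERADICATE = 3
    RECOVER = 4
    LEARN = 5


# Incident types from the post; a ticket may carry several (combinations).
INCIDENT_TYPES = frozenset({
    "inappropriate_use",
    "unauthorized_access",
    "malicious_code",
    "denial_of_service",
})

# Constructed base severities (assumption): adjust to your own IR policy.
BASE_SEVERITY = {
    "inappropriate_use": 1,
    "denial_of_service": 2,
    "unauthorized_access": 3,
    "malicious_code": 3,
}


@dataclass
class Incident:
    ticket_id: str
    types: frozenset
    asset_criticality: int          # constructed scale: 1 (low) .. 3 (high)
    phase: Phase = Phase.IDENTIFY
    history: list = field(default_factory=list)  # (phase, entered_at) pairs

    def __post_init__(self):
        unknown = self.types - INCIDENT_TYPES
        if not self.types or unknown:
            raise ValueError(f"invalid incident types: {sorted(unknown) or 'none'}")
        if self.asset_criticality not in (1, 2, 3):
            raise ValueError("asset_criticality must be 1, 2 or 3")
        self.history.append((self.phase, datetime.now(timezone.utc)))


def priority(incident: Incident) -> int:
    """Triage score: worst base severity among the types, +1 when the ticket
    combines several types, scaled by how critical the affected asset is."""
    worst = max(BASE_SEVERITY[t] for t in incident.types)
    combined = 1 if len(incident.types) > 1 else 0
    return (worst + combined) * incident.asset_criticality


def advance(incident: Incident, next_phase: Phase) -> Phase:
    """Move the ticket one PICERL step forward. Skipping phases (e.g. Recover
    before Contain) or moving backwards is refused, so containment and
    evidence collection cannot be bypassed on the way to recovery."""
    if next_phase.value != incident.phase.value + 1:
        raise ValueError(f"cannot go from {incident.phase.name} to {next_phase.name}")
    incident.phase = next_phase
    incident.history.append((next_phase, datetime.now(timezone.utc)))
    return incident.phase


def report(incident: Incident) -> dict:
    """Summary for the Learn phase: what it was, how urgent it was, and when
    each phase was entered (the timeline a post-incident review needs)."""
    return {
        "ticket_id": incident.ticket_id,
        "types": sorted(incident.types),
        "priority": priority(incident),
        "current_phase": incident.phase.name,
        "timeline": [(p.name, t.isoformat()) for p, t in incident.history],
    }


if __name__ == "__main__":
    # Constructed sample: malware that also took down a service on a critical host.
    inc = Incident("INC-0001", frozenset({"malicious_code", "denial_of_service"}), 3)
    for step in (Phase.CONTAIN, Phase.ERADICATE, Phase.RECOVER, Phase.LEARN):
        advance(inc, step)
    print(report(inc))
```

The strict one-step `advance` is the point: a real ticketing workflow should make it impossible to mark an incident recovered without a recorded containment and eradication step, because those records are what the lessons-learned review and any legally required report are built from.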


  • IR is required by law (for federal agencies)
  • IR is required for security protection
  • PICERL methodology

NIST SP 800-61, “Computer Security Incident Handling Guide”
