How to Respond to an Attack

Response to an attack is typically initiated by a user, employee, contractor, or third-party user calling the IT help desk, network operations center, or security operations center. After an attacker exploits a vulnerability in an IT infrastructure or one of its assets, a security incident is created. This security incident may manifest as an immediate confidentiality, integrity, or availability problem that must be reported to the IT help desk. Upon receipt of the security incident call, the IT help desk must first assess the criticality of the security incident. The criticality assigned to the security incident dictates the level of response needed for that attack or incident. Critical, Major, and Minor classifications typically define the level of response that must be provided, according to the severity of the security incident.

Many organizations create and deploy a Computer or Security Incident Response Team (CIRT or SIRT). These teams are usually composed of a cross-section of human resources, legal, IT, and IT security personnel and are led by a team leader who has full authority to resolve the security incident quickly, without damaging or altering any forensic data or physical evidence that may be collected as part of the security incident investigation. SIRT teams are dispatched when security breaches or incidents occur in real time, and live monitoring and auditing of the affected IT assets and devices is conducted. Depending on whether the attack and the attacker are internal or external to the organization, the SIRT team reacts and responds differently to the situation. This is especially important if the attacker is suspected to be an internal employee: proper human resources procedures and guidelines must be followed, especially if the employee is to be fired on the spot.

In Chapter 10, “Post-Assessment Activities,” SIRT team goals and objectives, SIRT team functions, security workflow definitions, and security incident severity classifications are discussed in greater detail. Chapter 10 also discusses what an organization should do to put the proper response team in place to handle information security breaches and security incidents. Security incidents are the by-product of the exploitation of software vulnerabilities that are inherent in most IT infrastructures and their IT assets.
