Chapter 6. Incident Response
As the name suggests, incident response is the set of processes and procedures that are initiated once a security incident has been declared. In modern-day computing, however, incidents may range from a single compromised endpoint to complete network compromises resulting in massive data breaches. In addition, data breaches and enterprise-wide attacks are becoming more and more common, and thus incident response has grown in meaning beyond merely these processes and procedures to encompass an entire discipline within information security.
In this chapter we will discuss the various processes involved in incident response, tools and technology options, and the most common forms of technical analysis that you are likely to need to perform during an incident.
Processes
Incident response processes are an integral component of being able to react quickly in the event of an incident, recognize when an event is not actually an incident, operate efficiently during an incident, and improve after an incident. Having processes in place before an incident begins will pay dividends in the long run.
Pre-Incident Processes
The processes associated with incident response are not merely concerned with what happens during an incident. If there are no processes in place to recognize that an incident is taking place, that the incident response process should be initiated, and that those responsible for incident response should be notified, there is little point in having processes to deal with ...