Hi CISO, this is Chapter 2: Information Security Incident Response.



Identifying and responding to information security incidents is at the core of security operations. The team assigned to security operations is expected to monitor the organization's in-scope assets and to respond to security events and incidents, including identifying and investigating what may be considered indicators of compromise (IOC).

In this chapter we are going to cover the following topics:

  • Incident Response Timeline
  • Incident Detection
  • Incident Triage
  • Incident Categories
  • Incident Severity
  • Incident Resolution
  • Incident Closure
  • Post-Incident
  • SOC Generations
  • Conclusion

1. Incident Response Timeline

Setting up a SOC to manage incidents extends to cover people, processes, and of course, technology.

The exact set of steps to follow and the parties to involve depend on the nature of the incident. A typical incident-handling process follows the sequence of steps shown in the incident response (IR) timeline in the Figure. Let us look at detection, which is the second step.


2. Incident Detection

Detection refers to the stage in which an incident is observed and reported by people or technology, and to the process that handles the reporting aspects.

For the process to be effective, the following must be documented and formalized:

-Identify the sources, such as technology and people, that are responsible for detecting and reporting incidents.

-Identify the channels through which incidents should be reported.

-Identify the steps that should be taken to accept and process incident reports.

-Identify the requirements on people and technology for the process to work.

3. Incident Triage

Incident triage refers to the initial actions taken on a detected event, which are used to determine the remaining steps according to the incident response plan. The triage phase consists of three subphases: verification, initial classification, and assignment.

The triage phase is concerned with answering various questions, such as the following:

-Is the incident within the scope of the program?

-Is it a new incident, or is it related to a previously reported one?

-What category should the incident be assigned to?

-What severity level should be assigned to the incident?

-Who should be assigned to investigate and analyze the incident?

-Is there a time frame associated with the incident?

4. Incident Categories

Category                         Description
-------------------------------  --------------------------------------------------------------------------
(name not given in the source)   Used when conducting an approved exercise, such as an authorized penetration test.
Unauthorized access              An individual gains logical or physical access without permission to a client network, system, application, data, or other resource.
Denial of Service (DoS)          An attack successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources.
Malicious code                   A successful installation of malicious software, such as a virus, worm, trojan horse, or other code-based malicious entity, that infects an OS or application.
Scans/Probes/Attempted access    Any activity that seeks to access or identify a client computer, open ports, protocols, services, or any combination of these, for a future attack.
(name not given in the source)   Unconfirmed incidents that are potentially malicious or anomalous activity, deemed by the reporting entity to warrant further review.

All security incidents should be assigned a category. The category number identifies the type of the incident and its potential kind of impact. The table shows an example list of categories that we use for categorizing incidents.

An incident may have more than one category, and the classification can change as the incident progresses or as the investigation of the incident uncovers new findings.

5. Incident Severity

Severity levels are based on the expected or observed impact of an incident. Severity is used to prioritize the incident, to decide the amount of resources that should be assigned, and to determine the escalation procedure to follow.


Severity   Description
---------  ----------------------------------------------------------------------------------------------
High       Incidents that have a severe impact on operations
Medium     Incidents that have a significant impact, or the potential to have a severe impact, on operations
Low        Incidents that have a minimal impact with the potential for significant or severe impact on operations
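To make the triage questions, the category list, and the severity levels above concrete, here is an added Python sketch of the three triage subphases (scope verification, classification against open incidents, assignment); it is example code written for this page, not from the chapter or the books it draws on. The asset inventory, analyst list, and the impact vocabulary on the event record are constructed assumptions.

```python
from dataclasses import dataclass
# Category names from the chapter's table (its two unnamed rows are left out).
CATEGORIES = {"unauthorized_access", "dos", "malicious_code", "scans_probes"}
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}
# Constructed asset inventory: only these hosts are within the SOC's scope.
IN_SCOPE_ASSETS = {"web-01", "db-01", "hr-fileserver"}

@dataclass
class Event:
    event_id: str
    asset: str
    category: str
    impact: str                  # observed: "minimal", "significant" or "severe"
    potential: str = "minimal"   # expected impact if the incident develops
@dataclass
class Incident:
    incident_id: str
    asset: str
    categories: set
    severity: str
    assignee: str

def classify_severity(impact: str, potential: str) -> str:
    """Map observed/expected impact onto the chapter's High/Medium/Low levels."""
    if impact == "severe":
        return "High"
    if impact == "significant" or potential == "severe":
        return "Medium"
    return "Low"      # minimal impact, possibly with significant potential

def triage(event: Event, open_incidents: list, analysts: list):
    """Verification -> classification -> assignment; None when out of scope."""
    if event.asset not in IN_SCOPE_ASSETS:            # verification: scope check
        return None
    if event.category not in CATEGORIES:
        raise ValueError(f"unknown category {event.category!r}")
    for inc in open_incidents:                       # related to an open incident?
        if inc.asset == event.asset:
            inc.categories.add(event.category)        # classification can change
            new_sev = classify_severity(event.impact, event.potential)
            if SEVERITY_RANK[new_sev] > SEVERITY_RANK[inc.severity]:
                inc.severity = new_sev                # escalate, never downgrade here
            return inc
    # new incident: assign it to the analyst with the fewest open incidents
    load = {a: sum(1 for i in open_incidents if i.assignee == a) for a in analysts}
    assignee = min(analysts, key=load.get)
    inc = Incident(f"INC-{len(open_incidents) + 1:04d}", event.asset,
                   {event.category}, classify_severity(event.impact, event.potential), assignee)
    open_incidents.append(inc)
    return inc
```

Correlating a new event with an already open incident on the same asset is what keeps one intrusion from being tracked as several tickets, and re-running the severity mapping on each new event is how the priority rises as the investigation uncovers more.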

6. Incident Resolution

The lifecycle of an incident should eventually lead to some form of resolution. This may include data analysis, resolution research, a proposed or performed action, and recovery. The goal of this phase is to find the root cause of the incident, while working on containing the incident at the earliest stage possible.


The investigation and analysis phase includes the activities undertaken by the SOC and by other teams with the goal of:

-Identifying compromised systems and accounts

-Understanding the impact of the security incident

-Identifying unauthorized access attempts to confidential data

-Understanding the chain of events that led to the security incident

The containment phase includes the actions performed to quickly stop a security incident from escalating or spreading to other networks or systems.

The process shown in the Figure is an example containment process. We may, however, proceed with containment before or during the incident investigation.


The exact steps to follow to contain a security incident vary depending on the nature of the incident and the business criticality of the asset. Examples of containment actions include the following:

-Disconnecting a system from the network

-Moving an infected system to a quarantine network

-Stopping a process or a service

-Disabling an account

-Adding a firewall rule

-Adding an intrusion prevention system (IPS) signature/rule that would detect and block the attack's specific vector.

7. Incident Closure

Closing a security incident refers to the eradication phase, in which the vulnerabilities that led to the event or incident have been closed and all traces of the incident have been cleaned up. The closure process also includes testing systems to ensure that the eradication steps and controls were effective and that the vectors used by the attack no longer exist or are no longer effective. Predefined actions to consider include applying any final information about the event, its final classification, any external notifications, and documenting information about the incident.


8. Post-Incident

This is the "lessons-learned" stage, in which we look to improve the IR processes and review other people, process, and technology controls. Post-incident activities will vary depending on the severity of the security incident. Important lessons learned from a security incident can be valuable in preventing or mitigating future incidents through proactive services, for example by improving the security features of existing defensive capabilities.

9. SOC Generations

Our understanding of SOC components and expected services has changed over time. This reflects the change in our perception of the criticality of information assurance and security operations. This change comes in response to the ever-changing security threat landscape, in addition to our increasing adoption of formal information security standards, which require the establishment and management of a formal security operations model and audit processes.



10. Conclusion

In summary, following an incident response timeline, the SOC team would handle a number of basic tasks, from incident detection to closure. Each phase of an incident can have its own process and involve different groups within the organization. It is important that the preparation, planning, and build phases for incident response be defined, documented, and supported by the right authorities within the organization. Incident response is all about timing, and the worst time to figure out responsibilities and the incident-handling process is during an active attack.



P.S.: This is part of the Security Operations Analysis - Crowdsourcing eBook on Peerlyst.
