Response as a process of eliminating the causes and consequences of an event
An information security incident response is a structured set of actions aimed at establishing the details of an incident, minimizing the damage caused by the threat, and preventing the incident from recurring.
An information security incident response has several phases:
- Analysis of network activity. Members of the incident response team assess network traffic and examine suspicious information systems.
- Forensic analysis. Experts perform a rapid forensic survey of all of the company's servers that the attackers used, to establish the causes of the attack, trace the attackers' movement through the computer systems and networks, and identify the vulnerabilities they exploited.
- Malware diagnostics. The analyst performs static and dynamic analysis of the malicious code samples found during the scan. Together, these steps let experts make sure the malware has not established persistence in the computer systems and prevent repeated penetration of the company's IT infrastructure.
Mechanisms for responding to information security incidents applied by Roundsec
Identifying threats and responding to incidents in the field of information security are Roundsec's main areas of activity. In the course of this work, vulnerabilities in the information system are identified, and traces of past attacks and new, previously unnoticed intrusions are found.
When analyzing and responding to information security incidents, Roundsec's team of experienced professionals carries out a set of processes consisting of the following successive stages:
- Preparation. In the preparatory stage, specialists do the operational groundwork needed to protect the organization's information system, and the organization's staff are informed of the security measures they need to support.
- Detection. In the detection stage, experts determine whether a given event in the information system qualifies as an incident, using analytical tools, feeds of information about external attacks, and other sources of information.
- Recording the situation as found and comprehensively examining the information resources involved in the incident.
- Coordinating the neutralization of the computer intrusions that led to the incident. Our employees configure the security controls so that the infection cannot spread further, and begin reconfiguring the information system so that it can keep operating without further harm.
- Removal. The aim of the removal stage is to bring the infected information system back to its original state: suitably skilled staff remove both the malicious software and any other compromised components of the system.
- Investigating the root causes of the incident and its adverse effects on the information system.
- Recovery. In this stage, the cleaned resources are gradually returned to the production network, while our specialists continue to monitor their condition to be certain that the threats have been completely eliminated.
- Conclusions and recommendations. At the end of the work, Roundsec's specialists review the actions that were taken. At this stage, specific adjustments are also made to the software configuration, and a list of recommendations is drawn up for preventing and eliminating similar threats and for responding rapidly to future information security incidents.
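The detection stage above decides whether an event is an incident using analytical tools and feeds about external attacks. As an added illustration, not code from Roundsec or from this page, the Python script below runs that triage over a few constructed proxy log lines against a constructed indicator list: a single match is recorded as an event, and a source host that touches two different indicators within ten minutes is escalated to an incident. The log format, the indicators, the ten-minute window and the threshold of two are all assumptions made for the example.

```python
"""Added example: event-vs-incident triage over proxy log lines using an IOC feed.

Constructed data only: the domains, IPs and log lines below are made up for
illustration (RFC 5737 / RFC 2606 ranges), not taken from any real feed or client.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for an external threat intelligence feed: indicator -> description.
IOC_DOMAINS = {
    "update-check.example": "C2 beacon",
    "cdn-files.example": "malware download host",
}
IOC_IPS = {
    "203.0.113.45": "known scanning host",
}

# Constructed proxy log: "<ISO timestamp> <source IP> <method> <host> <HTTP status>".
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.5 GET www.example.com 200
2024-03-01T09:00:07 10.0.0.5 GET update-check.example 200
2024-03-01T09:01:10 10.0.0.5 POST api.update-check.example 200
2024-03-01T09:01:55 10.0.0.5 GET cdn-files.example 200
2024-03-01T09:29:40 10.0.0.9 GET www.example.com 200
2024-03-01T09:30:00 10.0.0.9 GET 203.0.113.45 403
this line is malformed and must be skipped
2024-03-01T11:00:00 10.0.0.9 GET update-check.example 200
2024-03-01T11:05:00 10.0.0.7 GET www.example.com 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<src>\S+) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def match_ioc(host):
    """Return (indicator, description) if host is a listed IP, a listed domain,
    or a subdomain of a listed domain; otherwise None."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return host, IOC_IPS[host]
    labels = host.split(".")
    # Walk parent domains: api.update-check.example -> update-check.example (never the bare TLD).
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate, IOC_DOMAINS[candidate]
    return None


def triage(log_text, window=timedelta(minutes=10), threshold=2):
    """Classify each source host that hit at least one indicator.

    A single IOC hit is recorded as an 'event' worth a look. A host that touches
    `threshold` or more distinct indicators within `window` is escalated to an
    'incident' (the window and threshold are assumed values for this example).
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skipped, not silently misparsed
        matched = match_ioc(rec["host"])
        if matched is not None:
            indicator, desc = matched
            hits[rec["src"]].append((rec["ts"], indicator, desc, rec["status"]))

    report = {}
    for src, events in hits.items():
        events.sort()
        escalated = False
        for i, (t0, _, _, _) in enumerate(events):
            distinct = {ind for ts, ind, _, _ in events[i:] if ts - t0 <= window}
            if len(distinct) >= threshold:
                escalated = True
                break
        report[src] = {
            "classification": "incident" if escalated else "event",
            "indicators": [(ts.isoformat(), ind, desc, st) for ts, ind, desc, st in events],
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src}: {info['classification']}")
        for ts, ind, desc, status in info["indicators"]:
            print(f"    {ts} {ind} ({desc}) status={status}")
```

Note that a request the proxy already blocked (status 403) still counts as an indicator: the block stopped the connection, but the host that tried to make it is still the one to examine. In the sample, 10.0.0.5 reaches a beacon domain and a download host within two minutes and is escalated, while 10.0.0.9 has two hits ninety minutes apart and stays an event for analyst review.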
All of these mechanisms are set out in the regulations, which describe the stages of action for the most important types of incident, the specific measures to be taken, and the time limits for carrying them out. The regulations also need to assign responsibility for failing to apply certain security measures, or for applying them ineffectively.
Roundsec's experienced specialists isolate incidents and eliminate their consequences in accordance with recommended methodological guidelines, which cover the prevention and detection of computer attacks and the removal of their consequences.
Determining the primary causes of incidents
Our company's qualified analysts identify the root causes of an IT incident in several stages:
Initial assessment of a new incident. The tasks of this stage include:
- establishing the conditions under which the incident occurred and determining its undesirable consequences;
- promptly and consistently establishing the circumstances of an incident that falls outside the standard procedure for incidents of this type.
In-depth, integrated analysis of the incident. The main tasks of this stage include:
- investigating the root causes of the incident;
- determining the objective consequences of the incident.
Use the feedback form on the site to order the service in Moscow or to find out the price, and to obtain more detailed information about Roundsec's work in the field of information security, in particular the investigation of computer incidents and the incident response process.