Incident Response Procedure

How Does the Procedure Proceed?

In a SOC (Security Operations Center) environment, the action taken against an incident is important. Analysts should not each use a method of their own devising; instead, methods whose frameworks have been determined in advance should be followed, so that there is consistency and everything proceeds accurately during a time of crisis. In this section, we will talk about how we can keep a consistent baseline when responding to incidents. This section is important for understanding the big picture.

Alert

The logs collected by the EDR, IDS, IPS, WAF, and similar security tools found in the SOC are fed into the SIEM, where correlation rule sets are built to detect suspicious activity. Thus, when an unwanted situation occurs, a new alert is generated.

Analyze

In an ideal SOC environment, Tier 1 analysts are present to conduct the preliminary analysis of alerts that come in through the security tools. The analyst examines the incoming alert and determines whether or not it is a false positive. For example, an alert may be generated because a request was sent to a URL flagged as malicious, while the URL is not actually malicious. The Tier 1 analyst handles this triage and filters out such alerts.
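To make the Alert and Analyze steps concrete, the following is an added example (not part of the training material, and not code from any SIEM product) of a miniature correlation-and-triage pipeline in Python. The log entries, the threat-intel blocklist, the analyst allowlist, and the rule names are all constructed for illustration. It applies two correlation rules to a batch of logs (a brute-force rule and a blocklisted-URL rule), then runs a Tier 1 check that marks an alert for a known-good destination as a false positive and escalates the rest, mirroring the benign-URL case described above.

```python
"""Illustrative SIEM correlation plus Tier 1 triage (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample logs: (timestamp, source host, event type, detail).
# They do not come from any real system.
SAMPLE_LOGS = [
    ("2024-01-10T09:00:01", "10.0.0.5", "auth_fail", "bob"),
    ("2024-01-10T09:00:05", "10.0.0.5", "auth_fail", "bob"),
    ("2024-01-10T09:00:09", "10.0.0.5", "auth_fail", "bob"),
    ("2024-01-10T09:00:12", "10.0.0.5", "auth_fail", "bob"),
    ("2024-01-10T09:00:15", "10.0.0.5", "auth_fail", "bob"),
    ("2024-01-10T09:00:20", "10.0.0.5", "auth_success", "bob"),
    ("2024-01-10T09:30:00", "10.0.0.7", "http_request", "updates.example.com/patch.bin"),
    ("2024-01-10T09:31:00", "10.0.0.8", "http_request", "bad.example.net/payload"),
    ("2024-01-10T11:00:00", "10.0.0.9", "auth_fail", "alice"),
    ("2024-01-10T11:05:00", "10.0.0.9", "auth_success", "alice"),
]

# Hypothetical threat-intel feed and analyst allowlist (constructed values).
BLOCKLIST = {"bad.example.net", "updates.example.com"}
ALLOWLIST = {"updates.example.com"}  # destination cleared by earlier triage


@dataclass
class Alert:
    rule: str
    source: str
    evidence: list = field(default_factory=list)
    verdict: str = "open"


def parse(entry):
    ts, src, event, detail = entry
    return datetime.fromisoformat(ts), src, event, detail


def rule_bruteforce(logs, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold auth failures from one source inside the
    window, followed by a success from the same source."""
    alerts = []
    by_src = defaultdict(list)
    for ts, src, event, detail in map(parse, logs):
        by_src[src].append((ts, event, detail))
    for src, events in by_src.items():
        fails = []
        for ts, event, detail in events:
            # Drop failures that have aged out of the window.
            fails = [f for f in fails if ts - f <= window]
            if event == "auth_fail":
                fails.append(ts)
            elif event == "auth_success" and len(fails) >= threshold:
                alerts.append(Alert("bruteforce_then_success", src, [ts.isoformat()]))
                fails = []
    return alerts


def rule_blocklisted_url(logs):
    """Correlation rule: an HTTP request to a domain on the threat-intel blocklist."""
    alerts = []
    for ts, src, event, detail in map(parse, logs):
        if event == "http_request":
            domain = detail.split("/", 1)[0]
            if domain in BLOCKLIST:
                alerts.append(Alert("blocklisted_url", src, [detail]))
    return alerts


def tier1_triage(alert):
    """Tier 1 check: a blocklist hit on a known-good domain is a false positive;
    everything else is escalated for investigation."""
    if alert.rule == "blocklisted_url":
        domain = alert.evidence[0].split("/", 1)[0]
        if domain in ALLOWLIST:
            alert.verdict = "false_positive"
            return alert
    alert.verdict = "escalate"
    return alert


def run_pipeline(logs):
    """Alert step (correlation rules) followed by the Analyze step (triage)."""
    alerts = rule_bruteforce(logs) + rule_blocklisted_url(logs)
    return [tier1_triage(a) for a in alerts]


if __name__ == "__main__":
    for a in run_pipeline(SAMPLE_LOGS):
        print(f"{a.rule:25} {a.source:10} {a.verdict:15} {a.evidence}")
```

Running the block produces three alerts: the brute-force sequence from 10.0.0.5 and the request from 10.0.0.8 are escalated, while the request from 10.0.0.7 to the allowlisted domain is closed as a false positive. A real SIEM keeps the allowlist and the rule thresholds as tunable configuration, but the split between rule evaluation and analyst triage is the same.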

Investigate

Once it is determined that the incoming alert is not a false positive, the investigation begins and the source of the attack is investigated. In addition, how far the attacker has progressed since the beginning of the attack is investigated.

Assess Impact

The systems affected by the attack are identified, and the amount of damage in the current situation is assessed and evaluated. For example, a system affected by ransomware may not have had all of its data encrypted. Determinations like this have to be made in order to assess the current situation.

Contain

After determining the systems affected by the attack, it is crucial that the situation is brought under control and prevented from spreading. Thus, the affected devices must immediately be isolated from the network. Let’s continue with the ransomware example. Dangerous ransomware will try to spread itself to other devices. To prevent any interaction with the other devices, the infected device must be isolated from the network.

Respond

After all the steps mentioned above are completed, the response process is initiated. In this step, the root cause of the situation is determined, the present dangers are removed, the systems are brought back to a working state, and lessons are drawn from what has occurred. The main topic of this training is the detail listed under this heading. In the following topics, we show you how to do this in detail.
