
Confirmation and Initial Assessment of a Cybersecurity Incident

This article provides a comprehensive guide on how companies can structure an incident notification process, implement strategies for timely decision-making, and prevent the spread of the incident. Additionally, it details how to handle post-incident activities and prepare a report that includes lessons learned. Finally, it identifies all roles involved in incident management to ensure a coordinated and effective response.

Incident Notification Process

This section presents a guide on how to establish an effective incident notification process, including detection, initiation of the notification, and appropriate communication channels to ensure incidents are managed efficiently and promptly.

Incident Detection

All employees should be trained to recognize potential security incidents and immediately report any suspected incidents to the information security team.

Indicators for Detecting a Security Incident

| Category | Indicator Name | Indicator Description |
| --- | --- | --- |
| Technical | Unusual Network Activity | Unexpected increase in network traffic, connections to suspicious IPs, spikes in activity during non-working hours. |
| Technical | IDS Alerts | Notifications of unauthorized access attempts, port scans, detected malicious traffic patterns. |
| Technical | System Logs | Records of multiple failed login attempts, accesses from unusual geographic locations, unauthorized configuration changes. |
| Technical | Anomalous User Behavior | Activities that do not match normal usage patterns, such as access to sensitive data by employees without privileges. |
| Technical | Suspicious Files and Applications | Presence of unrecognized files, unauthorized modifications to existing files, or installation of applications without approval. |
| Physical | Unauthorized Access | Attempts to physically access restricted areas, such as server rooms or sensitive equipment. |
| Physical | Unknown Devices | Detection of unrecognized devices connected to the network, such as USB drives, laptops, or mobile devices. |
| Corporate | Employee Behavior | Reports from employees about suspicious behaviors or devices operating unusually. |
| Corporate | Performance Issues | Unexplained slow system performance or unexpected outages of critical services. |
| Corporate | Data Disappearance | Loss or corruption of data without apparent explanation. |
| External | Security Provider Alerts | Notifications from security service providers about emerging threats that could affect the organization. |
| External | News and Reports | Media reports or public security alerts about new vulnerabilities or attacks that might be related to the company. |
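As an added example (not part of the original lesson), the script below checks a few constructed authentication log lines for three of the technical indicators in the table: repeated failed logins and logins from unusual locations (System Logs), and a burst of activity outside working hours (Unusual Network Activity). The log format, thresholds, and the list of expected countries are assumptions that a real team would tune to its own environment.

```python
# Added example, not the lesson's own code: flag three indicators from the
# table on constructed auth log lines. Thresholds and the expected-country
# list are assumptions; tune them for your organization.
from collections import Counter
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <user> <result> <country>"
SAMPLE_LOG = """\
2024-05-06T09:02:11 alice SUCCESS US
2024-05-06T09:05:40 bob FAILURE US
2024-05-06T09:05:52 bob FAILURE US
2024-05-06T09:06:03 bob FAILURE US
2024-05-06T09:06:15 bob FAILURE US
2024-05-06T09:06:27 bob FAILURE US
2024-05-06T22:14:09 carol SUCCESS RU
2024-05-07T02:31:44 dave SUCCESS US
2024-05-07T02:32:01 dave SUCCESS US
2024-05-07T02:32:19 dave SUCCESS US
"""

EXPECTED_COUNTRIES = {"US", "CA"}  # assumption: where staff normally log in from
FAILED_LOGIN_THRESHOLD = 5         # assumption: failures per user before alerting
BUSINESS_HOURS = range(8, 19)      # assumption: 08:00-18:59 counts as working hours
OFF_HOURS_EVENT_THRESHOLD = 3      # assumption: off-hours events per user before alerting

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result, country) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, country = line.split()
        events.append((datetime.fromisoformat(ts), user, result, country))
    return events

def find_indicators(events):
    """Return (indicator_name, detail) pairs named after the table's indicators."""
    findings = []
    failures = Counter(u for _, u, r, _ in events if r == "FAILURE")
    for user, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("System Logs", f"{n} failed logins for {user}"))
    for _, user, result, country in events:
        if result == "SUCCESS" and country not in EXPECTED_COUNTRIES:
            findings.append(("System Logs", f"{user} logged in from unusual location {country}"))
    off_hours = Counter(u for ts, u, _, _ in events if ts.hour not in BUSINESS_HOURS)
    for user, n in off_hours.items():
        if n >= OFF_HOURS_EVENT_THRESHOLD:
            findings.append(("Unusual Network Activity", f"{n} off-hours events for {user}"))
    return findings

if __name__ == "__main__":
    for name, detail in find_indicators(parse_log(SAMPLE_LOG)):
        print(f"[{name}] {detail}")
```

Each finding is a candidate for the notification form described in the next section, not a confirmed incident; the IRT still verifies it.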

Notification Initiation

Provide a standardized initial notification form that includes details such as:

  • Date and time of discovery.
  • Description of the incident.
  • Affected systems.
  • Potentially compromised data.

Communication Channels

  • Email: A dedicated email for security incidents.
  • Phone: Emergency hotline for critical incidents.
  • Incident Management System (ITSM): Use of an ITSM platform to log and manage incidents.

Initial Confirmation and Assessment

An Incident Response Team (IRT) should be responsible for evaluating the validity and severity of the reported incident. They must also ensure that all details of the incident are properly recorded.

Confirmation and Initial Assessment of the Incident

Confirmation and initial assessment of an incident are crucial steps to determine the veracity and severity of a potential threat. This process ensures that the organization's resources are used effectively and that appropriate measures are taken immediately.

1. Incident Confirmation

Incident Response Team (IRT):

  • Report Reception: The IRT receives the incident notification through designated channels (email, phone, ITSM system).
  • Initial Verification: The team reviews the information provided in the notification to verify its validity and relevance. This may include checking system logs, IDS alerts, and interviewing the person who reported the incident.
  • Source Analysis: Determine if the report source is reliable and if the provided data is consistent with the nature of the incident.

2. Initial Security Incident Assessment

Incident Severity: Determine the level of threat posed by the incident. This includes assessing the potential impact on critical systems and on the confidentiality, integrity, and availability of data. Below is a list of possible severity levels:

  • Low: Minor incidents with limited impact, such as unsuccessful phishing attempts.
  • Medium: Incidents with moderate impact that require attention, such as malware detected on a user's machine.
  • High: Severe incidents with the potential to cause significant harm, such as a data breach or ransomware attack.

Incident Scope: Identify which systems, networks, data, and users are affected. This may involve, among other steps:

  • Reviewing access and network activity logs.
  • Inspecting compromised devices.
  • Evaluating the potential spread of the incident to other systems.

Priority Setting: Based on the severity and scope of the incident, allocate the necessary resources to effectively manage the situation. Inform and coordinate with other relevant departments, such as IT, legal, and communications, to ensure a unified response.

An effective initial assessment allows the organization to make informed decisions quickly and minimize the incident's impact on operations.
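The added example below (not the lesson's own code) ties together the standardized notification form from the Notification Initiation section and the severity, scope, and priority steps above: it validates the form's required fields and derives a triage priority from the severity level and the scope of affected systems and data. The scoring rule, the priority labels P1 to P3, and the set of critical systems are assumptions an IRT would replace with its own criteria.

```python
# Added example, not the lesson's own code. Validates the initial notification
# form and turns severity + scope into a priority. Scoring thresholds are assumptions.
from dataclasses import dataclass, field
from datetime import datetime

SEVERITY_LEVELS = ("Low", "Medium", "High")  # the three levels from the lesson
# "Potentially compromised data" may legitimately be empty, so it is not required.
REQUIRED_FIELDS = ("discovered_at", "description", "affected_systems")

@dataclass
class IncidentNotification:
    discovered_at: str                       # date and time of discovery (ISO 8601)
    description: str                         # description of the incident
    affected_systems: list = field(default_factory=list)
    compromised_data: list = field(default_factory=list)
    severity: str = "Low"                    # set by the IRT during initial assessment

def validate(notification):
    """Return a list of problems with the form; an empty list means it is complete."""
    problems = []
    for name in REQUIRED_FIELDS:
        if not getattr(notification, name):
            problems.append(f"missing required field: {name}")
    try:
        datetime.fromisoformat(notification.discovered_at)
    except (TypeError, ValueError):
        problems.append("discovered_at is not an ISO 8601 timestamp")
    if notification.severity not in SEVERITY_LEVELS:
        problems.append(f"unknown severity: {notification.severity}")
    return problems

def triage_priority(notification, critical_systems):
    """Assumed rule: severity sets a base score (Low=0, Medium=1, High=2); scope adds
    2 if a critical system is hit, 1 if more than one system is hit, 1 if data is
    potentially compromised. Score >= 4 is P1, >= 2 is P2, otherwise P3."""
    score = SEVERITY_LEVELS.index(notification.severity)
    if any(s in critical_systems for s in notification.affected_systems):
        score += 2
    if len(notification.affected_systems) > 1:
        score += 1
    if notification.compromised_data:
        score += 1
    return "P1" if score >= 4 else "P2" if score >= 2 else "P3"

if __name__ == "__main__":
    report = IncidentNotification("2024-05-07T02:40:00", "Ransom note found on file server",
                                  ["fs01", "db-prod"], ["customer records"], severity="High")
    print(validate(report), triage_priority(report, {"db-prod"}))
```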