Self-paced

Explore our extensive collection of courses designed to help you master various subjects and skills. Whether you're a beginner or an advanced learner, there's something here for everyone.

Bootcamp

Learn live

Join us for our free workshops, webinars, and other events to learn more about our programs and get started on your journey to becoming a developer.

Upcoming live events

Learning library

For all the self-taught geeks out there, here is our content library with most of the learning materials we have produced throughout the years.

It makes sense to start learning by reading and watching videos about fundamentals and how things work.

Search from all Lessons


LoginGet Started
← Back to Lessons
Edit on Github

Cybersecurity incident detection and response

Incident Reporting Process

This article provides a comprehensive guide on how companies can structure an incident reporting process, implement strategies for timely decision-making, and prevent the spread of the incident. Additionally, it details how to handle post-incident activities and prepare a report that includes lessons learned. Finally, it identifies all the roles involved in incident management to ensure a coordinated and effective response.

Incident Reporting Process

This section presents a guide on how to establish an effective incident reporting process, including detection, notification initiation, and the appropriate communication channels to ensure incidents are managed efficiently and promptly.

Incident Detection

All employees must be trained to recognize potential security incidents and immediately report any suspicion of an incident to the information security team.

Indicators for Detecting a Security Incident

CategoryIndicator NameIndicator Description
TechnicalUnusual Network ActivityUnexpected increase in network traffic, connections to suspicious IPs, activity spikes during non-working hours.
IDS AlertsNotifications of unauthorized access attempts, port scans, detected malicious traffic patterns.
System LogsLogs of multiple failed login attempts, accesses from unusual geographic locations, unauthorized configuration changes.
Anomalous User BehaviorActivities that do not match normal usage patterns, such as access to sensitive data by employees without privileges.
Suspicious Files and ApplicationsPresence of unrecognized files, unauthorized modifications to existing files, or installation of applications without approval.
PhysicalUnauthorized AccessAttempts to physically access restricted areas, such as server rooms or sensitive equipment.
Unknown DevicesDetection of unrecognized devices connected to the network, such as USB drives, laptops, or mobile devices.
CompanyEmployee BehaviorReports from employees about suspicious behaviors or devices functioning unusually.
Performance IssuesUnexplained slow system performance or unexpected crashes of critical services.
Data DisappearanceLoss or corruption of data without an apparent explanation.
ExternalSecurity Provider AlertsNotifications from security service providers about emerging threats that could affect the organization.
News and ReportsMedia reports or public security alerts about new vulnerabilities or attacks that could be related to the company.

Notification Initiation

Provide a standardized initial notification form that includes details such as:

  • Date and time of discovery.
  • Description of the incident.
  • Affected systems.
  • Potentially compromised data.

Communication Channels

  • Email: A dedicated email address for security incidents.
  • Phone: Emergency hotline for critical incidents.
  • Incident Management System (ITSM): Use of an ITSM platform to record and manage incidents.

Initial Confirmation and Evaluation

There should be an Incident Response Team (IRT) responsible for assessing the validity and severity of the reported incident. They must also ensure that all incident details are properly recorded.

Initial Confirmation and Evaluation of the Incident

The initial confirmation and evaluation of an incident are crucial steps to determine the truthfulness and severity of a potential threat. This process ensures that the organization's resources are used effectively and that appropriate measures are taken immediately.

1. Incident Confirmation

Incident Response Team (IRT):

  • Receipt of the Report: The IRT receives the incident notification through designated channels (email, phone, ITSM system).
  • Initial Verification: The team reviews the information provided in the notification to verify its validity and relevance. This may include reviewing system logs, IDS alerts, and interviewing the person who reported the incident.
  • Source Analysis: Identify if the report source is reliable and if the data provided is consistent with the nature of the incident.

2. Initial Security Incident Assessment

Incident Severity: Determine the threat level posed by the incident. This includes evaluating the potential impact on critical systems, the confidentiality, integrity, and availability of data. Below is a list of possible severity levels:

  • Low: Minor incidents with limited impact, such as unsuccessful phishing attempts.
  • Medium: Incidents with moderate impact requiring attention, such as malware detected on a user's machine.
  • High: Severe incidents with the potential to cause significant damage, such as a data breach or ransomware attack.

Incident Scope: Identify which systems, networks, data, and users are affected. This may involve:

  • Reviewing access and network activity logs.
  • Inspecting compromised devices.
  • Evaluating the potential spread of the incident to other systems.

Prioritization: Based on the severity and scope of the incident, allocate the necessary resources to handle the situation effectively. Inform and coordinate with other relevant departments, such as IT, legal, and communications, to ensure a unified response.

An effective initial assessment allows the organization to make informed decisions quickly and minimize the incident's impact on operations.