Creating an Incident Response Classification Framework
Part 4 of our Field Guide to Incident Response series outlines a two-tiered framework for classifying security incidents to enable more efficient incident prioritization and response. This video clip is taken from our webinar, Incident Responder's Field Guide - Lessons from a Fortune 100 Incident Responder. Feel free to watch the full webinar here.
An Incident Classification Framework
Creating an incident classification framework is an important element in enabling the proper prioritization of incidents. It will also help you develop meaningful metrics for future remediation. We recommend a two-tiered scheme whose first tier classifies the incident at the highest level (category, type, and severity) so that incident management can be prioritized. Incident classification may change frequently during the incident management lifecycle as the team learns more about the incident from the analysis being performed.
Category:
- Unauthorized access of the network
- Malware
- Denial of Service
- Improper Usage by an IT administrator (accidental or intentional)
- Unsuccessful Access Attempt
Type:
- Targeted vs Opportunistic Threat
- Advanced Persistent Threat
- State-Sponsored Act of Espionage
- Hacktivism Threat
- Insider Threat
Severity:
- Critical Impact - Threat to public safety or life
- High Impact - Threat to sensitive data
- Moderate Impact - Threat to computer systems
- Low Impact - Disruption of services
Incident Taxonomy
The second tier of this framework is incident taxonomy. Taxonomy focuses on detailing the additional information about an incident that you need to identify root cause and trends. It can also provide information that is essential for incident response metrics. Classifying each incident against the following six criteria gives you detailed information that will be crucial in finding the best way to resolve the incident and in preventing repeat incidents in the future. An incident is much easier to contain when it is well understood and the correct protocol for handling it is known.
Detection Method
- End User
- 3rd Party Service Provider
- Law Enforcement such as the FBI
- Data Loss Prevention system, Firewall, Anti-Virus, Proxy, and Netflow
Attack Vector
- Viruses
- Email attachments
- Web pages
- Pop-up windows
- Instant messages
Impact
- Employee Dismissal
- HR/Ethics Violation
- Loss of Productivity
- Unauthorized Privileges
- Brand Image
- Lawsuit
- Denial of Service
Intent
- Malicious
- Theft
- Accidental
- Physical Damage
- Fraud
- Espionage
Data Exposed
- Public
- Confidential
- Export Control
- Financial Reporting
- Unknown
Root Cause
- Unauthorized Action
- Vulnerability Management
- Theft
- Security Control Failure/Gap
- Disregard of Policy
- User Negligence
- Non-Compliance to Standards such as PII, PCI, HIPAA
- Service Provider Negligence
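The two tiers above can be carried as a small data model that triage and metrics tooling share: the first tier (category and severity) drives work-queue ordering, the second tier (detection method, root cause) is filled in as analysis proceeds, and every reclassification is recorded so later metrics can show how triage evolved. This is an added illustration, not code from the original post; the vocabulary strings, the severity ranking, and the incident identifiers are assumed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Tier-one vocabularies taken from the framework above (strings are assumptions).
SEVERITY_RANK = {"Critical": 4, "High": 3, "Moderate": 2, "Low": 1}
CATEGORIES = {"Unauthorized Access", "Malware", "Denial of Service",
              "Improper Usage", "Unsuccessful Access Attempt"}


@dataclass
class Incident:
    ident: str
    category: str
    severity: str
    detection_method: str = "Unknown"   # tier-two fields start unknown and are
    root_cause: str = "Unknown"         # filled in as the analysis progresses
    history: list = field(default_factory=list)  # (old, new, reason) per change

    def __post_init__(self):
        if self.category not in CATEGORIES or self.severity not in SEVERITY_RANK:
            raise ValueError(f"{self.ident}: unknown category or severity")

    def reclassify(self, severity, reason):
        """Change severity and keep an audit trail for later metrics."""
        if severity not in SEVERITY_RANK:
            raise ValueError(f"{self.ident}: unknown severity {severity!r}")
        self.history.append((self.severity, severity, reason))
        self.severity = severity


def prioritize(incidents):
    """Work-queue order: highest severity first, then oldest identifier."""
    return sorted(incidents, key=lambda i: (-SEVERITY_RANK[i.severity], i.ident))


def root_cause_trends(incidents):
    """Tier-two metric: how many analyzed incidents share each root cause."""
    return Counter(i.root_cause for i in incidents if i.root_cause != "Unknown")


def demo():
    """Constructed sample queue showing reprioritization after reclassification."""
    queue = [Incident("INC-002", "Malware", "Low", detection_method="End User"),
             Incident("INC-001", "Unauthorized Access", "High"),
             Incident("INC-003", "Denial of Service", "Low")]
    before = [i.ident for i in prioritize(queue)]
    # Analysis finds the malware on a safety-relevant system: bump to Critical.
    queue[0].reclassify("Critical", "malware reached a safety-relevant system")
    after = [i.ident for i in prioritize(queue)]
    return before, after
```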
Read more in our Field Guide to Incident Response Series
- 5 Key Criteria for Creating an Incident Response Plan that is Practical for YOUR Organization
- The Do’s and Don’ts of Incident Response
- Building Your Incident Response Team: Key Roles and Responsibilities
- Creating an Incident Response Classification Framework
- The Five Steps of Incident Response
- 3 Tips to Make Incident Response More Effective
- Using Existing Tools to Facilitate Incident Response
- Learning From a Security Incident: A Post-Mortem Checklist