Cisco FirePOWER Appliance 7115, Version 5.3
Sourcefire 3D System User Guide, page 704
Handling Incidents
Chapter 18
Incident Handling Basics
LICENSE: Protection
Each organization is likely to have its own process for discovering, defining, and
responding to violations of its security policies. The sections that follow describe
some of the basics of incident handling and how you can incorporate the
Sourcefire 3D System in your incident response plan:
Definition of an Incident
LICENSE: Protection
Generally, an incident is defined as one or more intrusion events that you suspect
are involved in a possible violation of your security policies. Sourcefire also uses
the term to describe the feature you use in the Sourcefire 3D System to track
your response to an incident.
As explained in the section on page 640, some intrusion
events are more important than others to the availability, confidentiality, and
integrity of your network assets. For example, the port scan detection features
provided by the Sourcefire 3D System can keep you informed of port scanning
activity on your network. Your security policy, however, may not specifically
prohibit port scanning or see it as a high priority threat, so rather than take any
direct action, you may instead want to keep logs of any port scanning for later
forensic study.
On the other hand, if the system generates events that indicate hosts within your
network have been compromised and are participating in distributed
denial-of-service (DDoS) attacks, then this activity is likely a clear violation of your
security policy, and you should create an incident in the Sourcefire 3D System to
help you track your investigation of these events.
Common Incident Handling Processes
LICENSE: Protection
Each organization is likely to define its own process for handling security
incidents. Most methodologies include some or all of the following phases: