Cisco FirePOWER Appliance 7115
Sourcefire 3D System User Guide, Version 5.3
Chapter 18: Handling Incidents
Incident Handling Basics
LICENSE: Protection
Each organization is likely to have its own process for discovering, defining, and 
responding to violations of its security policies. The sections that follow describe 
some of the basics of incident handling and how you can incorporate the 
Sourcefire 3D System in your incident response plan:
Definition of an Incident
LICENSE: Protection
Generally, an incident is defined as one or more intrusion events that you suspect 
are involved in a possible violation of your security policies. Sourcefire also uses 
the term to describe the feature you use in the Sourcefire 3D System to track 
your response to an incident.
As explained in  on page 640, some intrusion 
events are more important than others to the availability, confidentiality, and 
integrity of your network assets. For example, the port scan detection features 
provided by the Sourcefire 3D System can keep you informed of port scanning 
activity on your network. Your security policy, however, may not specifically 
prohibit port scanning or see it as a high priority threat, so rather than take any 
direct action, you may instead want to keep logs of any port scanning for later 
forensic study.
On the other hand, if the system generates events that indicate hosts within your 
network have been compromised and are participating in distributed 
denial-of-service (DDoS) attacks, then this activity is likely a clear violation of your 
security policy, and you should create an incident in the Sourcefire 3D System to 
help you track your investigation of these events.
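The distinction drawn above, between events you only retain for later forensic study and events that amount to a policy violation worth tracking as an incident, is a triage decision that can be expressed as a small rule set. The following is an added example, not code from the Sourcefire 3D System or from Cisco: the event records, the classification names and the policy table are all constructed for illustration, and the grouping of events into one incident per source host is an assumption of this example rather than how the product groups them.

```python
"""Triage intrusion events into 'log for forensics' vs 'open a tracked incident'.

Added example; not Sourcefire/Cisco code. Events, classifications and the
policy table are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample events, loosely modelled on intrusion event fields.
# Source addresses use the 192.0.2.0/24 documentation range; none are real.
SAMPLE_EVENTS = [
    {"time": "2014-05-01T10:00:00Z", "src": "192.0.2.10",
     "classification": "attempted-recon", "priority": 3},   # port scan
    {"time": "2014-05-01T10:00:05Z", "src": "192.0.2.10",
     "classification": "attempted-recon", "priority": 3},   # port scan
    {"time": "2014-05-01T10:02:00Z", "src": "192.0.2.25",
     "classification": "attempted-dos", "priority": 1},     # DDoS participation
    {"time": "2014-05-01T10:02:30Z", "src": "192.0.2.25",
     "classification": "attempted-dos", "priority": 1},     # DDoS participation
    {"time": "2014-05-01T10:03:00Z", "src": "192.0.2.40",
     "classification": "misc-activity", "priority": 3},
]

# Hypothetical security policy (assumption): which event classifications are
# treated as policy violations that warrant an incident, and which are only
# retained for later forensic study. Unknown classifications default to "log".
POLICY = {
    "attempted-dos": "incident",
    "trojan-activity": "incident",
    "attempted-recon": "log",
    "misc-activity": "log",
}


@dataclass
class Incident:
    """A tracked incident: one or more related events and a workflow status."""
    incident_id: int
    host: str
    events: list = field(default_factory=list)
    status: str = "new"


def triage(events, policy=POLICY):
    """Split events into a forensic log and a list of incidents.

    Events whose classification the policy marks as "incident" are grouped
    into one Incident per source host (an assumption of this example), so a
    burst of related events becomes a single item to investigate rather than
    many. Everything else is kept in the forensic log and not acted on.
    """
    forensic_log = []
    incidents = {}          # host -> Incident
    next_id = 1
    for ev in events:
        action = policy.get(ev["classification"], "log")
        if action == "incident":
            host = ev["src"]
            if host not in incidents:
                incidents[host] = Incident(incident_id=next_id, host=host)
                next_id += 1
            incidents[host].events.append(ev)
        else:
            forensic_log.append(ev)
    return forensic_log, list(incidents.values())


if __name__ == "__main__":
    log, open_incidents = triage(SAMPLE_EVENTS)
    print(f"{len(log)} event(s) retained for forensics only")
    for inc in open_incidents:
        print(f"incident {inc.incident_id}: host {inc.host}, "
              f"{len(inc.events)} event(s), status={inc.status}")
```

With the constructed input, the two port-scan events and the miscellaneous event land in the forensic log, while the two DDoS-related events from the same host are collapsed into a single new incident. Keeping the policy in a separate table means the triage code does not change when the organization decides, for instance, that port scanning should start opening incidents too.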
Common Incident Handling Processes
LICENSE: Protection
Each organization is likely to define its own process for handling security 
incidents. Most methodologies include some or all of the following phases: