Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
706
Handling Incidents
Incident Handling Basics
Chapter 18
Part of the escalation process is tied to understanding how a detected event can
affect the security of your network assets. For example, an attack against hosts
running Microsoft SQL Server is not a high priority for organizations that use a
different database server. Similarly, the attack is less important to you if you use
SQL Server on your network, but you are confident that all the servers are
patched and are not vulnerable to the attack. However, if someone has recently
installed a copy of the vulnerable version of the software (perhaps for testing
purposes), you may have a greater problem than a cursory investigation would
suggest.
The Sourcefire 3D System is particularly well suited to supporting the
investigation and qualification process. You can create your own event
classifications, and then apply them in a way that best describes the
vulnerabilities on your network. When traffic on your network triggers an event,
that event is automatically prioritized and qualified for you with special indicators
showing which attacks are directed against hosts that are known to be vulnerable.
The incident tracking feature in the Sourcefire 3D System also includes a status
indicator that you can change to show which incidents have been escalated.
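The qualification step described above, correlating each intrusion event with what is known about the target host, can be shown as a small worked example. The following script is an added illustration and is not Sourcefire 3D System code; the host inventory, event records, priority labels, and CVE identifiers in it are constructed placeholders. It assigns the highest priority to attacks against hosts known to be unpatched, a lower priority when the targeted service is present but believed patched, and flags hosts missing from the inventory (the "recently installed test copy" case) so they are not silently treated as irrelevant. The result is then written as CSV, matching the export formats the guide mentions for sharing data with other teams.

```python
import csv
import io

# Constructed asset inventory (hypothetical values, not from any real network):
# for each host, the services it runs and the CVE ids it is still unpatched for.
HOSTS = {
    "10.0.0.5": {"services": {"mssql"}, "unpatched": {"CVE-0000-0001"}},  # unpatched test box
    "10.0.0.6": {"services": {"mssql"}, "unpatched": set()},              # patched SQL Server
    "10.0.0.7": {"services": {"postgresql"}, "unpatched": set()},         # different DBMS
}

# Constructed intrusion events; "cve" is the vulnerability the rule was written for.
EVENTS = [
    {"id": 1, "msg": "MSSQL overflow attempt", "dst": "10.0.0.5", "service": "mssql", "cve": "CVE-0000-0001"},
    {"id": 2, "msg": "MSSQL overflow attempt", "dst": "10.0.0.6", "service": "mssql", "cve": "CVE-0000-0001"},
    {"id": 3, "msg": "MSSQL overflow attempt", "dst": "10.0.0.7", "service": "mssql", "cve": "CVE-0000-0001"},
    {"id": 4, "msg": "MSSQL overflow attempt", "dst": "10.0.0.9", "service": "mssql", "cve": "CVE-0000-0001"},
]

# Hypothetical priority scheme: 1 is the most urgent.
PRIORITY_LABELS = {
    1: "target known vulnerable",
    2: "target runs service, believed patched",
    3: "target not in inventory",
    4: "target does not run service",
}


def qualify(event, hosts=HOSTS):
    """Return (priority, label) for one event based on the target host profile."""
    host = hosts.get(event["dst"])
    if host is None:
        # Unknown host: may be a freshly installed, unvetted copy of the software.
        return 3, PRIORITY_LABELS[3]
    if event["cve"] in host["unpatched"]:
        return 1, PRIORITY_LABELS[1]
    if event["service"] in host["services"]:
        return 2, PRIORITY_LABELS[2]
    return 4, PRIORITY_LABELS[4]


def qualify_all(events=EVENTS, hosts=HOSTS):
    """Qualify every event and return the rows sorted most-urgent first."""
    rows = []
    for ev in events:
        prio, label = qualify(ev, hosts)
        rows.append({**ev, "priority": prio, "qualification": label})
    return sorted(rows, key=lambda r: (r["priority"], r["id"]))


def to_csv(rows):
    """Serialise qualified events to CSV text for sharing with other teams."""
    buf = io.StringIO()
    fields = ["id", "priority", "qualification", "dst", "service", "cve", "msg"]
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(qualify_all()))
```

In practice the inventory would be fed by host discovery and patch-management data rather than typed in by hand; the point of the example is that the same rule alert produces four different priorities depending on what the target actually runs.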
Communication
All incident handling processes should specify how an incident is communicated
between the incident handling team and both internal and external audiences. For
example, you should consider what kinds of incidents require management
intervention and at what level. Also, your process should outline how and when
you communicate with outside organizations. Will some incidents require that
you notify law enforcement agencies? If your hosts are participating in a
distributed denial of service (DDoS) against a remote site, will you inform them?
Do you want to share information with organizations such as the CERT
Coordination Center (CERT/CC) or FIRST?
The Sourcefire 3D System has features that you can use to gather intrusion data in
standard formats such as HTML, PDF, and CSV (comma-separated values) so that
you can easily share intrusion data with others.