Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide, page 707
Chapter 18: Handling Incidents
Incident Handling Basics
For example, CERT/CC collects standard information about security incidents on
its web site. CERT/CC looks for the kinds of information that you can easily
extract from the Sourcefire 3D System, such as:
• information about the affected machines, including:
    • the host name and IP
    • the time zone
    • the purpose or function of the host
• information about the sources of the attack, including:
    • the host name and IP
    • the time zone
• whether you had any contact with an attacker
• the estimated cost of handling the incident
• a description of the incident, including:
    • dates
    • methods of intrusion
    • the intruder tools involved
    • the software versions and patch levels
    • any intruder tool output
    • the details of vulnerabilities exploited
    • the source of the attack
    • any other relevant information
You can also use the comment section of an incident to record when you
communicate issues and with whom.
Containment and Recovery
Your incident handling process should clearly indicate what steps are taken when
a host or other network component is compromised. The range of containment
and recovery options stretches from applying patches to vulnerable hosts to
shutting down the target and removing it from the network. You should also