Sourcefire 3D System User Guide, Version 5.3 (page 707)
Chapter 18: Handling Incidents
Incident Handling Basics
For example, CERT/CC collects standard information about security incidents on its web site. CERT/CC looks for the kinds of information that you can easily extract from the Sourcefire 3D System, such as:

- information about the affected machines, including:
  - the host name and IP
  - the time zone
  - the purpose or function of the host
- information about the sources of the attack, including:
  - the host name and IP
  - the time zone
- whether you had any contact with an attacker
- the estimated cost of handling the incident
- a description of the incident, including:
  - dates
  - methods of intrusion
  - the intruder tools involved
  - the software versions and patch levels
  - any intruder tool output
  - the details of vulnerabilities exploited
  - the source of the attack
  - any other relevant information
You can also use the comment section of an incident to record when you communicate issues and with whom.
Containment and Recovery
Your incident handling process should clearly indicate what steps are taken when a host or other network component is compromised. The range of containment and recovery options stretches from applying patches to vulnerable hosts to shutting down the target and removing it from the network. You should also