Cisco Firepower Management Center 4000
19-4
FireSIGHT System User Guide
Chapter 19 Handling Incidents
Incident Handling Basics
• the time zone
• whether you had any contact with an attacker
• the estimated cost of handling the incident
• a description of the incident, including:
  • dates
  • methods of intrusion
  • the intruder tools involved
  • the software versions and patch levels
  • any intruder tool output
  • the details of vulnerabilities exploited
  • the source of the attack
  • any other relevant information
You can also use the comment section of an incident to record when you communicate issues and with whom.
Containment and Recovery
Your incident handling process should clearly indicate what steps are taken when a host or other network component is compromised. The range of containment and recovery options stretches from applying patches to vulnerable hosts to shutting down the target and removing it from the network. You should also consider the importance, depending upon the nature and severity of the attack, of preserving evidence in case you pursue criminal charges.
You can use the incident feature of the FireSIGHT System to maintain a record of the actions you take during the containment and recovery phase of the incident.
Lessons Learned
Each security incident, whether or not it is a successful attack, is an opportunity to review your security policies. Do you need to update your firewall rules? Do you need a more structured approach to patch management? Are unauthorized wireless access points a new security issue? Each lesson learned should feed back into your security policies and help you prepare better for the next incident.
Incident Types in the FireSIGHT System
License: Protection
You can assign an incident type to each incident you create. The following types are supported by default in the FireSIGHT System:
• Intrusion
• Denial of Service
• Unauthorized Admin Access
• Web Site Defacement
• Compromise of System Integrity
• Hoax
• Theft