Cisco FirePOWER Appliance 8250
19-4
FireSIGHT System User Guide
Chapter 19 Handling Incidents
Incident Handling Basics
• the time zone
• whether you had any contact with an attacker
• the estimated cost of handling the incident
• a description of the incident, including:
  • dates
  • methods of intrusion
  • the intruder tools involved
  • the software versions and patch levels
  • any intruder tool output
  • the details of vulnerabilities exploited
  • the source of the attack
  • any other relevant information
You can also use the comment section of an incident to record when you communicate issues and with whom.
Containment and Recovery
Your incident handling process should clearly indicate what steps are taken when a host or other network
component is compromised. The range of containment and recovery options stretches from applying
patches to vulnerable hosts to shutting down the target and removing it from the network. You should
also consider the importance, depending upon the nature and severity of the attack, of preserving
evidence in case you pursue criminal charges.
You can use the incident feature of FireSIGHT System to maintain a record of the actions you take during
the containment and recovery phase of the incident.
Lessons Learned
Each security incident, whether or not it is a successful attack, is an opportunity to review your security
policies. Do you need to update your firewall rules? Do you need a more structured approach to patch
management? Are unauthorized wireless access points a new security issue? Each lesson learned should
feed back into your security policies and help you prepare better for the next incident.
Incident Types in the FireSIGHT System
License:
Protection
You can assign an incident type to each incident you create. The following types are supported by default
in the FireSIGHT System:
• Intrusion
• Denial of Service
• Unauthorized Admin Access
• Web Site Defacement
• Compromise of System Integrity
• Hoax
• Theft