Imprimir
domingo, 19 de mayo de 2024, 22:45
Sitio: The CSI Linux Academy
Curso: The CSI Linux Academy (CSI Linux Academy)
Glosario: The CSI Linux Knowledge Base
I

Incident severity levels

Incident severity levels categorize the severity or impact of security incidents based on predefined criteria such as the extent of damage, the potential harm to systems or data, and the disruption to business operations. These levels typically range from low to high severity and are useful for prioritizing incident response efforts, allocating resources, and communicating the urgency of addressing the incident. Common severity levels include informational, low, medium, high, and critical, with corresponding escalation procedures and response actions.

Levels are determined and defined by each business and/or industry, but common severity levels include:

  • Critical: Complete loss of mission-critical service, no workaround available
  • High: Significant loss of service, no workaround, but operations can continue in a restricted manner
  • Medium: Minor loss of service, inconvenient but does not impede operations
  • Low: General inquiries or suggestions, no service impact

Critical Incidents

  • Definition: These incidents result in a complete loss of mission-critical services, where no workaround is available. The impact is severe, potentially leading to significant financial losses, reputational damage, or operational halts.
  • Response: Immediate response is required. Incident response teams must work around the clock to restore services. Escalation procedures involve the highest levels of management, including C-suite executives.
  • Example: A ransomware attack that encrypts all business-critical data, rendering systems inoperable.

High Incidents

  • Definition: These involve significant loss of service, with no available workaround. Although operations can continue in a restricted manner, the impact is substantial.
  • Response: Prompt response is necessary. Incident response teams must address the issue swiftly to restore full functionality. Escalation to senior management is common.
  • Example: A Distributed Denial of Service (DDoS) attack that severely disrupts customer-facing services but does not completely halt operations.

Medium Incidents

  • Definition: These incidents cause minor loss of service. They are inconvenient but do not impede overall operations. The impact is moderate.
  • Response: The response is prioritized but not as urgent as critical or high incidents. Standard incident management processes are followed.
  • Example: A malware infection on a non-critical system that can be isolated and removed without affecting broader business functions.

Low Incidents

  • Definition: These are general inquiries or suggestions that do not impact service. They are often routine issues or minor annoyances.
  • Response: These incidents are addressed as part of regular maintenance and support activities. They do not require immediate attention.
  • Example: A user reporting a minor bug in a software application that does not affect its primary functions.

Importance of Incident Severity Levels

  • Prioritization: Incident severity levels help organizations prioritize their response efforts. Critical and high-severity incidents receive immediate attention, ensuring that resources are allocated where they are needed most.
  • Resource Allocation: By categorizing incidents, organizations can allocate their technical and human resources more efficiently. This ensures that the most severe incidents are handled by the most experienced personnel.
  • Communication: Severity levels provide a common language for communicating the urgency and impact of incidents across the organization. This clarity helps in coordinating response efforts and escalating issues appropriately.
  • Escalation Procedures: Defined severity levels come with corresponding escalation procedures, ensuring that incidents are addressed at the right management level and with appropriate urgency.
  • Response Actions: Each severity level has predefined response actions, enabling a standardized approach to incident management. This consistency ensures that incidents are handled systematically and effectively.

References

  • NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide. This guide by the National Institute of Standards and Technology (NIST) provides detailed procedures for incident handling and categorization of severity levels.
  • ISO/IEC 27035:2016 - Information Security Incident Management. This international standard outlines best practices for incident management, including the classification of incidents based on severity.
  • SANS Institute - Incident Handler's Handbook. This handbook offers practical insights into incident handling, including severity level categorization and response actions.
  • CERT/CC - Carnegie Mellon University. The CERT Coordination Center provides guidelines on incident management, including severity levels and escalation procedures.

 

IOC

An indicator of compromise (IOC) is a piece of evidence that suggests that an information system or network has been compromised or is at risk of being compromised. This could include suspicious activity or behavior, changes in system configurations, or other anomalies that suggest the presence of malicious activity.

There are many different types of IOCs that can be used to detect and identify potential threats to a system or network. Some examples include:

  1. Malware: Malware, or malicious software, is a type of IOC that is used to infect a system or network with malicious code. This could include viruses, worms, trojans, or other types of malware that are designed to compromise the security of a system or network.

  2. Network traffic: Network traffic is another type of IOC that can be used to identify potential threats. This could include unusual traffic patterns, such as large amounts of data being transferred between two systems, or strange connections to external servers.

  3. System logs: System logs are a valuable resource for identifying IOCs because they record all activity on a system or network. This could include logins, file access, and other system events that could be indicative of malicious activity.

  4. File changes: Changes to system or network files can also be an IOC. For example, if a system administrator notices that a critical system file has been modified without their knowledge, this could be an indication of a compromise.

  5. User behavior: User behavior is another type of IOC that can be used to identify potential threats. This could include unusual logins, access to sensitive data, or other unusual activities that might suggest malicious intent.

Overall, IOCs are an important tool for detecting and responding to potential security threats. By monitoring for these indicators, organizations can take proactive steps to protect their systems and networks from compromise.