Chapter 3. Basics of Incident Response

It is a fairly open secret that almost all systems can be hacked, somehow. It is a less spoken secret that such hacking has actually gone quite mainstream.

Dan Kaminsky

Intelligence is only one half of the intelligence-driven incident-response puzzle. While computer incident response isn’t nearly as old as the art of espionage, in the last 40 years it has rapidly evolved into a major industry. Incident response is the process of responding to a detected intrusion, whether against a single system or an entire network. It includes identifying the information necessary to fully understand the incident, developing and executing the plans to remove the intruders, and recording information for follow-up actions (such as legal actions, regulatory reporting, or intelligence operations).

Intrusion detection and incident response share many characteristics. Both are abstract. Both are complicated topics. As a result, people have sought to simplify them by abstracting them into cycles or models. These models make understanding the complex interplay between defender and adversary possible and form the basis for planning a response to these incidents. Just like the process models described in Chapter 2—the OODA loop and the intelligence cycle—they are rarely perfect and can’t always be followed explicitly. However, they provide a framework for understanding the adversaries’ intrusion and the defenders’ response processes while also allowing multiple ...