Responding to Incidents

Incident Response Workflow - L1

The Cyber Incident & Breach Management use case is built to enable the following incident response workflows.

Download the source file of the diagram here: Cyber Incident & Breach Response L1 Workflow Diagram

L1 workflow diagram

Incident Response Workflow - L2

Download the source file of the diagram here: Cyber Incident & Breach Response L2 Workflow Diagram

L2 workflow diagram

Note: The Issue Management workflow is only available if you have licensed Issues Management.

Note: Only notifications that are a key part of the workflows are included in the diagrams. For a complete list of notifications, see the Data Dictionary.

Security Alerts versus Security Incidents

A security alert is a correlated event with a negative consequence, such as a system crash, a packet flood, unauthorized use of system privileges, unauthorized access to sensitive data, or execution of malware that destroys data, or a combination of one or more of these events.

A security incident is a group of security alerts involving specific attackers, attacks, objectives, sites, and timing that results in a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Cyber Incident & Breach Response can collect alerts from SIEM tools and aggregate them into incidents, can collect incidents from NetWitness, or lets you create an incident manually. Alert data is stored in the Security Alerts application, and the aggregated incidents are created in the Security Incidents application.


One security incident can be made up of multiple security alerts; however, a security alert can be tied to only one security incident. All alerts must be tied to an incident.

Aggregating Multiple Alerts into a Single Incident

NetWitness Respond collects alerts from multiple sources and allows you to configure rules to aggregate alerts into incidents, so that the incident handlers can investigate and remediate multiple alerts in the context of a single incident.

If you are using a third-party SIEM tool as an alert source, the Unified Collector Framework (UCF) allows you to define the aggregation criteria by which alerts are grouped into incidents.

In both cases, alerts continue to be added to an incident according to the aggregation criteria until the incident is assigned.
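The aggregation rules stated in this section (alerts grouped while the incident is still unassigned, each alert tied to exactly one incident, and every alert tied to some incident) as an added Python example. This is illustrative code, not the aggregation logic of Archer, the UCF or NetWitness Respond; the (attacker, site) grouping key, the ten-minute window and the alert stream are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# An alert as an alert source might deliver it: attacker identity, affected site, timestamp.
Alert = namedtuple("Alert", "alert_id attacker site observed")

@dataclass
class Incident:
    incident_id: str
    key: tuple          # (attacker, site) the incident was opened for (assumed criteria)
    last_seen: datetime
    alert_ids: list = field(default_factory=list)
    assigned_to: str = ""   # set when assigned to a handler; aggregation then stops

class Aggregator:
    """Groups alerts into incidents by (attacker, site) inside a time window."""
    def __init__(self, window: timedelta):
        self.window = window
        self.incidents = []
        self.alert_to_incident = {}   # one incident per alert, and every alert tied

    def ingest(self, alert: Alert) -> Incident:
        if alert.alert_id in self.alert_to_incident:
            raise ValueError(f"{alert.alert_id} is already tied to an incident")
        key = (alert.attacker, alert.site)
        for inc in self.incidents:
            # Only unassigned incidents keep accepting matching alerts.
            if (not inc.assigned_to and inc.key == key
                    and alert.observed - inc.last_seen <= self.window):
                inc.alert_ids.append(alert.alert_id)
                inc.last_seen = max(inc.last_seen, alert.observed)
                self.alert_to_incident[alert.alert_id] = inc.incident_id
                return inc
        # Nothing matched: the alert must still belong to an incident, so open one.
        inc = Incident(f"INC-{len(self.incidents) + 1:04d}", key, alert.observed, [alert.alert_id])
        self.incidents.append(inc)
        self.alert_to_incident[alert.alert_id] = inc.incident_id
        return inc

def aggregate_sample() -> Aggregator:
    """Feeds a constructed alert stream (sample data, not real) through the aggregator."""
    t0, agg = datetime(2024, 1, 1, 9, 0), Aggregator(window=timedelta(minutes=10))
    agg.ingest(Alert("A1", "10.0.0.5", "dc1", t0))
    agg.ingest(Alert("A2", "10.0.0.5", "dc1", t0 + timedelta(minutes=5)))   # joins INC-0001
    agg.ingest(Alert("A3", "10.0.0.9", "dc1", t0 + timedelta(minutes=6)))   # other attacker: INC-0002
    agg.incidents[0].assigned_to = "l1-handler"    # INC-0001 assigned: it stops aggregating
    agg.ingest(Alert("A4", "10.0.0.5", "dc1", t0 + timedelta(minutes=7)))   # opens INC-0003
    return agg
```

Ingesting an alert ID a second time raises ValueError, which is how the one-incident-per-alert rule is enforced.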

Respond to Incidents

  1. Create an incident and assign stakeholders using either of the following methods:
    • Automatically, using the Unified Collector Framework (UCF) or NW IM Integration Service to aggregate alerts from a SIEM tool into incidents.
    • Manually, in the Archer Security Incidents application, or by data feed.
  2. Start the incident review by reviewing all the information that has been provided up to this point, and determine the appropriate Incident Coordinator and additional team members.
  3. Review the information in the incident record, including all the alerts and alert details that correspond to the incident, and any automatically generated incident response procedures and tasks. Stakeholders can also manually add procedures or tasks as necessary, link the record to related incidents, and override the Incident Priority.
  4. Assign the incident record to the Escalation Owner.
  5. Review the escalated incident.
    1. Review the assigned escalated incident and determine whether the escalation is valid. Depending on the validity of the escalation, either proceed to review the incident, request additional information, or reassign stakeholders.
    2. During the review of the escalated incident, complete an incident investigation analysis and a forensic analysis, and review any automatically generated Incident Response Procedures and Tasks based on the Threat Category. If necessary, the L2 Handler can also add Incident Response Procedures and Tasks and document incident investigation details in journal entries.
    3. Once you have confirmed a security compromise, you must document the impact of the incident. You can document the business, corporate policy, confidentiality, integrity, and availability impact of the incident. If a data loss has been identified, you can also report a data breach.
  6. For each issue that needs remediation, create a new Findings record within the Remediation tab of the Security Incident record. Describe the action to complete, the criticality of the finding, a target queue, and a remediation task type.
  7. Document the incident analysis. Provide the incident results, the actors and techniques that contributed to the incident, and the incident target details, and add the security controls associated with discovering the incident.