Incident Identification
This SOP covers the specific steps and questions an analyst should consider during the incident identification phase. It provides guidance on how to analyze alerts, ask relevant questions, perform risk assessments, and categorize incidents.
Objective: This SOP outlines the steps for analysts to effectively identify and categorize incidents through alert correlation.
1. Alert Analysis:
   - Analysis Questions:
     - What triggered the alert?
     - Are there multiple alerts related to the same incident?
     - Does the alert indicate potential malicious activity?
2. Context Gathering:
   - Analysis Questions:
     - What is the source IP address, and is it associated with any previous incidents?
     - What is the destination IP address and its role within the organization?
     - Are there any historical patterns of similar activity?
3. Risk Assessment:
   - Analysis Questions:
     - What is the potential impact of the incident on the organization’s assets?
     - Is there sensitive data at risk of exposure?
     - How likely is the incident to escalate or spread?
4. Incident Categorization:
   - Analysis Questions:
     - Does the incident involve unauthorized access to information?
     - Is there evidence of compromise through malware or exploitation of vulnerabilities?
     - Can the incident be categorized as a denial of service, fraud, information gathering, or abusive content?
At this point the alert is escalated based on its risk and category, stakeholders are notified, and incident analysis continues.
5. Analysis of Patterns:
   - Analysis Questions:
     - Are there recurring patterns in the alerts that suggest a coordinated attack?
     - Have similar incidents occurred in the past, indicating a persistent threat actor?
     - Is there a correlation between the alerts and known threat intelligence?
6. Time-based Analysis:
   - Analysis Questions:
     - When did the alert occur, and is there a specific time pattern?
     - Is the incident ongoing, or was it a one-time event?
     - Have there been any changes in the alert patterns over time?
7. Documentation:
   - Analysis Questions:
     - What evidence supports the analysis and categorization of the incident?
     - Are there any gaps in the available information that need further investigation?
     - How confident are you in the accuracy of your analysis?
8. Reporting:
   - Analysis Questions:
     - Who should be notified about the incident based on its severity and impact?
     - What level of detail should be included in the incident report?
     - Is there a need for immediate escalation to higher levels of incident response?
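The triage flow above (steps 1 to 4 and 6) expressed as a small correlation script. This is an added example, not part of the SOP; the alerts, asset roles, prior-incident list, rule-to-category mapping, severity weights and the escalation threshold are all constructed, illustrative values that a team would replace with its own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts and lookup tables (illustrative values, not real data).
ALERTS = [
    {"id": 1, "ts": "2024-03-01T09:00:00", "src": "198.51.100.7", "dst": "10.0.0.5", "rule": "ssh_bruteforce"},
    {"id": 2, "ts": "2024-03-01T09:04:00", "src": "198.51.100.7", "dst": "10.0.0.5", "rule": "ssh_login_success"},
    {"id": 3, "ts": "2024-03-01T09:10:00", "src": "198.51.100.7", "dst": "10.0.0.5", "rule": "malware_hash_match"},
    {"id": 4, "ts": "2024-03-02T14:00:00", "src": "203.0.113.9", "dst": "10.0.0.80", "rule": "port_scan"},
]
ASSET_ROLE = {"10.0.0.5": ("file-server", "sensitive"), "10.0.0.80": ("web-dmz", "public")}
PRIOR_INCIDENT_SOURCES = {"198.51.100.7"}        # step 2: sources seen in earlier incidents
RULE_CATEGORY = {                                 # step 4: categories named in this SOP
    "ssh_bruteforce": "information_gathering", "port_scan": "information_gathering",
    "ssh_login_success": "unauthorized_access", "malware_hash_match": "malware",
    "http_flood": "denial_of_service",
}
SEVERITY = {"information_gathering": 1, "denial_of_service": 2, "unauthorized_access": 3, "malware": 3}

def correlate(alerts, window_min=30):
    """Step 1: chain alerts with the same source/destination pair that fall within the window."""
    window, chains = timedelta(minutes=window_min), defaultdict(list)
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key, ts = (a["src"], a["dst"]), datetime.fromisoformat(a["ts"])
        last = chains[key][-1] if chains[key] else None
        if last and ts - datetime.fromisoformat(last[-1]["ts"]) <= window:
            last.append(a)            # related alert: same pair, close in time
        else:
            chains[key].append([a])   # new chain for this pair
    return [chain for per_pair in chains.values() for chain in per_pair]

def assess(chain):
    """Steps 2-4 and 6: context, category, risk score and escalation decision for one chain."""
    cats = [RULE_CATEGORY.get(a["rule"], "unknown") for a in chain]
    category = max(cats, key=lambda c: SEVERITY.get(c, 0))   # worst category labels the incident
    role, sensitivity = ASSET_ROLE.get(chain[0]["dst"], ("unknown", "unknown"))
    first, last = (datetime.fromisoformat(chain[i]["ts"]) for i in (0, -1))
    score = SEVERITY.get(category, 0)
    score += 1 if sensitivity == "sensitive" else 0                  # sensitive data at risk
    score += 1 if chain[0]["src"] in PRIOR_INCIDENT_SOURCES else 0   # possible persistent actor
    score += 1 if len(chain) > 1 else 0                              # multiple related alerts
    return {
        "alerts": [a["id"] for a in chain], "category": category, "target_role": role,
        "duration_min": int((last - first).total_seconds() // 60), "score": score,
        "escalate": score >= 4,                                      # assumed threshold
    }

def triage(alerts=ALERTS):
    """Highest-risk chains first, ready for the escalation/notification decision."""
    return sorted((assess(c) for c in correlate(alerts)), key=lambda r: -r["score"])
```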