Incident Severity & Extent Questions

1. Assessing Incident Severity and Extent

Purpose: To evaluate the severity and scope of a security incident by answering key questions. This assessment helps prioritize response efforts and allocate resources effectively.

  • Why: Understanding the impact, requirements, and potential reach of an exploit ensures that incidents are handled appropriately, minimizing damage and reducing recovery time.

2. Key Questions to Answer

Below are the critical questions to consider when assessing the severity and extent of a security incident, along with technical examples for each:

What is the Exploitation Impact?

  • Why: The exploitation impact determines how much damage the incident could cause to the organization.

    • Examples:

      • High Impact: Data exfiltration, ransomware encryption, or compromise of business-critical systems.

        Get-WinEvent -LogName "Security" | Where-Object { $_.Id -eq 4663 } # Detect file access events

      • Low Impact: Unauthorized access to non-sensitive systems or minor service disruptions.

What are the Exploitation Requirements?

  • Why: Understanding the prerequisites for exploitation helps assess the likelihood of success and identify mitigation strategies.

    • Examples:

      • Does the exploit require administrative privileges?

        sudo -l # Check if elevated privileges are required

      • Does it depend on specific software versions or configurations?

        dpkg -l | grep vulnerable_software

Can Any Business-Critical Systems Be Affected by the Incident?

  • Why: Identifying whether critical systems are at risk helps prioritize response efforts.

    • Examples:

      • Use asset management tools to identify critical systems:

        SELECT hostname, ip_address, system_role FROM assets WHERE system_role = 'critical';

      • Cross-reference impacted systems with critical infrastructure:

        Get-ADComputer -Filter { Name -like "*SQLServer*" } | Select Name, Enabled

Are There Any Suggested Remediation Steps?

  • Why: Knowing the recommended remediation steps ensures a swift and effective response.

    • Examples:

      • Apply patches or updates to mitigate vulnerabilities:

        sudo apt-get update && sudo apt-get upgrade

      • Isolate compromised systems from the network:

        Disable-NetAdapter -Name "Ethernet" -Confirm:$false

How Many Systems Have Been Impacted?

  • Why: The number of affected systems influences the scale of the response and resource allocation.

    • Examples:

      • Query logs or SIEM tools to count impacted systems:

        index=security_logs event_type="compromise" | stats count by src_ip

      • Use EDR tools to identify infected endpoints:

        Get-MDATPDeviceAlerts -Severity High

Is the Exploit Being Used in the Wild?

  • Why: If the exploit is actively used in attacks, it indicates a higher level of urgency and potential sophistication.

    • Examples:

      • Check threat intelligence feeds for active campaigns:

        curl -X GET "https://www.virustotal.com/api/v3/files/<FILE_HASH>" -H "x-apikey: YOUR_API_KEY"

      • Monitor public advisories (e.g., CISA, MITRE CVE):

        curl https://cve.circl.lu/api/search/exploitdb

Does the Exploit Have Any Worm-Like Capabilities?

  • Why: Worm-like capabilities indicate the potential for rapid, widespread propagation across the network.

    • Examples:

      • Analyze malware behavior for self-replication:

        strings malicious_file | grep "worm"

      • Use sandboxing tools like Cuckoo Sandbox to observe propagation:

        cuckoo submit /path/to/malicious_file

3. Prioritizing Incidents Based on Severity

Once the above questions are answered, incidents can be categorized and prioritized:

  • High-Impact Incidents:

    • Examples: Ransomware encrypting critical data, unauthorized access to sensitive systems.

    • Actions:

      • Escalate immediately to senior leadership and incident response teams.

      • Isolate affected systems and initiate forensic analysis.

      • Notify relevant stakeholders (e.g., legal, PR).

  • High-Number of Impacted Systems:

    • Examples: Widespread malware infections or phishing campaigns affecting multiple users.

    • Actions:

      • Deploy automated containment measures (e.g., disable network access for infected devices).

      • Notify all affected users and provide guidance on next steps.

      • Conduct post-incident reviews to identify root causes and prevent recurrence.

Conclusion

Answering these key questions provides a comprehensive understanding of the severity and extent of a security incident. By evaluating factors such as exploitation impact, requirements, affected systems, and exploit characteristics, organizations can prioritize their response efforts effectively.

PreviousInitial InvestigationNextIncident Confidentiality & Communication

Last updated