Handling an incident
As we covered earlier, IR encompasses all the technical components required to analyze and contain an incident, including the logistics, communications, coordination, and planning functions needed to resolve it in the most suitable way. Because preparation should be a continuous development process, the active side of this process begins with detection, when a system abnormality appears that indicates an attack.
The best way to determine what's abnormal is to know what's normal. In other words, if a user opens a new incident saying that the server's performance is slow, you must know all the variables before you jump to a conclusion. To know whether the server is slow, you must first know what's considered to be a normal speed. This also applies to networks, appliances, and other devices. In order to establish this understanding, make sure you have the following in place:
- A system profile
- A network profile/baseline...
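The idea above, that an observation only means something against a recorded baseline, can be made concrete. The following is an added example, not code from the book: it builds a numeric baseline from constructed latency samples, keeps a recorded listening-port set as a minimal system profile, and checks a "the server is slow" report against both. All values (the sample latencies, the port set, the 3-sigma tolerance) are hypothetical choices made for the example.

```python
"""Baseline-versus-observation checks for incident triage.

Added example (not from the book): builds a numeric baseline from constructed
sample measurements and a system profile from a recorded port set, then checks
a reported observation against both.
"""
from statistics import mean, pstdev

# Constructed data (not measured values): median request latency in ms,
# sampled once per hour over a quiet period on a hypothetical web server.
NORMAL_LATENCY_MS = [120, 135, 128, 142, 118, 130, 125, 138, 122, 133, 127, 131]

# Constructed system profile: TCP ports the server listened on when it was
# last reviewed. A hypothetical baseline, not a recommended configuration.
BASELINE_LISTENING_PORTS = {22, 80, 443}


def build_baseline(samples):
    """Return (mean, population stdev) describing the normal range of a metric.

    A baseline needs several samples; a single value cannot say what is normal.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to build a baseline")
    return mean(samples), pstdev(samples)


def is_anomalous(value, baseline, k=3.0):
    """True when `value` lies more than k standard deviations from the mean.

    A baseline whose samples never varied (stdev 0) has no tolerance band, so
    any departure from the recorded mean counts as abnormal.
    """
    mu, sigma = baseline
    if sigma == 0:
        return value != mu
    return abs(value - mu) > k * sigma


def profile_drift(current_ports, baseline_ports=BASELINE_LISTENING_PORTS):
    """Compare a current listening-port set with the recorded system profile.

    Returns (newly_open, no_longer_open); both lists are sorted for stable output.
    """
    current = set(current_ports)
    return sorted(current - baseline_ports), sorted(baseline_ports - current)


def triage(reported_latency_ms, current_ports, samples=NORMAL_LATENCY_MS):
    """Turn a 'the server is slow' report into concrete findings.

    Returns a list of finding strings; an empty list means nothing in the
    report deviates from the baseline, which is itself worth recording.
    """
    findings = []
    mu, sigma = build_baseline(samples)
    if is_anomalous(reported_latency_ms, (mu, sigma)):
        findings.append(
            f"latency {reported_latency_ms} ms is outside the normal band "
            f"({mu:.1f} +/- {3 * sigma:.1f} ms)"
        )
    newly_open, no_longer_open = profile_drift(current_ports)
    if newly_open:
        findings.append(f"ports not in the system profile are listening: {newly_open}")
    if no_longer_open:
        findings.append(f"ports in the system profile are no longer listening: {no_longer_open}")
    return findings


if __name__ == "__main__":
    # Constructed report: a user says the server is slow; a current check
    # shows 400 ms latency and an extra listener on 8080.
    for line in triage(400, {22, 80, 443, 8080}):
        print("FINDING:", line)
    # A report inside the baseline band with the expected ports yields nothing.
    print("quiet report findings:", triage(140, {22, 80, 443}))
```

The point of `triage` returning an empty list for the quiet report is that "within baseline" is a conclusion too: it lets the handler close the ticket with evidence rather than a guess, which is exactly the variable-checking the text asks for before jumping to a conclusion.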