August 2010

Ten Deadly Sins in Incident Handling

Ten Deadly Sins of Incident Handling

A secured environment is crucial for business
continuity. However, incidents are bound to
happen.
Appropriate
incident
handling
processes ensure prevention of security threats
as well as timely identification and mitigation.
This article delves into the ten deadly sins of
incident handling.

1. Introduction
Risks are inherent to the Internet environment. The security threat profile of cyber
space in general, has increased over the past several years. Threats have become
more sophisticated, frequent and damaging. Cybercrime has become a key
component for organized crime. Cybercriminals take advantage of system and
network vulnerabilities by probing, intruding, and attacking to damage, alter or steal
information. The type of chaos caused by cyber-attacks includes denial of service,
unauthorized intrusions, virus, Trojan attacks and malicious mails. Organizations do
take preventive measures such as proper authorization and encryption mechanisms,
regular updates, anti-virus solutions and user awareness. Of Course, it is not
possible to prevent all security incidents. Hackers manage to find vulnerabilities in
security products and in the network infrastructure. Therefore, the response, better
known as incident handling, plays a major role in network defense.
1.1 Incident Handling
Any unusual activity in a system or network may be cause for alarm. For
example, an employee may find an anomaly in the functioning of an application,
or an intrusion detection tool may indicate a suspicious activity in the network.
These unusual activities are better known as events. These are they types of
events that may lead to a security incident.
Incidents are interruptions caused by adverse events, which result in any
violation of standard security policies. Adverse events such as unauthorized
access, system crash, and malicious code execution, denial of service and
unauthorized use of resources may result in a change in the normal functioning of
the computer systems and/or network.
An incident1 in the form of a virus attack, unauthorized access or an illegal activity
by an insider requires a specific, appropriate response. Incident handling refers
to set of procedures, measures and actions initiated to detect, analyze, respond,
prevent and limit further damage. Incident response should be an integral part of
any information security policy of an organization. The incident handling process
involves preparation, detection, analysis, containment, recovery and post-incident

ThewordIncidentusedinthispaperreferstocomputersecurityincidents.

Page | 1

Copyright EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Ten Deadly Sins in Incident Handling

August 2010

analysis. An organization may have single or multiple incident handling and

response teams

Page | 2

Copyright EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

August 2010

Ten Deadly Sins in Incident Handling

2. Ten deadly sins in Incident handling

Incident response makes the difference between recovery and disaster. Here are the
ten deadly sins in incident handling:
i. Failure to identify/detect an incident
As discussed earlier, adverse events may lead to an incident. However, hackers
make changes in their modus-operandi from time to time to by-pass detection.
Intrusion detection tools may not detect all anomalies in systems and network2. If
you do not update the anti-virus software regularly, it may not detect a new form
of virus that may have breached the system security. A user may ignore a
suspicious activity. Sometimes, intrusion detection tools may raise false
positives3. For instance, a high CPU utilization for few minutes or misconfigured
system may lead to false alarm, while there may be no threat.
The reasons sited above are only a few reasons why incident handling is one of
the most challenging tasks to be addressed by the response team. However, an
incident handling team should be able to outline procedures to identify common
or recurring incidents. Incident detection plays a crucial role in determining an
appropriate response, and failure to detect an incident increases vulnerability of
systems and networks, which of course leads to grave cost implications.
An incident handling team can examine various potential threat indicators such
as virus detection, multiple failed login attempts, slow Internet connectivity and
poor system performance to detect possible incidents. A person can use threat
indicators to connect different, seemingly unrelated events. For example, new
files with unusual names may indicate attempts to gain unauthorized access to
compromise the victim machine, or unusual messages or graphics on a computer
screen may indicate malicious code attack. The incident handling team should
utilize announcements regarding new vulnerabilities or new forms of attacks to
examine their own system and network vulnerabilities to assure that they are
fortified to withstand these new threats.
ii. Lack of incident prioritization
Security incidents may differ in severity, therefore it is important to prioritize
incidents for better management of the incident handling process and timely
restoration of business operations. Incident prioritization enables the assignment
of a particular incident to the correct response team. Incidents may also affect the
service level agreements of the business because non-availability of a service to
customers for more than their contracts allowable period could attract penalties
to the organization. Lack of incident prioritization may lead to improper reporting
of the incident or a delay in remedial measures and restoration.

FailuretodetectanactualattackistermedasFalsenegative

Falsepositivesrefertoeventswhereanalarmisraised,evenwhentherearenothreats

Page | 3

Copyright EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

August 2010

Ten Deadly Sins in Incident Handling

Prioritization of incidents could be based on:

a. The criticality of the targeted resource
b. Impact of incident on current business operations
c. Potential long-term impact on business operations
d. Possible leakage of privileged confidential business data.
e. Urgency of resolution
f.

Possible breach of service level agreements

g. Impact on business reputation

h. Resources required to fix the vulnerabilities
i.

Cost of non-resolution to business, loss of revenue.

Incident prioritization helps in better reporting, timely action, appropriate resource

allocation, and the protection of evidence. Incident prioritization also helps in the
timely reporting of an incident to the appropriate internal and external authorities.
iii. Miscommunication
It is important to communicate an incident/security breach to various internal and
external stakeholders. However, it is also crucial to have a proper communication
policy to avoid miscommunication. Communication to internal and external
agencies would depend on the severity of the incident and its impact on business
operations. Announcing an attack to all employees may alert the intruder and
cause them to destroy the evidence. (If he/she is an insider.) Confronting an
attacker whom you think is responsible for the possible incident may trigger an
alarm for his accomplices in the crime, thereby losing the trail of event, which
could have helped you to bring legal action against the intruder. The first
objective of the incident handling team must be to control the incident. Listed
below are some of the precautions that the personnel within the incident handling
team needs to take while communicating an incident to other parties.
a. Identify the different stakeholders to be notified - Management, law
enforcement authorities, customers, media, general public, management,
IT department, human resource manager, security experts.
b. Take the advice of legal counsel before notifying law enforcement
authorities.
c. Communicate with media through public relations officer.
d. Alert customers only if threat is substantial. It is crucial to avoid panic
among customers, which could hamper incident-handling process.
iv. Not isolation of the infected device/system
One of the important decisions faced by the incident response team is whether to
continue the operations of the infected system or to isolate the system from the
Page | 4

Copyright EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

August 2010

Ten Deadly Sins in Incident Handling

network. In some cases, an organization may continue to use the infected

machine to ensure operational continuity.
However, an infected system may affect other systems in the network. The
infected system may even serve as a vector to launch an attack on other systems
on the network. Therefore, it is important to isolate the infected system from the
network to protect the network from virus or malicious code.
To ensure business continuity it is advisable to keep redundant backup of the
critical systems to ensure uninterrupted business service in case the primary
system is affected.
v. Inappropriate Log analysis
Reviewing log files is one of the ways to detect transmission of malicious code.
However, one of the common mistakes made by incident handling teams is to
look for only those log lines considered suspicious by the organization. Some of
the log analysis tools filter only defined attack signatures and events from the
logs. To only search for pre-defined events is an approach that will not detect
novel forms of attack or malicious behavior.
Log mining is one of the ways to recognize incidents, and can be a key factor in
detecting patterns of events. Log mining facilitates segmentation for easier
identification. For example, one the incident team members can segment the logs
based on user search, browse history, and user browse patterns.
vi. Restoration of operations without eradicating vulnerability
Incident identification and eradication are important functions of an incident
handling team. However, at times while the organization is in a hurry to restore
business operations, they may choose to restore the affected system without
eradicating the cause of the incident. This practice increases the chance that the
incident will reoccur. Therefore, before restoring operations, it is important to
control the damage caused by the attack. Possible attacks can be discovered by
identifying the cause and symptoms of the incident. It is important to examine and
remove any possible vulnerability that could be exploited by a malicious hacker.
For example, if the incident team encounters an incident that involves user-level
access compromised by a brute force attack, then it is important that they:
a. change the user password,
b. educate the user for stronger password,
c. encourage stronger password usage among all users,
d. review or update the password policy in accordance with industry
accepted standards,
e. check for contaminated files in user account,
f. find vulnerabilities, and
g. Update the anti-virus system.

Page | 5

Copyright EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

August 2010

Ten Deadly Sins in Incident Handling

It is also important to identify the loopholes in the security infrastructure and

strengthen the defenses in accordance with the latest security updates. A clean
backup can help in restoring the system. The incident team may also decide to
rebuild a fresh system by installing new hardware and software. It is important to
secure the restored system to curtail further attacks.
vii. Inadequate training and lack of skilled and certified personnel
Threats in the cyber space have become more complicated. Hackers can exploit
vulnerabilities in network security devices and software programs. They can also
exploit users actions. Essentially, hackers can exploit a multitude of attack
vectors, attack types and vulnerabilities. Lack of adequate skills and technical
expertise may result in mishandling of incident, loss of evidence, inappropriate
response and complications. Personnel within the incident handling team must be
able to recognize intrusion techniques and different forms of attacks. They must
be able to detect and analyze intrusions as well as possess knowledge of
network devices, operating systems and applications. The Incident handling team
must have personnel skilled in varied domains such as:
a. Network and system security
b. Software engineering
c. Programming skills
d. Language scripting
e. Forensics
f. Vulnerability assessment
g. Penetration testing
The incident handling team must also have knowledge of the various tools and
techniques used in vulnerability assessments, and should keep themselves
updated with the latest events related to information security. It is also important
that this team is aware of the new vulnerabilities that have been discovered
among other incident response teams.
Excellent communication, problem-solving and time management skills are
mandatory for personnel within the incident handling team. Regular training
sessions, e-learning programs and workshops may be required to supplement
the skills of the team members.
viii. Not reviewing incident response or non-validation
Incident response process includes taking the necessary steps to restore the
normal operations after an adverse event or incident. Once the incident is
contained, the affected systems should be recovered . It is important to review
the entire incident response process. Response review should assess:
a. Incident response plan whether preparation was adequate.
b. Steps taken by the team were in accordance with plan, was any flexibility
required.
Page | 6

Copyright EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

August 2010

Ten Deadly Sins in Incident Handling

c. Successful and failed steps, success in containing the incident

d. Promptness of response, cause for delays
e. If appropriate communication was made and stakeholders notified
f. Challenges faced
g. Resources used was there a need for additional resources
h. Level of management support
i. Areas for improvement (skills, training requirements, procedures,)
Documentation is crucial at all phases of the incident handling and response
process. Team members must document all activities, evidence collected,
vulnerabilities and responses during the course of preparation, detection,
analysis, containment, recovery and post-incident analysis. A thorough review of
the incident response is recommended to ensure prevention of errors and better
preparedness. Reviews also enable development of appropriate response
procedures. Lessons learned from the incident handling and response process
will help to devise better plans and procedures and incorporate new tools and
techniques
ix. Lack of proper coordination with other stakeholders
Appropriate coordination between various stakeholders and the incident handling
team is crucial to ensure a successful incident response process. Lack of proper
coordination may result in chaos, duplication of tasks and delay in the incident
response process. Various stakeholders include: users, system administrators,
network operations, information security officers, chief information officer, other
incident response teams, human resources, public relations officer, legal
departments, and law enforcement agencies. Proper coordination between the
incident response team and the public relations officer is crucial for an
appropriate and timely communication of an adverse event to media and/or
customers. Cooperation with the human resources department is also crucial to
ensure timely action against an internal intruder. Some of the incidents may
require escalation to higher authorities such as the Chief Information Officer or
the Chief Information Security Officer for timely action.
x. Lack of documentation and implementation of standard incident handling
and response procedures
Incident handling and response is a planned process that requires incident
detection, analysis, eradication and recovery within stipulated deadlines.
Therefore, it is important to have a standard set of procedures, which could
facilitate timely intervention to control any adverse event. A standard operating
procedure should:
a. Define an incident and indicate common incidents related to systems,
network, user accounts, files and folders.

Page | 7

Copyright EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

August 2010

Ten Deadly Sins in Incident Handling

b. Suggest procedures for reporting an incident and the contact details of

appropriate authorities.
c. Define roles and responsibilities of users, system administrators,
Information security officer and incident response teams.
d. Mention contact details of incident response teams, management,
vendors, suppliers, law enforcement authorities, legal team and human
resource team and other requisite teams.
e. Have procedures to categorize incidents in terms of their severity,
business impact and violation of law.
f.

Indicate procedures for incident escalation and notification. Instances of

criminal activity and likely breach of service level agreements may require
escalation to higher authorities.

g. Indicate precautions for handling and protecting evidence.

h. Indicate precautions in dealing with data, systems, applications and
network to prevent or minimize incidents.
i.

Prescribe checklist for dealing with commonly known cyber threats and
incidents.

3. Conclusion
Incident handling is crucial to prevent, detect and mitigate cyber threats in an organization.
Proper procedures must be in place for timely detection and resolution of an incident. An
appropriate incident handling plan must devise effective mechanisms to prevent cyber
threats. It is recommend that organizations incorporate incident handling as an integral part
of their information security policy to ensure minimum disruptions in business activities.

Page | 8

Copyright EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited