
27/1/2019 TestOut LabSim

2.6.1 First Responder

First Responder
A first responder is the first person on the scene after a security incident has occurred. Your organization's network security policies should
contain specifications and procedures for first responders. The policies and procedures should exactly specify the responsibilities of a first
responder.

The role of the first responder is very important. The two main goals of a first responder are to contain the damage associated with the attack as
much as possible, and at the same time, preserve any evidence. Let's look at some general guidelines you can implement to accomplish these two
goals.

Training Users
First, train users to contact first responders if a security incident is suspected. This helps prevent the users from trying to intervene, because the
users may make the situation worse or destroy evidence. Train users not to touch anything if they think a security event has either happened or is
happening. The users should immediately contact a first responder.

Who the first responder is depends on the organization. A large organization may have a dedicated response team with trained first responders.
Smaller organizations probably have individuals within the IS Department who have been cross-trained on first responder skills, techniques, and
procedures. In either case, those are the individuals to contact should a security event occur. The important point is that users shouldn't try to
intervene themselves. Train users to immediately contact the first responders if a security issue is suspected.

Securing the Scene


When on site, the first responder's first task is to secure the scene; the goal is to contain the damage. Initially, the first responder
should identify the scope of the security event and determine whether the event is still in progress. If it is, the first responder
should do whatever it takes to stop the attack, which may be as simple as unplugging the network cable. Disconnecting the network isolates
the system while leaving its running processes and memory intact; powering it off or rebooting it destroys that volatile evidence, so
that should be a last resort.

The next step in securing the scene is to preserve all evidence. Stopping an attack in progress may destroy evidence: active network
connections vanish once the system is isolated, running processes and memory contents are lost if it is shut down, and running an
anti-malware cleanup can remove the very files the investigation needs. The first responder has to decide how to stop the attack while
preserving as much evidence as possible, and must use their best judgment in such cases.

In addition, while securing the scene, the first responder must escalate the issue to the right people within the organization. The
organization's leadership needs to be informed, because they are accountable for what has happened and need accurate information. It is
critical that the right people are informed of the security event and that the appropriate people are brought on site.

The first responder is not necessarily the person who's going to fix the problem. The first responder is similar to an Emergency Medical Technician
(EMT) who rides in an ambulance. When an accident occurs, an ambulance with an EMT goes to the site. The EMT is the first responder, and does
whatever is necessary to keep the accident victim alive until further medical treatment is obtained. The same principle applies with security events.
The first responders try to contain the problem, similar to stopping the bleeding on an accident victim. First responders also try to preserve
evidence. Then, people who have the expertise to fix the problem take over. This is where proper escalation is important. Experts are brought on
site to fix whatever problems were caused by the security incident.

All first responders should have immediate access to a call list. The call list should specify a contact for each type of incident that may occur. The
call list will help ensure that all issues are escalated properly.

Documentation
In addition, the first responder should document exactly what happened: the time the call was received, what was observed at the site,
what the user who reported the incident said and observed, and every action the responder took (such as disconnecting a cable) and when.
Each note should carry a timestamp and the responder's name, because the record may later have to stand up to legal or management scrutiny.
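The following is an added example (Python; it is not part of the TestOut lesson) of how those notes can be kept so that later edits are detectable. Every entry is timestamped in UTC and carries a SHA-256 hash computed over the previous entry's hash and its own contents, so altering or removing an entry breaks the chain. The responder name, the incident text and the starting value GENESIS are constructed for illustration.

```python
"""Tamper-evident first-responder incident log.

Added example, not part of the TestOut lesson. Each note records the UTC
time, who wrote it, what kind of note it is and the text. Each note's hash
covers the previous note's hash, so editing or removing any note after the
fact breaks the chain, which verify_chain() reports.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumed starting value that the first entry chains to.
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash and the canonical JSON of the note body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def add_entry(log: List[dict], responder: str, kind: str, text: str,
              when: Optional[str] = None) -> dict:
    """Append a note. kind is free text such as 'call_received', 'observation',
    'reporter_statement', 'action' or 'escalation'. when defaults to now (UTC)."""
    if when is None:
        when = datetime.now(timezone.utc).isoformat(timespec="seconds")
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log) + 1, "time_utc": when, "responder": responder,
            "kind": kind, "text": text}
    record = dict(body, prev_hash=prev, hash=_entry_hash(prev, body))
    log.append(record)
    return record


def verify_chain(log: List[dict]) -> Tuple[bool, int]:
    """Recompute every hash. Returns (True, -1) if intact, otherwise (False, index
    of the first entry that does not match)."""
    prev = GENESIS
    for index, record in enumerate(log):
        body = {k: v for k, v in record.items() if k not in ("prev_hash", "hash")}
        if record["prev_hash"] != prev or record["hash"] != _entry_hash(prev, body):
            return False, index
        prev = record["hash"]
    return True, -1


def build_sample_log() -> List[dict]:
    """Constructed sample incident with fixed timestamps so results are reproducible."""
    log: List[dict] = []
    add_entry(log, "j.doe", "call_received",
              "Help desk reports a user cannot log in; lockout alerts for several accounts.",
              "2019-01-27T09:12:00+00:00")
    add_entry(log, "j.doe", "reporter_statement",
              "User states a pop-up asked for credentials at about 09:00.",
              "2019-01-27T09:20:00+00:00")
    add_entry(log, "j.doe", "observation",
              "Workstation shows an outbound connection to an address outside the organization.",
              "2019-01-27T09:25:00+00:00")
    add_entry(log, "j.doe", "action",
              "Network cable disconnected; system left powered on to preserve memory.",
              "2019-01-27T09:26:00+00:00")
    add_entry(log, "j.doe", "escalation",
              "Security lead notified per the call list.",
              "2019-01-27T09:27:00+00:00")
    return log


def tampered_copy(log: List[dict]) -> List[dict]:
    """Copy of the log in which the containment note has been altered afterwards."""
    copy = [dict(record) for record in log]
    copy[3]["text"] = "Network cable disconnected at 09:10."
    return copy


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact: ", verify_chain(sample))                    # (True, -1)
    print("edited: ", verify_chain(tampered_copy(sample)))     # (False, 3)
    print("deleted:", verify_chain(sample[:2] + sample[3:]))   # (False, 2)
```

A hash chain only proves that the log has not been altered since it was written; to prove when it was written, copy the last hash to something the responder does not control (an e-mail to the security lead, a ticket) as soon as the scene is handed over.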

First Responder Tools


Just as an EMT has a medical bag with the tools needed to preserve life, a security first responder should have tools to accomplish the two
goals we've talked about. Key items are system documentation: the role of the affected system and its specifics, such as make and model,
amount of memory installed, operating system type and version, and networking information such as IP addresses. The first responder should
also know which services run on the system and how exposed it is to the outside world, which helps determine the scope of the attack and
whether it came from inside or outside the organization.
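As an added example (Python; not from the TestOut lesson), the script below collects the volatile state that is lost by pulling the cable or rebooting (network connections, running processes, logged-in users, interfaces, uptime) before recording the static specifics listed above (OS type and version, architecture, hostname, address), and writes a SHA-256 manifest of the output files. It serves both the evidence-preservation decision described under Securing the Scene and the system-specifics list here. The tool names it tries (ss, netstat, ps, who, ip, ifconfig, uptime) and the file and directory names are assumptions; a missing tool is recorded in NOTES.txt instead of aborting the run.

```python
"""Capture volatile state before containment, most volatile first.

Added example, not part of the TestOut lesson. Network connections and
running processes vanish when the cable is pulled or the box reboots, so
they are collected before the static system details the lesson lists.
Every output file is hashed into MANIFEST.txt so it can later be shown to
be unaltered. The tool names tried are assumptions about what the host
offers; a missing tool is recorded in NOTES.txt rather than aborting.
"""
import hashlib
import os
import platform
import shutil
import socket
import subprocess
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Most volatile first: (output file, candidate commands tried in order).
COLLECTION_PLAN = [
    ("net_connections.txt", [["ss", "-tunap"], ["netstat", "-tunap"]]),
    ("processes.txt", [["ps", "-eo", "pid,ppid,user,lstart,cmd"], ["ps", "aux"]]),
    ("logged_in.txt", [["who", "-a"], ["who"]]),
    ("interfaces.txt", [["ip", "addr"], ["ifconfig", "-a"]]),
    ("uptime.txt", [["uptime"]]),
]


def run_first_available(candidates: List[List[str]]) -> Tuple[Optional[str], str]:
    """Run the first candidate whose binary exists. Returns (command used, output)
    or (None, reason) when none of the tools is installed."""
    for cmd in candidates:
        if shutil.which(cmd[0]) is None:
            continue
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        except (OSError, subprocess.TimeoutExpired) as exc:
            return " ".join(cmd), f"[failed: {exc}]\n"
        return " ".join(cmd), proc.stdout + proc.stderr
    return None, "[no candidate tool found: " + ", ".join(c[0] for c in candidates) + "]\n"


def static_system_info() -> str:
    """The system specifics the lesson lists: OS type and version, hardware
    architecture, hostname and the address it resolves to."""
    lines = [
        f"hostname: {socket.gethostname()}",
        f"os: {platform.system()} {platform.release()} ({platform.version()})",
        f"machine: {platform.machine()}",
    ]
    try:
        lines.append(f"primary_address: {socket.gethostbyname(socket.gethostname())}")
    except OSError as exc:
        lines.append(f"primary_address: [unresolved: {exc}]")
    return "\n".join(lines) + "\n"


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_volatile(out_dir: str) -> dict:
    """Write every collection into out_dir; return {file name: sha256}.
    MANIFEST.txt uses the 'digest  name' form that `sha256sum -c MANIFEST.txt`
    verifies; NOTES.txt records when the run happened and which tool produced each file."""
    os.makedirs(out_dir, exist_ok=True)
    manifest = {}
    notes = [f"collected_utc: {datetime.now(timezone.utc).isoformat(timespec='seconds')}"]
    for fname, candidates in COLLECTION_PLAN:
        cmd, data = run_first_available(candidates)
        path = os.path.join(out_dir, fname)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(f"# command: {cmd}\n{data}")
        manifest[fname] = sha256_file(path)
        notes.append(f"{fname}: {cmd or 'NOT COLLECTED'}")
    # Static details last: they do not change when the cable is pulled.
    path = os.path.join(out_dir, "system_info.txt")
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(static_system_info())
    manifest["system_info.txt"] = sha256_file(path)
    with open(os.path.join(out_dir, "MANIFEST.txt"), "w", encoding="utf-8") as handle:
        handle.writelines(f"{digest}  {fname}\n" for fname, digest in manifest.items())
    with open(os.path.join(out_dir, "NOTES.txt"), "w", encoding="utf-8") as handle:
        handle.write("\n".join(notes) + "\n")
    return manifest


if __name__ == "__main__":
    target = "incident-" + datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    for name, digest in collect_volatile(target).items():
        print(digest, name)
```

Run it from the responder's own media and point out_dir at that media rather than at the suspect disk, so the collection does not overwrite anything on the system under investigation; the manifest can be checked afterwards with sha256sum -c MANIFEST.txt from inside the output directory.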

It is highly recommended that the first responder carry a web-enabled smartphone or tablet with its own cellular connection, not only a
notebook that depends on WiFi. Depending on the nature of the attack, the organization's normal Internet connection may be down or
deliberately isolated. An out-of-band connection lets the responder send notification emails and look up information for problem
resolution without touching the suspect network.

Also, the first responder should have a USB flash drive containing commonly used utilities and tools, such as a port scanner like Nmap and
anti-malware utilities. Consider creating a flash drive that holds a fully functioning operating system with various security tools
installed on it. A security-focused Linux distribution is a good choice for this: the responder's tools then do not depend on the possibly
compromised host operating system, and malware written for Windows cannot infect them. Keep the media write-protected where the hardware
allows it, so a compromised system cannot alter the tools. Note that rebooting a suspect system into such a live environment discards its
running processes and network connections, so capture that volatile evidence first if it matters to the investigation.

Summary

In this lesson we talked about the role of the first responder in incident response. We talked about the goals of the first responder. Then we talked
about general guidelines to help that first responder achieve those goals, such as notifying the right people, securing the scene, training users to
call first responders when a security event occurs, and so on. Then we talked about some of the tools that a first responder should have on site
when a security event has occurred.

TestOut Corporation All rights reserved.

https://cdn.testout.com/client-v5-1-10-551/startlabsim.html
