Incident Mitigation and Isolation – CompTIA Security+ SY0-401: 2.5

There are many ways to limit the impact of a security incident. In this video, you’ll learn about methods to stop the attack and limit the scope of the damage.

<< Previous Video: Incident Escalation and NotificationNext: Lessons Learned from Incidents >>

The objective of an incident mitigation is to limit the scope of what the attack might do your systems. If there’s any damage, or any widening of this incident, we may be able to contain it, and limit it from going outside the scope of that containment. These mitigation options might be very different depending on what kind of attack it is. For instance, if their attacking your internal email system you may be able to mitigate that by removing the email system completely from your network. But if the attack is going after your publicly facing web services you may have a limited number of options available to you. Hopefully, then you can go back to your planning process and examine what options may be available to you. Generally, you want to have your critical resources available, as long as possible, you don’t want to remove your publicly facing web servers from the internet, if you can continue to run and still yet contain that particular security incident. The goal is to collect as much information as possible. And then you can use all of that information to help make your decisions on the best way to mitigate this issue.

So what kind of criteria should you consider when you’re planning which strategy to follow, to mitigate this particular security incident? Well, one thing that you can consider is how much damage may be actively occurring, or how much data may be leaving your environment. If you can see the data leaving your network and going outside of your environment, or you can see that active pages on your website are being destroyed, erased, or changed, then you might want to very quickly begin some type of aggressive mitigation.

When these incidents are under way you want to gather as much evidence as possible. Especially, if this is happening from a third party and it may be a criminal attack, you may want to have this available. Especially, if this goes into a trial or any type of legal process. You can refer back to the video on planning for security incident, where we describe all of the things that you can use to help gather evidence when these types of problems occur. You should also consider how your mitigation might affect the services that are available to your customers, or the resources that are available inside of your network to the rest of the organization. The best possible scenario would be to mitigate the security incident and at the same time keep everything else up and running.

Another consideration is the cost of people, and time, and resources that will go into the mitigation strategy that you choose. If you’re deciding between a number of different strategies, one that might cost $1,000 and another one that might cost a million dollars, then you can start to decide which one is the better use of your business resources. You also need to consider how well you’re able to contain this particular security incident. If this happens to be something that’s spreads very quickly in your organization, then you may have to take some very drastic mitigation steps to contain that, or if this is very slow moving you may be able to move around it and still maintain uptime and availability for all of your other resources. And of course, the decision you make on which mitigation step you go with will also take into account how long it takes to actually put this plan into place. You want to have this contained as quickly as possible.

With technology it’s generally a bad idea to let these security incidents play themselves out and run their course, because generally there’s a lot more damage that occurs if that happens. And in some cases these incidents have been going on for quite some time already. So you want to very, very quickly mitigate and contain any problems that you might find. You also want to consider how fast this particular problem is moving. This is something the jumps very quickly between systems, then you’ll want to get your net around and contain that problem, as quickly as possible.

One way to isolate the bad guys is to put them in an environment that looks exactly like your normal environment, except it really isn’t. You’ve created a virtual world, a sandbox if you will, for them to go inside of and you can watch what they’re doing. This way you could start to understand a little bit more about what they’re trying to do, because they’re attacking a fake network. And you can then use that information to protect your real network.

Some malware is looking for an open linked to the internet. And if you work to disconnect your internet connection then it performs a different set of functions, maybe it deletes itself or it deletes other files on your systems. So you want to be very particular about how you contain these systems and incidents in your network.