09. Exercise Solution: Incident Response Life Cycle

You just received an alert that a critical server on your network is receiving traffic from various IP addresses and no longer has the capacity to handle the number of requests coming through – they are almost ten times the amount of normal traffic. Which actions relate to each phase of the incident response lifecycle?

Preparation

  • Monitor networks for unusual activity daily
  • Document your infrastructure
  • Establish an inventory of your critical assets and processes
  • Test DDoS response plan
  • Implement an incident response policy that all employees must read
  • Implement a security strategy

Detection and Analysis

  • Confirm that a distributed denial-of-service attack is occurring
  • Understand the logical flow of the DDoS attack and identify the infrastructure components affected by it
  • Review the logs of servers, routers, firewalls, applications, and other impacted infrastructure
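For the Detection and Analysis phase, here is an added example (not part of the course material) of the log check that confirms the traffic is a distributed flood rather than one noisy client: it parses constructed access-log lines and flags only minutes whose request count is about ten times baseline and comes from many distinct source IPs. The Common Log Format, the baseline_rpm value and the min_sources threshold are assumptions.

```python
# Added example (not from the course): confirm a volumetric DDoS from web
# server access logs by checking BOTH that the per-minute request rate is far
# above baseline AND that it is spread across many source IPs. Log lines are
# constructed; the 10x threshold mirrors the scenario in the exercise.
from collections import Counter, defaultdict
import re

# Common Log Format prefix: <ip> - - [<timestamp>] ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def parse_minute_buckets(lines):
    """Group requests by minute -> Counter of requests per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the analysis
        ip, ts = m.groups()
        buckets[ts[:17]][ip] += 1  # "10/Oct/2023:13:55:07 +0000" -> minute key
    return buckets

def detect_flood(lines, baseline_rpm, rate_multiplier=10, min_sources=20):
    """Return [(minute, requests, distinct_ips)] for minutes that look like a DDoS.

    A spike from a single IP is deliberately NOT flagged: that is one abusive
    client, which calls for a different response than a distributed flood.
    """
    flagged = []
    for minute, ips in sorted(parse_minute_buckets(lines).items()):
        total = sum(ips.values())
        if total >= rate_multiplier * baseline_rpm and len(ips) >= min_sources:
            flagged.append((minute, total, len(ips)))
    return flagged

def build_sample_log():
    """Constructed log: a normal minute, a single-IP spike, a distributed flood."""
    def line(ip, minute):
        return f'{ip} - - [{minute}:00 +0000] "GET /login HTTP/1.1" 200 512'
    lines = [line(f"198.51.100.{i % 3 + 1}", "10/Oct/2023:13:54") for i in range(10)]
    lines += [line("203.0.113.9", "10/Oct/2023:13:55") for _ in range(120)]
    lines += [line(f"192.0.2.{i % 30 + 1}", "10/Oct/2023:13:56") for i in range(120)]
    return lines

if __name__ == "__main__":
    for minute, total, ips in detect_flood(build_sample_log(), baseline_rpm=10):
        print(f"{minute}: {total} requests from {ips} sources -> possible DDoS")
```

Only the 13:56 minute is reported; the 13:55 spike from a single address is left for a separate abuse check.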

Containment, Eradication, and Recovery

  • Throttle or block excessive traffic
  • Contact the ISP for support in blocking traffic

Post-Incident Activity

  • Create a report summarizing the incident and challenges faced throughout