How you rate or prioritize a security incident is a key factor in determining the efficiency of an organization's security incident response. An effective incident severity rating system helps separate the critical incidents from minor threats. We may wonder how a single rating can affect the regulations and requirements that must be considered during incident response. The answer is that it is not the result but the process that matters, and the rating process can bring significant benefits to your organization.
Different organizations will have different methodologies for assigning severity to a reported incident.
Major factors to consider when rating an incident:
- IP/domain reputation - the reputation of the external source or destination that the internal host is communicating with. It can be checked on services such as Cisco Talos Intelligence and VirusTotal.
- Attack familiarity and age - how well known the attack is and how long it has been public. A recently published vulnerability with no fix available requires urgent attention.
- Relevance to your environment - whether the corresponding vulnerability exists in your environment and there is a realistic chance of exploitation; if so, the incident needs higher priority.
- Impact - what the consequences of the incident are. Anything affecting the organization's reputation, service availability, financial impact to the company or its customers, or legal exposure needs high priority.
- Pattern - check for a pattern; if the incident is occurring repeatedly it needs high attention.
- Device type & sensitivity - the importance of the affected device and the sensitivity of the information it carries or passes.
Considering the above factors, assign the appropriate priority to ensure the incident is addressed properly and with the required importance.
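The following is an added worked example, not code from the original article or from the author's organization: a small weighted scoring model that turns the factors listed above (reputation, attack age and fix availability, relevance, impact areas, pattern, device sensitivity) into a priority label and ranks a queue of incidents. All weights, thresholds, the `Incident` fields and the sample incidents are assumptions constructed for illustration; tune them to your own environment.

```python
"""Added example: weighted incident severity scoring (assumed weights)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, List, Tuple

# Impact areas named in the article; anything else is rejected as a typo.
IMPACT_CATEGORIES = {"reputation", "availability", "financial", "legal"}


class Priority(str, Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"
    CRITICAL = "Critical"


@dataclass
class Incident:
    name: str
    reputation_flagged: bool    # remote IP/domain flagged by a reputation service
    vuln_recent: bool           # exploits a recently published vulnerability
    fix_available: bool         # a patch or workaround exists
    relevant_to_env: bool       # the vulnerable component exists in our environment
    impacts: set = field(default_factory=set)  # subset of IMPACT_CATEGORIES
    occurrences: int = 1        # times the same pattern was seen in the review window
    asset_sensitivity: int = 1  # 1 = low, 2 = medium, 3 = high (device/data sensitivity)


def score_incident(inc: Incident) -> int:
    """Sum the per-factor weights (assumed values, maximum 16)."""
    unknown = set(inc.impacts) - IMPACT_CATEGORIES
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    if inc.asset_sensitivity not in (1, 2, 3):
        raise ValueError("asset_sensitivity must be 1, 2 or 3")

    score = 0
    # IP/domain reputation
    if inc.reputation_flagged:
        score += 2
    # Attack age: recent and unfixed is the urgent case, recent but patched less so
    if inc.vuln_recent:
        score += 1 if inc.fix_available else 3
    # Relevance to our environment
    if inc.relevant_to_env:
        score += 2
    # Impact: one point per affected business area
    score += len(inc.impacts)
    # Pattern: repeated occurrences raise attention
    if inc.occurrences >= 3:
        score += 2
    # Device type & sensitivity
    score += inc.asset_sensitivity
    return score


def priority_for(score: int) -> Priority:
    """Map a score to a label; thresholds are assumptions."""
    if score >= 11:
        return Priority.CRITICAL
    if score >= 7:
        return Priority.HIGH
    if score >= 4:
        return Priority.MEDIUM
    return Priority.LOW


def triage(incidents: Iterable[Incident]) -> List[Tuple[str, int, Priority]]:
    """Return (name, score, priority) rows, highest priority first."""
    rows = []
    for inc in incidents:
        s = score_incident(inc)
        rows.append((inc.name, s, priority_for(s)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample queue (not real incidents).
SAMPLE_QUEUE = [
    Incident("unpatched-edge-exploit", True, True, False, True,
             {"availability", "financial"}, occurrences=5, asset_sensitivity=3),
    Incident("old-scanner-noise", False, False, True, False,
             set(), occurrences=1, asset_sensitivity=1),
    Incident("phishing-domain-beacon", True, True, True, False,
             {"reputation"}, occurrences=3, asset_sensitivity=2),
]

if __name__ == "__main__":
    for name, score, prio in triage(SAMPLE_QUEUE):
        print(f"{prio.value:9} {score:2}  {name}")
```

Running the module prints the constructed queue in priority order: the unpatched, environment-relevant exploit against a sensitive host scores 14 (Critical), the repeated beacon to a flagged domain scores 8 (High), and the old scanner noise scores 1 (Low). The value of a model like this is less the number than the fact that every analyst walks the same checklist, so two people rating the same incident reach the same queue position.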
Authored By - Jinu Sunny
TCS Cyber Security Practice