Creating an Incident Response Classification Framework

Posted on September 14, 2016
 

 

An Incident Classification Framework

Creating an incident classification framework is an important element in enabling the proper prioritization of incidents. It will also help you to develop meaningful metrics for future remediation. We recommend a two-tiered scheme that focuses on classifying the incident at the highest level (category, type, and severity) to prioritize incident management. Incident classification may change frequently during the incident management lifecycle as the team learns more about the incident from the analysis being performed.

Category:

  • Unauthorized access of the network
  • Malware
  • Denial of Service
  • Improper Usage by an IT administrator (accidentally or intentionally)
  • Unsuccessful Access Attempt

Type:

  • Targeted vs Opportunistic Threat
  • Advanced Persistent Threat
  • State Sponsored act of Espionage
  • Hacktivism Threat
  • Insider Threat

Severity

  • Critical Impact- Threat to public safety or life
  • High Impact- Threat to sensitive data
  • Moderate Impact- Threat to Computer Systems
  • Low Impact- Disruption of services

Incident Taxonomy

The second tier of this framework is incident taxonomy. Taxonomy focuses on detailing additional information about an incident that you need to identify root cause and trends. It can also provide you with information that is essential for incident response metrics. Classifying incidents for each of the following six criteria can give you detailed information on the incident that will be crucial in helping to find the best way to resolve the incident and prevent repeated incidents in the future. It is much easier to contain an incident when there is an understanding of that incident, and the correct protocol in handling it.

Direct Method

  • End User
  • 3rd Party Service Provider
  • Law Enforcement such as the FBI
  • Data Loss Prevention system, Firewall, Anti-Virus, Proxy, and Netflow

Attack Vector

  • Viruses
  • Email attachments
  • Web pages
  • Pop-up windows
  • Instant messages

Impact

  • Employee Dismissal
  • HR/ Ethics Violation
  • Loss of Productivity
  • Unauthorized Privileges
  • Brand Image
  • Lawsuit
  • Denial of Service

Intent

  • Malicious
  • Theft
  • Accidental
  • Physical Damage
  • Fraud
  • Espionage

Data Exposed

  • Public
  • Confidential
  • Export Control
  • Financial Reporting
  • Unknown

Root Cause

  • Unauthorized Action
  • Vulnerability Management
  • Theft
  • Security Control Failure/Gap
  • Disregard of Policy
  • User Negligence
  • Non-Compliance to Standards such as PII, PCI, HIPPA
  • Service Provider Negligence
Incident Responders Field Guide Visual CTA

Read more in our Field Guide to Incident Response Series

  1. 5 Key Criteria for Creating an Incident Response Plan that is Practical for YOUR Organization
  2. The Do’s and Don’ts of Incident Response
  3. Building Your Incident Response Team: Key Roles and Responsibilities
  4. Creating an Incident Response Classification Framework
  5. The Five Steps of Incident Response
  6. 3 Tips to Make Incident Response More Effective
  7. Using Existing Tools to Facilitate Incident Response
  8. Learning From a Security Incident: A Post-Mortem Checklist
Related Content
Don't Fall Behind; Get The Latest Security Insights Delivered To Your Inbox Each Week

Recommended Resources