Incident Recovery
John Wunder edited this page Dec 1, 2015 · 1 revision
Abstraction Level (High, Medium or Low): Medium
Related Use Cases:
- Sub-use-case of Incident Response
Description: The incident recovery process consists of the steps incident responders take to restore normal operations after a computer security incident. It often involves coordination between the incident response team itself and the IT operations team to rebuild systems, switch to backup servers, and restore data from backups.
Stakeholders/Goals:
- Stakeholder: Incident Response Team
  - Goal: Restore normal operations
    - Task: Identify impacted assets based on sensor data and threat analysis
    - Task: Inform IT operations which assets are impacted and what the impact is
  - Goal: Gather data useful for future response activities
    - Task: Identify the TTPs the adversary leveraged, in order to better detect adversary activity and inform recovery courses of action (COAs)
- Stakeholder: IT Operations
  - Goal: Restore normal operations
    - Task: Receive the list of impacted assets from the incident response team and identify viable recovery COAs
    - Task: Execute the chosen recovery COAs and inform the incident response team
Preconditions:
- There has been an incident
- An initial threat analysis was performed
Dependencies:
- Threat analysis
Main Success Scenario:
- Incident response team identifies the initially impacted assets and performs a rapid assessment to determine potential COAs
- Incident response team informs IT operations team of affected assets and potential COAs
- IT operations team chooses and executes a COA to restore service and informs the incident response team
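The three steps above, as an added Python example that is not part of this wiki page or of any project tooling: the incident response team correlates sensor observations with the threat analysis to build the list of impacted assets and candidate COAs, hands that list to IT operations, and IT operations picks one COA per asset, executes it and reports back. The shape of the threat-analysis catalogue (TTP, its indicators, its impact, its COAs ordered from most assured to least disruptive), the indicator strings, host names and COA wording are all constructed for illustration and are not from the page.

```python
"""Incident recovery handoff: IR team -> IT operations -> IR team (added example).

Step 1: IR correlates sensor data with the threat analysis to identify impacted
assets and candidate COAs. Step 2: IR hands that to IT operations. Step 3: IT
operations chooses and executes a COA per asset and reports back. Every
indicator, TTP name, host and COA below is constructed for illustration.
"""
from collections import defaultdict

# Output of the preceding threat analysis (constructed): per adversary TTP, the
# indicators that evidence it, the impact it implies on an asset, and recovery
# COAs ordered from most assured (rebuild) to least disruptive.
THREAT_ANALYSIS = {
    "webshell-upload": {
        "indicators": {"file:/var/www/html/cmd.php", "ua:python-requests/2.4"},
        "impact": "host integrity lost",
        "coas": ["rebuild host from known-good image", "remove webshell and patch upload handler"],
    },
    "credential-theft": {
        "indicators": {"proc:mimikatz.exe"},
        "impact": "credentials exposed",
        "coas": ["rebuild host from known-good image", "reset every credential used on host"],
    },
    "data-exfil": {
        "indicators": {"dst:203.0.113.45:443"},
        "impact": "data exposed",
        "coas": ["restore data from last clean backup", "block destination and monitor"],
    },
}

# Sensor data for the incident, one observation per entry (constructed).
SENSOR_EVENTS = [
    {"asset": "web-01", "observed": "file:/var/www/html/cmd.php"},
    {"asset": "web-01", "observed": "ua:python-requests/2.4"},
    {"asset": "db-02", "observed": "proc:mimikatz.exe"},
    {"asset": "db-02", "observed": "dst:203.0.113.45:443"},
    {"asset": "web-03", "observed": "ua:Mozilla/5.0"},  # matches no indicator: not impacted
]


def identify_impacted_assets(events, analysis):
    """IR task: map each sensor hit to the TTP it evidences and group by asset.

    Returns {asset: {"ttps": [...], "impact": [...], "evidence": [...]}}, sorted by
    asset name. Assets with no matching indicator are omitted so IT operations only
    receives assets that actually need recovery work."""
    by_indicator = {ind: ttp for ttp, t in analysis.items() for ind in t["indicators"]}
    impacted = defaultdict(lambda: {"ttps": set(), "impact": set(), "evidence": set()})
    for ev in events:
        ttp = by_indicator.get(ev["observed"])
        if ttp is None:
            continue
        rec = impacted[ev["asset"]]
        rec["ttps"].add(ttp)
        rec["impact"].add(analysis[ttp]["impact"])
        rec["evidence"].add(ev["observed"])
    return {a: {k: sorted(v) for k, v in rec.items()} for a, rec in sorted(impacted.items())}


def propose_coas(impacted, analysis):
    """IR task: candidate COAs per asset, the union over its TTPs in first-seen
    order, with duplicates dropped (one rebuild covers several TTPs)."""
    proposals = {}
    for asset, rec in impacted.items():
        ordered = []
        for ttp in rec["ttps"]:
            for coa in analysis[ttp]["coas"]:
                if coa not in ordered:
                    ordered.append(coa)
        proposals[asset] = ordered
    return proposals


def build_handoff(impacted, proposals):
    """Step 2: the message the IR team sends to IT operations."""
    return {
        "from": "incident-response", "to": "it-operations",
        "assets": [{"asset": a, **impacted[a], "candidate_coas": proposals[a]} for a in impacted],
    }


def execute_recovery(handoff, choose=lambda asset, coas: coas[0]):
    """Step 3: IT operations picks one COA per asset (default: the first, most
    assured one), executes it, and reports back to IR. `choose` is the ops team's
    decision hook; a choice outside the proposed list is rejected."""
    report = {"from": "it-operations", "to": "incident-response", "executed": []}
    for entry in handoff["assets"]:
        coa = choose(entry["asset"], entry["candidate_coas"])
        if coa not in entry["candidate_coas"]:
            raise ValueError(f"{coa!r} was not a proposed COA for {entry['asset']}")
        report["executed"].append({"asset": entry["asset"], "coa": coa, "status": "done"})
    return report


def leveraged_ttps(impacted):
    """IR goal 'gather data for future response': the TTPs the adversary used,
    to feed detection tuning and future recovery planning."""
    return sorted({t for rec in impacted.values() for t in rec["ttps"]})


if __name__ == "__main__":
    impacted = identify_impacted_assets(SENSOR_EVENTS, THREAT_ANALYSIS)
    handoff = build_handoff(impacted, propose_coas(impacted, THREAT_ANALYSIS))
    print(execute_recovery(handoff))
    print("TTPs to detect next time:", leveraged_ttps(impacted))
```

The handoff carries the evidence and impact for each asset, not just the asset name, so IT operations can pick a less disruptive COA where the impact justifies it (a credential reset instead of a rebuild) while the IR team keeps the list of leveraged TTPs for detection tuning.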