Activity 11.1 Incident Severity Classification

Case Study: Your company is experiencing a prolonged DDOS attack on one of their crucial public facing web applications. The attack is preventing the company from selling its services to customers. Every day the attack is causing a loss of nearly two million. The attack is coming from multiple sources simultaneously. As you have exhausted all your options, you are now searching for a third-party to manage the incident response.

  • Classify the incident
  • Assign categorical ratings for funcitonal impact, economic impact, recoverability effort and information impact

Incident Classification

The scope of an incident’s impact can be defined as a both the degree of impairment caused to an organisation and the effort required to recover from the incident. As the DDOS attack is causing significant ecnomic impact, lacks a clear timeframe for resolution and requires engaging a third party – the impact of this incident is high.

Categorical Ratings

Category Rating Justification
Functional Impact HIGH While under DDOS attack, the company has been completely unable to sell their products and provide services to their users.
Economic Impact High As the economic loss is estimated at over 2 million per day, this amount clears the NIST threshold of $500,000 per day. Since the DDOS attack is ongoing with no clear remediation ahead, the company will experience significant losses.
Recoverability Effort Extended The time to recover from this attack is not predictable. As in-house capabilities have been exhausted, the company is now searching for a third party provider to assist. Hiring a third party will also increase the costs associated with the incident.
Information Impact None As the attack is a DDOS attack, availability is the main effected aspect of the business. No information has been exfiltrated at this point.

Activity 11.2 Incident Response Phases

In this activity, I will identify the correct phase of the incdent response process which corresponds to the following:

Activity Phase
Conducting a lessons learned review session. Post-incident activity
Recieving a report from a staff member about a malware infection. Detection and analysis
Upgrading a firewall to block a new type of attack. Preparation
Recovering normal operations after eradicating an incident. Containment, Eradication, Recovery
Identifying the attackers and attacking systems Containment, Eradication, Recovery
Interpreting log entries using a SIEM in order to identify a potential incident Detection and analysis
Assembling the hardware and software required to conduct an incident investigation Preparation

Activity 11.3 Develop an Incident Communications Plan

In this exercise I will imagine I am a CSIRT leader for a large ecommerce website. The website has experienced a security incident where attackers used SQL injection attacks to steal transaction records from the backend database. In response to this incident, I will develop a communications plan to outline the methods for responding to all relevant stakeholders.


XYZ company has several stakeholders, both internal and external which will need to be informed of the data breach. Each stakeholder group requires a different approach to communicate information regarding the breach. The timing, content and approaches will differ for each group. Internal stakeholders which will need to be informed in order of priority are: executive management, board members, the legal team, IT department, the communications department and the general remainder of employees. External stakeholders which will need to be informed, also in order of priority are: suppliers involved in the breech, shareholders, consumers and the general public.

Internal Stakeholders

A brief overview of the intended approach to inform identified internal stakeholders are listed below:

  1. Executive Management
    • First priority
    • Management team to meet with the CSIRT team and create the overall approach for communicating the incident to all other stakeholders
    • Approach to be agreed on and documented by all management team members
    • Timing and deadlines to be set
  2. The Legal team
    • Review the approach developed by executive management
    • Alter any areas which may have significant legal implications
  3. The Board
    • Convene emergency board meeting
    • Recieve board approval and feedback for implementing communication plans
  4. IT department
    • Inform all members of the IT department the technical details of the incident
    • IT team to increase monitoring and awareness posture
  5. The Communications department
    • Present approach to divlugving the incident to the public and general employees
    • Communications team to develop strategies and select approrpiate channels, i.e. media, social media, email, etc for relevant communications
  6. General empoyees
    • Explain incident according to approach laid out by communications team above.

External Stakeholders

A brief overview of the intended approach to inform identified external stakeholders are listed below:

  1. Suppliers
    • Create a priority list of any suppliers whose information may potentially have been divulged during the incident
    • Inform these suppliers and advise them of the nature of the information exfiltrated
    • Advise suplliers on status of company response and steps they can take
  2. Shareholders
    • Send out general shareholder notice via email
    • Send at the same time as emailing general consumers
  3. Consumers
    • Communicate breach first to consumers affected via official email
  4. General Public
    • Notify the media and general public based on the approach outlined by the communications team
    • Use a multi-channel approach, i.e. twitter, facebook, television, email, etc.


Before communicating the nature of a breach to stakeholders, careful consideration needs to be taken to develop the correct approach. This initial consideration requires significant input from executive management, the legal team and the communications department. Finally, once all stakeholders have been informed it is essential to review the effectiveness of the communcations and identify areas for improvement.


A glossary of all the terms, acronyms and slang I run across for this chapter.

Security Event Any observable event relating to a security function
Security Incident A serious violation or impending violation of an organisation's computer security policies
CSIRT Computer Security Incident Response Team
Incident Response Process Preparation > Detection and Analysis > Containment Eradication Recovery > Post Incident Activity
Security Event Indicators Four major categories of security event indicators: Alerts, Logs, Public Info, Internal People Reporting Issues, file integrity checking software
NTP Network Time Protocol; Syncing Time is Essential for ensuring accurate timestamps across devices
Procedures Provide detailed tactical info needed when responding to an incident
Policy Provides high level guidance and creates a framework for incident response
External or Removable Media NIST Threat Classification - An attack conducted from external storage such as a USB drive
Attrition NIST Threat Classification - Brute force attacks intended to compromise, degrade or destroy
Web NIST Threat Classification - Attacks executed from web based applications such as malicious downloads or XSS
Email NIST Threat Classification - Attacks executed in an email via the attachment or body
Impersonation NIST Threat Classification - Replacing something benign with something malicious such as MITM or SQL injection
Improper Usage NIST Threat Classification - When an authorized user violates the Acceptable Use Policy resulting in a security issue
Loss or Theft of Equipment NIST Threat Classification - Loss of a laptop, smartphone, device or authentication token
Unknown NIST Threat Classification - An attack of unknown origin
APT Advanced Persistent Threat - Highly skilled hackers focused on singular objectives
Functional Impact The degree of impairment an incident causes to an organization, measured on a scale of none, low, medium and high
Economic Impact The degree an incident causes economic damage. Measured in losses on a scale of none, low, medium and high
Recoverability Effort NIST Measurement of the time services will be unavailable, measured on a scale of regular, supplemented, extended and not recoverable
Datatype The nature and classification of data effects the incident response
Impact Categories NIST impact categories are defined as none, privacy breach, proprietary breach and integrity loss.