The goal of intrusion response is to minimize damage to the
institution and its customers through containment of the intrusion,
the restoration of systems, and providing assistance to
The response primarily involves people rather than technologies.
The quality of intrusion response is a function of the
institution's culture, policies and procedures, and training.
Preparation determines the success of any intrusion
response. This involves defining the policies and procedures
that guide the response, assigning responsibilities to individuals,
providing appropriate training, formalizing information flows, and
selecting, installing, and understanding the tools used in the
response effort. Key considerations that directly affect the
institution's policies and procedures include the following:
Successful implementation of any response policy and procedure
requires the assignment of responsibilities and training.
Some organizations formalize the response program with the creation
of a computer security incident response team (CSIRT). The
CSIRT is typically tasked with performing, coordinating, and
supporting responses to security incidents. Because an
intrusion raises both technical and nontechnical issues, a
typical CSIRT draws its members, with their differing
backgrounds and expertise, from many areas within the
institution. Those areas include management, legal, public
relations, and information technology.
Other organizations may outsource some of the CSIRT functions, such
as forensic examinations. When CSIRT functions are
outsourced, institutions should ensure that the service provider
follows the institution's policies and maintains the
confidentiality of data.
Institutions should assess the adequacy of their preparations
While containment strategies between institutions can vary, they
typically contain the following broad elements:
Restoration strategies should address the following: