Questions tagged [incident-response]

The art of responding to incidents in an organized and thoughtful manner.

Incident response, taken here to mean response to information security incidents, is one aspect of the broader Incident Management discipline. An incident response procedure can take many forms, but it always presupposes a pre-existing formal plan with the following goals:

  • Limit damage, whether monetary, reputational, or otherwise
  • Reduce recovery time
  • Prevent recurrences

Every execution of the response procedure should end with a formal report detailing the event.

See the CIRT (Computer Incident Response Team) Handbook for more information.

206 questions
163 votes, 2 answers

I found unknown PHP code on my server. How do I de-obfuscate the code?

We've been getting a lot of noise regarding hacked PHP files here, and it's taking a lot of time to answer these questions. In many cases, they are off-topic. We've had a discussion about this on Information Security Meta, and many people want these…
Asked by Mark Buffalo
151 votes, 9 answers

How do organizations check *what* has been hacked?

In the UK, the company TalkTalk was recently hacked. It was later discovered, after 'investigation' that the hack was not as serious as it could have been (and less than expected). I'm wondering: How do organizations (not necessarily TalkTalk --…
Asked by ᔕᖺᘎᕊ
64 votes, 5 answers

Can Beehive detect a Snowden-like actor?

In a seminar, one of the authors of Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterprise Networks said that this system can prevent actions like Snowden did. From their article's conclusions: Beehive improves on…
Asked by kelalaka
59 votes, 1 answer

What's the Impact of the CloudFlare Reverse Proxy Bug? ("#CloudBleed")

In Project Zero #1139, it was disclosed that CloudFlare had a bug which disclosed uninitialized memory, leaking private data sent through them via SSL. What's the real impact?
57 votes, 8 answers

Brutalized VPS recovery data now available. Considerations?

Backstory: My sites and VPS were stolen from me. The hosting company and I were locked out and unable to access it. They weren't able to create a temp password for access because the attacker blocked it. The last time I was logged into WHM, root…
47 votes, 3 answers

Should we keep logs forever to investigate past data breaches?

Listening to the Secure code lessons from Have I Been Pwned made me really think about logging. It appears that in the real world a lot of data breaches are discovered long after they happened, which makes the investigation and recovery much more…
Asked by alecxe
38 votes, 5 answers

How do I respond to a published security vulnerability in my application?

In my spare time I write some PHP code the purpose of which is to block link spam and other various malicious activity. On May 11 someone who discovered an XSS vulnerability in the WordPress version of this code published it without notifying me…
Asked by Michael Hampton
36 votes, 4 answers

Malware that can survive BIOS re-flashing

The well-respected security consultant Dragos Ruiu is reporting that he has been infected with mysterious malware that can survive re-installation of the OS and re-flashing of the OS. In other words, he has taken an infected machine, wiped it,…
Asked by D.W.
36 votes, 4 answers

Why did my provider reset my password after someone else attempted to gain access to my account?

Recently a provider (of SIP trunking services) I subscribe to sent me a strange email. It claimed that someone in another country attempted to reset the password to my account and was unsuccessful in answering my security question. The provider's…
Asked by Michael Hampton
35 votes, 6 answers

After getting doxxed, how can one protect personally identifiable information?

Doxing (publicly releasing private information about an individual, to make it easier to harass them) is becoming an increasingly popular tactic not just for hacktivists and Anonymous, but also for petty individual revenge. What are actionable, best…
Asked by J Kimball
27 votes, 4 answers

I detected someone probing my site for weaknesses, what can I do about it?

My site has been getting probed by a bunch of IPs from Morocco (trying to submit forms, trying out potential URLs, trying to execute scripts, etc.). I have a strong suspicion it's the same person after observing the pattern of how they behave.…
25 votes, 8 answers

How to respond to an SSH brute force attack on a single VPS?

I logged onto my VPS this morning to find millions of failed login attempts for the root user and other users that don't even exist. I took the below measures to try and obfuscate the attackers' efforts, which (have been going on for…
Asked by Aage Torleif
23 votes, 7 answers

Fostering an environment where honesty and disclosure are valued

UPDATE: The question is seeking real research based on behavior analysis of a significantly large sample of people using well-defined experiments. Posting answers based on opinions, or ad-hoc observations, does not address the question, nor does it add…
Asked by blunders
21 votes, 8 answers

Best practices for handling computer viruses

I realize this question may be quite broad (and hopefully not a violation of the FAQs), but I'm interested in hearing how many of you handle a computer infected with malware. In a small-to-medium business (heck, even large businesses like the New…
Asked by DKNUCKLES
20 votes, 10 answers

Is it ever appropriate to fight back?

When a website or system is being attacked, is there ever a scenario where it should automatically take action against the attackers rather than just passively handling the attack? If so, what responses are appropriate and legal? Are there any…
Asked by VirtuosiMedia