
Respond to Infrastructure Incidents

Learning Objectives 

After completing this unit, you’ll be able to:

  • Explain how to assess the impact of an incident on infrastructure.
  • Describe how to remediate issues detrimental to the health or performance of systems.

Assess the Impact of an Incident

In this unit, we introduce you to the world of infrastructure incidents. We cover how to assess their impact and remediate them after they happen. Your organization may rely on a managed service provider (MSP) to manage its infrastructure. You may also have dependent organizations that rely on your infrastructure. We will therefore discuss considerations when coordinating with your MSP and any related organizations when responding to incidents.

As an infrastructure support specialist, you understand the specific operational impacts of cybersecurity lapses. You know that incidents can have both short- and long-term effects that can impact the success of your entire organization. You focus on what your organization can do in advance to brace for the impact of a security incident.

During an incident, you coordinate with business and technical leaders in your organization, as well as those organizations affected in your sector, to quickly react to incidents and take specific actions to minimize impacts.


Let’s look at some examples of common incidents that can have a negative impact on infrastructure.

  • Incident: A distributed denial of service (DDoS) attack against critical cloud services that renders them unavailable to users.
    Description: A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic.

  • Incident: A malware or ransomware infection that has encrypted critical business files across the corporate network.
    Description: Ransomware is a form of malware that encrypts files on a device, rendering those files, and the systems that depend on them, unusable. The attackers then demand a ransom in exchange for decryption.

  • Incident: A successful phishing attempt that has led to the exposure of personally identifiable information (PII) of customers.
    Description: Phishing is the fraudulent practice of sending emails or other messages that purport to come from a reputable source in order to induce individuals to reveal sensitive information, such as passwords and credit card numbers.

Remediate Issues 

Infrastructure incidents impacting your on-premises or cloud infrastructure are a major security risk to your business. According to PurpleSec, 65% of small businesses have failed to act following a cybersecurity incident. Incidents will happen; the key is how you respond.

When incidents occur, it’s important that your organization follow an incident management process to manage disruptions and restore services. The Information Technology Infrastructure Library (ITIL) framework describes a set of incident management practices to follow, beginning with incident identification and logging. Many incidents are first detected through logging and monitoring. When you detect possible unauthorized activity, you will likely work with the incident response team to triage the alert, analyze the activity, respond if there has been an infrastructure breach, and remediate. Unauthorized activities can be performed by either an insider or an outside attacker and can include:

  • Illegal/unauthorized downloads that introduce malware to a system
  • Fraud, waste, and abuse-type activities, such as running a personal business on company network resources
  • Port scanning that excessively degrades performance
  • Internet Protocol (IP) spoofing
  • Network reconnaissance
  • Unauthorized access into servers

Let’s look at an example. Employees and customers begin notifying you that they’re unable to reach the company’s websites and internal applications. You investigate by reviewing and analyzing system logs and discover that a malicious actor is sending millions of queries to your company’s domain name system (DNS) servers. When users type a web address into the browser’s address bar, DNS servers translate that name into a numeric IP address so the browser can connect to the correct site. Because your organization’s DNS servers were overwhelmed with illegitimate queries, they couldn’t answer legitimate ones, so names stopped resolving and the systems behind them appeared to be down even though they were still running.

You realize this could be a DDoS attack and notify the incident response team. Based on further investigation, you decide that your DNS servers need to be configured to distinguish illegitimate traffic from legitimate traffic. You implement mitigation strategies, such as behavior-based recognition (sources whose query rate or volume is far outside the norm) and signature-based recognition (queries matching known attack patterns), and sinkhole the traffic they identify. The term sinkhole means redirecting specific IP network traffic for security-related purposes, including analysis and forensics, diversion of attacks away from production systems, and detection of anomalous activity. For a volumetric attack that saturates your network links, filtering on your own servers is not enough, so you also coordinate with your MSP or upstream provider to filter the traffic before it reaches you.
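As an added example (not part of the original unit), here is a small Python script that runs the two detection approaches just described over constructed, simplified BIND-style DNS query-log lines and produces a list of sources to block. The log format, the thresholds, and the nftables table and chain names in the generated rules are assumptions for illustration; a real deployment would tune the thresholds to its own baseline traffic and would usually apply the block upstream of the DNS server rather than on it.

```python
"""Flag abusive DNS query sources from query-log lines (added example).

Two detectors, matching the mitigation approaches described above:
  * behavior-based: a source exceeding a per-second query-rate threshold
  * signature-based: a source sending queries that match known attack
    patterns (repeated ANY queries used for amplification, or
    pseudo-random subdomain labels used to exhaust a resolver's cache)
"""
import re
from collections import defaultdict

# Simplified BIND-style query-log format (assumed for this example):
# <timestamp> client <ip>#<port> (<zone>): query: <qname> IN <qtype> <flags>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample log: one legitimate client plus three attack sources.
SAMPLE_LOG = "\n".join(
    # legitimate user: a single A lookup
    ["2024-03-01T10:00:00 client 192.0.2.10#50522 (example.com): "
     "query: www.example.com IN A +E"]
    # amplification signature: repeated ANY queries from one source
    + ["2024-03-01T10:00:00 client 203.0.113.5#3000 (example.com): "
       "query: example.com IN ANY +E"] * 5
    # behavior: 120 queries within one second from one source
    + [f"2024-03-01T10:00:01 client 198.51.100.7#4000 (example.com): "
       f"query: host{i}.example.com IN A +E" for i in range(120)]
    # pseudo-random subdomain signature at a low rate
    + ["2024-03-01T10:00:01 client 203.0.113.77#5000 (example.com): "
       "query: x9k2m4p7q1z.example.com IN A +E",
       "2024-03-01T10:00:02 client 203.0.113.77#5000 (example.com): "
       "query: a83hd72k1lq.example.com IN A +E"]
)


def parse(lines):
    """Yield dicts with ts, ip, qname, qtype for each line that matches."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def looks_random(qname, min_len=10, min_digits=3, min_letters=3):
    """Heuristic for machine-generated subdomain labels: a long leftmost
    label that mixes several digits and several letters."""
    label = qname.split(".")[0]
    digits = sum(c.isdigit() for c in label)
    letters = sum(c.isalpha() for c in label)
    return len(label) >= min_len and digits >= min_digits and letters >= min_letters


def analyze(log_text, rate_threshold=100, any_threshold=3, random_threshold=2):
    """Return {source_ip: [reasons]} for sources that trip a detector."""
    per_second = defaultdict(int)    # (ip, second) -> query count
    any_count = defaultdict(int)     # ip -> ANY queries seen
    random_count = defaultdict(int)  # ip -> random-looking labels seen
    for rec in parse(log_text.splitlines()):
        second = rec["ts"][:19]      # truncate to whole seconds
        per_second[(rec["ip"], second)] += 1
        if rec["qtype"] == "ANY":
            any_count[rec["ip"]] += 1
        if looks_random(rec["qname"]):
            random_count[rec["ip"]] += 1

    flagged = defaultdict(list)
    peak = defaultdict(int)
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    for ip, n in peak.items():
        if n > rate_threshold:
            flagged[ip].append(f"behavior: peak {n} queries/s")
    for ip, n in any_count.items():
        if n >= any_threshold:
            flagged[ip].append(f"signature: {n} ANY queries")
    for ip, n in random_count.items():
        if n >= random_threshold:
            flagged[ip].append(f"signature: {n} pseudo-random subdomains")
    return dict(flagged)


def drop_rules(flagged):
    """Illustrative nftables rules dropping the flagged sources at the host.
    The table and chain names (inet filter / input) are assumed and must
    match the ruleset on the DNS server."""
    return [f"nft add rule inet filter input ip saddr {ip} counter drop"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, reasons in sorted(result.items()):
        print(f"{ip}: {'; '.join(reasons)}")
    for rule in drop_rules(result):
        print(rule)
```

On the constructed log, the legitimate client is left alone, the source sending 120 queries in one second is flagged by the behavior detector, and the two low-rate sources are caught only by the signature detectors, which is why both kinds of recognition are needed: a rate threshold alone misses slow but distinctive attack traffic, and signatures alone miss a flood of ordinary-looking queries.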

In working on the remediation, you may partner with points of contact across the business, technology organization, and application teams to develop and track a remediation plan for the identified outage. You may use an IT service management tool to record the event and remediation. You also will present findings from the remediation to business leadership, as well as update them on progress, hurdles, and issues on a regular basis.

You may need to influence stakeholders across your organization to prioritize risk management issues and drive remediation efforts. You also help verify that remediation plans are implemented, and review and identify any remaining gaps that could lead to further network outages.

As part of the follow-up to an event, you may want to update your change management procedures and test plans to prevent an outage like this from recurring. This can also help you prioritize further remedial actions. You also coordinate with the service providers you rely on, and with the organizations that rely on your infrastructure, to determine whether they were impacted by the outage.


Sum It Up

In this module, you’ve been introduced to how to identify your most important infrastructure as well as how to protect it. You’ve learned how to monitor and test your infrastructure to assess its availability and security. You’ve also discovered how to assess the impact of a network event when it does occur and how to remediate these incidents.

Along with the information you reviewed in the Infrastructure Support Module, you should now have a better understanding of what it takes to be an infrastructure support specialist. Interested in learning more about cybersecurity careers? Head on over to the Cybersecurity Learning Hub to explore other roles and hear from real security practitioners. 
