Incident Response
Backup recovery, disaster recovery
If a security incident such as a ransomware infection or data corruption occurs, you must recover from backups.
First, identify the potential impacts of the recovery process itself, such as service interruptions while it runs.
Then decide which of the following recovery levels is required and establish a backup plan accordingly.
- File level
- Application data level
- Application level
- Server volume level
- Server level
- Managed service level
If service interruption cannot be tolerated during the recovery period, consider a disaster recovery scenario instead of a backup restore.
Backup recovery and disaster recovery are covered in more detail in the Reliability Principles.
Incident Response Scenario
Security incidents and personal data leaks not only damage an organization's reputation, but can also cause legal and financial harm.
To respond quickly and effectively when an incident occurs, you must prepare a comprehensive and systematic response plan in advance.
Once an intrusion attempt is detected, a swift and systematic response is required.
The response procedure must be clearly divided into stages, and every member of the organization must fully understand it.
The stages of incident recognition and reporting, initial response, investigation and recovery, and post-incident analysis and improvement each play an important role.
In particular, rapid action in the initial response stage is critical to returning the system to normal soon after an incident occurs.
This includes not only technical containment measures, such as isolating affected hosts or networks to stop the incident from spreading, but also prompt communication with the relevant departments.
When a breach occurs, it is important to analyze the cause accurately and identify the scope of the damage.
This requires the capability to collect and analyze log data systematically, to investigate the cause precisely with digital forensic tools, and to establish measures that prevent recurrence.
Information gathered through breach analysis is valuable input for improving future security response strategies, so it should be kept where it can be referenced quickly when the next incident occurs.
The following are items that should be included in an incident response scenario.
- Definition and scope of breach incidents, such as personal information leakage and data tampering
- Emergency contact system (including external experts, specialized companies, specialized institutions, etc.)
- Incident declaration procedures and methods
- Procedures for reporting, notification, and record-keeping in the event of a security incident (to relevant agencies, users, etc.)
- Incident cause analysis, response, and recovery procedures
- Composition, responsibilities, and roles of the incident recovery organization
- Procurement of equipment and resources for incident recovery
- Breach cause analysis and preparation of the response report
- Incident response and recovery training, including training scenarios
- Other items necessary for preventing and recovering from security incidents
The following diagram is an example of a security incident response procedure; the procedure can be adapted to suit each organization.
Incident Response Automation
You must establish and implement an automated response plan in advance so that you can respond immediately when an event occurs.
For example, a DDoS Protection service can absorb DDoS attacks, and Auto-Scaling can add servers to handle the load an attack generates.
If you configure a notification when scaling is triggered, the administrator is alerted when servers are being added abnormally and can recognize and respond to the situation quickly.
Note that scaling out in response to a volumetric attack also scales out cost, so set an upper bound on the scaling group and pair scaling with traffic filtering (DDoS Protection, rate limiting) rather than relying on capacity alone.
- Respond to security attacks using managed security services.
- Prepare response measures for each type of attack and apply automated actions to prevent service interruption.
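The following is an added example, not code from the original page or from any provider's Auto-Scaling service, of the notification logic described above: it reads a constructed scaling event log (the line format is an assumption made for this example, not a real provider format), detects a burst of scale-out events coinciding with a traffic spike well above baseline, and produces the administrator notification. Gradual growth spread over time does not fire, because the check requires several scale-outs inside one short window. The thresholds (window, scale-out count, spike factor) are assumptions and should be tuned to the service's normal traffic profile.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample Auto-Scaling event log (assumed format, not a real provider's).
# Each line: <ISO timestamp> <action> instances=<count after action> rps=<requests/s at trigger>
# 09:00-09:45 is normal daily growth; 10:00-10:06 is a burst driven by a traffic flood.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z scale_out instances=3 rps=900
2024-05-01T09:30:00Z scale_out instances=4 rps=1100
2024-05-01T09:45:00Z scale_in instances=3 rps=800
2024-05-01T10:00:00Z scale_out instances=5 rps=2000
2024-05-01T10:02:00Z scale_out instances=7 rps=6000
2024-05-01T10:04:00Z scale_out instances=10 rps=15000
2024-05-01T10:06:00Z scale_out instances=14 rps=30000
"""


@dataclass
class ScalingEvent:
    ts: datetime
    action: str        # "scale_out" or "scale_in"
    instances: int     # instance count after the action
    rps: float         # requests per second observed when the action was triggered


@dataclass
class ScaleOutAlert:
    ts: datetime
    scale_outs: int    # scale-out events inside the detection window
    instances: int     # instance count when the alert fired
    rps_ratio: float   # observed rps divided by baseline rps


def parse_log(text: str) -> List[ScalingEvent]:
    """Parse the constructed log format into ScalingEvent records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, action, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(ScalingEvent(
            ts=datetime.fromisoformat(ts_str.replace("Z", "+00:00")),
            action=action,
            instances=int(kv["instances"]),
            rps=float(kv["rps"]),
        ))
    return events


def detect_abnormal_scale_out(events: List[ScalingEvent], baseline_rps: float,
                              window: timedelta = timedelta(minutes=10),
                              max_scale_outs: int = 3,
                              spike_factor: float = 5.0) -> List[ScaleOutAlert]:
    """Alert when >= max_scale_outs scale-out events fall inside `window` and the
    traffic at the latest one is at least spike_factor times the baseline.
    After an alert the window is reset so one burst yields one notification."""
    alerts: List[ScaleOutAlert] = []
    recent: List[ScalingEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "scale_out":
            continue                      # scale-in events never indicate an attack-driven expansion
        recent.append(ev)
        recent = [e for e in recent if ev.ts - e.ts <= window]   # sliding window
        if len(recent) >= max_scale_outs and ev.rps >= spike_factor * baseline_rps:
            alerts.append(ScaleOutAlert(ev.ts, len(recent), ev.instances, ev.rps / baseline_rps))
            recent = []
    return alerts


def format_notification(alert: ScaleOutAlert) -> str:
    """Message sent to the administrator; the recommended actions follow the page's guidance."""
    return (f"[{alert.ts.isoformat()}] ABNORMAL SCALE-OUT: {alert.scale_outs} scale-out events "
            f"in window, now {alert.instances} instances, traffic {alert.rps_ratio:.1f}x baseline. "
            "Check DDoS Protection status and consider capping the scaling group's maximum size.")


def analyze_scaling_log(text: str, baseline_rps: float, **kwargs) -> List[ScaleOutAlert]:
    return detect_abnormal_scale_out(parse_log(text), baseline_rps, **kwargs)


if __name__ == "__main__":
    for alert in analyze_scaling_log(SAMPLE_LOG, baseline_rps=1000):
        print(format_notification(alert))
```

With the default thresholds the sample log produces exactly one notification, at 10:04, when the third scale-out in ten minutes coincides with traffic at 15 times the baseline; the earlier 09:00 and 09:30 scale-outs are too far apart to count as a burst. In practice the event source would be the scaling service's own notifications and the notification sink a paging or chat channel, and the "cap the group's maximum size" step is the bound that keeps an attack from turning into an open-ended bill.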

