
Incident Response

Backup recovery, disaster recovery

If you experience a security breach such as ransomware or data corruption, you must perform backup recovery measures.

First, identify the potential impacts of the recovery itself, such as service interruptions that may arise while it is carried out.

Additionally, assess which of the following recovery levels is required and develop the backup plan accordingly.

  • File level
  • Application data level
  • Application level
  • Server volume level
  • Server level
  • Managed service level

If service interruption is not permitted during the recovery period, you might consider reviewing a disaster recovery scenario.

Matters related to backup recovery and disaster recovery are covered in more detail in the Reliability Principles.

Incident response scenario

Security incidents and personal data breaches not only diminish an organization’s credibility but can also cause legal and financial damages.

To respond quickly and effectively when an incident occurs, a comprehensive and systematic response plan must be prepared in advance.

After a breach attempt is detected, a swift and systematic response is required.

The response procedures must be clearly delineated by stage, and all members must fully understand the procedures.

Incident detection and reporting, initial response, incident investigation and recovery, and post‑analysis and improvement stages each play a critical role.

In particular, rapid action during the initial response phase is essential to restoring the system quickly after an incident.

The initial response includes not only technical measures such as network blocking to prevent the incident from spreading, but also rapid communication with the relevant departments.

When a breach incident occurs, it is important to accurately analyze the cause of the incident and identify the scope of damage.

To do this, it is necessary to have the capability to systematically collect and analyze log data, use digital forensics tools to thoroughly investigate the cause of incidents, and develop measures to prevent recurrence.

Information collected through breach incident analysis can serve as valuable material for improving future security response strategies, so it should be managed to allow quick reference when an incident occurs.

The following are items that should be included in an incident response scenario.

  • Definition and scope of security incidents such as personal information leakage and data tampering
  • Emergency contact system (including external experts, specialized companies, and specialized institutions)
  • Procedures and methods for declaring a security incident
  • Procedures for reporting, notifying, and recording (to relevant agencies, users, etc.) when a security incident occurs
  • Analysis of breach incident causes, and response and recovery procedures
  • Composition, responsibilities, and roles of the incident response and recovery organization
  • Procurement of equipment and resources for incident recovery
  • Preparation of incident cause analysis and response reports
  • Incident response and recovery training, and training scenarios
  • Other measures necessary for preventing and recovering from security incidents

The figure below is an example of a security incident response procedure, and the response process can be tailored to each organization.

Figure. Example of incident response procedure

Incident response automation

Best practice
Establish and execute automated measures that can respond immediately to security events.

An automated response plan must be established and executed in advance to enable immediate response when an event occurs.

For example, you can use a DDoS Protection service to counter DDoS attacks, and you can increase the number of servers via Auto-Scaling to absorb the attack traffic.

If you also configure an alert that fires when scaling is initiated, the administrator is notified of abnormal server expansion and can recognize and respond to it promptly.
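The following is an added example, not code from the original page or from any cloud provider's service, of the alerting logic described above: it reads Auto-Scaling events and flags a group whose desired instance count grows faster than a threshold within a short window, which is the "abnormal server expansion" an administrator should be told about. The event records, the field names (`time`, `group`, `action`, `desired`) and the thresholds are all constructed assumptions; in practice the events would come from the provider's scaling logs and the alert would be sent through the monitoring service.

```python
"""Flag abnormal scale-out activity from Auto-Scaling events (illustrative)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class ScalingEvent:
    time: datetime
    group: str      # Auto-Scaling group name (assumed field)
    action: str     # "scale_out" or "scale_in" (assumed field)
    desired: int    # desired instance count after the action was applied


@dataclass
class Alert:
    group: str
    first_seen: datetime   # first event at which growth crossed the threshold
    growth: int            # growth within the window observed at first_seen
    peak_desired: int      # highest desired count seen from the alert onwards


def _t(hhmm: str) -> datetime:
    """Helper for the constructed sample: a fixed day, HH:MM string."""
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample events (not real cloud logs): "web" shows routine
# scaling; "api" shows a burst of scale-outs such as a DDoS would cause.
SAMPLE_EVENTS: List[ScalingEvent] = [
    ScalingEvent(_t("08:00"), "web", "scale_out", 3),
    ScalingEvent(_t("09:00"), "web", "scale_in", 2),
    ScalingEvent(_t("10:00"), "api", "scale_out", 4),
    ScalingEvent(_t("10:02"), "api", "scale_out", 8),
    ScalingEvent(_t("10:04"), "api", "scale_out", 12),
    ScalingEvent(_t("10:06"), "api", "scale_out", 16),
    ScalingEvent(_t("10:30"), "api", "scale_in", 4),
]


def detect_abnormal_scaling(events: List[ScalingEvent],
                            window: timedelta = timedelta(minutes=10),
                            max_growth: int = 6) -> List[Alert]:
    """Return one Alert per group whose desired count grew by more than
    max_growth instances within any sliding window of length `window`.

    Growth is measured against the smallest desired count still inside the
    window, so a slow, steady ramp does not trigger, but a burst does.
    """
    history: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    alerts: Dict[str, Alert] = {}
    for ev in sorted(events, key=lambda e: e.time):
        hist = history[ev.group]
        hist.append((ev.time, ev.desired))
        # Drop events that have fallen out of the sliding window.
        while hist and ev.time - hist[0][0] > window:
            hist.popleft()
        growth = ev.desired - min(d for _, d in hist)
        alert = alerts.get(ev.group)
        if alert is not None:
            # Already alerting on this group: just track the peak size.
            alert.peak_desired = max(alert.peak_desired, ev.desired)
        elif growth > max_growth:
            alerts[ev.group] = Alert(ev.group, ev.time, growth, ev.desired)
    return list(alerts.values())


def format_alert(a: Alert) -> str:
    """Render an alert as the message an administrator would receive."""
    return (f"[ALERT] group={a.group} abnormal scale-out at {a.first_seen:%H:%M}: "
            f"+{a.growth} instances within window (peak desired={a.peak_desired})")


if __name__ == "__main__":
    for alert in detect_abnormal_scaling(SAMPLE_EVENTS):
        print(format_alert(alert))
```

The threshold and window are the tuning knobs: set them from the group's normal scaling history so that expected daily peaks stay below the line, and treat the alert as a prompt to check the DDoS Protection service's view of inbound traffic rather than as proof of an attack.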

Figure. Example architecture for DDoS mitigation using Auto-Scaling

Design Principles
  1. Address security attacks by leveraging managed security services.
  2. Develop a response plan for each type of breach and apply automated measures to prevent service interruptions.