Module 2: Escalate incidents

I’m excited that you
could join me today! Previously, you learned about the importance of
various asset types. You also learned about
the relationship between incidents and events. Now, we’ll focus on
escalating those incidents and events to the right people. Protecting the
data and assets of an organization is the primary
goal of a security team. The decisions you
make every day are important for helping the security team
achieve that goal. Recognizing when and how to escalate security
incidents is crucial. It helps ensure simple issues don’t become larger problems
for an organization. Escalation is a term you should familiarize
yourself with. It’s likely to resurface
often as you continue your journey into
the security profession. In the following videos, we’ll discuss incident
escalation from an entry-level
analyst’s perspective. Then, we’ll explore various incident
classification types and the impacts
security incidents can have on business operations. Finally, we’ll share some general guidelines
for escalating incidents. Coming up, we’ll start by focusing on incident escalation and how it can be
used to prevent a seemingly small
issue from becoming a bigger problem.
Let’s get started!

Security Incident Escalation for Entry-Level Analysts: A Practical Guide

Welcome, new analysts! This tutorial equips you with the knowledge and skills to confidently navigate the crucial process of security incident escalation. Protecting an organization’s data and assets begins with recognizing and addressing potential threats promptly, and escalation plays a key role in this.

Understanding the Basics:

• What is Incident Escalation?: It’s the identifying, assessing, and (if necessary) transferring a potential security incident to a more experienced team member or higher level of authority within the security organization.
• Why is it Important?: Timely escalation prevents minor issues from spiraling into major crises. It ensures the right expertise tackles the problem efficiently, minimizing damage and optimizing response.
• Not All Incidents Need Escalation: Learn to differentiate between anomalies and true security threats. Over-escalation consumes valuable resources and can disrupt workflows.

Essential Skills for Effective Escalation:

• Attention to Detail: Hone your eagle eye to spot even subtle anomalies in network behavior, system logs, or user activity that might indicate a potential security incident.
• Understanding Escalation Guidelines: Every organization has defined procedures for incident reporting and escalation. Familiarize yourself thoroughly with your company’s specific escalation process, including whom to contact and when.
• Clear and Concise Communication: When escalating an incident, accurately and concisely communicate the details, including the nature of the incident, observed symptoms, time of occurrence, and any initial assessment.

Demystifying Security Team Roles:

Larger organizations have dedicated teams with specialized skills to handle different aspects of an incident. These may include:

• Incident Response Team: Leads the investigation, containment, and eradication of the threat.
• Security Operations Center (SOC): Monitors systems and infrastructure for suspicious activity and alerts analysts to potential incidents.
• Engineering Team: Provides technical expertise for troubleshooting and patching vulnerabilities.
• Public Relations Team: Manages communications with stakeholders and the public in case of a major incident.
• Legal Team: Provides legal guidance and compliance support during incident response.

The Domino Effect of Delayed Escalation:

Remember, even the smallest security incident, if left unchecked, can snowball into a significant crisis. Imagine a minor malware infection:

• Delayed escalation: The infection spreads, compromising sensitive data and causing system disruptions.
• Potential consequences: Financial losses due to downtime, data breaches exposing customer information, and reputational damage.

Playing Your Part as an Entry-Level Analyst:

As a frontline analyst, you’re the first line of defense. Your keen observation and timely escalation contribute significantly to the organization’s overall security posture. Think of yourself as the first domino in a chain reaction. Your accurate and responsible escalation triggers the right responses, preventing the dominoes from falling and causing widespread damage.

What’s Next:

• Deep dive into different security incident classifications to understand the severity levels and appropriate escalation paths.
• Explore practical tactics for effective communication and collaboration with various security teams during incident response.
• Analyze real-world case studies to apply your newly acquired knowledge and hone your escalation skills.

Remember: Effective incident escalation is an acquired skill. Be patient, practice consistently, and don’t hesitate to seek guidance from senior analysts or your mentor. You are a vital part of the security team, and your responsible escalation decisions play a crucial role in keeping your organization safe from harm.

Additional Resources:

• SANS Institute: https://www.sans.org/cyber-security-courses/
• NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
• OWASP Top 10 Web Application Security Risks: https://owasp.org/www-project-top-ten/

Stay vigilant, escalate wisely, and together, we can build a fortress-like security posture for your organization!

Security analysts are hired to protect company assets and data, including knowing when and how to escalate
security incidents. In this video, we’ll define security incident
escalation and discuss your role in making
decisions that help protect your organization’s
data and assets. So what is incident escalation? And why is it so important for
security professionals? Incident escalation
is the process of identifying a potential
security incident, triaging it, and (if appropriate) handing it off to a more
experienced team member. It’s important to
also recognize that not every incident
needs to be escalated. In this video, we’ll cover what types of incidents
should be escalated. As an entry-level analyst,
it’s unlikely that you’ll be responding to security
incidents independently. However, it’s important that
you know how to evaluate and escalate incidents to
the right individual or team when necessary. Let’s discuss the
essential skills needed to properly escalate
security incidents. There are two essential
skills that will help you identify security incidents
that need to be escalated: attention to detail and
an ability to follow an organization’s escalation
guidelines or processes. Attention to detail will help
you quickly identify when something doesn’t
seem right within the organization’s
network or systems. Following a company’s escalation
guidelines or processes will help you know
how to properly escalate the issue
you’ve identified. Larger organizations’
security teams have many levels, and each level, or member, of that team plays a major role in protecting the
company’s assets and data. However, smaller and
medium sized companies have only one or two people responsible for the
organization’s security. For now, we’ll focus on the roles in bigger
organizations. From the Chief Information
Security Officer, also known as the CISO, to the engineering team,
public relations team, and even the legal team, every member of the
security team matters. Each team member’s
role depends on the nature and scope
of the incident. These roles are
highlighted within a company’s escalation process. Even the smallest
security incident can become a much larger
issue if not addressed. And that’s where you come in! Imagine you’re
working at your desk and notice what appears
to be a minor incident, but you decide to take a break before addressing
or escalating it. This decision could have
major consequences. If a small issue goes
unescalated for too long, it has the potential to become a larger problem that
costs the company money, exposes sensitive customer data, or damages the
company’s reputation. However, with a high-level of attention to detail, and
an ability to follow your organization’s
escalation guidelines and processes, it may be possible to avoid exposing the business, and its customers,
to harmful incidents. As an entry-level analyst, you play an important role. You help the security
team identify issues within the network and systems and help make sure the right person on the team is alerted when incidents occur. Think about an assembly line. Would the final step in the
line be negatively impacted if the first step were done
incorrectly, or not at all? Of course it would! Every decision you make helps the entire security team protect an organization’s
assets and data. Knowing when and how to
escalate security incidents is one of many
important decisions you’ll need to make
on a daily basis. Later in this course, we’ll discuss the various
levels of security incidents. Knowing those levels will help
you determine the level of urgency needed to escalate
different incident types.

Security Incident Classification: A Roadmap for Entry-Level Analysts

Welcome, future security heroes! This tutorial equips you with the knowledge and skills to navigate the critical world of security incident classification, the foundation for effective response and escalation. As an entry-level analyst, understanding different incident types will empower you to make informed decisions about when and how to raise the alarm.

Demystifying the Types:

• Malware Infections: Malicious software infiltrating systems and networks, causing disruptions and compromise. Malware comes in many flavors, from simple phishing attempts to complex ransomware attacks that encrypt critical data.
• Unauthorized Access: Unpermitted access to systems or applications, often achieved through brute force attacks or stolen credentials. This access can enable data theft, system manipulation, and other malicious activities.
• Improper Usage: Employees violating company policies regarding technology usage. This can be unintentional (installing unauthorized software) or intentional (misusing company resources for personal gain).

Classification Matters:

Accurately classifying incidents is key to triggering the right response and minimizing damage. Consider these factors:

• Impact: How significantly does the incident affect the organization’s operations, data, or reputation? A ransomware attack crippling entire systems demands immediate escalation, while unintentional software installation might require a less urgent approach.
• Urgency: Does the incident require immediate action to prevent further damage, or can it be investigated and addressed later? Time becomes critical in scenarios like data breaches or ongoing system attacks.
• Intent: Was the incident deliberate malicious activity or an unintentional mistake? Understanding the intent behind an incident can guide your escalation response and potential disciplinary actions.

The Escalation Equation:

Remember, not every incident necessitates a frantic alarm. Analyze the situation using the classification framework above to determine the appropriate escalation path:

• High-Impact Incidents: Malware infections targeting critical systems, major data breaches, and confirmed unauthorized access by malicious actors fall under this category. Immediate escalation to senior analysts or incident response teams is crucial.
• Medium-Impact Incidents: Unintentional improper usage, suspicious network activity, or minor malware infections warrant further investigation and potential escalation depending on the observed severity and potential threats.
• Low-Impact Incidents: Isolated cases of unintentional policy violations or minor suspicious activity might require documentation and internal reporting, but not immediate escalation.

Beyond the Basics:

As you progress in your security journey, explore:

• Advanced Incident Classification Frameworks: NIST Cybersecurity Framework and MITRE ATT&CK offer in-depth frameworks for categorizing and analyzing incidents.
• Threat Intelligence: Utilize threat intelligence feeds and analysis tools to stay updated on emerging threats and vulnerabilities.
• Scenario-Based Practicing: Test your classification skills through simulated incidents, honing your decision-making and escalation judgment.

Remember: Accurate incident classification is a powerful tool in your security arsenal. By understanding the different types, assessing their impact, and applying your knowledge to escalate effectively, you contribute significantly to your organization’s security posture.

Together, let’s build a safe and secure digital world, one classified incident at a time!

Additional Resources:

• NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
• MITRE ATT&CK: https://attack.mitre.org/
• SANS Institute: https://www.sans.org/

Stay sharp, classify wisely, and escalate confidently! You’re a vital part of the security team, and your classification skills play a crucial role in keeping your organization safe.

Previously, we defined what it means to escalate
an incident. We also discussed
the skills needed to properly escalate incidents
when the time comes. In this video, we’re
going to cover a few incident classification
types to be aware of: malware infection, unauthorized access,
and improper usage. A malware infection
is the incident type that occurs when malicious
software designed to disrupt a system infiltrates an organization’s
computers or network. As discussed in a
previous course, malware infections can
come in many forms. Some are simple and others
are a bit more complex. One example is a
phishing attempt. These are relatively
simple malware infections. Another example is a
ransomware attack, which is considered
much more complex. Malware infections can cause a system’s network to run
an unusually low speeds. Attackers can even prevent an organization from
viewing critical data, unless the organization pays the attacker a ransom
to unlock the data. This incident type is especially impactful to an
organization because of the amount of sensitive
data stored on an organization’s
network and computers. Escalating malware infections is an important aspect of protecting the organization
that you work for. But wait, there’s more. The second incident type we’ll discuss is unauthorized access. This is an incident type that occurs when an individual gains digital or physical access to a system or application
without permission. As you may recall, earlier in the program, we
discussed brute force attacks, which use trial and error
to compromise passwords, login credentials,
and encryption keys. These attacks are often
used to help attackers gain unauthorized access to an organization’s systems
or applications. All unauthorized
access incidents are important to escalate. However, the urgency of that
escalation depends on how critical that system is to the organization’s
business operations. We’ll explore this idea in more detail later
in this course. The third incident we’ll
discuss is improper usage. This is an incident type that
occurs when an employee of an organization violates the organization’s
acceptable use policies. This one can be a
bit complicated. There are instances when
improper usage is unintentional. For an example, an employee may attempt to access
software licenses for personal use or even use a company’s system to access a
friend’s or coworker’s data. Maybe the employee
wasn’t aware of the policy they were violating, or maybe the policy
wasn’t properly defined and communicated
to employees. But there are other times when improper usage is
an intentional act. So how do you know if an
improper usage incident is accidental or intentional? That can be a difficult
decision to make. That’s why improper
usage incidents should always be escalated
to a supervisor. As a member of an
organization’s security team, it’s likely that
you’ll encounter a variety of incident
types while on the job. So it’s important to know what they are and how to escalate them.

The Domino Effect of Unescalated Incidents: A Security Analyst’s Guide

Welcome, future security champions! This tutorial unpacks the domino effect of unescalated incidents, empowering you to understand the potential consequences of delaying action and equipping you with skills to prioritize and escalate effectively.

The Ripple Begins:

Imagine a seemingly minor anomaly: unusual log activity in a recently banned app. Left uninvestigated, this ripple can turn into a tsunami of trouble. This scenario exemplifies the domino effect – a small incident, when ignored, triggers a chain reaction of increasingly severe consequences.

From Small Snags to Major Disruptions:

Let’s dissect the potential dominoes:

• Initial Incident: Unnoticed suspicious activity in the banned app.
• Missed Escalation: The analyst forgets to report the activity during the supervisor meeting.
• Data Breach: Days later, a data breach cripples a manufacturing site, halting operations and causing financial losses.
• Root Cause Discovery: Investigation reveals the breach originated from the banned app.

Lessons Learned:

• Every incident matters: Ignoring seemingly small anomalies can pave the way for larger issues.
• Timely escalation is crucial: Early intervention often prevents minor incidents from escalating into major incidents.
• Criticality evolves: Incident criticality might be unclear initially, requiring investigation and reassessment for effective prioritization.

Prioritizing Like a Pro:

Not all incidents require immediate escalation. Learn to assess urgency based on factors like:

• Impacted assets: Critical assets like manufacturing plants or PII databases demand higher urgency compared to less critical incidents.
• Potential damage: Consider the extent of potential harm the incident could cause if left unchecked.
• Available information: As you gather more information, the criticality and urgency may change, necessitating reassessment and adjusted escalation.

Mastering the Escalation Flow:

Develop a robust escalation procedure:

• Clearly document incidents: Maintain detailed logs of observed anomalies, even seemingly minor ones.
• Understand escalation paths: Know who to contact and when based on your organization’s specific protocol.
• Communicate effectively: Clearly convey the observed anomaly, potential impact, and urgency to ensure appropriate action.

Remember: You, the analyst, are the first line of defense. Your vigilance and timely escalation play a critical role in preventing the domino effect of unaddressed incidents. Embrace your responsibility, prioritize effectively, and escalate swiftly to keep your organization safe.

Additional Resources:

• NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
• MITRE ATT&CK: https://attack.mitre.org/
• SANS Institute: https://docs.broadcom.com/doc/proactive-approach-incident-response

Stay vigilant, escalate wisely, and prevent the dominoes from falling! Together, we can build a robust security posture that withstands even the smallest tremors.

When should an incident handler escalate a high-level security incident?

It should be escalated immediately.

High-level security incidents should be escalated and handled immediately. The more time that passes before an incident is escalated, the higher the risk.

So far, we’ve discussed
different incident types and the importance of escalating those incidents to
the right person. But what happens if an incident goes unescalated for too long? In this video, we’ll discuss
the potential impact that even the smallest
incident can have on an organization, if it goes
unnoticed. Are you ready? Great! Now let’s take a journey into a day in the life of an
organization’s security team. It’s been a quiet day
for the security team. Suddenly, you notice
there’s been unusual log activity in an app that was recently banned
from the organization. You make a note to mention this activity during the next meeting with
your supervisor. But you forget, and
never mention it. Following this same scenario, let’s fast forward
to a week later. You and your supervisor
are meeting again. But now, the supervisor indicates that a data
breach has occurred. This breach has impacted one of the manufacturing sites
for the organization. Now, all operations at the manufacturing site
have been put on hold. This causes the company to
lose money and precious time. Days later, the security team discovers that the data breach began with suspicious
activity in the app that was recently
banned from the organization. What we’ve learned from
this scenario is that a simple incident can lead to a much larger issue, if
not escalated properly. Incident criticality is also
important to note here. Initially an incident can be escalated with a medium
level of criticality if the analyst doesn’t
have enough information to determine the amount of damage done to the organization. Once an experienced
incident handler reviews the incident, the incident may be increased or decreased to a high or
low criticality level. Every security incident you encounter is important
to an organization, but some incidents are certainly
more urgent than others. So, what’s the best way to determine the urgency of a
security incident? It really depends on the asset or assets that the
incident affects. For example, if an employee forgets their login password
for their work computer, a low-level security
incident may be prompted if they have repeated
failed login attempts. This incident needs
to be addressed, but the impact of this
incident is likely minimal. In other instances, assets are critical to an organization’s
business operations, such as a manufacturing plant or database that stores PII. These types of assets need to be protected with a higher
level of urgency. The impact of an
attacker gaining unauthorized access to a
manufacturing application or PII is far greater than a forgotten password,
because the attacker could interfere with the
manufacturing processes or expose private
customer data. I hope this video has helped you understand the importance of knowing the relationship between assets and security incidents. Later in this
course, we’ll share some new concepts related to escalation timing
and why your role in that process matters.

Conquering the Challenge: A Practical Guide to Incident Escalation

Welcome, future security guardians! This tutorial equips you with the essential knowledge and skills to navigate the critical world of incident escalation, the cornerstone of swift and effective security response. As an analyst, knowing when and how to raise the alarm protects your organization from unforeseen threats.

Navigating the Policy Landscape:

Each organization is a unique security ecosystem, and so are its escalation policies. These policies provide the roadmap for reporting incidents, outlining who to contact and when depending on the severity and nature of the threat. Forget a one-size-fits-all approach – embrace the dynamism of individual policies.

Knowing Your Course:

While memorization isn’t your goal, thoroughly acquaint yourself with your organization’s escalation policy. Consider these steps:

• Location, Location, Location: Locate the policy within your company network or intranet.
• Bookmark for Easy Access: Save the policy as a handy reference on your work device.
• Dive into the Details: Don’t skip the specifics! Understand the different notification tiers, contact information, and procedures for various incident types.

Facing the Unexpected:

Be prepared for challenges that might disrupt the smooth flow of escalation:

• Supervisor Unavailable: Don’t let an absent supervisor halt your response. Follow the policy’s alternative escalation paths, ensuring someone is notified.
• Unclear Scenarios: If an incident falls outside the clear-cut categories, use your judgment and consult senior analysts for guidance. Remember, timely action is crucial, even in uncertain situations.

Precision in Every Step:

Your adherence to the escalation policy plays a vital role in protecting your organization:

• Following the Protocol: Proper escalation ensures the right people are notified at the right time, enabling swift response and minimizing damage.
• Prioritization Power: The policy helps you prioritize incidents based on their severity and potential impact, focusing your efforts on the most critical threats.
• Trust and Transparency: Following the policy demonstrates your commitment to organizational security and builds trust with your team.

Remember: Mastering incident escalation is an ongoing journey. As you gain experience, delve deeper into your organization’s specific procedures, actively participate in security training, and don’t hesitate to seek clarification from senior analysts.

By embracing the intricacies of your organization’s escalation policy and applying these practical tips, you become a champion of effective security response. Together, let’s build a resilient digital wall against any threat, one escalated incident at a time!

Additional Resources:

• NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
• SANS Institute: https://www.sans.org/
• MITRE ATT&CK: https://attack.mitre.org/

Stay informed, escalate wisely, and stand guard against the digital shadows! You are a vital cog in the security machine, and your responsible escalation decisions safeguard your organization’s digital well-being.

We’ve shared quite a bit about the
importance of your role when it comes to escalating incidents. We’ve even discussed a few incident
types that you may encounter. But what are the actual steps you need to
take to properly escalate an incident? The answer to that question actually
depends on the organization you’re working for. There isn’t a set standard or process for incident escalation that
all organizations use. Every security team has
their own processes and procedures when it comes
to handling incidents. In this video, we’re going to
discuss general guidelines for incident escalation and
how to apply them on the job. Let’s get started! Each organization has its own process for
handling security incidents. That process is known as
an escalation policy, which is a set of actions that
outline who should be notified when an incident alert occurs and
how that incident should be handled. Ideally, the escalation process
would go smoothly every time. But in the workplace, challenges to
that process can happen unexpectedly. For example, what if your immediate
supervisor is out of office? If an incident occurs that day,
it still needs to be escalated to someone. This is one example of why understanding
your organization’s escalation policy is important. You don’t need to memorize your
organization’s escalation policy, but it is wise to save or
bookmark it on your work device. This way, you’ll always have
access to it when you need it. Following an organization’s escalation
policy is essential, because the actions you take help
protect the organization and the people it serves
from malicious actors. The escalation policy for an organization
can be an extensive document. So it’s up to you to pay
attention to the small details within the escalation policy
of your organization. Attention to detail can make the
difference between escalating an incident to the right or wrong person. It can also help you prioritize
which incidents need to be escalated with more or less urgency. Every organization handles incident
escalation differently, but analysts need to ensure that
incidents are handled correctly. Great work expanding
your security mindset!

Now you’ve had an opportunity to learn
about the essential role you’ll be playing by escalating incidents. Let’s review what we covered
in this section of the course. We started off by defining
incident escalation and discussing useful traits needed
to properly escalate incidents. We also explored a few incident
classification types and their potential impacts to an organization. From there, we discussed how small
security incidents can become bigger problems if not properly addressed. Finally, we covered some
general guidelines for the actual process of incident escalation. This process varies depending on
the organization you work for, but one thing should always remain
the same: Your attention to detail! Understanding how each
incident affects the data and assets of an organization
is really important, because the decisions you make can affect
the entire security team and organization. Are you ready to continue
your security journey?! Coming up we’ll discuss stakeholders and
how to communicate effectively with them.