Computer Incident Response Process

The Computer Incident Response Team (CIRT) investigates and resolves computer security incidents. A security incident occurs when an unauthorized entity gains access to SU computing or network services, equipment or data.

  • If you suspect a violation of your computer's security, contact your department's computer or technical support person immediately.
  • If you are a system administrator, read the guidance at How to Report a Computer Security Incident to determine whether you need to contact the CIRT. Follow the guidelines on that page to report possible incidents immediately.
  • Departments with internal incident response teams are still required to contact the CIRT in the event of an incident. The CIRT will work closely with your security team to investigate the incident.

Process

  • Isolating the compromised system from the network: The machine is isolated unless network connections can help determine the extent and nature of the incident.
  • Preserving the evidence: To prevent destruction of evidence and maximize the chances of identifying the intruder, no one interacts with the machine until the incident handling team is in place.
  • Setting up the CIRT team: The CIRT contact and the reporting system administrator set up an incident handling team if the situation merits further attention.
  • Cleaning up and restoring the system: This process begins after the official report is filed.
  • Notifying the impacted department or equipment owner: This takes place as required unless law enforcement indicates it will interfere with the investigation.
  • Evaluating how the situation was handled: After the required notification, the CIRT and incident handling team evaluate the response and notification process.

Last Updated: 08/12/14
