Course: Cyber Security

Escalation Chains

Some alerts necessitate immediate action, making it crucial for the SOC to establish a defined process for contacting the appropriate individuals during different incidents. Since incidents can affect various business units, the SOC should know who to contact, when, and through which communication channels.

Here’s an example of an escalation chain for incidents affecting a specific part of the organization:

  1. Create an incident in the designated Incident Tracking System, assigning it to the correct department or individual.
  2. If no action is taken, send an SMS and email to the primary contact.
  3. If there’s still no response, make a phone call to the primary contact.
  4. If action is still lacking, call the secondary contact.

Classification of Incidents

Incidents should be classified based on their:

  • Category
  • Criticality
  • Sensitivity

The classification of an incident and its attributes will dictate the measures the SOC takes to address the issue.

The incident category determines the appropriate response. It is essential for the SOC to understand the implications of each incident type for the organization. Examples of incidents include:

  • Insider Hacking
  • Malware on Client Workstation
  • Worm Spreading Across the Network
  • Distributed Denial of Service (DDoS) Attack
  • Leaked Credentials

The criticality of an incident is assessed based on factors such as the number of affected systems, the potential consequences of not addressing the incident, and the specific systems involved. Accurately determining criticality is crucial for the SOC to effectively manage and close incidents, as it dictates the urgency of the response—whether the incident requires immediate action or can be deferred until later.

Sensitivity indicates who needs to be informed about the incident, with some incidents requiring a high level of discretion.
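The following is an added example (not part of the lesson) that ties the four-step escalation chain above to the three classification attributes: criticality sets how long to wait before moving to the next step, sensitivity controls who is copied and how much detail the message carries. The wait times, the two-level sensitivity scale, the "soc-team" audience and the ticket ids are assumptions made for the example.

```python
from dataclasses import dataclass

# The four-step escalation chain from the lesson, in order:
# (channel, recipient). Step 0 is creating the ticket itself.
CHAIN = (
    ("tracking_system", "assigned department"),
    ("sms+email", "primary contact"),
    ("phone", "primary contact"),
    ("phone", "secondary contact"),
)

# Minutes to wait for a response before escalating to the next step.
# Assumed values for this example; the lesson gives no timings.
WAIT_MINUTES = {"immediate": 15, "deferred": 240}


@dataclass
class Incident:
    ref: str               # ticket id in the tracking system (constructed value)
    category: str          # e.g. "Leaked Credentials"
    urgency: str           # derived from criticality: "immediate" or "deferred"
    sensitivity: str       # "normal" or "restricted" (assumed two-level scale)
    minutes_open: int      # minutes since the ticket was created
    acknowledged: bool = False


def due_step(inc: Incident):
    """Index into CHAIN of the step due now, or None once someone has acted."""
    if inc.acknowledged:
        return None
    return min(inc.minutes_open // WAIT_MINUTES[inc.urgency], len(CHAIN) - 1)


def build_notification(inc: Incident):
    """Return (channel, recipients, message) for the current step, or None."""
    step = due_step(inc)
    if step is None:
        return None
    channel, recipient = CHAIN[step]
    recipients = [recipient]
    if inc.sensitivity == "restricted":
        # Discretion: reference only the ticket and copy nobody else.
        message = f"Incident {inc.ref}: action required, details in tracking system"
    else:
        recipients.append("soc-team")   # wider audience is acceptable here
        message = f"Incident {inc.ref} ({inc.category}): action required"
    return channel, recipients, message


if __name__ == "__main__":
    leak = Incident("INC-0001", "Leaked Credentials", "immediate", "restricted", 20)
    print(build_notification(leak))
```

Running the block as written prints the step-1 SMS/email notification for a restricted credential-leak incident that has gone 20 minutes without acknowledgement.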