The duties described below are found in most incident response (IR) teams. They are the primary responsibilities of incident handlers and make up a typical day (if such a thing exists) for an IR team member:
Analyzing reports—Incidents are usually reported to the IR team after, or ideally during, the incident. The handler analyzes each report to identify the type of activity, its potential impact, its scope (how many systems are involved and whether it is confined to one system or site or spreads further), and whether it matches a known type of attack. These questions are answered first, during the initial response.
Analyzing logs—Evaluating logs, suspect files and other artifacts is a prime responsibility of incident handlers. Network, system, router, firewall, packet-capture (sniffer) and application logs, any supporting information and possibly the incident artifacts themselves are analyzed to identify the affected systems, any other sites involved in the incident, and the attacker's method of entry and attack.
Researching background information—What were the first steps taken by the attackers? When was the affected system last patched? When and where did the attackers enter the network? Identifying the hosts, systems and IP addresses from the attack location or attack vector provides important support information to help prevent future attacks and to isolate potential vulnerabilities in the security posture of the compromised system or network.
Monitoring system and network logs—Continuing to watch the system or network after the attack or compromise is discovered adds to the data needed to secure the system in the future. By evaluating the logs as they are being recorded, a handler can determine whether the compromise is still active and may even catch the perpetrator in the act.
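The log-analysis questions above (which hosts and IP addresses are involved, how the attacker got in, when it started, and whether it is still active) can be answered by correlating lines from several log sources and pivoting from a known attacker address to any host it successfully accessed. The following is an added example, not code from the original text; it assumes a simplified syslog-like line format, a small hostname-to-IP inventory, a "seed" attacker IP taken from the incident report, and a 2-hour activity window. The log lines and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory and sample log lines (not real data): a firewall (fw01),
# an sshd host, an smbd host and a web server, in a simplified format chosen
# for this example.
INVENTORY = {"host5": "10.0.0.5", "host9": "10.0.0.9", "web01": "10.0.0.12"}
SAMPLE_LOGS = """\
2024-03-01T02:14:05Z fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T02:14:06Z host5 sshd: Failed password for root from 203.0.113.7 port 51822
2024-03-01T02:14:09Z host5 sshd: Failed password for root from 203.0.113.7 port 51823
2024-03-01T02:14:12Z host5 sshd: Accepted password for root from 203.0.113.7 port 51824
2024-03-01T02:20:41Z fw01 ACCEPT src=10.0.0.5 dst=10.0.0.9 dport=445
2024-03-01T02:21:03Z host9 smbd: connection from 10.0.0.5 user=root share=ADMIN$
2024-03-01T03:02:17Z fw01 ACCEPT src=198.51.100.23 dst=10.0.0.12 dport=443
2024-03-01T03:02:18Z web01 httpd: GET /login 200 from 198.51.100.23
2024-03-01T04:40:00Z fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
"""
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SUCCESS_KINDS = {"ssh_ok", "smb"}   # events that prove access, not just traffic


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str   # host that wrote the line
    src: str    # source IP of the activity
    dst: str    # destination IP (the logging host itself for host logs)
    kind: str   # fw_accept, ssh_fail, ssh_ok, smb, http or other
    raw: str


def classify(msg):
    """Map a log message to a coarse event kind (assumed message formats)."""
    if msg.startswith("ACCEPT"):
        return "fw_accept"
    if "sshd: Accepted" in msg:
        return "ssh_ok"
    if "sshd: Failed" in msg:
        return "ssh_fail"
    if "smbd:" in msg:
        return "smb"
    if "httpd:" in msg:
        return "http"
    return "other"


def parse_line(line):
    """Parse one line into an Event, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    host, msg = m["host"], m["msg"]
    kind = classify(msg)
    if kind == "fw_accept":   # firewall lines carry explicit src= and dst= fields
        fields = dict(kv.split("=", 1) for kv in msg.split()[1:])
        src, dst = fields["src"], fields["dst"]
    else:                     # host logs name the peer; the host itself is the dst
        ips = IP_RE.findall(msg)
        src = ips[0] if ips else ""
        dst = INVENTORY.get(host, host)
    return Event(ts, host, src, dst, kind, line)


def trace_incident(lines, seed_ips, now, active_window=timedelta(hours=2)):
    """Pivot from the reported attacker IPs through every host they accessed."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    attacker = set(seed_ips)   # addresses whose traffic is attributed to the attacker
    seen, related = set(), []
    changed = True
    while changed:             # repeat until no newly compromised host appears
        changed = False
        for i, e in enumerate(events):
            if i in seen or e.src not in attacker:
                continue
            seen.add(i)
            related.append(e)
            if e.kind in SUCCESS_KINDS and e.dst not in attacker:
                attacker.add(e.dst)   # successful access: the target is now a pivot point
                changed = True
    related.sort(key=lambda e: e.ts)
    ingress = next((e for e in related if e.kind in SUCCESS_KINDS and e.src in seed_ips), None)
    iso = lambda d: d.strftime(TS_FMT)
    return {
        "first_seen": iso(related[0].ts) if related else None,
        "last_seen": iso(related[-1].ts) if related else None,
        "ingress": ingress.raw if ingress else None,
        "compromised_hosts": sorted({e.dst for e in related if e.kind in SUCCESS_KINDS}),
        "attacker_sources": sorted(attacker),
        "still_active": bool(related) and now - related[-1].ts <= active_window,
    }


def run_example(now_iso="2024-03-01T05:30:00Z", seed_ips=("203.0.113.7",)):
    """Run the trace over the constructed logs at a given (assumed) wall-clock time."""
    now = datetime.strptime(now_iso, TS_FMT).replace(tzinfo=timezone.utc)
    return trace_incident(SAMPLE_LOGS.splitlines(), seed_ips, now)


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

The pivot step is the point of the example: the firewall alone shows only connections, but the sshd "Accepted" line proves access to 10.0.0.5, and once that host's own outbound traffic is attributed to the attacker, the SMB connection to 10.0.0.9 surfaces as lateral movement. The unrelated web traffic from 198.51.100.23 is left out because it never links to an attacker-controlled address. The "still active" verdict depends on the chosen window; a handler should tune it to how recently the monitored logs are shipped.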
Technical assistance—Providing technical assistance, whether over the phone or by e-mailing a source document with suggestions or recovery steps, is part of the handler's duties.
The team may maintain a web site with the necessary documentation, or the organization may keep a repository of defined information; in either case, keeping it up to date is part of the handler's technical assistance responsibilities.
Coordinating and sharing information—The handler will coordinate information with the various affected units within the organization and, possibly, with outside organizations.
Collaboration improves response efforts, and information sharing lets responders react and contain incidents much faster than in the past, so this part of the handler's job has grown considerably in recent years. Tracking tasks, contacting software and hardware vendors for research data, and preparing briefings and reports are all part of it.
Other duties—When an incident warrants it, the handler assists law enforcement with incidents involving criminal activity. The handler can be, and often is, called upon to give detailed expert testimony on previous cases and incidents, and may also be tasked with supporting the notification of individuals whose data was released without authorization.