How to respond correctly to a security incident.

Posted on 2014-08-10
Last Modified: 2014-08-12
Hi all,

looking for security experts please.

If you find that one of your customers is trying to attack you or is pushing huge traffic to your network, what is the right way to deal with this problem? What are the right processes or actions, in more detail, internally or externally?

Question by:besmile4ever
    LVL 10

    Expert Comment

    by:Scott Thomson
    Well, I guess first you have to figure out which one it is: is it an attack or is it a boatload of data?
    Secondly, what kind of data is it and what services are you hosting for them?

    If they are pushing 20 gigs of Blu-rays, then we have an issue.
    If they are downloading 50 gigs of torrents, then again we have a problem.
    If they are migrating an Exchange account, then it's fairly legit.

    So here is what I would do. Depending on what services you provide for them, I would speak to the manager of that particular company and just let him know that a large amount of data has been pushed through of late. It's better if you can identify the data or the cause of the data, as stated above, and just let them know that this may be causing them some functionality issues if the data is being pushed through on a constant basis.

    Then the manager will be the one to handle it, because if it's Blu-rays etc. he will punish the employee and thank you for being vigilant and letting him know, and if it's Exchange he may ask the user, for operational reasons, to choose a different time.

    Can you give us some more info?

    Author Comment

    Good, Scott.

    Thanks for your nice response. Well, let us say that the customer is pushing 20 gigs. I need to know the right process.
    As I understand from you, I need to contact the manager first?

    what is next?

    Author Comment

    What exactly do you need to do with your network administrator and your customer?
    LVL 10

    Expert Comment

    by:Scott Thomson
    It's hard to give you a full answer until you at least generally specify what services you provide and what role you have with this customer. Can you elaborate for us so we can help further?

    No specifics needed, just:
    "We supply email services and this guy is sending 20 gigs a day. I am the company's customer service rep and I would like to know how to approach this."
    LVL 19

    Accepted Solution

    Here would be my steps (again, without knowing specifics, it's hard to provide more details).

    - Analyze the network traffic to determine if it is legitimate.
    - If traffic is not legitimate:

    1. Capture sample data
    2. Find your company's computer use policy
    3. Alert management about infraction
    4. Provide proof
    5. Block traffic
    6. Revise security measures/group policy to prevent problem in future?

    That's a decent baseline. If traffic was legitimate, then analyzing and comparing throughput patterns can help you determine if your network is big enough to handle the traffic, etc...
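    The first two steps above (analyze the traffic, capture sample data as proof) can be scripted against per-customer flow summaries. This is an added example, not code from the thread or from any of the posters; the flow-line format, the customer names and the byte counts are constructed, and the 20 GiB/day limit is the figure the thread uses.

```python
import hashlib
from collections import defaultdict

# Constructed sample flow summaries (one line per customer per hour); not from the thread.
SAMPLE_FLOWS = [
    "2014-08-09T10:00 customer=acme bytes=536870912",      # 0.5 GiB, normal day
    "2014-08-09T11:00 customer=acme bytes=536870912",      # 0.5 GiB
    "2014-08-10T02:00 customer=acme bytes=12884901888",    # 12 GiB
    "2014-08-10T03:00 customer=acme bytes=13958643712",    # 13 GiB -> 25 GiB that day
    "2014-08-10T09:00 customer=globex bytes=3221225472",   # 3 GiB, normal
]

DAILY_LIMIT = 20 * 1024 ** 3   # the "20 gigs a day" figure from the thread (assumed per-customer limit)


def parse_flow(line):
    """Split one flow line into (day, customer, bytes)."""
    stamp, cust, size = line.split()
    return stamp[:10], cust.split("=", 1)[1], int(size.split("=", 1)[1])


def daily_totals(lines):
    """Sum bytes per customer per calendar day so patterns can be compared day to day."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        day, cust, size = parse_flow(line)
        totals[cust][day] += size
    return totals


def flag_excess(lines, limit=DAILY_LIMIT):
    """Return (customer, day, bytes) for every day on which a customer exceeded the limit."""
    flagged = []
    for cust, days in daily_totals(lines).items():
        for day, total in sorted(days.items()):
            if total > limit:
                flagged.append((cust, day, total))
    return flagged


def evidence_package(lines, customer, day):
    """Capture the raw lines behind a flagged day and hash them, so the sample
    handed to management (step 4, provide proof) can be verified later."""
    sample = [l for l in lines if parse_flow(l)[:2] == (day, customer)]
    digest = hashlib.sha256("\n".join(sample).encode()).hexdigest()
    return {"customer": customer, "day": day, "lines": sample, "sha256": digest}
```

    Run `flag_excess(SAMPLE_FLOWS)` to list the offending days, then `evidence_package` for each one; the hash lets anyone re-check that the sample was not altered between capture and the management report.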
    LVL 5

    Assisted Solution

    by:Sean Jackson
    I agree with the above feedback, but also want to remind you to be aware of whatever regulatory controls you are trying to meet, and if you are required to disclose the incident, should your forensic efforts prove fruitful.
    LVL 10

    Assisted Solution

    by:Scott Thomson
    ^ I agree with Iammontoya

    But you also need to make sure that you can prove anything you would like to say to them.
    Once we get all the details we can probably each post a letter or set of instructions to follow that will point you in the right direction.

    Author Comment

    Many thanks to you all.

    Iammontoya: your answer is almost exactly what I need.
    LVL 10

    Expert Comment

    by:Scott Thomson
    Glad we could help you. Let us know if you get stuck anywhere :)
