Managed Security Service: Incident Response Service

Last Updated: Sep 29, 2024

Incident Response Service provides experienced security experts who help you respond to emergency incidents on a one-on-one basis. During the process, the security experts follow standard service procedures and project management procedures, develop comprehensive security solutions, and help you respond to security incidents at the earliest opportunity and at minimum cost.

Introduction to Incident Response Service

Background information

Incident Response Service is provided based on years of practical expertise and management experience in security attack and defense and on the relevant national standards for responding to and handling information security incidents. If an information security incident occurs, a professional response to the incident is provided on a 24/7 basis. The response follows the prevention, intelligence information collection, mitigation, elimination, and restoration procedures. This helps you quickly respond to the incident and restore your workloads. After the incident, efficient cloud security management solutions are also designed and planned, which helps prevent further security incidents and reduces the impact on your business.

Service references

Incident Response Service complies with national standards to ensure standardization and service quality in terms of the service content and service process. The following items are national standards and relevant Alibaba Cloud best practices that are referenced:

  • Information technology - Security techniques - Information security incident management guide - GB/Z 20985-2007

  • Information security technology - Guidelines for the category and classification of Information security incidents - GB/Z 20986-2007

  • Alibaba Cloud best practices for incident response

Security incident types

Incident Response Service provides remote security technical support to help you handle the following types of security incidents:

  • Malware incident: computer virus, worm, Trojan, botnet, blended attack, and web browser plug-in incidents.

  • Network attack incident: backdoor attack, vulnerability attack, network eavesdropping, phishing, and interference incidents.

  • Information destruction incident: information tampering, forgery, and interception incidents, and data breach and data loss incidents.

  • Information security incident: information incidents related to the Internet that endanger national security, social stability, and public interests, such as disseminating illegal information, organizing illegal gatherings, inciting mobs, and hyping sensitive issues.

Note

The preceding incidents are classified based on Information security technology - Guidelines for the category and classification of Information security incidents - GB/Z 20986-2007.

Service content

Incident Response Service is provided as remote incident analysis or onsite incident analysis. In remote incident analysis, security experts provide emergency handling and analysis services remotely. In onsite incident analysis, security experts provide emergency handling and analysis services at your site. The service covers the following items:

  • Check whether hosts are intruded by attackers.

  • Investigate security incidents such as database tampering and data breaches.

  • Handle ongoing attacks to prevent further attacks by attackers.

  • Find and remove malicious programs such as mining programs, viruses, worms, and trojans.

  • Find and remove webshells, hidden links, and trojans from websites.

  • Handle exceptions caused by intrusions and help you quickly restore your workloads.

  • Analyze intrusion methods and try to identify the cause of the intrusion.

  • Analyze the behavior of attackers after the intrusion and determine the impact of the intrusion.

  • Provide vulnerability fixing suggestions and guidance on security hardening to prevent intrusions.

  • Provide security incident service reports.

Important

You must submit the objects that you want to inspect within five days after you purchase Incident Response Service.

Service process

  1. Purchase Incident Response Service.

    When a security incident occurs in your business system, you can activate Managed Security Service (MSSP) 8/5 Edition and purchase Incident Response Service. Then, you can submit an asset list for inspection within five days after the purchase. For more information, see Getting Started.

    Important

    To prevent data loss or business loss, we recommend that you back up the data of the attacked assets.

  2. Alibaba Cloud handles security incidents.

    1. An Alibaba Cloud security engineer contacts you to learn the details of the security incidents and then confirms and classifies the security incidents.

    2. If the security engineer determines that the attacker is still attacking or is attempting to further damage your system during the incident response, the security engineer can apply suppression methods to minimize the impact of the security incident.

      Common suppression methods include disconnecting network connections, disabling specific business services, and shutting down operating systems.

    3. After the security engineer analyzes the security incidents, the security engineer may perform the following operations:

      • Remove trojans, viruses, and malicious code from your system.

      • Remove webshells, hidden links, and trojans from websites.

      • Restore the system configurations that are tampered with by attackers and delete the backdoor accounts created by attackers.

      • Delete abnormal system services and terminate abnormal processes.

      • After the security engineer troubleshoots the issues, the security engineer restores your workloads.

    4. The security engineer analyzes the methods that attackers used to intrude into your system, investigates the causes of the security incidents, and determines the risk severity and damage. This analysis is based on network traffic, system logs, web logs, application logs, database logs, and the data from security services.

      Note

      In some security incidents, if an attacker has cleared the logs or the system does not retain the relevant logs, the cause of the intrusion may not be identified.

    5. After a security incident is handled, the security engineer provides an Alibaba Cloud security incident response report that describes the incident, handling process, handling results, and cause analysis and then provides corresponding security suggestions.

  3. After you receive the report, you can confirm the report content, and provide feedback or complaints to Alibaba Cloud about issues in the service process.

Download an incident response service report

  1. Log on to the MSSP console.

  2. In the left-side navigation pane, choose Service Report > Emergency Response.

  3. On the Emergency Response page, find the service report that you want to download and click Download in the Actions column.