Security emergency response case

1. Background

The Morris Worm incident of November 1988 left more than 10% of the systems then connected to the Internet unable to work. The case shocked the world and drew a strong reaction from the computer science community.

In response, in 1989 the U.S. Defense Advanced Research Projects Agency funded Carnegie Mellon University to establish the world's first Computer Emergency Response Team/Coordination Center to deal with cyber attacks.

2. Overview of emergency response

Emergency response is a job that requires thorough preparation and organization. It must avoid incorrect operations, actions that could lead to disastrous consequences, omissions of critical steps, and so on.

The goals of emergency response usually include: taking emergency measures and actions to restore business to normal service status; investigating the cause of security incidents to prevent similar security incidents from happening again; providing legally recognized digital evidence when judicial authorities are required to intervene.

Emergency response refers to taking necessary measures as soon as possible to investigate, analyze, prevent and repair a network security incident.

It usually includes the following steps:

  • Event discovery: monitor network traffic, system logs and other information to detect abnormal situations in time.
  • Incident confirmation: determine whether a real security incident has occurred, then triage and evaluate it.
  • Emergency response plan: formulate the corresponding emergency response plan according to the type and severity of the event.
  • Emergency response: take immediate measures

Origin blog.csdn.net/qq_35029061/article/details/132633854