Incident response

Learn how to classify security incidents, build response plans, automate common responses, and validate your defenses with Red Team/Blue Team exercises.

Incident response is a structured process for slowing or stopping attacks during or after a security event.

It involves three phases:

  1. Before an incident: Create a classification system for security events, develop response plans, and write playbooks. This is often the hardest phase.

  2. During an incident: Detect security events in real time through monitoring. Activate the response plan to block or mitigate the risk.

  3. After an incident: Conduct a post-incident review. Use findings to update your response procedures, plans, and playbooks.

How do I classify security incidents and assign severity levels?

Classify incidents and assign severity levels based on event type. This enables organized response using predefined plans and playbooks.

A standard approach is to categorize events by attack type:

| Incident category | Example | Description | Severity level | Rationale |
| --- | --- | --- | --- | --- |
| Application security events | Web intrusion | A server is targeted by a SQL injection attack. | High | Security devices such as a WAF can detect or block these events. WAF alerts include a severity level; the recommended level depends on the attack category. |
| Network security events | DDoS attack | A DDoS or CC attack targets a server, making the service unavailable. | High | DDoS attacks directly affect service stability and are typically high-severity events. |
| System security events | Ransomware | The system is infected with ransomware, and core data is encrypted. | High | Alibaba Cloud Security Center reports system events and classifies intrusions based on threat intelligence. Follow Security Center guidelines for classification. |
| Stability and reliability events | Cloud stability event | The network or an application is down. | High | Stability incidents are usually high-risk events. |
| Data security events | Data breach | Threat intelligence or public sentiment indicates that confidential data has leaked. | High | Severity depends on the content and authenticity of the leaked data and the associated business and PR risks. |
| Vulnerability events | log4j vulnerability | A high-impact vulnerability is disclosed. | High | Severity depends on impact. Security Center publishes alerts for critical vulnerabilities; treat these as high-priority incidents. |

What phases should an incident response plan include?

An incident response plan defines procedures for handling security events. At minimum, include these phases:

  1. Monitor and detect security events.

  2. Confirm the authenticity of the vulnerability or event.

  3. Identify the scope of impact, responsible personnel, and affected services.

  4. Establish a response strategy, including mitigation and containment.

  5. Analyze the event, perform source tracing, and document all information.

  6. Conduct a post-incident review.

How do I automate incident response?

Automated playbooks enable immediate response when events occur. Configure playbooks to trigger based on event classification and integrate them with your SIEM or alerting systems.

Common automation scenarios:

  1. DDoS attacks: Trigger a playbook to route traffic through Anti-DDoS Pro and Anti-DDoS Premium for traffic scrubbing.

  2. Vulnerabilities: Configure a playbook to patch servers automatically based on vulnerability type. Schedule patching within a defined maintenance window.

  3. Network attacks: Automatically block attacker IP addresses based on severity. Configure a playbook to extract source IPs from alerts and add them to firewall, WAF, and SLB blocklists.
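The third scenario, as an added example that is not part of this page or of any Alibaba Cloud product: a playbook step that pulls source IPs out of SIEM alerts and decides which are safe to push to firewall, WAF, and SLB blocklists. The alert shape, the `network_attack` type name, and the allowlist range are assumptions; the check that matters is that automation never blocks internal or allowlisted addresses, however an alert attributes them.

```python
import ipaddress

# Severity ranking used to compare WAF / Security Center alert levels.
RANK = {"Low": 1, "Medium": 2, "High": 3}

# Ranges automation must never block. RFC 1918, loopback and link-local are
# listed explicitly rather than via ip.is_private, which also matches the
# documentation ranges used in the constructed sample below.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
# Constructed allowlist: health-check probes, partner gateways, scanners.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

def block_candidates(alerts, min_severity="High"):
    """From network-attack alerts at or above min_severity, collect the
    source IPs that are safe to push to firewall/WAF/SLB blocklists.
    Returns (sorted IPs to block, {reason: [skipped values]})."""
    to_block, skipped = set(), {}
    def skip(reason, value):
        skipped.setdefault(reason, []).append(value)
    for a in alerts:
        if a.get("type") != "network_attack":
            continue  # DDoS and vulnerability alerts go to other playbooks
        if RANK.get(a.get("severity"), 0) < RANK[min_severity]:
            skip("below_threshold", a["src_ip"])
            continue
        try:
            ip = ipaddress.ip_address(a["src_ip"].strip())
        except ValueError:
            skip("unparseable", a["src_ip"])  # never push garbage to a WAF
            continue
        if any(ip in net for net in INTERNAL):
            skip("internal", str(ip))  # spoofed or misattributed source
        elif any(ip in net for net in ALLOWLIST):
            skip("allowlisted", str(ip))
        else:
            to_block.add(ip)
    ordered = sorted(to_block, key=lambda ip: (ip.version, ip))
    return [str(ip) for ip in ordered], skipped

# Constructed sample alerts in the shape a SIEM might forward them.
SAMPLE_ALERTS = [
    {"type": "network_attack", "severity": "High", "src_ip": "198.51.100.7"},
    {"type": "network_attack", "severity": "High", "src_ip": " 198.51.100.7"},
    {"type": "network_attack", "severity": "Medium", "src_ip": "198.51.100.9"},
    {"type": "network_attack", "severity": "High", "src_ip": "10.0.0.5"},
    {"type": "network_attack", "severity": "High", "src_ip": "203.0.113.40"},
    {"type": "network_attack", "severity": "High", "src_ip": "not-an-ip"},
    {"type": "ddos", "severity": "High", "src_ip": "198.51.100.200"},
]
```

The skipped map is what the playbook should log and hand to an analyst, so that a suppressed block is visible rather than silently dropped.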

How do I validate an incident response plan?

Validate your incident response plan through Red Team/Blue Team exercises — simulated attacks against your core systems that test your overall response capabilities.

  • Red Team: The attack team simulates adversaries using frameworks like ATT&CK to breach target systems. This validates your security defenses and your team's detection, monitoring, and response capabilities.

  • Blue Team: The defense team, drawn from your Security Operations Center (SOC), detects, monitors, analyzes, and responds to security events. During exercises, the Blue Team uses predefined rules and procedures to respond to simulated attacks, providing hands-on training.

Use these exercises to validate and refine your defense strategies.