Alibaba Cloud Incident Response Service pairs you with senior security experts who provide one-on-one support to resolve urgent security incidents quickly and cost-effectively, minimizing the impact on your business.
Security and compliance
The Incident Response Service, part of Alibaba Cloud Managed Security Service (MSSP), draws on years of cybersecurity expertise and adheres to national information security incident response standards. When a security incident occurs, we provide 24/7 remote emergency response following a standardized lifecycle: prevention, intelligence gathering, containment, eradication, and recovery.
Beyond immediate incident handling, the service includes post-incident planning and cloud security strategy design to help you mitigate future risks and strengthen your overall security posture.
Service references
Security incident definition
Service content
The Incident Response Service is delivered remotely and includes an incident response report with remediation recommendations to help prevent future intrusions. The service covers:
-
Investigating whether a host has been compromised.
-
Containing ongoing attacks to prevent further damage.
-
Finding and removing malicious programs, such as mining programs, viruses, worms, and trojans.
-
Finding and removing webshells, hidden links, and trojan pages from websites.
-
Addressing anomalies caused by the intrusion to help restore business operations.
-
Analyzing the attacker's methods to identify the root cause of the intrusion.
-
Analyzing post-intrusion activities to assess the impact of the compromise.
The list of assets to be investigated must be submitted within 5 calendar days of purchasing the service.
Service process
-
Purchase the Incident Response Service.
If a security incident occurs in your business system, you must purchase the service. You can , visit the Incident Response Service purchase page. After purchasing, you must provide a list of assets for incident response within five calendar days.
ImportantTo prevent further loss, we recommend backing up the affected assets.
-
Alibaba Cloud handles the security incident.
-
An Alibaba Cloud security engineer will contact you to review the security incident, and then confirm and classify it.
-
If the security engineer detects an ongoing attack or actions that could further damage the system during the response, they will take containment measures to mitigate the damage.
Common containment measures include disconnecting from the network, shutting down specific business services, or powering off the operating system.
-
After analyzing the security incident, the security engineer begins remediation.
Remediation typically includes:
-
Removing trojans, viruses, and other malicious code from the system.
-
Removing webshells, hidden links, and trojan pages from websites.
-
Restoring system configurations altered by the attacker and deleting backdoor accounts they created.
-
Removing unauthorized system services and terminating abnormal processes.
-
Restoring normal business services after the investigation is complete.
-
-
The security engineer investigates the attacker's methods, determines the cause of the security incident, and assesses the threat level and damage. To do this, they analyze network traffic, system logs, web logs, application logs, and database logs, correlating this information with data from security products.
NoteIn some security incidents, if the attacker has cleared the logs or the system did not retain relevant logs, determining the root cause of the intrusion may not be possible.
-
After the incident is resolved, the security engineer provides an Alibaba Cloud Incident Response Report. This report details the incident, the handling process, the results, a root cause analysis, and corresponding security recommendations.
-
-
After receiving the report, you confirm its contents. You can also provide feedback or file a complaint regarding the service process.
Purchase the incident response service
-
Visit the Incident Response Service purchase page.
-
On the purchase page, select the service edition, quantity, and other required information.
After you select a service edition, the system automatically displays the scope of service for that edition. Please review the service scope carefully and choose the appropriate edition.
For detailed parameter descriptions, see Activate Managed Security Service.
ImportantBefore purchasing, you must authorize the service by clicking Create Service-linked Role.
-
Click Buy Now and complete the payment.
Download the incident response report
-
Log on to the MSSP console.
-
In the left-side navigation pane, choose .
-
On the Emergency Response page, find the service report that you want to download and click Download in the Actions column.