Cybercrime has increased, changing the entire approach to how business is conducted. Disaster recovery remains an important part of any business plan, but it is executed only in the direst of circumstances. The new threat landscape has caused a shift in focus to incident response. Unlike the static nature of a disaster recovery structure, incident response is a fluid, real-time construction that requires a different set of disciplines.
There are specific phases of incident response.
Preparation
The first step in any incident response plan is preparation. This may be the most important phase, as failure to adequately prepare can result in nothing more than a scattered and insufficient response in the event of an emergency.
It includes input into the following:
- Statement of management support and endorsement
- Statement of alignment with the organization’s strategy, mission, vision, objectives, and goals
- Objectives of the policy scope and limitations
- Definitions of terms
- Roles and responsibilities
- Prioritization of risk when discovered
- Metrics and performance measures
- Communications planning
- Mandatory adherence to incident response plans, processes, and procedures
- How the policy complies with laws, regulations, or standards the organization must adhere to
- Creation of incident response team
- Communication Planning
Detection and Analysis
Not all events are security incidents. Likewise, not all security incidents rise to the level of that which requires the invocation of the incident response plan.
Tools such as intrusion detection systems, security incident and event management (SIEM), anti-malware, and file integrity monitoring tools. Log files can offer a wealth of information about events on a set of systems. So too can publicly available information from reputable security. These tools are what a qualified security practitioner can use when building a case as to the severity of an incident, insight which will be shared with upper management.
Containment, Eradication, and Recovery
Once the plan is invoked, it is time to take corrective action. Containment is the part where the security practitioner has to “stop the bleeding.” Different events require a different approach, of course. For example, a ransomware event would be handled much differently than the discovery of a compromised database.
Eradication is the phase where the threat needs to be removed from the environment. Some eradication methods can be automated such as virus removal. Others, such as the removal of malicious code, may require more manual intervention.
Recovery may be a quicker way to restore a business to normal operation if eradication is not possible. For example, in the case of a ransomware event, eradication is not the best option. Instead, recovering the system from a recent backup would be the better option.
Post-Incident Activities
Sometimes referred to as the “lessons learned” phase of incident response, the post-incident phase is where the incident is reviewed and documented. This document serves not only to memorialize the incident; it can also be used to modify the original incident response plan. Additionally, the post-incident report can be used as a learning tool for future team members and as a model for structured walkthrough exercises (also known as tabletop exercises).
The Importance of Incident Response
In this age of constant cyber-attack, incident response is a fundamental element of a mature security team. It is a vital process for a business that strives to be prepared in the event of an emergency. Read More
iTM covers all aspects of cybersecurity from Home cyber security managed solutions to automated, manage threat intelligence, forensic investigations, Cloud security best practice and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact Us for more information.