Incident Response

What is Incident Response (IR)?

Incident response (sometimes called cybersecurity incident response) refers to an organization’s processes and technologies for detecting and responding to cyberthreats, security breaches or cyberattacks. The goal of incident response is to prevent cyberattacks before they happen, and to minimize the cost and business disruption resulting from any cyberattacks that occur.

Ideally, an organization defines incident response processes and technologies in a formal incident response plan (IRP) that specifies exactly how different types of cyberattacks should be identified, contained, and resolved. An effective incident response plan can help cybersecurity teams detect and contain cyberthreats and restore affected systems faster, and reduce the lost revenue, regulatory fines and other costs associated with these threats.

Incident Response Phases:

Phase I – Preparation

The major steps of this phase are as follows:

  • Identifying the most important assets and protecting them with all available effort, and

  • Analysis of data collected from earlier incidents

Phase II – Identification

Usually, an incident falls into one of six classifications:

  1. Unauthorized access

  2. Denial of service

  3. Malicious code

  4. Improper usage

  5. Scans/probes/attempted access

  6. Investigation incident

Phase III – Containment

Having gathered all the necessary information about the incident, the IR team should now concentrate on containing the threat to prevent any further damage. The first step of this phase should be to isolate the infected machine from the network and to back up all the sensitive data of the infected system.

After this, apply a temporary fix to ensure that the incident cannot escalate its damage any further. The primary goal of this phase is to minimize the scope and magnitude of the incident. Make sure you gauge the functional status of your infected system or network. To determine this, you can opt for any of the listed options:

Option 1: Disconnect the infected entity and let it continue with its standalone operations.

Option 2: Shut down the whole system immediately.

Option 3: Let the system operate as usual and keep monitoring its activities.

The detailed evidence log should contain:

  • Evidence identifying information: Serial number, model number, hostname, MAC and IP addresses, and location

  • Evidence holder’s information: Name, title, and phone number

  • Location, time, and date with time zone: For each occurrence of evidence handling

Phase IV – Eradication

Eradication is the process of eliminating the threat from your infected network or system. This phase should only start when all the other internal and external actions are completed. The two important aspects of this phase are as follows:

Clean-up: The clean-up process should include running antimalware and antivirus software, uninstalling the infected software, rebooting or replacing the entire operating system and hardware (based on the scope of the incident), and rebuilding the network.

Notification: Notify all the personnel involved, according to the reporting chain.

It is advisable to create multiple common incident “playbooks” that can help the IR team to take a consistent approach to the incident.

Phase V – Recovery

At this stage, the compromised system or network is brought back into operation. This phase covers everything from data recovery to any remaining restoration work. It takes place in two steps:

Service restoration: As per the corporate contingency plans.

System/network validation: Testing and verifying that the system/network is in a functional state.

This phase makes sure that the infected entity is recertified as both secure and functional.

Phase VI – Lessons Learned

After the completion of the investigation, maintain detailed documentation of the complete incident. This last stage will keep your organization prepared for any future attacks and help you to gain value from incidents.
