***Welcome to ashrafedu.blogspot.com * * * This website is maintained by ASHRAF***

Posts

    Latest Updates

    Wednesday, May 11, 2022

    Incident Response

    Incident response (IR) is a set of information security policies and procedures that can be used  to identify, contain, and eliminate cyberattacks. The goal of incident response is to enable an organization to quickly detect and halt attacks, minimizing damage and preventing future attacks of the same type.

    Incident Response Steps: 6 Phases of the Incident Response Lifecycle

    Preparation: 

    This step includes developing of policies and procedures to follow in the event of a cyber breach. This includes determining the exact composition of the response team and the triggers to alert internal partners. Key to this process is effective training to respond to a breach and documentation to record actions taken for later review.

    Identification: 

    This step is the process of detecting a breach and enabling a quick, focused response. IT security teams identify breaches using various threat intelligence streams, intrusion detection systems, and firewalls.

    During this phase, after an incident is confirmed, communication plans are also typically initiated. These plans inform security members, stakeholders, authorities, legal counsel, and eventually users of the incident and what steps need to be taken.

    Containment: 

    One of the first steps after identification is to contain the damage and prevent further penetration. This can be accomplished by taking specific sub-networks offline and relying on system backups to maintain operations.

    Containment is often accomplished in sub-phases:

    • Short term containment—immediate threats are isolated in place. For example, the area of your network that an attacker is currently in may be segmented off. Or, a server that is infected may be taken offline and traffic redirected to a failover.
    • Long term containment—additional access controls are applied to unaffected systems. Meanwhile, clean, patched versions of systems and resources are created and prepared for the recovery phase.

    Eradication: 

    This stage involves neutralizing the threat and restoring internal systems to as close to their previous state as possible. This can involve secondary monitoring to ensure that affected systems are no longer vulnerable to subsequent attack.

    Once teams are aware of all affected systems and resources, they can begin ejecting attackers and eliminating malware from systems. This phase continues until all traces of the attack are removed. In some cases, this may require taking systems off-line so assets can be replaced with clean versions in recovery.

    Recovery: 

    Security teams need to validate that all affected systems are no longer compromised and can be returned to working condition. This also requires setting timelines to fully restore operations and continued monitoring for any abnormal network activity. At this stage, it becomes possible to calculate the cost of the breach and subsequent damage.

    Lessons Learned: 

    One of the most important and often overlooked stages. During this stage, the incident response team and partners meet to determine how to improve future efforts. This can involve evaluating current policies and procedures, as well specific decisions the team made during the incident. Final analysis should be condensed into a report and used for future training.

    ·         Incident Response Team

    An incident response team is a team responsible for enacting your IRP(Incident Response Plan). This team is sometimes also referred to as a computer security incident response team (CSIRT), cyber incident response team (CIRT), or a computer emergency response team (CERT).

    The key duties of your CSIRT are to prevent, manage, and respond to security incidents. This can involve researching threats, developing policies and procedures, and training end users in cybersecurity best practices.

    An IRP(Incident Response Plan) is a set of documented procedures detailing the steps that should be taken in each phase of incident response. It should include guidelines for roles and responsibilities, communication plans, and standardized response protocols.

    No comments:

    Post a Comment

    Network session analysis

    Network session analysis Network session analysis is a method of monitoring network activity and availability to identify issues, such as ...