Incident Response

Incident response (IR) is a set of information security policies and procedures that can be used to identify, contain, and eliminate cyberattacks. The goal of incident response is to enable an organization to quickly detect and halt attacks, minimizing damage and preventing future attacks of the same type.

Steps: 6 Phases of the Incident Response Lifecycle
Preparation:
This step includes developing policies and procedures to follow in the
event of a cyber breach. This includes determining the exact composition of the
response team and the triggers to alert internal partners. Key to this process
is effective training to respond to a breach and documentation to record
actions taken for later review.
Identification:
This step is the process of detecting a breach and enabling a quick,
focused response. IT security teams identify breaches using various threat
intelligence streams, intrusion detection systems, and firewalls.
During this phase, after an incident is confirmed, communication plans
are also typically initiated. These plans inform security members,
stakeholders, authorities, legal counsel, and eventually users of the incident
and what steps need to be taken.
Containment:
One of the first steps after identification is to contain the damage and
prevent further penetration. This can be accomplished by taking specific
sub-networks offline and relying on system backups to maintain operations.
Containment is often accomplished in sub-phases:
- Short-term containment—immediate threats are isolated in place. For
example, the area of your network that an attacker is currently in may be
segmented off. Or, a server that is infected may be taken offline and
traffic redirected to a failover.
- Long-term containment—additional access controls are applied to
unaffected systems. Meanwhile, clean, patched versions of systems and
resources are created and prepared for the recovery phase.
Eradication:
This stage involves neutralizing the threat and restoring internal
systems to as close to their previous state as possible. This can involve
secondary monitoring to ensure that affected systems are no longer vulnerable
to subsequent attack.
Once teams are aware of all affected systems and resources, they can
begin ejecting attackers and eliminating malware from systems. This phase
continues until all traces of the attack are removed. In some cases, this may
require taking systems offline so assets can be replaced with clean versions
in recovery.
Recovery:
Security teams need to validate that all affected systems are no longer
compromised and can be returned to working condition. This also requires
setting timelines to fully restore operations and continued monitoring for any
abnormal network activity. At this stage, it becomes possible to calculate the
cost of the breach and subsequent damage.
Lessons Learned:
One of the most important and often overlooked stages. During this stage,
the incident response team and partners meet to determine how to improve future
efforts. This can involve evaluating current policies and procedures, as well
as specific decisions the team made during the incident. Final analysis should be
condensed into a report and used for future training.
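The six phases above describe a procedure, so here is a small end-to-end walk-through of them in code. This is an added example, not code from the original post: it runs the identification step over a few constructed sshd-style log lines, turns the result into short-term containment actions, and keeps a timeline of actions taken (the documentation the preparation phase calls for) that refuses to skip a phase and is condensed into a lessons-learned report at the end. The log format, the five-failures-in-five-minutes threshold, the host-firewall command, the addresses and the incident id are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): walking the six IR lifecycle
phases over constructed log lines.  Format, thresholds, addresses and the
incident id are assumptions for illustration only."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd-style auth log lines (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for root from 203.0.113.7 port 51022
2024-05-01T10:00:03 sshd[102]: Failed password for admin from 203.0.113.7 port 51023
2024-05-01T10:00:04 sshd[103]: Accepted password for alice from 198.51.100.5 port 40010
2024-05-01T10:00:06 sshd[104]: Failed password for root from 203.0.113.7 port 51024
2024-05-01T10:00:09 sshd[105]: Failed password for oracle from 203.0.113.7 port 51025
2024-05-01T10:00:12 sshd[106]: Failed password for root from 203.0.113.7 port 51026
2024-05-01T10:15:00 sshd[107]: Failed password for root from 198.51.100.9 port 40500
"""

PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned"]

FAILED_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+) port")


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Identification: {source_ip: max failures seen inside one `window`}
    for every source that reaches `threshold` failed logins in that span."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            attempts[m.group(3)].append(datetime.fromisoformat(m.group(1)))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


class IncidentRecord:
    """Records actions taken for later review and enforces the phase order."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.phase_index = 0            # every incident starts in preparation
        self.timeline = []              # (phase, action) entries

    @property
    def phase(self):
        return PHASES[self.phase_index]

    def record(self, action):
        self.timeline.append((self.phase, action))

    def advance(self, to_phase):
        """Only the next lifecycle phase is allowed; skipping raises."""
        expected = PHASES[self.phase_index + 1]
        if to_phase != expected:
            raise ValueError(f"cannot go from {self.phase} to {to_phase}; next is {expected}")
        self.phase_index += 1


def short_term_containment(flagged):
    """Containment sub-phase: isolate the threat in place with one host-firewall
    drop rule per offending source (command format is an assumption)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


def run_lifecycle(log_text):
    inc = IncidentRecord("INC-EXAMPLE-001")          # placeholder id
    inc.record("IR plan and on-call roster confirmed")
    inc.advance("identification")
    flagged = find_bruteforce(log_text)
    inc.record(f"brute-force sources flagged: {sorted(flagged)}")
    inc.advance("containment")
    for rule in short_term_containment(flagged):
        inc.record(f"short-term: {rule}")
    inc.record("long-term: MFA enforced on unaffected bastion hosts")
    inc.advance("eradication")
    inc.record("credentials rotated for targeted accounts; host reimaged")
    inc.advance("recovery")
    inc.record("host returned to service; 72h of heightened auth monitoring")
    inc.advance("lessons_learned")
    inc.record("review: lower lockout threshold, tune IDS rule")
    return inc


def lessons_learned_report(inc):
    """Condense the timeline into the per-phase report the last phase calls for."""
    lines = [f"Incident {inc.incident_id}: {len(inc.timeline)} recorded actions"]
    for phase in PHASES:
        actions = [a for p, a in inc.timeline if p == phase]
        lines.append(f"[{phase}] {len(actions)} action(s)")
        lines.extend(f"  - {a}" for a in actions)
    return "\n".join(lines)


if __name__ == "__main__":
    print(lessons_learned_report(run_lifecycle(SAMPLE_LOG)))
```

Only 203.0.113.7 is flagged: it has five failures within eleven seconds, while 198.51.100.9 has a single failure and the successful login from 198.51.100.5 is never counted. The point of `IncidentRecord.advance` refusing to skip a phase is that a team under pressure cannot jump from identification straight to eradication without a containment entry in the record that the lessons-learned review will later read.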
Incident Response Team
An incident response team is a team responsible for enacting your IRP (Incident
Response Plan). This team is sometimes also referred to as a computer
security incident response team (CSIRT), cyber incident response team (CIRT),
or a computer emergency response team (CERT).
The key duties of your CSIRT are to prevent, manage, and respond to
security incidents. This can involve researching threats, developing policies
and procedures, and training end users in cybersecurity best practices.
An IRP (Incident Response Plan) is a set of documented procedures
detailing the steps that should be taken in each phase of incident response. It
should include guidelines for roles and responsibilities, communication plans,
and standardized response protocols.