Incident response enables an organization to be equipped for both the known and unknown security matters and also is a reliable method for identifying a security incident immediately when it occurs. Incident response also allows an organization to establish a series of best practices to stop an intrusion before it causes damage. An incident response plan ensures that a planned analysis can take place to provide a targeted response to contain and remediate the threat. Incident response is an essential component of operating a business, as most organizations rely on insightful information that would be damaging if comprised. Incidents could range from simple malware infections to unencrypted employee laptops that could have compromised login credentials and database leaks. Any of these incidents can have both short- and long-term effects that can impact the success of the entire organization.
These are best performed by persons trained and equipped for it, with proven processes and full support from leadership within the business. In addition, with the advent of cyber-insurance, it’s becoming more and more common for a full response to be required before settlement can be made. Even though each business follows a different incident response plan, all IRPs possess the same fundamental workings as they go through the same six-phase process. Each of these phases deals with a few specific areas of obligation, which must be fulfilled to create an Incident Response Plan for the final executions.
Incident Response Phases:-
Incident response is classically broken down into six phases; preparation, identification, containment, eradication, recovery and lessons learned. Most organizations mainly focus on containment, eradication, and recovery and completely skip lessons learned, but the truth is, that last phase is potentially one of the most important stages of the process.
Let’s learn about theses phases in detail:
Phase 1 Preparation
The initial preparation is the first key to the very first response of the IR team toward any cyberattack on security. It’s all about setting up appropriate and planned procedures with the right tools along with proper mechanism before the occurrence of any incident. The major steps of this phase are as follows:
- Identification of the most important assets and protecting them with all your efforts
- A Analysis of data collected from earlier incidents.
Phase 2 Identification
The second phase Identification refers with the proper information of the actual incident .The objective is to understand the main cause of the compromise, however do not just focus on the one device, could the threat have spread and moved laterally? You will be searching for the suspicious activities, unexpected new files, unusual login attempts, unanticipated user logins or user accounts, and so on.
If an occurrence of incident relates to a malware infection then the following questions rise, what network connections does the malware generate? Does the malware connect to any domains? What files are created on disk? What running processes are created? Are there any unique registry keys that have been created? This data can then be used to search for further evidence of compromise and identify any other infected machines in your estate.
Phase 3 Containment
After preparation and indentify the threat, your responsibility is to know what incident level you are going to deal with, the next move is to enclose and contain the issue. The primary key here is to limit the scope and magnitude of the issue at that point of time. There are two main areas of coverage while doing the containment issue. The following essential areas of coverage are;
- Protecting and keeping available critical computing resources where possible
- Determining the operational status of the infected computer, system or network.
After analysis, you can go ahead for a temporary repair to ensure that the incident won’t escalate its damage anymore. The prime goal of this phase is to minimize the scope and magnitude of the incident. To determine the above facts, you can choose for any of the listed options:
- Option 1: Disconnect the infected entity and let it continue with its standalone operations.
- Option 2: Shut down the whole system immediately.
- Option 3: Let the system operate as usual and keep monitoring its activities.
As a result we can say that all these are reasonable solutions that you can opt for to contain the issue at that particular time period. After establishing and enhancing an effective containment strategy, it’s time to pay attention to evidence gathering and handling which doesn’t come into the picture very often.
Phase 4 Eradication
In this fourth Eradication phase, the IR team is supposed to be working towards a permanent solution with the enclosure of a process responsible for restoring all the affected entities during the process.
Once the incident is successfully contained then the eradication of the threat can begins which will vary depending on what caused a device to be compromised.
Eradication is a simple process of eliminating the threat out of your infected network or system. This phase should only start when all the other internal and external actions are fully completed. The two important aspects of this phase are as follows:
- Clean-up: The process of clean-up should include running a powerful antimalware and antivirus software, uninstalling the infected software, rebooting or replacing the entire operating system and hardware (based on the scope of the incident), and rebuilding the network.
- Notification: Notify all the personnel involved, according to the reporting chain.
Phase 5 Recovery
. The Fifth phase Recovery ensures no threat remains and permitting affected systems back into the production environment at this stage back to life. From the data recovery to any remaining restoration process, this phase covers it all. It takes place in two steps:
- Service restoration: As per the corporate contingency plans
- System/network validation: Testing and verifying the system/network in a functional state.
- Considering what can be done on the restored systems to protect them from recurrence of the same incident.
- Ongoing monitoring for some time after the incident to observe operations and check for abnormal behaviors.
This phase makes sure that the infected entity is recertified as both secure and functional. The goal of recovery is to bring all systems back to full operation, after verifying they are clean and the threat is removed.
Phase 6 Lesson Learnt
The last phase is sometimes skipped by many organizations, but it’s possibly the most important to prevent remediate future incidents. It involves reviewing and revising the steps that were taken during each phase and enhancing both your incident response capability and your security footprint are the important home to do tasks from this phase. After the completion of the investigation, maintain detailed documentation of the complete incident. The practice of such periodical meetings can actually limit incidents.
In future Lessons Learnt assures you to review meeting helps in identifying existing security weaknesses and deficiencies in policies and procedures. As per the conclusions of this meeting, you can change your current IR plan. With this step, your IR team will progress to reflect new and, as the last step of this phase, create a follow-up report after each incident for further usage.
After everything has been returned to normal there are a few follow-up questions that should be answered to ensure the process is sufficient and effective.
- Was there sufficient prep?
- Did detection occur in a timely manner?
- Were communications conducted clearly?
- What was the cost of the incident? Did you have a Business Continuity Plan in place?
- How can we prevent it from happening again?
Once the above queries are answered and improvements are made accordingly, your company and incident response team should be ready to repeat the process. This process can help your organization keep its valuable, personal information secure.