About Incident Response

What is Incident Response?

Incident response (IR) is the set of policies, procedures and people an organization uses to detect, contain and eliminate cyberattacks. Its goal is to detect and halt an attack quickly, limit the damage it causes, and prevent attacks of the same kind from succeeding again.

Incident response is commonly broken into six main stages:

1. Preparation of systems and procedures

2. Identification of Incidents

3. Containment of attackers and incident activity

4. Eradication of attackers and re-entry options

5. Recovery from incidents, including restoration of systems

6. Lessons learned and application feedback to the next round of preparations

Preparation

In the preparation phase you review the security measures and policies already in place and determine whether they are effective. This starts with a risk assessment: which vulnerabilities exist today, and which assets matter most. That information is used to decide in advance how each type of incident will be prioritized and handled and, where possible, to reconfigure systems so that known vulnerabilities are closed and protection is concentrated on high-priority assets. Preparation also covers the practical groundwork the later phases depend on: logging that is actually collected and retained, tooling and access for the responders, and a contact list and communication plan that exist before they are needed.

Identification of threats

This is the phase in which you determine whether you have actually been breached and, if so, how far the intrusion reaches. A breach, or incident, can be discovered through many channels: a monitoring alert, log review, a report from a user, or notification from a third party.

Questions to address

  • When did the event happen?
  • How was it discovered?
  • Who discovered it?
  • Have any other areas been impacted?
  • What is the scope of the compromise?
  • Does it affect operations?
  • Has the source (point of entry) of the event been discovered?
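Several of these questions (when it happened, how it was discovered, the point of entry, and the scope) can often be answered directly from authentication logs. The following Python script is an added example written for this page, not code from the original article: it runs simple detection logic over a few constructed sshd log lines, flags a burst of failed logins followed by a successful login from the same source to the same host, and then builds the start of a triage record. The log lines, host names and addresses, the year 2024 assumed for the year-less syslog timestamps, and the thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines written for this example; not a real capture.
SAMPLE_LOG = """\
Mar 12 02:14:01 web01 sshd[4123]: Failed password for root from 203.0.113.45 port 51012 ssh2
Mar 12 02:14:03 web01 sshd[4123]: Failed password for root from 203.0.113.45 port 51013 ssh2
Mar 12 02:14:05 web01 sshd[4123]: Failed password for admin from 203.0.113.45 port 51014 ssh2
Mar 12 02:14:07 web01 sshd[4123]: Failed password for admin from 203.0.113.45 port 51015 ssh2
Mar 12 02:14:09 web01 sshd[4123]: Failed password for deploy from 203.0.113.45 port 51016 ssh2
Mar 12 02:14:12 web01 sshd[4124]: Accepted password for deploy from 203.0.113.45 port 51017 ssh2
Mar 12 02:21:40 db01 sshd[8810]: Accepted publickey for deploy from 10.0.5.21 port 40211 ssh2
Mar 12 03:02:11 web01 sshd[4301]: Accepted publickey for alice from 10.0.5.7 port 39022 ssh2
Mar 12 03:05:00 web01 sshd[4310]: Failed password for alice from 10.0.5.7 port 39030 ssh2
Mar 12 03:05:04 web01 sshd[4311]: Accepted password for alice from 10.0.5.7 port 39031 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

LOG_YEAR = 2024  # assumption: syslog timestamps carry no year, so one is fixed here for ordering


def parse_log(text):
    """Parse sshd auth lines into event dicts, silently skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def triage(text, failures_threshold=3, window_seconds=300):
    """Flag a password-guessing burst followed by a success from the same source to the
    same host, then answer the identification questions from the log. Returns None if
    nothing suspicious is found."""
    events = parse_log(text)
    failures = defaultdict(list)   # (src, host) -> timestamps of failed logins
    compromised = []               # suspicious successful logins
    for e in events:
        key = (e["src"], e["host"])
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key]
                  if 0 <= (e["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= failures_threshold:
            compromised.append({"first_seen": min(recent), "ts": e["ts"],
                                "host": e["host"], "user": e["user"], "src": e["src"]})
    if not compromised:
        return None

    # Scope: a later successful login by a compromised account on another host is
    # treated as possible lateral movement and that host is added to the impacted set.
    impacted = {c["host"] for c in compromised}
    for e in events:
        if e["result"] != "Accepted":
            continue
        for c in compromised:
            if e["user"] == c["user"] and e["ts"] > c["ts"]:
                impacted.add(e["host"])
    first = min(compromised, key=lambda c: c["first_seen"])
    return {
        "when": first["first_seen"].isoformat(sep=" "),
        "how_discovered": "auth log review: failed-login burst followed by success",
        "point_of_entry": sorted({c["src"] for c in compromised}),
        "accounts": sorted({f"{c['user']}@{c['host']}" for c in compromised}),
        "impacted_hosts": sorted(impacted),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run stand-alone, the script reports the first failed attempt as the start of the event, 203.0.113.45 as the point of entry, deploy@web01 as the compromised account, and db01 as a second host to look at because the same account logged in there afterwards. The one-off failure by alice stays below the threshold and is not flagged. Two caveats apply to any such check: it only sees what was logged, so a clean result is not proof that no breach occurred, and the "impacted hosts" list is a lead for the scope question, not a conclusion; each host still has to be examined.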

Containment of Threats

After an incident is identified, containment methods are determined and enacted. The goal is to advance to this stage as quickly as possible to minimize the amount of damage caused.

Containment is often accomplished in sub-phases:

  • Short-term containment: immediate threats are isolated where they are. For example, the part of the network the attacker is currently in may be segmented off, or an infected server may be taken offline with its traffic redirected to a failover. Before a machine is powered off or rebuilt, capture the evidence the later phases will need (a memory image, a disk image, and the relevant logs), because powering it off destroys whatever was only in memory.
  • Long-term containment: additional access controls are applied to the systems that are not affected, so the attacker cannot simply move into them. Meanwhile, clean, patched versions of the affected systems and resources are built and prepared for the recovery phase.

Eradication

Eradication is the phase in which the threat itself is removed: malware and attacker tooling are deleted, persistence mechanisms such as added accounts, scheduled tasks and backdoors are closed, compromised credentials are rotated, and the vulnerability or misconfiguration that let the attacker in is fixed so the same entry cannot be reused. Affected systems are brought back to a known-good state, ideally with as little data loss as possible. The main work of this phase is verifying that every affected system is actually clean, not merely that the most visible malicious content is gone; a system rebuilt from a known-good image is easier to trust than one that has been cleaned in place.

Recovery

Recovery returns the cleaned or rebuilt systems to production and confirms that they are not re-infected or compromised again. The main tasks are deciding when operations will be restored and in what order, testing and verifying the previously compromised systems before they go live, and then monitoring them closely for abnormal behaviour once they are back, using the same testing, monitoring and validation tooling throughout.
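Before a system goes back into production, "verifying that it is clean" should mean something concrete. The following Python example is added here for illustration and is not code from the original article: it hashes a restored file tree, compares it with a manifest taken from a known-good build, and reports files that were modified, removed or added, plus any file whose hash matches a known-bad indicator. The gold-image contents, the restored-host contents, the file paths and the indicator hash are all constructed inside the script for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_baseline(root, baseline, known_bad_hashes=frozenset()):
    """Compare a restored tree with the known-good manifest and return the findings.
    A system is cleared for production only when every finding list is empty."""
    current = build_manifest(root)
    findings = {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
        "known_bad": sorted(p for p, h in current.items() if h in known_bad_hashes),
    }
    findings["clean"] = not any(findings[k] for k in ("modified", "missing", "unexpected", "known_bad"))
    return findings


def _write(root, rel, data):
    """Helper for the constructed scenario: create rel under root with the given bytes."""
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed scenario: a clean gold image, and a restored host on which eradication
    missed a leftover cron job and a dropped tool and the SSH config was weakened."""
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as restored:
        # Gold image (constructed content, not real system files).
        _write(gold, "usr/bin/sshd", b"clean sshd build 9.6")
        _write(gold, "etc/cron.d/backup", b"0 2 * * * root /usr/local/bin/backup\n")
        _write(gold, "etc/ssh/sshd_config", b"PasswordAuthentication no\n")
        baseline = build_manifest(gold)

        # Restored host (constructed): two artifacts survived, one config was changed.
        _write(restored, "usr/bin/sshd", b"clean sshd build 9.6")
        _write(restored, "etc/cron.d/backup", b"0 2 * * * root /usr/local/bin/backup\n")
        _write(restored, "etc/ssh/sshd_config", b"PasswordAuthentication yes\n")
        _write(restored, "etc/cron.d/sysupdate", b"* * * * * root /var/tmp/x/run\n")
        _write(restored, "var/tmp/x/run", b"implant stage 2")

        # Constructed indicator: hash of the dropped tool, as it would appear in an IOC list.
        known_bad = {hashlib.sha256(b"implant stage 2").hexdigest()}
        return {
            "gold": verify_against_baseline(gold, baseline),
            "restored": verify_against_baseline(restored, baseline, known_bad),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Run stand-alone, the gold image checks out against its own manifest, while the restored host is reported as not clean: sshd_config is modified, the cron entry and the tool under /var/tmp are unexpected, and the tool also matches the known-bad hash. Two points matter in practice: the baseline must come from before the compromise or from a fresh build, never from a snapshot taken while the attacker was already present, and a file-level check like this complements, rather than replaces, checks of running processes, scheduled tasks, accounts and network connections on the recovered host.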

Lessons Learned

The lessons learned phase is the one in which your team reviews what was done during the response. Members should cover what went well, what did not, and what should change, and the conclusions feed back into the next round of preparation. Any incomplete documentation of the incident should also be finished in this phase, while the details are still fresh.