What, why and how to, in simple terms!
What is incident response and why is it important?
Incident response is simply the set of information security policies and procedures, specific to an organization, that are used to identify, contain, and eliminate cyber-attacks.
This covers everything from identifying an attack, understanding and prioritizing it based on its severity, investigating it to get a better understanding of its extent, mitigating it, remediating and documenting it, through to implementing steps aimed at ensuring the same attack never happens again.
Needless to say, a strong incident response plan is of the utmost importance: it prepares you for an emergency, provides a centralized way to keep everyone informed during an attack, exposes gaps in the security process, preserves critical knowledge and best practices, and perfects the incident response practice through repetition. Documenting the incident response plan also reduces an organization's liability and can demonstrate compliance (NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide).
What are the six phases of an incident response process?
There are 6 phases of incident response:
1. Preparation – providing training to the incident response team, whether that is an employee or group of employees on site, or a third-party team to contact in the event of an incident.
2. Detection/Identification and Analysis – once a scenario is identified as an incident (which can happen in several different ways), this phase of the incident response process focuses on analyzing the symptoms to decide whether an incident is indeed occurring and how much priority should be placed on it (usually by analyzing log files and reviewing forensic images).
3. Containment – damaged or affected systems are removed from production: devices are isolated and, if an account is affected, it is locked down. This phase aims to prevent further damage or spread.
4. Eradication – after the incident has been successfully contained, we can start removing and remediating the affected systems or devices discovered in the identification phase, restoring systems from backup and reimaging devices. Restoration should only be done after the incident has been properly investigated, analyzed and documented, including how the incident occurred and what can be done to prevent it from happening again.
5. Recovery – this phase tests and implements the repairs and restoration performed during the eradication phase, and marks the transition back to normal operations.
6. Lessons Learned/post-incident activity – according to Ascend Technologies, this phase is one of the most important in incident response. At every phase, detailed documentation of what was done should be evident from the steps and processes taken. At this phase it is vital to review the steps that were taken and to note the important information learned from this incident and its results.
Most importantly, use this information to improve your security and future incident response capability, by highlighting things like how the incident occurred in the first place and what had to be done to identify, contain, and ultimately remediate the affected devices and systems.
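The phases above only help if every transition is documented, in order. The following is an added example (not from the original post or from any incident response tool) of a small Python incident record that enforces that rule: an incident can only move to the next phase in the list, never skip one, and never move without a written note. The phase names, severity scale and sample notes are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The six phases in the order the post lists them (names are an assumption).
PHASES = [
    "preparation",
    "detection_and_analysis",
    "containment",
    "eradication",
    "recovery",
    "lessons_learned",
]


@dataclass
class Incident:
    """One incident record whose phase transitions are always documented."""
    incident_id: str
    severity: str                      # constructed scale: "low", "medium", "high"
    phase: str = "preparation"
    log: list = field(default_factory=list)   # (timestamp, new phase, note)

    def advance(self, note, now=None):
        """Move to the next phase; refuse to skip phases or to proceed without a note."""
        if not note or not note.strip():
            raise ValueError("every phase transition must be documented")
        idx = PHASES.index(self.phase)
        if idx == len(PHASES) - 1:
            raise ValueError("incident already closed: lessons learned recorded")
        when = (now or datetime.now(timezone.utc)).isoformat()
        self.phase = PHASES[idx + 1]
        self.log.append((when, self.phase, note))
        return self.phase

    def is_closed(self):
        return self.phase == PHASES[-1]

    def timeline(self):
        """Human-readable record for the post-incident review."""
        return [f"{when} {phase}: {note}" for when, phase, note in self.log]


def run_sample_incident():
    """Walk a constructed incident through all six phases and return it."""
    inc = Incident(incident_id="INC-EXAMPLE-001", severity="high")   # constructed id
    notes = [
        "Alert from SIEM: repeated failed logins then success for one account.",
        "Confirmed unauthorized login from unfamiliar source; priority set to high.",
        "Account locked; affected workstation isolated from the network.",
        "Workstation reimaged; credentials reset; persistence mechanism removed.",
        "Workstation returned to production and monitored for 48 hours.",
        "Review held: root cause was a weak password; MFA rollout scheduled.",
    ]
    for note in notes[:len(PHASES) - 1]:
        inc.advance(note)
    return inc


if __name__ == "__main__":
    for line in run_sample_incident().timeline():
        print(line)
```

The point of the `advance` check is that "we will document it later" is not an option: the record refuses to move forward until the note for that step exists, which is what makes the lessons-learned review possible afterwards.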
What is real time incident response?
My understanding is that real-time incident response is the ability to monitor, detect and respond to incidents in real time. Normally this is done by the security operations team at a security operations center (SOC). He went on to elaborate that having a good security information and event management (SIEM) solution/tool is vital to real-time incident response. This tool generates alerts that help tell us where to look and where an event might be happening, whether it is just informational or an actual incident. Everything under security operations ties into the SIEM: the incident response team, threat hunting, intrusion detection and risk management can all get their first sense of direction in an incident from the SOC team.
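To make the SIEM role concrete, here is an added example (not from the original post and not the logic of any particular SIEM product) of the kind of correlation rule a SIEM runs: it reads authentication log lines, counts failed logins per user and source address inside a time window, and raises a medium-severity alert for a burst of failures and a high-severity alert when a successful login follows that burst. The log lines, the threshold of five failures, the 60-second window and the severity labels are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed SSH-style authentication log sample (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:03Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:05Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:07Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:09Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:12Z auth sshd: Accepted password for alice from 203.0.113.7
2024-03-01T09:05:00Z auth sshd: Failed password for bob from 198.51.100.4
2024-03-01T09:06:00Z auth sshd: Accepted password for bob from 198.51.100.4
2024-03-01T09:10:00Z auth sshd: Accepted publickey for carol from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)$"
)

FAILURE_THRESHOLD = 5    # assumed: failures in the window that count as a brute-force attempt
WINDOW_SECONDS = 60      # assumed correlation window


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # a real SIEM would count unparsed lines rather than drop them silently
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events):
    """Correlate failures per (user, source); escalate when a success follows a burst."""
    alerts = []
    recent_failures = defaultdict(list)   # (user, src) -> timestamps of failures in window
    for ev in events:
        key = (ev["user"], ev["src"])
        in_window = [t for t in recent_failures[key]
                     if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if ev["result"] == "Failed":
            in_window.append(ev["ts"])
            recent_failures[key] = in_window
            if len(in_window) == FAILURE_THRESHOLD:   # fire once when the threshold is reached
                alerts.append({"rule": "brute_force", "severity": "medium",
                               "user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
        else:
            if len(in_window) >= FAILURE_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success", "severity": "high",
                               "user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
            recent_failures[key] = []   # a success closes the failure sequence
    return alerts


def run_sample():
    """Run the rule over the constructed log and return the alerts."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['severity'].upper()}] {alert['rule']} user={alert['user']} "
              f"src={alert['src']} at {alert['ts'].isoformat()}")
```

On the sample, alice's five failures followed by a success produce a medium alert and then a high alert, while bob's single failure and carol's key-based login produce nothing. That severity difference is exactly the "first sense of direction" the post describes: the high alert tells the responder which account and source to look at first.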
How would you create an incident response plan?
The best way to create an incident response plan is to make it specific to your network configuration and devices. You can ask your network and security vendors to share their incident response plans with you, so your first responders know exactly what to do in the event of an incident involving their products.
From my understanding, it is vital that everyone in your organization, from first responders to the legal team and the communications team, understands their role in the event of an incident. Best practice for creating or building an incident response plan is to create a simple, well-defined process, listing very straightforward details, procedures, and explanations of what to do in an emergency.
You also want to create a plan specifically for your first responders, so they know exactly the proper procedures and steps to take from preparation through to post-incident activity.
Create a communication strategy that highlights who needs to be informed during a security breach or incident.
Use an incident response plan template. This takes an in-depth look at how others in the industry have dealt with incident response; adapt that template to suit your organization.
Put your incident response plan to the test with a breach incident exercise, for example wargaming, which simply creates a fake malicious e-mail with a trackable link that is sent to employees. Your first responders need to monitor this e-mail on your network and accounts.