In this article, we are going to learn about the incident response lifecycle. First we look at what incident response is, then we walk through its phases one by one.
What is Incident Response?
Cyber attacks and other security events happen every day. Incident response (IR) is the practice of quickly identifying and analyzing them and minimizing their effect. Incidents are mostly handled by security analysts or a dedicated team, often called a CSIRT (Computer Security Incident Response Team). This team is not composed of security professionals alone; it also includes general IT staff, legal, communications, and C-suite members, so that technical, legal, and business decisions can all be made while the incident is unfolding.
Incident response is a reactive discipline: its goal is quick detection and recovery once something has already gone wrong, which is why the preparation phase below matters so much.
Those are the basics of incident response. Most IR teams follow a phased lifecycle. The six-phase model described below is the one popularized by SANS; NIST SP 800-61 describes the same lifecycle in four phases (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity), so the two map onto each other directly.
Phases of Incident Response
There are six phases in total. We are going to discuss them one by one.
1. Preparation
This is the first phase of incident response and one of the most important, because here the IR team creates the response plans it will rely on when a security event occurs. The phase breaks down into three parts.
- Develop response plans (playbooks) for the incident types you expect, such as malware infection, phishing, credential theft, and data loss; test them regularly with tabletop and mock-incident exercises; and revise the plans based on what the exercises reveal.
- Ensure that all employees have basic awareness of cyber attacks (for example, how to recognize and report phishing), and that the IR team is trained in its roles and knows whom to contact.
- Ensure that every part of the incident response plan is approved by management, including the authority to take systems offline during containment.
By the end of this phase you should have a trained team, a tested plan, and the tooling and access (centralized logging, endpoint detection, forensic tools, up-to-date contact lists) in place before an incident starts, not after.
2. Identification
As the name suggests, in this phase you determine whether you have been breached, which computers in your network are affected, and what the incident actually is. Alerts from monitoring tools, user reports, and third-party notifications are all typical starting points, and each has to be triaged and analyzed rather than taken at face value.
Questions that have to be answered in this phase:
- When did the event happen?
- How was it discovered?
- Who discovered it?
- Have any other areas been impacted?
- What is the scope of the compromise?
- Does it affect operations?
- Has the source (point of entry) of the event been discovered?
3. Containment
In this phase you limit the damage now that you know you have been compromised. The first instinct after a malware infection is to wipe everything, but that also destroys evidence (memory contents, running processes, network connections, logs) that you will need to find the root cause and possibly to support legal action. So preserve evidence first: capture volatile data and take disk images before any cleanup, and keep those copies separate from the systems being worked on.
Then isolate. Short-term containment disconnects the compromised systems, and any others that may be affected, from the network so the attacker cannot spread further or reach their command-and-control servers; this can be done by pulling the cable, moving the host to a quarantine VLAN, or pushing host-firewall rules. Long-term containment applies temporary fixes (resetting credentials, blocking attacker infrastructure, restricting accounts) so that systems can stay in service while eradication is planned.
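The following is an added example, not code from the original article, showing how the scoping questions from the identification phase ("what is the scope of the compromise?", "have any other areas been impacted?") and the preserve-then-isolate rule of the containment phase look in practice. It walks a connection log forward in time from the host that raised the alert, so that a host only enters the scope if it was contacted by an already-compromised host after that host's compromise time, then builds an isolation plan and an evidence manifest. The flow log, addresses, alert time, forensic workstation and captured artifacts are all constructed for the example, and the firewall rules are returned as strings rather than applied.

```python
"""Scoping and containment helper (added example; all inputs below are constructed)."""
import hashlib
import ipaddress
from datetime import datetime

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: the corporate range
FORENSIC_HOST = "10.0.9.2"                          # assumption: analyst workstation

# Constructed flow records: "<timestamp> <src> <dst> <dst_port>", not in time order.
FLOW_LOG = """\
2024-03-10T08:12:01Z 10.0.1.15 203.0.113.7 443
2024-03-10T08:14:30Z 10.0.1.15 10.0.1.22 445
2024-03-10T08:15:02Z 10.0.1.22 10.0.1.40 3389
2024-03-10T08:16:11Z 10.0.1.40 10.0.1.41 80
2024-03-10T08:20:00Z 10.0.2.5 10.0.1.15 22
2024-03-10T08:21:45Z 10.0.1.99 10.0.1.100 443
2024-03-10T08:05:00Z 10.0.1.15 10.0.1.60 445
"""


def parse_flows(text):
    """Parse the log into (time, src, dst, port) tuples sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return sorted(flows)


def is_internal(host):
    return ipaddress.ip_address(host) in INTERNAL_NET


def scope_compromise(flows, initial):
    """Time-aware reachability over the flows.

    A host joins the scope when a host already in scope connects to it at or
    after that host's own compromise time. Connections made *before* a host was
    compromised, and connections *into* a compromised host, do not extend the
    scope (the latter are still worth a look for stolen credentials). Returns
    ({host: first_suspicious_time}, {external destinations contacted}).
    """
    compromised = dict(initial)
    external = set()
    for ts, src, dst, _port in flows:            # flows are time-ordered
        if src not in compromised or ts < compromised[src]:
            continue
        if not is_internal(dst):
            external.add(dst)                     # candidate C2 / exfiltration host
        elif dst not in compromised:
            compromised[dst] = ts
    return compromised, external


def isolation_plan(compromised, external):
    """Per-host firewall rules (iptables syntax, strings only) that cut each
    compromised host off from everything except the forensic workstation, plus
    perimeter rules blocking the external contacts. Returned, never executed."""
    plan = {}
    for host in compromised:
        plan[host] = [
            f"iptables -I INPUT 1 -s {FORENSIC_HOST} -j ACCEPT",
            f"iptables -I OUTPUT 1 -d {FORENSIC_HOST} -j ACCEPT",
            "iptables -A INPUT -j DROP",
            "iptables -A OUTPUT -j DROP",
        ]
    plan["perimeter"] = [f"iptables -A FORWARD -d {ext} -j DROP" for ext in sorted(external)]
    return plan


def evidence_manifest(artifacts):
    """SHA-256 every artifact captured *before* isolation (process list,
    connection table, memory image) so it can later be shown to be unaltered."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}


def run_example():
    flows = parse_flows(FLOW_LOG)
    alert = {"10.0.1.15": datetime(2024, 3, 10, 8, 12, 1)}   # constructed EDR alert time
    compromised, external = scope_compromise(flows, alert)
    artifacts = {   # constructed stand-ins for outputs captured on 10.0.1.15
        "ps.txt": b"root 1337 /tmp/.x/beacon -c 203.0.113.7:443\n",
        "netstat.txt": b"tcp 10.0.1.15:49211 203.0.113.7:443 ESTABLISHED\n",
    }
    return {
        "scope": {h: t.isoformat() for h, t in compromised.items()},
        "external": sorted(external),
        "plan": isolation_plan(compromised, external),
        "evidence": evidence_manifest(artifacts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

Run it with `python3 scope.py`. In the constructed log, 10.0.1.15 reaches 10.0.1.22, which reaches 10.0.1.40 and then 10.0.1.41, so all four are in scope; 10.0.1.60 is not, because 10.0.1.15 talked to it before the alert time, and 10.0.2.5 is not, because it connected into the compromised host rather than out of it. The time check is what keeps the scope honest: a plain graph walk would sweep in every host the patient-zero machine ever talked to. Note that the manifest is produced before the rules are applied, which is the ordering the containment text above insists on.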
4. Eradication
With the compromised devices contained, the incident can no longer spread, and the security analysts can move on to permanent fixes: remove the malware, close the attacker's accounts and persistence mechanisms, patch the vulnerability or misconfiguration that was exploited, and rebuild systems whose integrity can no longer be trusted. Just as important is working out exactly what happened during the incident and finding its root cause, so that the same type of attack does not succeed again in the future.
5. Recovery
This phase is all about returning business operations to normal: bringing the affected systems back online after the attack and restoring data from backups that are known to be clean.
The IR team decides when to bring each offline system back based on its analysis, and then monitors the restored systems closely for a period afterwards for any sign that the vulnerability is still present or that the attacker has returned.
6. Lessons Learned
The last phase of the incident response lifecycle is ignored by many organizations, yet it is one of the most important. The IR team holds an after-action meeting, ideally within a couple of weeks of closing the incident, and documents what happened, what was done and when, what worked, and what did not. It then reviews every step taken during the incident to improve its response capability, and updates the plans and playbooks it will use for similar incidents in the future.
Conclusion
These are the six phases of incident response. It is best performed by people who are well trained and equipped with the right tools, which is exactly what the preparation phase is for.
Further Reading
- Incident Response Resources – https://www.incidentresponse.com/resources/
- List of Tools for Incident Response – https://github.com/meirwah/awesome-incident-response