Incident response is the process by which an organization, whether a large enterprise or an SMB, handles a data breach or cyberattack, including how it manages the consequences of the attack or security breach. Talk with Oxtrabot and ask about our Virtual CISO Services. Get the right advice when you need it most from highly rated security executives.
The SANS Institute, a leading resource for cybersecurity training, certifications and research, publishes industry-standard guidelines for effective incident response. The six steps below are drawn from the SANS incident handling process:
Preparation – The most important phase of incident response is preparing for an inevitable security breach. Preparation determines how well the Computer Incident Response Team (CIRT) will be able to respond to an incident, and it should cover policy, the response plan and strategy, communication, documentation, selection of CIRT members, access control, tools, and training.
Identification – Identification is the process through which incidents are detected, ideally promptly, so that the response is rapid and costs and damage are reduced. In this step, IT staff gather events from log files, monitoring tools, error messages, intrusion detection systems, and firewalls to detect incidents and determine their scope: which systems, accounts and data are affected.
Containment – Once an incident is identified, containing it is the top priority. The purpose of containment is to limit the damage already done and prevent further damage; as noted under Identification, the earlier an incident is detected, the sooner it can be contained and the less damage an SMB suffers. Containment comprises short-term containment (for example isolating the affected system from the network), system backup (preserving a forensic image of the affected systems before they are changed), and long-term containment.
Eradication – Eradication is the phase of effective incident response that removes the threat and restores affected systems to their previous state, ideally with minimal data loss. Its main activities are confirming that the steps taken so far have been carried out properly, removing the malicious content (malware, attacker-created accounts, persistence mechanisms), and verifying that the affected systems are completely clean.
Recovery – Recovery returns systems to production while testing, monitoring, and validating them to verify that they are not re-infected or compromised. This phase includes deciding when to restore operations, testing and verifying the previously compromised systems, monitoring for abnormal behaviour, and using tools for testing, monitoring, and validating system behaviour.
Lessons Learned – This phase is critical because it educates the team and improves future incident response efforts. It is the organization's opportunity to update its incident response plan with information that was missed during the incident, and to complete the documentation that will inform future responses. Strategic preparation and advance planning are key to effective incident response.
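The Identification and Containment steps above are described only in prose. The following Python script is an added example (it is not from the article or from SANS) that runs simple identification logic over a handful of constructed log lines, scopes the incident, and derives a list of short-term containment actions. The single "timestamp source event key=value" log layout, the asset inventory, the brute-force threshold and window, and all IP addresses and hostnames are assumptions made for the example.

```python
"""Identification and containment scoping over constructed log lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed asset inventory (assumption): internal IP -> hostname.
ASSETS = {"10.0.0.11": "web01", "10.0.0.12": "db01",
          "10.0.0.13": "file01", "10.0.0.50": "web02"}

# Constructed sample events from an SSH auth log, a firewall and an IDS,
# already normalised to "ts source event k=v ..." (layout is an assumption).
SAMPLE_LOGS = """\
2024-03-04T09:00:01 auth  ssh_fail  src=203.0.113.7 user=admin host=web01
2024-03-04T09:00:03 auth  ssh_fail  src=203.0.113.7 user=admin host=web01
2024-03-04T09:00:05 auth  ssh_fail  src=203.0.113.7 user=admin host=web01
2024-03-04T09:00:06 auth  ssh_fail  src=203.0.113.7 user=admin host=web01
2024-03-04T09:00:08 auth  ssh_fail  src=203.0.113.7 user=admin host=web01
2024-03-04T09:00:09 auth  ssh_ok    src=203.0.113.7 user=admin host=web01
2024-03-04T09:02:30 fw    allow     src=10.0.0.11 dst=10.0.0.12 dport=445
2024-03-04T09:02:31 auth  ssh_ok    src=10.0.0.11 user=svc_backup host=db01
2024-03-04T09:05:00 ids   alert     src=10.0.0.12 dst=198.51.100.9 sig=outbound_c2
2024-03-04T09:06:00 fw    allow     src=10.0.0.12 dst=10.0.0.13 dport=445
2024-03-04T09:10:00 auth  ssh_ok    src=10.0.0.50 user=alice host=web02
"""

FAIL_THRESHOLD = 5          # failures before a success counts as brute force (assumption)
WINDOW = timedelta(minutes=2)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_logs(text):
    """Parse 'ts source event k=v ...' lines into dicts, sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, source, event, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        fields.update(ts=datetime.fromisoformat(ts), source=source, event=event)
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def find_initial_access(events):
    """Return the ssh_ok events preceded by >= FAIL_THRESHOLD failures from the
    same src against the same user inside WINDOW (password guessing that succeeded)."""
    hits, fails = [], defaultdict(list)
    for e in events:
        if e["source"] != "auth":
            continue
        key = (e["src"], e["user"])
        if e["event"] == "ssh_fail":
            fails[key].append(e["ts"])
        elif e["event"] == "ssh_ok":
            recent = [t for t in fails[key] if e["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                hits.append(e)
    return hits


@dataclass
class IncidentScope:
    first_seen: datetime
    attacker_ips: set = field(default_factory=set)
    compromised_hosts: set = field(default_factory=set)
    compromised_accounts: set = field(default_factory=set)
    suspect_hosts: set = field(default_factory=set)      # touched, no login seen
    external_indicators: set = field(default_factory=set)

    def containment_actions(self):
        """Short-term containment list derived from the scope."""
        acts = [f"block inbound from {ip} at the perimeter" for ip in sorted(self.attacker_ips)]
        acts += [f"disable account {u} and rotate its credentials" for u in sorted(self.compromised_accounts)]
        acts += [f"isolate host {h} from the network after imaging it" for h in sorted(self.compromised_hosts)]
        acts += [f"block egress to {ip} and review traffic to it" for ip in sorted(self.external_indicators)]
        acts += [f"triage host {h} for lateral movement before restoring" for h in sorted(self.suspect_hosts)]
        return acts


def scope_incident(events, hits):
    """Expand the scope forward in time from the initial access: logins and
    connections originating from a compromised host pull more hosts in."""
    scope = IncidentScope(first_seen=min(h["ts"] for h in hits))
    for h in hits:
        scope.attacker_ips.add(h["src"])
        scope.compromised_hosts.add(h["host"])
        scope.compromised_accounts.add(h["user"])
    for e in events:                       # events are time-ordered, so one pass chains
        if e["ts"] < scope.first_seen or ASSETS.get(e.get("src", "")) not in scope.compromised_hosts:
            continue
        if e["source"] == "auth" and e["event"] == "ssh_ok":
            scope.compromised_hosts.add(e["host"])
            scope.compromised_accounts.add(e["user"])
        elif e["source"] == "fw" and e["event"] == "allow" and e["dst"] in ASSETS:
            scope.suspect_hosts.add(ASSETS[e["dst"]])
        elif e["source"] == "ids" and e["event"] == "alert":
            scope.external_indicators.add(e["dst"])
    scope.suspect_hosts -= scope.compromised_hosts
    return scope


def run(text=SAMPLE_LOGS):
    """Identify the incident in the logs; None when no initial access is found."""
    events = parse_logs(text)
    hits = find_initial_access(events)
    return scope_incident(events, hits) if hits else None


if __name__ == "__main__":
    s = run()
    print("incident first seen", s.first_seen.isoformat())
    for a in s.containment_actions():
        print(" -", a)
```

Running the script reports the incident as first seen at 09:00:09, names web01 and db01 as compromised, file01 as a suspect host, 203.0.113.7 as the attacker source and 198.51.100.9 as an external indicator, and prints the corresponding containment list. The scope is what the CIRT needs before containment begins; note that web02 and alice, whose activity never originates from a compromised host, are correctly left out.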
Ask Oxtrabot about our new year Virtual CISO services! Obtain these guidelines and more and learn from a certified expert.
Gartner defines a CIRT as a group that “is responsible for responding to security breaches, viruses, and other potentially catastrophic incidents in enterprises that face significant security risks. In addition to technical specialists capable of dealing with specific threats, it should include experts who can guide enterprise executives on appropriate communication in the wake of such incidents.”