Incident Response refers to the processes and policies an organization utilises in response to a cyber incident such as an attack or data breach. The objective of Incident Response is to mitigate the damage of an attack, i.e. to reduce the recovery time, effort, costs and reputational damage associated with a cyber attack or data breach. Apart from mitigating the various consequences of a cyber attack, the Incident Response process can help organizations prevent future attacks that threaten their information security.
In our last blog we talked about what incident response is. In this post, we look at a basic incident response template.
Below are the five key steps of an Incident Response template that every organization should consider. Incident Response management is customisable and unique to each organization, but it usually consists of five key steps that form a life cycle, repeated every time a cyber incident takes place. These five steps are explained below:
During this stage of the life cycle, organizations evaluate the effectiveness of their existing security measures and policies. Evaluation usually consists of identifying vulnerabilities via assessments or scans, which helps prioritise which types of incident need to be responded to as soon as they are identified. The main function of this phase is to improve existing policies and procedures, even if they have to be re-written.
In this second phase of the life cycle, Incident Response teams work on identifying the presence of any suspicious activity within their organization by utilising the procedures outlined in the preparation and planning stage. In the event that a threat is identified, a detailed analysis of its origin, its type and the attackers' goals needs to take place. During this phase, it is critical that Incident Response teams collect and document all the evidence found. Once this information has been gathered, it needs to be communicated effectively across the organization. Using the plans established in the prior phase, stakeholders, authorities and legal counsel need to be alerted and instructed on the steps to be taken now that a cyber incident has occurred.
After the identification of a threat, the next step is to contain and eliminate it. Organizations should prioritise reaching the containment stage as quickly as possible so that the repercussions of the attack can be controlled and mitigated. There are two key ways containment can be achieved: short-term and long-term.
Short-term containment refers to the process of isolating immediate threats; for example, this may involve segmenting networks or taking servers that have been affected by the attacker offline. Long-term containment, on the other hand, involves re-assigning access controls in unaffected areas to lower the chance of the attack spreading across the infrastructure.
Once the threat has been contained and its extent is understood, organizations need to work on elimination. Security teams can begin ejecting attackers and removing malware from systems. This phase continues until all traces of the attack are removed.
In this fourth stage of the life cycle, organizations bring patched and updated replacement systems online. In a perfect scenario, systems can be brought online without any data loss, but more often than not teams must determine when the last clean copy of data was created and restore from it. The recovery phase also involves security teams monitoring networks and systems for a period after the attack to make sure malicious actors don't return.
In the final stage of the life cycle, organizations review how effective their incident response was and what could be done better next time. This stage also involves security teams completing thorough documentation of events for later review or reference.
So that is a basic 5-step incident response template that you can use as a base for building your incident response plan, customised to your unique business needs.
Does your company currently have an incident response plan in place? StickmanCyber's expert team can help review your current cybersecurity setup and set up the right incident response plan to secure your business.