The Core Phases of Incident Response & Remediation

Planning and preparing for unexpected security incidents is perhaps one of the most difficult challenges for security practitioners. With a robust incident response (IR) plan, professionals can follow a foundation or standard for handling incidents.

You can use the following phases as a foundation to plan and implement your incident response plan.

The Core Phases of Incident Response

Preparation

A security team needs to be prepared for a security incident before one occurs. Preparation is one of the most essential steps of an incident response plan because it determines how the IR team will respond to the myriad of incidents that may affect the organization.

In the preparation phase, the security team should establish a written set of security policies that defines a security incident, how data breaches will be handled, and the policies for end users throughout the organization. SANS Institute offers helpful templates that you can access here:

General Information Security Policy

Network Security Policy

Server Security Policy

Application Security

Once the security policies have been created, your organization will need to create a strategy for handling incidents. The strategy should define how incidents are prioritized, who will manage and remediate them, what tools will be used to manage incident response, who will communicate and document important updates, and who will follow up on incidents with law enforcement officials, if necessary.

Lastly, your incident response team should be trained using simulation exercises, so they are well-prepared when an actual security incident happens. Regular training on incident response helps the entire team of responders know their roles and responsibilities throughout the IR process.

Identification

During the identification phase, your IR team will need to identify threats from log alerts, IDS/IPS, firewalls, and any other suspicious activity occurring on the network. Once a threat has been identified, it should be documented and communicated per the policy established during the preparation phase.

Incident responders should communicate the scope and impact of the threat and be as detailed as possible in all information related to the incident. This information can be used later in the lessons learned phase and if authorities require detailed information pertaining to the incident.
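The identification phase above turns raw alerts into a documented incident with a stated scope. The following added example (not from the original article) shows the shape of that step in code: it triages a handful of constructed, syslog-like authentication events, flags a source that guessed passwords until one succeeded, and produces an incident record listing the source, the accounts and hosts involved, and a timeline that can be handed to the rest of the IR team. The log format, field names and the failure threshold are assumptions made for this example.

```python
"""Triage constructed auth events into an incident record (example code, not the
article's own). Log format, field names and the threshold are all assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; they do not come from any real system.
SAMPLE_LOG = """\
2024-03-04T09:12:01 host=web01 event=auth_fail user=admin src=198.51.100.7
2024-03-04T09:12:03 host=web01 event=auth_fail user=admin src=198.51.100.7
2024-03-04T09:12:05 host=web01 event=auth_fail user=root src=198.51.100.7
2024-03-04T09:12:07 host=web01 event=auth_fail user=admin src=198.51.100.7
2024-03-04T09:12:09 host=web01 event=auth_fail user=backup src=198.51.100.7
2024-03-04T09:12:12 host=web01 event=auth_ok user=backup src=198.51.100.7
2024-03-04T09:13:40 host=db02 event=auth_ok user=backup src=198.51.100.7
2024-03-04T09:15:00 host=web01 event=auth_ok user=alice src=203.0.113.5
"""

# Assumed threshold: failed logins from one source before a later success is suspicious.
FAIL_THRESHOLD = 4


def parse_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def triage(log_text, threshold=FAIL_THRESHOLD):
    """Return a list of incident records, one per suspicious source address.

    A source becomes an incident when it logs in successfully after at least
    `threshold` failures. Every later success from that source, on any host,
    is added to the record so the scope (hosts, accounts) is captured.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    fails = defaultdict(int)        # src -> failed attempts seen so far
    first_seen = {}                 # src -> timestamp of its first failure
    incidents = {}                  # src -> incident record
    for e in events:
        src = e["src"]
        if e["event"] == "auth_fail":
            fails[src] += 1
            first_seen.setdefault(src, e["ts"])
        elif e["event"] == "auth_ok" and fails[src] >= threshold:
            inc = incidents.setdefault(src, {
                "source": src,
                "first_seen": first_seen[src].isoformat(),
                "failed_attempts_before_success": fails[src],
                "compromised_accounts": [],
                "affected_hosts": [],
                "timeline": [],
            })
            if e["user"] not in inc["compromised_accounts"]:
                inc["compromised_accounts"].append(e["user"])
            if e["host"] not in inc["affected_hosts"]:
                inc["affected_hosts"].append(e["host"])
            inc["timeline"].append(
                f"{e['ts'].isoformat()} successful login as {e['user']} on {e['host']}")
    return list(incidents.values())


def format_report(incident):
    """Render one incident record as the text a responder would file and share."""
    lines = [
        f"Source: {incident['source']} (first seen {incident['first_seen']})",
        f"Failed attempts before first success: {incident['failed_attempts_before_success']}",
        f"Accounts used: {', '.join(incident['compromised_accounts'])}",
        f"Hosts affected: {', '.join(incident['affected_hosts'])}",
        "Timeline:",
    ] + [f"  - {t}" for t in incident["timeline"]]
    return "\n".join(lines)


if __name__ == "__main__":
    for inc in triage(SAMPLE_LOG):
        print(format_report(inc))
```

The record deliberately keeps hosts and accounts as ordered lists rather than free text, so the same structure can feed the containment step (which hosts to isolate) and the lessons learned report without being re-typed.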

Containment

Once a threat has been identified, the IR team should work to contain the threat to prevent further damage to other systems and the organization at large. It is during this phase that the responder quickly isolates any infected machine and works on backing up any critical data on an infected system, if possible.

Next, a temporary fix should be implemented on an infected machine to prevent the threat from escalating. The goal is to limit the number of systems compromised during this phase.

Eradication

Once the threat has been sufficiently contained, the IR team should work to implement a more permanent fix. This might include patching hardware, reconfiguring systems and application architecture, or rebuilding systems for production. The goal is to eliminate the entry point(s) that the threat actor used to obtain access to the network.

During the eradication phase, the IR team should also be documenting all actions required to eradicate the threat. In addition, any defenses in the network should be improved so that the same incident doesn’t occur again.

Recovery

At the recovery stage, any production systems affected by a threat will be brought back online. This includes any data recovery or restoration efforts that need to take place as well.

The IR team will need to decide when operations will be restored, test and verify that infected systems are fully restored, continue to monitor for malicious activity, and validate recovery.
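One concrete way to "test and verify that infected systems are fully restored" is to compare the rebuilt system against a known-good baseline captured before the incident. The following added example (not from the original article) does that with a constructed baseline manifest of file hashes and a constructed snapshot of the restored host, reporting files that were modified, files that are missing, and files that are present but were never in the baseline. The file paths and contents are assumptions made for this example; a real baseline would be captured from the golden image or configuration management.

```python
"""Validate a restored host against a known-good file manifest (example code,
not the article's own). Paths, contents and the manifest are constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(data).hexdigest()


# Constructed known-good contents, as captured from the golden image before the incident.
GOLDEN_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/data.tgz /srv/data\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}
# The baseline manifest stores only path -> hash, which is what would be kept long-term.
BASELINE = {path: sha256_hex(content) for path, content in GOLDEN_FILES.items()}

# Constructed snapshot of the rebuilt host: one file drifted, one is missing,
# and one file exists that the baseline never contained.
RESTORED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/usr/local/bin/backup.sh": GOLDEN_FILES["/usr/local/bin/backup.sh"],
    "/etc/cron.d/leftover": b"# entry that is not part of the baseline\n",
}


def validate_recovery(baseline, restored):
    """Compare restored file contents against the baseline manifest.

    Returns a dict with 'ok' plus sorted lists of modified, missing and
    unexpected paths, so the result can be filed with the recovery record.
    """
    restored_hashes = {path: sha256_hex(content) for path, content in restored.items()}
    modified = sorted(p for p in baseline
                      if p in restored_hashes and restored_hashes[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in restored_hashes)
    unexpected = sorted(p for p in restored_hashes if p not in baseline)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def format_result(result):
    """One line per finding, suitable for the recovery sign-off notes."""
    if result["ok"]:
        return "Recovery validated: restored files match the baseline."
    lines = ["Recovery NOT validated:"]
    lines += [f"  modified:   {p}" for p in result["modified"]]
    lines += [f"  missing:    {p}" for p in result["missing"]]
    lines += [f"  unexpected: {p}" for p in result["unexpected"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_result(validate_recovery(BASELINE, RESTORED_FILES)))
```

A system only passes when all three lists are empty; an unexpected file is treated as a failure rather than ignored, because leftovers from the incident are exactly what this check exists to catch before the host goes back into production.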

Lessons Learned

Finally, the IR team should finalize documentation from the incident investigation and remediation as well as supply a detailed report that reviews the entire incident response process. It’s during this phase that the team gleans insights from the IR process to improve steps in each phase for the future.

A formal or informal meeting can be conducted to debrief and cover the scope of the incident. The IR team may also want to provide recommendations for improvement in the IR process and how the threat can be contained and eradicated in the future.

With these phases, a security team can put together their own blueprint for incident response and investigation. If you lack the resources and/or time to handle security incidents, consider the value in outsourcing the IR process to a third-party managed security services provider (MSSP).


About CIPHER

Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited SOC I & SOC II Type 2 and ISO 20000 & ISO 27001 certified Managed Security Services and Security Consulting Services with expertise across PCI DSS holding the PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past six years. These services are supported by the best-in-class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and complemented by strategic partners around the globe.

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions.
