What is Incident Response?
Any event that might disrupt an organization’s operations, including a system breach, a threat to the CIA triad (confidentiality, integrity or availability), or a violation of policy, is considered an incident. What should an organization do if such an incident occurs? An incident response plan lays out the specific actions to take when an incident occurs and also helps the organization be prepared before one does.
According to NIST, there are four phases to the Incident Response Lifecycle: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and lastly Post-Incident Activity.
The preparation phase includes creating the incident response team and the incident response plan, and also being proactive. Making sure that proper policies are in place and that defense mechanisms exist to protect the organization’s assets is all part of preparation. To implement those defense mechanisms, it is critical to first identify all the assets in the organization.
Detection, also known as identification, involves finding out whether an incident has really occurred and how severe it is. Searching for indicators of attack and indicators of compromise is also part of this phase. After the incident is identified, the possibly affected assets are analyzed to detect any suspicious behavior and to collect the information needed to investigate the incident.
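The detection and analysis step described above, as an added example that is not part of the original article: a small Python sweep that matches log lines against a list of indicators of compromise and then triages the matches into a severity and a set of affected hosts. Every indicator value, hostname and log line here is constructed for the example (the IPs come from the reserved TEST-NET ranges and the hash is a placeholder), and the log format is an assumption rather than any real product's output.

```python
"""Added example: an indicator-of-compromise (IoC) sweep and simple triage.

All indicators and log lines are constructed for illustration; they are
not real IoCs and are not part of the original article.
"""
import re
from dataclasses import dataclass, field

# Constructed indicators (assumed format: one set of strings per IoC type).
IOCS = {
    "ip": {"198.51.100.23", "203.0.113.77"},   # TEST-NET addresses, not real attackers
    "sha256": {"d3adbeef" * 8},                # placeholder 64-hex-char hash
    "domain": {"update-check.example"},        # reserved example TLD
}

# Constructed syslog-like sample lines: "<timestamp> <host> <source>: <message>".
SAMPLE_LOGS = [
    "2024-03-01T09:12:01 host1 sshd: Failed password for root from 198.51.100.23 port 4410",
    "2024-03-01T09:12:04 host1 sshd: Failed password for root from 198.51.100.23 port 4412",
    "2024-03-01T09:12:09 host1 sshd: Accepted password for root from 198.51.100.23 port 4415",
    "2024-03-01T09:15:30 host2 edr: file created path=/tmp/svc hash=" + "d3adbeef" * 8,
    "2024-03-01T09:16:02 host2 dns: query name=update-check.example type=A",
    "2024-03-01T10:00:00 host3 sshd: Accepted publickey for alice from 10.0.0.5 port 5000",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"name=([A-Za-z0-9.-]+)")


@dataclass
class Finding:
    host: str
    ioc_type: str
    value: str
    line: str


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    affected_hosts: set = field(default_factory=set)
    severity: str = "none"


def extract(line):
    """Yield (ioc_type, value) observables found in one log line."""
    for ip in IP_RE.findall(line):
        yield "ip", ip
    for digest in HASH_RE.findall(line):
        yield "sha256", digest
    for name in DOMAIN_RE.findall(line):
        yield "domain", name


def sweep(lines, iocs=IOCS):
    """Return a Finding for every observable that matches a known indicator."""
    findings = []
    for line in lines:
        host = line.split()[1]  # second field is the host in the assumed format
        for ioc_type, value in extract(line):
            if value in iocs.get(ioc_type, ()):
                findings.append(Finding(host, ioc_type, value, line))
    return findings


def triage(findings):
    """Turn raw matches into a severity and the set of hosts to analyze.

    Rules (an assumption for the example, not a standard):
      high   - a known-bad file hash on a host, a successful login from an
               indicator IP, or matches spanning more than one host
      medium - any other match (e.g. only failed logins from an indicator IP)
      none   - no matches at all
    """
    result = Triage(findings=list(findings))
    result.affected_hosts = {f.host for f in findings}
    if not findings:
        result.severity = "none"
    elif (any(f.ioc_type == "sha256" for f in findings)
          or any(f.ioc_type == "ip" and "Accepted" in f.line for f in findings)
          or len(result.affected_hosts) > 1):
        result.severity = "high"
    else:
        result.severity = "medium"
    return result


if __name__ == "__main__":
    report = triage(sweep(SAMPLE_LOGS))
    print(f"severity={report.severity} hosts={sorted(report.affected_hosts)}")
    for f in report.findings:
        print(f"  {f.host}: {f.ioc_type}={f.value}")
```

The split into `sweep` and `triage` mirrors the phase itself: matching indicators tells you an incident may have occurred, while triage decides how severe it is and which assets need analysis, which is what the containment phase that follows will act on.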
The goal of the next phase is to overcome the incident: containing it so that it cannot spread laterally, eradicating any malware from the affected systems, and then recovering the assets to the state they were in before the attack.
The final phase, post-incident activity, is very important because it helps the organization be better prepared for incidents that might occur in the future. The team goes over the details of how and where the incident occurred, identifies the vulnerabilities that were exploited, and discusses what steps can be taken to strengthen those weaknesses. Everything done during the incident response should be documented and used to learn from the situation.