6 Key Steps to Incident Response Planning
As the threat of cyber-attacks increases for every business, once-basic disaster recovery plans are evolving to encompass incident response planning. Proper planning and well-thought-out steps can help reduce an incident from crisis mode to non-impactful.
So, what’s an incident? An "incident" refers to an adverse event that implies or attempts harm. An event is any observable occurrence in a system and/or network, such as a system reboot, network outage, password change or server crash. The six steps below can be remembered with the acronym PICERL (Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned).
- Preparation: “By failing to prepare, you're preparing to fail.” – Benjamin Franklin. Implementing the correct organizational policies and procedures is one of the biggest steps you can take towards preparing the business to deal with an incident. Have you identified and empowered the correct resources to respond to an incident? Have you assessed what operational impact an incident may have on your organization? Laying this groundwork is the critical first step to incident preparedness.
- Identification: The bulk of all incidents detected usually comes either from sensor platforms or from things people just happen to notice. It’s important to distinguish between simple mistakes by users, admins or others and actual nefarious behavior. It’s essential that we can ascertain with a high degree of accuracy whether we've identified an incident which threatens to compromise the security of the organization.
- Containment: The first thing we need to do is take immediate action to contain the incident so it can’t spread and cause further damage. Containment is about damage limitation, protecting your critical assets and preventing the attackers or malicious code from spreading even further. This can include immediate short-term actions to stop the bleeding, followed by forensic copies to capture volatile evidence before it is lost, and ultimately making sure the attacker has been denied access.
- Eradication: The most critical element in eradicating the threat is identifying the point of compromise, examining the scope of the attack and acting to remove any residual back-door access left by the attacker. One needs to get rid of the attacker's artifacts on the compromised machines. Determine the root cause and symptoms of the incident, and ultimately determine how it was executed, to prevent further similar attacks.
- Recovery: This is the phase in which your traditional backup and disaster recovery plans often come into play. Often the incident has knocked systems offline, and proper recovery and restoration steps must be followed.
- Lessons Learned: During every incident, mistakes occur. Learning from these mistakes and highlighting what went well is a critical process for improving your ongoing disaster recovery plans. Following a proper post-mortem exercise is highly recommended.