An incident response plan is a documented set of phases that helps IT security professionals recognize cybersecurity incidents and react to them properly.
According to Gartner, the SANS Institute (founded 1989) is one of the world’s premier cybersecurity training organizations. The SANS Institute methodology defines six incident response phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
Within each phase there are specific areas that should be considered. Below, we walk through each phase and identify the items that need to be addressed.
The Preparation Phase
Make sure all aspects of your incident response plan (security training, hardware, software resources, etc.) are approved and funded in advance.
Thoroughly explain and document everyone’s roles and responsibilities. This phase must be tested to ensure that your employees will perform as they were trained. The better prepared your employees are, the less likely they are to make critical mistakes.
Make sure that everyone has been trained on security policies, and that your incident response team knows its roles and has participated in mock drills.
This is also a good time to update and patch your systems, review your remote access protocols, change all user and administrative access credentials, and harden all passwords.
The Identification Phase
During this phase the security team determines whether your organization’s systems have been breached. A cybersecurity incident can originate from many different areas.
Briefly, you will record how and when the incident was discovered and who discovered it. You will then follow the necessary steps to identify the source (point of entry) of the attack vector, and assess how it affects your operations.
The Containment Phase
When a breach is first discovered, people are usually tempted to securely delete everything so they can just get rid of it. This approach will likely hurt the organization in the long run, because you will destroy valuable evidence that your IT security team needs to determine where the breach started and to create a plan to prevent it from happening again.
Instead, contain the breach and quarantine the malware you have identified so that it cannot spread and cause further damage to your business. If you can, disconnect affected devices from the Internet; isolating them rather than wiping them preserves the evidence the investigation depends on.
Have both short-term and long-term containment strategies in place. Keeping up-to-date backups is essential to restoring your business operations.
The Eradication Phase
Once you have contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should be patched again, and updates should be applied.
The Recovery Phase
This is the process of restoring the affected systems to their pre-attack state. During this time, it is important to get your systems, devices, and business operations up and running again.
Keep monitoring the situation, especially the systems and applications that were affected, to confirm that a similar attack does not recur, and update your security incident response plan accordingly.
The Lessons Learned Phase
Once the assessment is complete, gather all incident response team members and discuss what you have learned from the security incident. At this point you will analyze and document everything about the breach.
This documentation may also be used for a data breach insurance claim. It can save the company prospective legal costs and fines, not to mention the brand damage associated with a data breach, which can be severe for a business, especially if the organization is a startup.
No one wants to go through a security incident, but it is essential to prepare for one. Know what to do when it happens and regularly test your plan’s efficiency. For this purpose, regularly run simulated attacks to test your organization’s incident response plan and how fast your team reacts. This habit will produce at least two important results: a deep understanding of your plan (tasks, processes) and a list of gaps that should be addressed. Where there is room for improvement, all changes must be properly documented for them to have real, lasting value for your security operations team.