Incident Response – The Five Steps
Contrary to public perception, incident response is a process and not a one-off event. For incident response to be truly successful, teams have to use an integrated and organized method to tackle any incident.
These are the five key steps that compose an effective incident response program:
Preparation
At the core of every incident response program that works is preparation. Even the best people cannot work effectively without preset guidelines, so a solid plan to support the team is a must. To successfully address security events, this plan should include four elements: IR policy development and documentation, communication guidelines, threat intelligence feeds, and cyber hunting exercises.
Detection and Reporting
This phase involves monitoring security events in order to detect security incidents, issue warnings, and report on the incidents that are found.
* Security event monitoring is possible with the help of intrusion prevention systems, firewalls, and data loss control measures.
* Potential security incident detection can be done through the correlation of alerts in a Security Information and Event Management (SIEM) system.
* Before alerts are issued, analysts create an incident ticket, present initial findings, and lay down a preliminary incident classification.
* When reporting, there must be room for regulatory reporting escalations.
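As an added example (not from the original article), the correlation step above can be illustrated with a small script that groups alerts from several sources per host into time-windowed incident tickets, records the initial findings as an ordered timeline, and assigns a preliminary classification. The alert records, hosts, categories and classification rules are all constructed for illustration.

```python
# Added example: correlate SIEM-style alerts into incident tickets with a
# preliminary classification. Alert data and rules below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from the monitoring sources the text names
# (intrusion detection, firewall, data loss prevention).
ALERTS = [
    {"source": "ids", "host": "ws-17", "time": "2024-03-01T09:02:10", "category": "c2_beacon"},
    {"source": "firewall", "host": "ws-17", "time": "2024-03-01T09:03:45", "category": "egress_blocked"},
    {"source": "dlp", "host": "ws-17", "time": "2024-03-01T09:15:00", "category": "bulk_upload"},
    {"source": "ids", "host": "srv-db1", "time": "2024-03-01T11:40:00", "category": "port_scan"},
    {"source": "ids", "host": "ws-17", "time": "2024-03-01T14:30:00", "category": "port_scan"},
]

WINDOW = timedelta(minutes=30)  # alerts on one host closer than this belong together

def classify(categories):
    """Preliminary classification from the set of alert categories seen together."""
    if "bulk_upload" in categories and "c2_beacon" in categories:
        return ("high", "possible data exfiltration")
    if "c2_beacon" in categories:
        return ("medium", "possible malware beaconing")
    return ("low", "reconnaissance or policy noise")

def make_ticket(host, group):
    """Build the incident ticket: initial findings plus an ordered timeline."""
    severity, finding = classify({e["category"] for e in group})
    return {"host": host, "severity": severity, "finding": finding,
            "sources": sorted({e["source"] for e in group}),
            "timeline": [(e["time"], e["source"], e["category"]) for e in group]}

def correlate(alerts, window=WINDOW):
    """Group alerts per host; a new ticket starts when the gap exceeds `window`."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):  # ISO timestamps sort lexically
        by_host[a["host"]].append({**a, "ts": datetime.fromisoformat(a["time"])})
    tickets = []
    for host, events in by_host.items():
        group = [events[0]]
        for ev in events[1:]:
            if ev["ts"] - group[-1]["ts"] <= window:
                group.append(ev)
            else:
                tickets.append(make_ticket(host, group))
                group = [ev]
        tickets.append(make_ticket(host, group))
    return tickets

if __name__ == "__main__":
    for t in correlate(ALERTS):
        print(t["host"], t["severity"], t["finding"], t["sources"], len(t["timeline"]))
```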
Triage and Analysis
This is where most of the effort to properly scope and understand the security incident takes place. Resources must be used to gather data from tools and systems for deeper analysis and to spot indicators of compromise. Team members must be highly skilled and knowledgeable in live system response and digital forensics, along with malware and memory analysis.
In collecting evidence, analysts have to concentrate on three core areas:
a. Endpoint Analysis
> Know the tracks left by the threat actor
> Get artifacts necessary to the creation of a timeline of activities
> Conduct a forensic analysis of a complete copy of the affected systems, and scan captured RAM to locate the key artifacts that reveal what transpired on a device
b. Binary Analysis
> Examine suspicious binaries or tools used by the attacker and document the capabilities of those programs.
> Scrutinize current systems and event log technologies to know the scope of compromise.
> Document all machines, accounts, etc. that may have been compromised for damage containment and neutralization.
Containment and Neutralization
This counts among the most critical steps of incident response. The approach to containment and neutralization is based on the intelligence and indicators of compromise identified during the analysis step. After systems have been restored and their security verified, normal operations can resume.
Post-Incident Activity
After the incident has been resolved, there is still more work to do. Any information that can be used to stop similar problems in the future must be documented. This phase can be split into the following:
> completion of an incident report to improve the incident response plan and prevent similar security incidents in the future
> post-incident monitoring to stop the reappearance of the threat actors
> intelligence feed updates
> identifying measures for preventive maintenance
> improving coordination across the organization for proper implementation of new security methods