5 Step of Incident Response

Five Step of Incident Response

Incident response may be a process, not an isolated event. so as for incident response to achieve success , teams should take a coordinated and arranged approach to any incident. There are five important steps that each response program should cover so as to effectively address the wide selection of security incidents that a corporation could experience.

Preparation is that the key to effective incident response. Even the simplest incident response team cannot effectively address an event without predetermined guidelines. a robust plan must be in situ to support your team. so as to successfully address security events, these features should be included in an event response plan:

  • Develop and Document IR Policies: Establish policies, procedures, and agreements for incident response management.
  • Define Communication Guidelines: Create communication standards and guidelines to enable seamless communication during and after an event .
  • Incorporate Threat Intelligence Feeds: Perform ongoing collection, analysis, and synchronization of your threat intelligence feeds.
  • Conduct Cyber Hunting Exercises: Conduct operational threat hunting exercises to seek out incidents occurring within your environment. this enables for more proactive incident response.
  • Assess Your Threat Detection Capability: Assess your current threat detection capability and update risk assessment and improvement programs.

The following resources may assist you develop an idea that meets your company’s requirements:

NIST Guide: Guide to check , Training, and Exercise Programs for IT Plans and Capabilities
SANS Guide: SANS Institute InfoSec room , Incident Handling, Annual Testing and Training

The focus of this phase is to watch security events so as to detect, alert, and report on potential security incidents.

  • Monitor: Monitor security events in your environment using firewalls, intrusion prevention systems, and data loss prevention.
  • Detect: Detect potential security incidents by correlating alerts within a SIEM solution.
  • Alert: Analysts create an event ticket, document initial findings, and assign an initial incident classification.
  • Report: Your reporting process should include accommodation for regulatory reporting escalations.

The bulk of the trouble in properly scoping and understanding the safety incident takes place during this step. Resources should be utilized to gather data from tools and systems for further analysis and to spot indicators of compromise. Individuals should have in-depth skills and an in depth understanding of live system responses, digital forensics, memory analysis, and malware analysis.

As evidence is collected, analysts should specialize in three primary areas:

Endpoint Analysis

  • Determine what tracks may are left behind by the threat actor.
  • Gather the artifacts needed to create a timeline of activities.
  • Analyze a bit-for-bit copy of systems from a forensic perspective and capture RAM to parse through and identify key artifacts to work out what occurred on a tool .

Binary Analysis

  • Investigate malicious binaries or tools leveraged by the attacker and document the functionalities of these programs. This analysis is performed in two ways.

Behavioral Analysis

  • Execute the computer virus during a VM to watch its behavior
    Static Analysis: Reverse engineer the computer virus to scope out the whole functionality.

Enterprise Hunting

  • Analyze existing systems and event log technologies to work out the scope of compromise.
    Document all compromised accounts, machines, etc. in order that effective containment and neutralization are often performed.

Also Read: Important Categories of Incident

This is one among the foremost critical stages of incident response. The strategy for containment and neutralization is predicated on the intelligence and indicators of compromise gathered during the analysis phase. After the system is restored and security is verified, normal operations can resume.

  • Coordinated Shutdown: Once you’ve got identified all systems within the environment that are compromised by a threat actor, perform a coordinated shutdown of those devices. A notification must be sent to all or any IR team members to make sure proper timing.
  • Wipe and Rebuild: Wipe the infected devices and rebuild the OS from the bottom up. Change passwords of all compromised accounts.
  • Threat Mitigation Requests: If you’ve got identified domains or IP addresses that are known to be leveraged by threat actors for command and control, issue threat mitigation requests to dam the communication from all egress channels connected to those domains.

There is more work to be done after the incident is resolved. make certain to properly document any information which will be wont to prevent similar occurrences from happening again within the future.

  • Complete an event Report: Documenting the incident will help to enhance the incident response plan and augment additional security measures to avoid such security incidents within the future.
  • Monitor Post-Incident: Closely monitor for activities post-incident since threat actors will re-appear again. We recommend a security log hawk analyzing SIEM data for any signs of indicators tripping which will are related to the prior incident.
  • Update Threat Intelligence: Update the organization’s threat intelligence feeds.
  • Identify preventative measures: Create new security initiatives to stop future incidents.
  • Gain Cross-Functional Buy-In: Coordinating across the organization is critical to the right implementation of latest security initiatives.

Topic Related Questions

Top Incident Handling Knowledge

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com


Leave a Comment