Forcepoint defines incident response as the methodology an organization uses to respond to and manage a cyberattack. An attack or information breach can unleash devastation possibly influencing clients, protected innovation organization time and assets, and brand esteem. Here, incident response intends to lessen this harm and recoup as fast as could reasonably be expected. Examination is likewise a key part so as to gain from the attack and better plan for what’s to come. Since numerous organizations today experience a breach sooner or later in time, an all around created and repeatable incident response plan is the most ideal approach to ensure your organization.
Incident Response Plan
According to SANS institute, the incident response plan can be divided into six stages viz preparation, identification, containment, eradication, recovery & lessons learned. Each of these stages carry a significant value in the incident response process.
The first stage preparation includes developing of policies, and procedures following an event or a cyberattack. This will incorporate deciding the specific organization of the response team and the triggers to caution inside partners. Key to this cycle is effective preparation to react to a breach and documentation to record activities taken for later audit.
The second stage identification is the process of detecting a breach and enabling a quick, focused response. IT security teams identify breaches using various threat intelligence streams, intrusion detection systems, and firewalls.
The third stage containment follows after identification is to contain the damage and prevent further penetration. This can be accomplished by taking specific sub-networks offline and relying on system backups to maintain operations.
The fourth stage eradication neutralizing the breach or the attack restoring internal systems to as close to their previous state as possible. This can involve secondary monitoring to ensure that affected systems are no longer vulnerable to subsequent attack.
The fifth stage recovery refers to the data recovery of the organization which might have been damaged or deleted during the attack. Security teams need to validate that all affected systems are no longer compromised and can be returned to working condition.
The final stage lessons learned, constitutes to one of the important activity as it is essential to learn the breach and the plan of action to avoid such mishappenings and future and ensure safety of information. During this stage, the incident response team and partners meet to determine how to improve future efforts. This can involve evaluating current policies and procedures, as well specific decisions the team made during the incident.
Importance of Incident response
Now, that we have an idea of how incident response works and the various stages described on the left, it is without a doubt imperative to have an incident response. This is not only to defend current attacks or breaches but also be prepared if the event has to reoccur. According to Crowdstrike, incident response helps in multiple dimensions. Because an incident response plan is not solely a technical matter, the IR plan must be designed to align with an organization’s priorities and its level of acceptable risk.
Incident response pioneers need to comprehend their associations’ momentary operational prerequisites and long haul key objectives so as to limit disturbance and limit information loss during and after an incident.
The insight gained through the incident response cycle can feedback into the risk management process just as the incident response measure itself, to guarantee better treatment of future occurrences and a more grounded security pose by and large.
When investors, shareholders, customers, the media, judges, and auditors ask about an incident, a business with an incident response plan can point to its records and prove that it acted responsibly and thoroughly to an attack.
Crowdstrike stresses on the need to develop an incident response plan. Organizations often lack the in-house skills to develop or execute an effective plan on their own. If they are lucky enough to have a dedicated team, they are likely exhausted by floods of false positives from their automated detection systems or are too busy handling existing tasks to keep up with the latest threats.
“The plan should also define who is in charge and who has the authority to make certain critical decisions. Those aren’t things to figure out–let alone argue over–in the heat of the moment.“Crowdstrike
Data breaches cost companies’ operational downtime, reputational, and financial loss. The longer any vulnerability stays in a system, the more lethal it becomes. For most of the organizations, breaches lead to devaluation of stock value and loss of customer trust.
It is the process and procedures that are predefined to manage an incident. It involves the planning and the actionable stage, before, during, and after an incident is detected
Both incident handling and incident response go hand in hand. It is often assumed as one function for better ease in processes. This is where incident management comes in. Incident management is the scope of having both incident response and incident handling come together to ensure the end-to-end process, right from reporting an issue to planning and resolving the issue.
It is a set of technical activities done in order to analyze, detect, defend against, and respond to an incident. It is a part of the incident handling and incident management process. It is often used in synchrony with the term incident handling.
- Forcepoint – Incident Response – Reference
- Crowdstrike – WHAT IS INCIDENT RESPONSE & WHY YOU NEED A PLAN? – Reference
- EC Council – Your Ultimate Guide to Incident Response – Reference
- CISCO – Incident Response for IT – Reference