The Five Incident Response Steps
It is important to remember that implementing incident response steps is a process and not an isolated event. For a truly successful incident response, the team should have a coordinated approach. There are five key steps in responding to incidents to ensure efficiency.
The five important incident response steps are the following.
Preparation
The key to an effective incident response is preparation. Even the best team cannot effectively address a situation without proper guidelines or a plan. This should be in place in order to support the team and is one of the most important incident response steps.
Features that should be included in the plan are:
- Develop and document policies and procedures for proper incident response management.
- Create a communication standard so teams can coordinate properly during an incident.
- Incorporate threat intelligence feeds, and perform ongoing analysis and synchronization of feeds.
- Do cyber hunting exercises for a more proactive approach to incident response.
- Assess the current threat detection capability of the organization, and update if needed.
Detection and Reporting
The second in the series of incident response steps is detecting and reporting potential security threats.
Firewalls, intrusion prevention systems (IPS), and data loss prevention solutions can all help you monitor security events in the environment.
Security threats can be detected by correlating the alerts in a SIEM solution.
An incident ticket should then be created and the initial findings documented. An incident classification is then assigned.
All report processes should include ways to accommodate regulatory reporting escalations.
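As an added example (not part of the original article), the following Python script shows the correlation-then-ticketing flow described above on constructed sample log events: several failed logins from one source followed by a success within a short window are correlated into one alert, which is then turned into an incident ticket record carrying initial findings and a classification. The event format, the threshold/window values and the classification labels are assumptions for illustration.

```python
"""Toy SIEM-style correlation over constructed sample login events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): timestamp, source IP, user, outcome
SAMPLE_EVENTS = [
    "2024-03-01T10:00:01 10.0.0.5 alice FAIL",
    "2024-03-01T10:00:03 10.0.0.5 alice FAIL",
    "2024-03-01T10:00:04 10.0.0.5 alice FAIL",
    "2024-03-01T10:00:05 10.0.0.5 alice FAIL",
    "2024-03-01T10:00:06 10.0.0.5 alice FAIL",
    "2024-03-01T10:00:09 10.0.0.5 alice SUCCESS",
    "2024-03-01T10:01:00 10.0.0.7 bob FAIL",       # single failure, not an alert
    "2024-03-01T10:05:00 10.0.0.7 bob SUCCESS",    # success outside the window
]

def parse(line):
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome

def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per source that logged >= threshold FAILs within
    `window` and then a SUCCESS (assumed rule: brute force that worked)."""
    fails = defaultdict(list)   # source IP -> timestamps of recent failures
    alerts = []
    for ts, src, user, outcome in sorted(map(parse, lines)):
        if outcome == "FAIL":
            fails[src].append(ts)
            fails[src] = [t for t in fails[src] if ts - t <= window]
        elif outcome == "SUCCESS":
            recent = [t for t in fails[src] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({"source": src, "user": user,
                               "failures": len(recent),
                               "success_at": ts.isoformat()})
            fails[src].clear()  # a success ends the current burst
    return alerts

def open_ticket(alert, ticket_id):
    """Incident ticket with initial findings and a classification
    (severity rule and label names are assumptions)."""
    severity = "high" if alert["failures"] >= 10 else "medium"
    return {
        "id": ticket_id,
        "classification": "credential-access/brute-force-success",
        "severity": severity,
        "initial_findings": (f"{alert['failures']} failed logins from "
                             f"{alert['source']} before successful login "
                             f"as {alert['user']} at {alert['success_at']}"),
        "regulatory_escalation_required": False,  # assumption: set per policy
    }
```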
Analysis
Most of the understanding of a security threat happens during the analysis part of the incident response steps. Evidence is collected from the data coming in from tools and systems for proper analysis and identification of the incident.
Analysts should focus on three main areas:
- Find any tracks that could have been left behind by the threat actor.
- Collect all the artifacts required to recreate the timeline of events.
- Analyze the systems from a forensic perspective.
  - Analyze any malicious binaries or tools used by the attacker, and document these programs along with their functionalities. This can be done either through behavioral analysis or static analysis.
  - Check systems and the event log to determine what was compromised.
  - Document all the accounts, machines, tools, programs, etc. that were compromised for proper containment.
Containment and Neutralization
The fourth in the incident response steps is one of the most critical: containing and neutralizing the threat based on all indicators gathered through the analysis. Normal operations can resume after system restoration.
Coordinated Shutdown
Once all the affected systems are identified, a coordinated shutdown should be done for these devices.
Wiping and Rebuild
All infected devices need to be wiped and their operating systems rebuilt from the ground up. Passwords need to be changed for all accounts compromised by the threat event.
Threat Mitigation Requests
If domains or IP addresses are identified and known to be used by threat actors, you should issue a threat mitigation request in order to block all future communication with these domains.
Post-Incident Activity
Even after containment is successful, there is more work to be done in the final of the incident response steps:
- Create a complete incident report.
- Closely monitor the activities of affected devices and programs.
- Update your threat intelligence to avoid similar attacks.
- Last but not least of the incident response steps, implement new preventive measures.