Cyber Incident Response

Are you equipped to handle the threats?

An incident is an event where a compromise or violation of an organization’s security happens. As such, incident responses team must undergo the planning, communication, and practice phases to gain the necessary expertise to respond to an incident in an organization. Incident response embroils four phases. These phases are instrumental in creating a concrete to incident response action and incidence response plan.

Phase 1: Preparation

This phase deals with preparing the team to handle an incident when notification occurs. A policy document must be available to provide the set rules, principles, and acceptable practices within the organization. Without clear policies on risk management, the organization is left vulnerable to lawsuits. A response plan should be in place to handle incidences. This strategy or plan helps identify incidence response prioritization. Prioritization of impacts helps build management buy-in, which is instrumental in providing management support and resources during a crisis.

Phase 2: Communication

Incidence response team should have clear guidelines on communication: whom to contact, when to contact and why during the incident. Lack of clear communication could lead to delayed incident response or inadequate mitigation resources. Documentation of incident response process is a potential lifesaver especially on cases of criminal investigation. A Document on incident could help bring a suspect to justice. Everything done but the incidence response team should be documented. This includes systems, command, actions executed during the responses. This Documentation will answer the Who, What, When, Where, Why, and How questions if they arise.

An incidence response team should be drawn from diverse expert background such as legal, human resources, and IT staff with specific specializations. Other aspects of preparations that must be looked into include Access control, Response tools, and incidence response training.

Phase 3: Identification

This is the phase where an incident must be identified, and its scope determined if indeed the incident is a threat. Identification gathered events from various sources such as error messages, log files and details from intrusion detection systems. These events have to produce evidence that the said notification is an incident.  The incident must be reported immediately to enable the Incident response team to spring into action. Two event handlers must be present to handle the incident; one to identify and assess the incident and another to gather evidence.

Phase 4: Containment.

Incidence containment seeks to limit father damage from occurring.  Short-term containment calls for isolation of the network segment with affected computers and servers that have been hacked. It’s a temporary solution to limit incident before it gets worse.System backup takes a forensic image of affected system. This is necessary before wiping or re-imaging the system. This forensic image serves as evidence of the incident and could be used in investigation of the attack. Long-term containment phase delves into removing hacker accounts and backdoors left by hackers to prevent further escalation while allowing normal operations to flow.

 Phase 5: Eradication

This is where the actual removal or restoration of affected systems occurs. The systems hard drives are re-imaged or ensure malicious content is removed to prevent re-infection.

When an attack occurs, organizations need to be fully prepared to deal with countermeasures. In cases of reputational attack, the faster the response to the attack, the better the outcome. Risk management currently focuses on incident security through management of known risks. Cyber resilience is about ensuring organizational sustainability even when subjected to the inevitable. Cyber resilience anticipates uncertainty as it is difficult to perform comprehensive risk assessment.

Phase 6: Recovery

This phase reintroduces affected systems into production. It is with uttermost care to ensure no incident reappears. In this phase testing, monitoring, and validation of systems is crucial to prevent re-infection.