Organizations rely on incident response (IR) to ensure they are immediately aware of security incidents, enabling quick action to minimize damage. They also aim to avoid follow-up attacks or related incidents in the future.
The SANS Institute provides research and education on information security. In an upcoming webinar, we’ll break down in detail the six components of the SANS incident response plan, including elements such as preparation, identification, containment, and eradication.
6 complete IR steps
- Preparation: This is the first phase and involves reviewing existing security measures and policies, carrying out risk assessments to find potential vulnerabilities, and creating a communications plan that lays out protocols and alerts staff to potential security risks. During the holidays, the preparation phase of your IR plan is critical, as it gives you the opportunity to communicate holiday-specific threats and get the wheels moving to address those threats as they are identified.
- Identification: The identification stage is when an incident has been identified, either one that has already occurred or one that is in progress. This can happen in a number of ways: by internal teams, by third-party consultants or managed service providers, or, in the worst case, because the incident results in a data breach or infiltration of your network. Because so many holiday cybersecurity attacks involve end-user credentials, it’s a good idea to consult the security mechanisms that monitor how your network is accessed.
- Containment: The goal of the containment stage is to minimize the damage caused by a security incident. These steps vary depending on the incident and can include protocols such as isolating a device, disabling email accounts, or disconnecting a vulnerable system from the main network. Because containment measures often have severe business implications, short-term and long-term containment decisions should be made in advance so that security concerns are not addressed in a last-minute scramble.
- Eradication: Once you’ve contained a security incident, the next step is to ensure the threat has been completely removed. It may also involve investigative steps to find out who, what, when, where, and why the incident occurred. Eradication may involve a disk cleanup procedure, restoring the system from a clean backup, or a full disk re-image. The eradication phase may also include removing malicious files, modifying registry keys, and possibly reinstalling the operating system.
- Recovery: The recovery phase is the light at the end of the tunnel, allowing your organization to return to business as usual. As with containment, recovery protocols are best established in advance so that appropriate actions are taken to ensure systems are secure.
- Lessons learned: During the lessons-learned phase, you will need to document what happened and record how your IR strategy worked at every step. This is an important time to consider details such as how long it took to detect and deal with the incident. Are there any signs of lingering malware or compromised systems after eradication? Was the incident related to a holiday-themed attack scheme? And if so, what can you do to prevent it next year?
How a lean security team can reduce stress
It’s one thing to incorporate best practices into your IR strategy. But establishing and then implementing these best practices is easier said than done when you don’t have the time or resources.
Leaders of smaller security teams face additional challenges triggered by this lack of resources. Tight budgets coupled with not having enough staff to manage security operations have left many lean security teams resigned to the idea that they won’t be able to keep their organizations safe from all-too-common attacks. Fortunately, there are resources for security teams in these difficult times. Cynet Incident Response Service offers a unique combination of Cynet’s security experience together with proprietary technology that enables fast and accurate incident response.