What is Incident Response?
Incident response is a set of rules and procedures that are used to identify, contain, and eliminate cybersecurity incidents. An incident is a detrimental event to the company that requires immediate prevention, containment, eradication, and remediation steps to be implemented.
The 6 Phases of an IRP
When an incident occurs, it is important that everyone knows exactly what to do. The more time spent idle during an incident, the worse the problem can become. Today we will take a look at a fundamental concept in Incident Response. The 6 phases of an Incident Response Plan (IRP):
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned
The preparation phase is the first step in the IRP. In the preparation phase, risk assessments are performed to determine the overall security posture of the company. That way, the company knows where it stands in terms of security, which assets are the most vulnerable, and which are more likely to be targeted by threat actors. That’s it. The first phase is simply asset management, so that the security team knows what they’re defending and exactly what they need to do if an incident occurs. More accurate security policies, procedures, and methodologies are developed by the end of this phase. Just to get a bit meta, the IRP itself is part of the preparation phase!
The identification phase is where the SOC (Security Operations Centre) spends most of its time. Security analysts and threat hunters scour through an aggregated set of standardised logs utilising a SIEM (Security Information and Event Management) solution. Splunk is the most commonly used SIEM software on the market nowadays, but at the end of the day, if you understand the query language and what you are looking for, they are all quite similar and easy to learn. Once an incident is detected, intel must be gathered and documented. This includes information about the type of attack, suspicious IP addresses, the point of entry, etc. Involved parties are also alerted, including stakeholders and incident responders. It’s time to start resolving the incident!
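To make the identification phase concrete, here is an added example (not code from the original post) that does in a few lines what a SIEM query would do: it normalises constructed sshd log lines, flags a password-guessing source, and records the intel the paragraph asks for (attack type, suspicious IP, point of entry, affected users). The log lines, hostnames and IP addresses are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in syslog style; not taken from any real system.
SAMPLE_LOGS = """\
Mar 10 02:14:01 web01 sshd[2210]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar 10 02:14:03 web01 sshd[2210]: Failed password for root from 203.0.113.45 port 51023 ssh2
Mar 10 02:14:05 web01 sshd[2210]: Failed password for admin from 203.0.113.45 port 51024 ssh2
Mar 10 02:14:09 web01 sshd[2210]: Accepted password for admin from 203.0.113.45 port 51026 ssh2
Mar 10 02:20:11 web01 sshd[2230]: Accepted publickey for deploy from 192.0.2.10 port 40012 ssh2
Mar 10 02:21:40 db01 sshd[911]: Failed password for postgres from 198.51.100.7 port 33001 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_auth_lines(lines):
    """Normalise raw sshd lines into dicts (what a SIEM does at ingest); skip non-matches."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "seq": len(events)})  # seq keeps log order
    return events

def identify_incidents(events, threshold=3):
    """Flag each (source IP, host) with >= threshold failed logins and record the intel."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (failures if e["result"] == "Failed" else successes)[(e["ip"], e["host"])].append(e)
    incidents = []
    for (ip, host), fails in failures.items():
        if len(fails) < threshold:
            continue  # isolated failures are noise, not an incident
        # A success from the same IP after the failures suggests the guessing worked
        later = [s for s in successes[(ip, host)] if s["seq"] > fails[-1]["seq"]]
        incidents.append({
            "attack_type": "ssh_password_brute_force",
            "suspicious_ip": ip,
            "point_of_entry": f"{host}:sshd",
            "first_seen": fails[0]["ts"],
            "failed_attempts": len(fails),
            "targeted_users": sorted({f["user"] for f in fails}),
            "possible_compromise": bool(later),
            "compromised_user": later[0]["user"] if later else None,
        })
    return incidents
```

The single failure against db01 stays below the threshold and is not raised, while the web01 entry is flagged with possible_compromise set, which is the signal that the containment phase should start.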
The objective of the containment phase is self-explanatory: to prevent the attack from spreading and to segment off the affected areas. Affected systems are taken offline, and clean, patched versions of those systems are built. The important part of this phase is to isolate the affected networks and systems to prevent the spread and worsening of the incident. Once that has been achieved, we can begin the next phase.
In the eradication phase, malware and threat actors are removed from the organisation’s network. This phase continues until all traces of the attack are removed. Obviously, the quicker an Incident Response team reacts to an incident, the less damaging, time-consuming, and costly this phase will be. Every second counts during an incident!
Now that the threat has been eliminated, the updated clean systems are brought back online in the recovery phase. Ideally, systems can be restored without loss of data, but this isn’t always possible. That’s why backups are so vital! Systems are also monitored for an extended period of time in case the attackers attempt to return.
The final phase requires the team to analyse the incident. What did the team do well, and what could they improve? This can be taken into account when reviewing security policies and measures, which brings us back to the preparation phase. These 6 phases form a cycle, as it is a continuous process. Threat actors don’t rest, so we can’t (said someone who doesn’t sleep 🤡).
This was a short blog post and only covered a very small and generic aspect of Incident Response, but I wanted to write something since I’ve been reading a bit about IR recently, as well as SIEMs. I thought I’d lost my interest in cybersecurity these past few months as I’ve been job hunting. However, by reading some books on OT and IR, I’ve rediscovered this passion. I have been busy, but I know good things will happen.
I hope everyone is having a great day! 🙂