What are the correct steps in order for responding to a security incident?
It’s inevitable that you will be affected by a cybersecurity threat one day – whether it be a direct attack or a breach of a third-party provider. 61% of SMBs have experienced a cybersecurity threat in the past year, and the numbers are going up. Therefore, when (not if) that day comes you will need to be prepared to mitigate the effects. So how should you respond to a cybersecurity incident?
That’s where a cybersecurity incident response plan comes into play.

What Is Incident Response?

Incident response in cybersecurity is an organized approach to preparing for, detecting, controlling, and recovering from a cybersecurity breach. Cybersecurity incidents can be detrimental to the health of a company. In many cases, serious incidents lead to data loss and the failure of services, operations, and functions. Imagine Google was affected by a cybersecurity incident – who knows how many millions of people would be affected? It’d be hard to know “How to send large files online” without the world’s most used search engine in operation. To prevent catastrophic outcomes of a cybersecurity breach, businesses should have an incident response plan.

What Is An Incident Response Plan?

An incident response plan, as defined by the National Institute of Standards and Technology (NIST), is a document that uses a set of information security policies and guidelines to identify and prioritize risks, mitigate threats, and restore service after a cybersecurity breach. This predetermined set of instructions aims to limit the consequences of malicious cyberattacks on an organization’s information systems. For most cybersecurity incidents, the time it takes to detect and respond determines the severity and longevity of a breach. Therefore, to limit the impact on your organization, it’s important to follow these 7 steps as soon as possible.

7 Phases of Incident Response

1. Preparation

It’s nearly impossible to create a well-organized response to a cybersecurity threat in the moment. An incident response plan needs to be carefully prepared in advance of an attack to give your organization a fighting chance. To do so, your organization must conduct a risk assessment that identifies and addresses all potential threats inside and outside the organization. Once assessed, there should be consistent maintenance to prevent attacks.
For example, if your information system has a vulnerability introduced by a recent update, make sure it is immediately addressed and maintained over time. Otherwise, cyber attackers will use that critical vulnerability to enter your system, as we’ve seen many times this year already.

2. Identification

All phases of an incident response plan are important, but identification takes precedence. Organizations that are able to identify potential threats and determine their severity can prioritize how they’re managed and are most likely to experience only minor consequences compared to companies that cannot. The identification phase involves penetration testing – a simulated attack on your own system to evaluate its security and understand the likelihood of an event and its potential impact. By identifying current and potential cybersecurity threats, your organization is better prepared to contain the threat.

3. Containment

Don’t panic! The primal response to a cybersecurity breach may be to delete everything and take systems offline – but there’s a better way to contain a breach. If a system is taken offline and/or data is deleted, you risk losing valuable information about where the breach occurred and how it happened, and with it the ability to devise a plan based on the evidence. Instead, you can:
After the threat is contained, it will be a lot easier to eradicate it entirely.

4. Eradication

It’s time to eliminate the threat now that it has been contained. The eradication phase focuses on removing the problem and restoring harmed systems. This involves a complete reimaging of the system’s hard drive to ensure all malicious content has been thoroughly wiped and is no longer present to cause reinfection.

5. Recovery

Responding to an incident feels like a nonstop triathlon of effort; it’s finally time to recharge. Now that the threat has been contained and eradicated, the main goal is to bring systems back online and continue business as usual. In this phase, full service should be restored, and previously infected systems and/or networks must be tested, monitored, and validated to verify that the same assets are not reinfected. Additionally, all affected users, within and outside your organization, should be informed of the breach and its present status. In cases where account credentials were compromised, steps should be in place to reset passwords and/or deactivate accounts.

6. Learning

What’s the best way to show an attacker who’s boss? Learn. Create a report giving a play-by-play review of the incident that answers the 5 W’s (who, what, where, when, why). The purpose of this documentation is to learn from the incident in order to identify weaknesses and prevent recurrence. This information can be used to create a cybersecurity training plan for employees and serve as reference material in the event of another incident. It’s highly recommended that the learning phase take place within two weeks of the incident, while details are still fresh. It’s like studying for a test – the sooner you learn the material, the better recall you’ll have.

7. Re-testing

Now that you’ve completed the six core phases, it’s time for the final step. An incident response plan should always have a re-testing element.
Re-testing gives you the opportunity to fine-tune your plan and ensure it covers all necessary areas of security within the organization. You can use your findings to improve the process, adjust your plans and procedures, and find any gaps that may have gone unnoticed.

Benefits of an Incident Response Plan

In the end, it can be hard to see the advantages of your incident response plan while you’re still recovering from a cybersecurity breach. However, if you need more convincing to develop an incident response plan, perhaps the following advantages will do the trick:
Incident Response Plan Template

Ready to take control of your security? We’ve found some informative (and free) cybersecurity incident response plan templates to help get you started:
Conclusion

Congrats! You’ve survived a cybersecurity incident with minimal damage. Unfortunately, there’s no time to celebrate. Cyberattacks have been skyrocketing ever since the push for digitalization and remote work due to COVID-19. Now that more confidential information is hosted online, it serves as a goldmine for hackers. Hence the need to be prepared. The success of a cybersecurity incident plan is only as great as the people who create and uphold it. In a survey of more than 2,848 IT and IT security professionals, 77% of respondents stated that they lacked a formal incident response plan across their organization. It’s important, now more than ever, to create a cybersecurity incident plan to help protect your organization against cyber threats and be prepared in the event of a breach.

What are the steps taken during a security incident response?

Many organisations use NIST's Computer Security Incident Handling Guide as the basis of their incident response plan. It contains six phases: preparation, identification, containment, eradication, recovery and lessons learned.
What are the 5 steps to incident response?

SANS Incident Response Steps: Step #1: Preparation. Step #2: Identification. Step #3: Containment. Step #4: Eradication. Step #5: Recovery. Step #6: Lessons Learned.

What are the 7 steps in incident response?

7 Phases of Incident Response: Preparation (it's nearly impossible to create a well-organized response to a cybersecurity threat in the moment). Identification (all phases of an incident response plan are important, however, identification takes precedence). Containment (don't panic!). Eradication. Recovery. Learning. Re-testing.

Which of the following is the proper order for incident response?

Incident response is typically broken down into six phases: preparation, identification, containment, eradication, recovery and lessons learned.
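The phases above are a process rather than a program, but two of the article's points are measurable: the time between an attacker's first activity, detection and containment drives the severity of a breach, and the lessons-learned review should happen within two weeks. The following Python is an added example, not code from the article or from NIST or SANS. It keeps an incident timeline in the documented phase order, refuses to treat "eradicate before contain" as a valid sequence, computes time-to-detect, time-to-contain and time-to-recover, and fills in the "when" of the 5 W's report from the timeline. The incident name, host name and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Phases in the order the article lists them. A later phase must not be
# entered before an earlier one (for example, eradicating before containing
# destroys the evidence the containment phase is meant to preserve).
PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "learning", "re-testing"]

# The article recommends the learning phase within two weeks of the incident.
LESSONS_LEARNED_DEADLINE = timedelta(days=14)


@dataclass
class PhaseEvent:
    when: datetime
    phase: str
    note: str


@dataclass
class Incident:
    name: str
    first_activity: datetime  # earliest attacker activity found during identification
    events: list = field(default_factory=list)

    def record(self, when, phase, note):
        """Append a timestamped phase event; unknown phase names are rejected."""
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase}")
        self.events.append(PhaseEvent(when, phase, note))
        return self

    def first(self, phase):
        """Timestamp at which a phase was first entered, or None if never."""
        for e in sorted(self.events, key=lambda e: e.when):
            if e.phase == phase:
                return e.when
        return None

    def phase_order_ok(self):
        """True when, in time order, phases never step backwards in PHASES."""
        last = -1
        for e in sorted(self.events, key=lambda e: e.when):
            idx = PHASES.index(e.phase)
            if idx < last:
                return False
            last = idx
        return True

    def metrics(self):
        """Dwell and response times as timedeltas (None where a phase is missing)."""
        ident, contain = self.first("identification"), self.first("containment")
        recover, learn = self.first("recovery"), self.first("learning")
        return {
            "time_to_detect": ident - self.first_activity if ident else None,
            "time_to_contain": contain - ident if ident and contain else None,
            "time_to_recover": recover - ident if ident and recover else None,
            "lessons_learned_on_time": (ident is not None and learn is not None
                                        and learn - ident <= LESSONS_LEARNED_DEADLINE),
        }

    def five_ws(self, who, what, where, why):
        """Skeleton of the learning-phase report; 'when' is derived from the timeline."""
        m = self.metrics()
        detected = self.first("identification")
        return {
            "who": who, "what": what, "where": where, "why": why,
            "when": (f"first activity {self.first_activity:%Y-%m-%d %H:%M}, "
                     f"detected {detected:%Y-%m-%d %H:%M}, dwell {m['time_to_detect']}"),
        }


def sample_incident():
    """Constructed timeline (not from the article) for a single-workstation compromise."""
    inc = Incident("INC-0001 (constructed)", first_activity=datetime(2024, 3, 1, 2, 14))
    inc.record(datetime(2024, 3, 3, 9, 30), "identification",
               "EDR alert: unexpected scripting activity on workstation WS-17 (hypothetical host)")
    inc.record(datetime(2024, 3, 3, 10, 5), "containment",
               "WS-17 isolated at the network layer; memory and disk captured before any shutdown")
    inc.record(datetime(2024, 3, 3, 15, 40), "eradication",
               "WS-17 reimaged from a known-good image")
    inc.record(datetime(2024, 3, 4, 8, 0), "recovery",
               "WS-17 back in service under extra monitoring; affected user's credentials reset")
    inc.record(datetime(2024, 3, 8, 14, 0), "learning",
               "post-incident review held and report filed")
    inc.record(datetime(2024, 3, 20, 10, 0), "re-testing",
               "tabletop exercise run against the updated plan")
    return inc


def out_of_order_example():
    """Constructed counter-example: wiping the host before containing it."""
    inc = Incident("INC-0002 (constructed)", first_activity=datetime(2024, 4, 1, 0, 0))
    inc.record(datetime(2024, 4, 2, 9, 0), "eradication", "host reimaged immediately")
    inc.record(datetime(2024, 4, 2, 11, 0), "containment", "network isolation applied afterwards")
    return inc


if __name__ == "__main__":
    inc = sample_incident()
    print("phase order valid:", inc.phase_order_ok())
    for k, v in inc.metrics().items():
        print(f"{k}: {v}")
    print(inc.five_ws(who="one affected user on WS-17", what="commodity malware execution",
                      where="WS-17, finance VLAN (constructed)", why="phishing attachment opened"))
    print("out-of-order example valid:", out_of_order_example().phase_order_ok())
```

Feeding the same structure with real timestamps from your ticketing or SIEM system gives the time-to-detect and time-to-contain figures the article says determine severity, and the `phase_order_ok` check flags the "delete everything first" reflex that the containment section warns against.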