What is Incident Response in Cyber Security
An incident response plan is a document that outlines an organization’s procedures, steps, and responsibilities of its incident response program. An effective cybersecurity incident response requires a lot of pre-planning and a written incident response plan that can be used when an incident occurs. Incident response planning should include the following details:
- How incident response supports the organization’s broader mission.
- The organization’s approach to incident response.
- Specific tasks to be accomplished during each phase of the incident response.
- Roles and responsibilities of each team member.
- How the incident will be tracked.
- What the escalation procedures are.
- How information will be communicated between the incident response team and the rest of the organization and other stakeholders.
- Metrics to capture the effectiveness of plan capabilities.
What are the Phases of Incident Response?
The National Institute of Standards and Technology (NIST) identifies four phases of effective incident response:
Preparation:
Incidents happen suddenly and can cause chaos for an organization, so planning and preparation are critical to an effective response. Preparation includes developing and testing specific response procedures for the threat events that would have the greatest negative impact on the organization.
Detection and Analysis:
The second phase of IR is to determine whether an incident occurred, along with its severity and type. This entails reviewing alerts, logs, and systems and interviewing users to determine the details of what happened and the method or attack vector used. This phase also includes triage to decide the order in which affected systems are handled during containment and eradication.
Containment, Eradication, and Recovery:
Many incident response models depict recovery as a distinct and separate phase; however, the NIST model combines containment, eradication, and recovery into a single phase, so they are addressed here according to the NIST model. The containment phase is designed to halt the effects of an incident before it can cause further damage. This includes disconnecting infected systems from the network as quickly as possible. Depending on the situation, other systems will also likely need to be disconnected. As this is being done, or soon after, additional members of the team begin locating and removing the cause of the incident on infected systems and make the updates or changes necessary to eradicate the offending malware. In some cases, hard drives need to be wiped, and known uninfected backed-up data or images are scanned and cleared during the recovery process to restore the systems and data to operational capacity.
Post-Incident Activity:
A lessons-learned meeting involving all relevant parties should be held after a major incident. A root-cause analysis is developed, and gaps and improvement areas relevant to the incident response are identified, with the goal of preventing a recurrence and improving incident response procedures.
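As an added illustration (not part of the original article) of three of the plan elements above, namely tracking an incident through the NIST phases, applying escalation rules, and capturing metrics, the following Python model records when an incident entered each phase, refuses out-of-order transitions, and derives time-to-contain and time-to-close; the severity-based escalation thresholds are assumed for the example and are not taken from NIST.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The four NIST phases, in the only order an incident record may move through them.
PHASES = ("preparation", "detection_analysis",
          "containment_eradication_recovery", "post_incident")

# Assumed escalation policy (hypothetical thresholds, not NIST's): how long an
# incident of a given severity may stay open before it is escalated to the IR lead.
ESCALATE_AFTER = {"high": timedelta(0), "medium": timedelta(hours=4),
                  "low": timedelta(hours=24)}

@dataclass
class Incident:
    incident_id: str
    severity: str                                 # "low" | "medium" | "high"
    detected_at: datetime
    phase: str = "detection_analysis"             # tracking starts at detection
    timeline: dict = field(default_factory=dict)  # phase -> time it was entered

    def __post_init__(self):
        self.timeline[self.phase] = self.detected_at

    def advance(self, phase: str, at: datetime) -> None:
        """Move to the next phase only; skipping or going backwards is rejected."""
        if PHASES.index(phase) != PHASES.index(self.phase) + 1:
            raise ValueError(f"{self.incident_id}: {self.phase} -> {phase} not allowed")
        if at < self.timeline[self.phase]:
            raise ValueError(f"{self.incident_id}: timestamps must not go backwards")
        self.phase, self.timeline[phase] = phase, at

    def needs_escalation(self, now: datetime) -> bool:
        """True while the incident is unresolved and open longer than its threshold."""
        open_for = now - self.detected_at
        return self.phase != "post_incident" and open_for >= ESCALATE_AFTER[self.severity]

    def metrics(self) -> dict:
        """Hours from detection to start of containment and to closure (None if not reached)."""
        def hours_to(p):
            if p not in self.timeline:
                return None
            return (self.timeline[p] - self.detected_at).total_seconds() / 3600
        return {"time_to_contain_h": hours_to("containment_eradication_recovery"),
                "time_to_close_h": hours_to("post_incident")}

# Constructed sample: a medium-severity incident worked through the phases.
t0 = datetime(2024, 5, 1, 9, 0)
inc = Incident("INC-0001", "medium", detected_at=t0)
inc.advance("containment_eradication_recovery", t0 + timedelta(hours=2))
inc.advance("post_incident", t0 + timedelta(hours=30))
```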