Incident Response
Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and cost.
Responding to an incident quickly helps an organization minimize losses, mitigate the vulnerabilities that were exploited, restore services and processes, and reduce the risk posed by future incidents. (definition source)
According to the SANS Institute, there are six key phases of an incident response plan:
Preparation: Preparing users and IT staff (plans, contacts, tooling, logging) so that they can handle incidents should they arise.
Identification: Determining whether an event is indeed a security incident, and establishing its scope (which hosts, accounts and data are involved).
Containment: Limiting the damage of the incident and isolating affected systems to prevent it from spreading further.
Eradication: Finding the root cause of the incident, removing the attacker's foothold (malware, backdoors, rogue accounts) and taking affected systems out of the production environment until they are clean.
Recovery: Returning affected systems to the production environment, verifying that no threat remains and monitoring them closely for re-infection.
Lessons learned: Completing the incident documentation and analysing what happened in order to improve future response efforts.
Incident Response Use Cases
| Use case | Typical actions |
|---|---|
| Identify and update compromised host | Run a malware scan, update firewall rules, disconnect the system from the Internet, disable compromised user accounts. |
| All-user monitoring | Find out which accounts are legitimate and which were newly created, disable compromised user accounts, reset the passwords of all users. |
| Investigate and mitigate data exfiltration | Block the data transfer, disable compromised hosts and user accounts. |
| Handle services | Find out which services and system processes were stopped, recover them, restart them. |
| Act against . . . | Act against the affected host, network traffic, |
Table source: www.resolvesystems.com
- Some further incident response use cases: call in experts, figure out what is going on and how it happened, and investigate the processes, methods, devices and tools (where possible) that were used during the attack.
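The "compromised host", "all-user monitoring" and "data exfiltration" use cases above all start with the same question: which hosts, accounts and addresses are involved, and what do we lock down first? The script below is an added example (not code from the page or from resolvesystems.com) that walks the identification and containment steps over a few constructed Linux auth.log lines: it flags accounts created outside the known baseline and logins from outside the trusted network, then produces a per-host containment plan (lock the account, kill its sessions, block the remote address in both directions, force a password change for every user). The hostnames, users, addresses, the KNOWN_ACCOUNTS baseline and the 10.0.0.0/8 trusted range are all assumptions made for the example; the commands are returned as strings for an operator to review, never executed.

```python
"""Triage helper for the compromised-host / user-account use cases.

Added example: parses constructed Linux auth.log lines, flags new accounts
and logins from untrusted addresses, and emits a containment plan.
Hosts, users, IPs and the baseline below are made up for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not taken from any real system).
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:02 web01 useradd[2211]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash
Jan 12 03:14:30 web01 sshd[2250]: Accepted password for svc_backup from 203.0.113.45 port 51822 ssh2
Jan 12 03:15:11 web01 sshd[2260]: Failed password for root from 203.0.113.45 port 51830 ssh2
Jan 12 03:16:00 db01 sshd[3101]: Accepted publickey for alice from 10.0.0.7 port 40000 ssh2
Jan 12 03:20:45 web01 sshd[2290]: Accepted password for svc_backup from 203.0.113.45 port 51901 ssh2
"""

# Assumed baseline: accounts the team expects to exist, and the corporate network.
KNOWN_ACCOUNTS = {"root", "alice", "deploy"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

USERADD_RE = re.compile(
    r"^\S+ \d+ [\d:]+ (?P<host>\S+) useradd\[\d+\]: new user: name=(?P<user>[^,]+)"
)
SSHD_RE = re.compile(
    r"^\S+ \d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return a list of event dicts; 'kind' is 'useradd' or 'login'."""
    events = []
    for line in text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            events.append({"kind": "useradd", "host": m["host"], "user": m["user"]})
            continue
        m = SSHD_RE.match(line)
        if m:
            events.append({"kind": "login", "host": m["host"], "user": m["user"],
                           "ip": m["ip"], "ok": m["result"] == "Accepted"})
    return events


def is_trusted(ip):
    """True if the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def identify(events, known_accounts=KNOWN_ACCOUNTS):
    """Identification phase: which hosts, accounts and addresses look compromised."""
    findings = {"new_accounts": set(), "bad_ips": set(),
                "compromised_hosts": set(), "compromised_accounts": set()}
    for ev in events:
        if ev["kind"] == "useradd" and ev["user"] not in known_accounts:
            # An account nobody provisioned is a classic persistence sign.
            findings["new_accounts"].add((ev["host"], ev["user"]))
            findings["compromised_hosts"].add(ev["host"])
        elif ev["kind"] == "login" and not is_trusted(ev["ip"]):
            findings["bad_ips"].add(ev["ip"])
            if ev["ok"]:  # a successful login from outside means the account is burned
                findings["compromised_hosts"].add(ev["host"])
                findings["compromised_accounts"].add((ev["host"], ev["user"]))
    return findings


def containment_plan(findings, all_accounts):
    """Containment phase: per-host commands for an operator to review and run."""
    plan = defaultdict(list)
    suspect_accounts = findings["compromised_accounts"] | findings["new_accounts"]
    for host in sorted(findings["compromised_hosts"]):
        for h, user in sorted(suspect_accounts):
            if h == host:
                plan[host].append(f"usermod -L {user}")      # lock the account
                plan[host].append(f"pkill -KILL -u {user}")  # drop its live sessions
        for ip in sorted(findings["bad_ips"]):
            plan[host].append(f"iptables -I INPUT -s {ip} -j DROP")
            plan[host].append(f"iptables -I OUTPUT -d {ip} -j DROP")  # stop exfiltration
        for user in sorted(all_accounts):  # force a password change for every user
            plan[host].append(f"chage -d 0 {user}")
    return dict(plan)


if __name__ == "__main__":
    found = identify(parse_auth_log(SAMPLE_AUTH_LOG))
    for host, cmds in containment_plan(found, KNOWN_ACCOUNTS).items():
        print(f"# {host}")
        print("\n".join(cmds))
```

In a real investigation the baseline would come from a configuration-management inventory rather than a hard-coded set, and the plan would be pushed through your orchestration tooling after review; the point of keeping commands as data is that the identification evidence and the containment actions are recorded together for the lessons-learned phase.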
A video tutorial for this part will be available at http://youtube.com/studentvideotutorial
Featured image via Pixabay.com