Incident response planning can be risky business. It requires you to consider what could happen in the future, so you can best plan for it now. Underestimating the risk can result in severe strategic, reputational, operational, or financial failures, but overestimating the risk exposure can be inefficient and costly, taking resources away from other important business and security matters. So, where do you draw the line? The best incident response planners know the secret to planning can be found in one simple word: effective. While it is not possible to predict every type of incident, you can form a plan to be used as a guide for all your responses. This is a core idea in the NIST Computer Security Incident Handling Guide. NIST recommends following a six-phase approach to handling incidents. To best understand this topic, we will explore the six phases in this article and provide practical examples of each.

Detection

Detection is the phase in which your organization is alerted to a suspicious event. For your incident response plan to be most effective, your detection plans should answer two questions:
Methods

Detection methods are most successful when they exist in a layered environment. Having multiple channels for detection casts a wide net and can help you see more clearly whether an event is an incident, because the same activity shows up as similar data from several independent points (event correlation). Some common detection methods include:
Each of these detection methods can provide valuable information regarding an incident's authenticity, origins, and/or activities. Documenting the detection methods used by your organization can help identify any gaps in detection, which can result in a more adaptable plan for any type of incident.

First Steps

When all the pieces start to come together and a suspicious event is detected, your plan should outline three steps to take during the detection stage:
When a potential incident is detected, the early steps can be some of the most critical. It is important to have first steps outlined to ensure that, regardless of the type of event, personnel know what to do, when to do it, and who is responsible for initiating the response process.

Analysis

Analysis is the phase in which your organization takes steps to verify whether a suspected event is an incident or not. For your incident response plan to be most effective, your analysis plans should include details to help you answer two questions:
Characteristics

Regardless of the type of event, your plan should encourage incident handlers to look at four characteristics:
With the answers to these questions in mind, handlers can confirm whether the event is an incident and begin walking through the classification process.

Classification

Classifying an incident allows your team to communicate about the nature and scope of an incident, determine which response plans should be implemented, and enable trend analysis during post-incident activities. Two common forms of classification include:
Including classification strategies in your response plan helps ensure you have the resources you need, so you don't have to make as many decisions in the moment.

Containment

Once an incident has been analyzed, your plan should include containment strategies to help you isolate affected areas. For your incident response plan to be most effective, your containment plans should guide your team to answer the following questions:
The containment strategy will be largely determined in the moment, as it will depend on the nature of the incident, as well as the affected systems, areas, and/or people. By defining containment considerations up front, you can guide decisions and help ensure the chosen plan is the most effective and prudent for your organization.

Eradication

While the containment phase is all about stopping the incident from spreading, eradication is about getting rid of it entirely. Like containment, eradication strategies are largely going to depend on the specific incident and, at times, will be joined with the recovery phase. For your response plan to be most effective, eradication strategies should help you answer these questions:
During the eradication process, if you find the incident has affected other systems, further analysis and containment should be performed.

Recovery

The recovery phase is the part of the response plan in which affected areas are returned to normal operation. For your incident response plan to be most effective, your recovery strategies should include recommended steps to follow to achieve this goal. Examples may include restoring data from a backup, rebuilding servers, replacing hardware, reprovisioning accounts, etc. The ultimate recovery goal is to do what you can to return your systems to a secure state and protect them from recurrence of the same incident. Once processes and systems are restored, they should be tested to ensure they are fully functional and ready to return to production.

Postmortem

The final phase in responding to an incident is the postmortem. Your plan should define the actions that come after incident recovery to review and document lessons learned from the incident. Three common activities included as part of the postmortem include:
The goal of the postmortem is to take what was learned from the incident and use the information to further improve the effectiveness of the incident response plan.

Bringing It All Together

As incidents continue to increase in frequency and severity, a well-documented plan for the six phases of incident management is a must for any organization. Building the plan alone can be challenging, but with the right partner, your plan can be effective and ready for any type of incident that comes your way. Tandem Incident Management is designed with organizations like yours in mind. Tandem's flexible framework includes an incident response plan component, as well as an incident tracking system, designed to walk your organization through developing and using the six-phase plan. To learn more about Tandem Incident Management, visit Tandem.App/Incident-Management-Software.