6 Main Steps in Incident Response Methodology

Posted by alvina on June 26th, 2018

In the case of a security breach such as a cyber attack, the planned approach to addressing and managing its outcome is termed incident response. The main aim of incident response to a cyber attack is to handle the situation in such a way that the damage is reduced and the recovery time and cost also decrease. An organization's computer security incident response team (CSIRT) is responsible for carrying out the activities required for the incident response. The CSIRT includes staff from information security, general IT, and members at the C-suite level. Other team members are representatives of the legal, human resources and public relations departments. The CSIRT's response must comply with the organization's incident response plan (IRP), which outlines how the organization responds to a cyber attack.

If an incident is not handled properly, it can lead to bigger problems, up to the breakdown of the system. So it is necessary to respond to it quickly in order to limit the exploited vulnerabilities, ensure the restoration of services and decrease the probability of such incidents occurring in the future.

There are 6 main steps involved in the incident response methodology, which are explained below:

1. Well-prepared users:

It is necessary to prepare everyone in advance so that any potential incident, such as a cyber attack, can be handled tactfully by the users as well as the IT staff. Management should have ample knowledge of, and must test, the policies and procedures for a quick recovery so that the remediation process can resolve all the issues in less time, which significantly reduces the damage that can occur to the system. All the necessary incident response tools must be in place prior to the occurrence of any incident so that such situations can be handled efficiently.

2. Identifying a security incident:

If an incident occurs, its type should be identified, for example whether it is a theft of data, an insider threat or a network attack. After this, the severity of the incident should be judged so that the best remedial measure can be chosen from the Incident Response Policy and Procedures to get it resolved.

3. Isolation of the affected system:

This is necessary to prevent the damage from spreading to unaffected systems, which could lead to further disruption of services.

This is known as the containment phase. At this point, the right people must be notified immediately so that the response can be initiated quickly. Having the right tools and personnel available helps get the work done in less time.

4. Removal of the affected systems:

This can be done after identifying the cause behind the incident. The steps involve forensic analysis and identification of malicious code. Logs should be kept throughout the process. The personnel concerned should identify the information security weaknesses that need to be addressed.

5. Recovery of the affected systems:

This can be done once the threats have been successfully removed and the normal flow of operations can be restored. Even after this, it is necessary to keep monitoring events to make sure that the problem has been completely resolved and no threats remain in the network. Continuous examination also allows any suspicious activity to be caught at an early stage.

6. Learning from the incident:

After the issue has been resolved, it has to be documented in detail and analyzed so that lessons are learned and future incident response efforts improve. This will also help an organization identify whether its security posture needs to be updated.
