Incident Response (IR) is not a single action but a set of pre-defined actions that form part of a process. Within the IT industry, poorly coordinated incident response can have disastrous effects when data breaches and ransomware occur.
Luckily, there are publicly available standards that provide a framework for IR plans. The most notable of these is NIST Special Publication 800-61, the Computer Security Incident Handling Guide.
The National Institute of Standards and Technology (NIST) Incident Response guide breaks the process down into four phases. The guide is quite technical in nature, but it has the advantage of being independent of platform, operating system and application.
The 4 Phases
Even though preventative measures can be taken to lessen the frequency of security-related threats, they cannot eliminate all threats, and a plan should be in place to deal with threats when they occur.
The four phases are: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity.
Preparation
Preparation ensures that effective systems are in place to deal with incidents. It involves training an Incident Response Team, implementing the correct tools and setting up the appropriate processes before an incident occurs.
A preparation plan or “jump kit” can be created to facilitate a quick and easy response to incidents. It should include:
- Contact information and tools such as on-call information and encryption software.
- Incident analysis hardware and software, such as laptops and forensic workstations.
- Incident analysis resources, such as port lists, lists of critical assets and cryptographic hashes of known-good files.
- Incident mitigation software, including installation media, backup images and security patches.
Detection and Analysis
To prevent an incident from causing damage, you first need to recognize irregular activity and identify it as malicious. Incidents fall into several broad categories, including:
- Denial of Service
- Malicious Code
- Unauthorized Access
- Inappropriate Usage
- Multiple Component
Incident identification or detection can be done automatically, through network- or host-based intrusion detection systems (IDSs), antivirus software and log analyzers, or through manual means such as problem reporting by users and staff. Most companies receive thousands of potential threat indicators per day, so expertise is needed to properly assess them and identify real threats.
Once an incident has been identified, the Incident Response Team should analyze the scope and severity of the incident, recording every step as they go and calling in additional expertise if necessary.
Thereafter, incidents should be documented, prioritized and reported.
Containment, Eradication and Recovery
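The detection-and-documentation step above, as an added example that is not part of the original article and not NIST's own tooling: a minimal host-based log analyzer that reads authentication log lines, flags a source that fails to log in repeatedly and then succeeds (a typical "Unauthorized Access" pattern), and turns the finding into an incident record with a category, a priority, a time window and the evidence lines an analyst would need for documentation and reporting. It goes one step beyond the text by also recording sources that reach the failure threshold without ever succeeding, at a lower priority. The log lines are constructed for this example in an OpenSSH-like format; the failure threshold and the root-versus-other priority rule are assumptions chosen for illustration, not values from the page or the guide.

```python
"""Added example (not from the article or NIST): detect a brute-force login
pattern in constructed auth log lines and emit incident records suitable for
the documentation and prioritization step of Detection and Analysis."""
import re
from collections import defaultdict

# Constructed sample log lines in an OpenSSH-like format (not real captures).
SAMPLE_LOG = """\
Mar 10 08:01:02 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 10 08:01:05 host1 sshd[2203]: Failed password for root from 203.0.113.45 port 51130 ssh2
Mar 10 08:01:07 host1 sshd[2205]: Failed password for root from 203.0.113.45 port 51133 ssh2
Mar 10 08:01:09 host1 sshd[2207]: Failed password for root from 203.0.113.45 port 51140 ssh2
Mar 10 08:01:12 host1 sshd[2209]: Failed password for root from 203.0.113.45 port 51144 ssh2
Mar 10 08:01:15 host1 sshd[2211]: Accepted password for root from 203.0.113.45 port 51150 ssh2
Mar 10 08:02:00 host1 sshd[2215]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar 10 08:03:11 host1 sshd[2218]: Failed password for bob from 198.51.100.9 port 40022 ssh2
Mar 10 08:03:20 host1 sshd[2219]: Accepted password for bob from 198.51.100.9 port 40023 ssh2
Mar 10 08:05:01 host1 sshd[2230]: Failed password for ubuntu from 192.0.2.10 port 60010 ssh2
Mar 10 08:05:03 host1 sshd[2231]: Failed password for ubuntu from 192.0.2.10 port 60011 ssh2
Mar 10 08:05:05 host1 sshd[2232]: Failed password for ubuntu from 192.0.2.10 port 60012 ssh2
Mar 10 08:05:07 host1 sshd[2233]: Failed password for ubuntu from 192.0.2.10 port 60013 ssh2
Mar 10 08:05:09 host1 sshd[2234]: Failed password for ubuntu from 192.0.2.10 port 60014 ssh2
"""

# Fields we need: timestamp, host, result, account name and source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5  # assumed: failures from one source before we call it brute force


def parse_events(log_text):
    """Turn raw lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["raw"] = line
            events.append(ev)
    return events


def _record(category, prior, last, outcome, priority):
    """Build one incident record from the evidence events (oldest first)."""
    return {
        "category": category,
        "host": last["host"],
        "source": last["src"],
        "user": last["user"],
        "failed_attempts": len(prior),
        "first_seen": prior[0]["ts"],
        "last_seen": last["ts"],
        "outcome": outcome,
        "priority": priority,
        "evidence": [e["raw"] for e in prior] + ([last["raw"]] if last is not prior[-1] else []),
    }


def detect_incidents(events, threshold=FAIL_THRESHOLD):
    """Flag sources that fail >= threshold times; a following success is the serious case."""
    failures = defaultdict(list)  # source address -> failed-login events seen so far
    incidents = []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev)
            continue
        prior = failures.pop(ev["src"], [])  # a success resets the counter
        if len(prior) >= threshold:
            # Assumed priority rule: a compromised root account outranks any other.
            priority = "High" if ev["user"] == "root" else "Medium"
            incidents.append(_record("Unauthorized Access", prior, ev,
                                     "successful login after repeated failures", priority))
    # Sources that hit the threshold but never succeeded are still worth recording.
    for prior in failures.values():
        if len(prior) >= threshold:
            incidents.append(_record("Unauthorized Access", prior, prior[-1],
                                     "no successful login observed", "Low"))
    return incidents


def format_report(incident):
    """Render one incident as the record the IR team documents and hands on."""
    lines = [
        f"Category: {incident['category']}  Priority: {incident['priority']}",
        f"Host: {incident['host']}  Source: {incident['source']}  Account: {incident['user']}",
        f"Window: {incident['first_seen']} .. {incident['last_seen']}  "
        f"Failed attempts: {incident['failed_attempts']}",
        f"Outcome: {incident['outcome']}",
        "Evidence:",
    ] + ["  " + raw for raw in incident["evidence"]]
    return "\n".join(lines)


if __name__ == "__main__":
    for inc in detect_incidents(parse_events(SAMPLE_LOG)):
        print(format_report(inc), end="\n\n")
```

Run on the constructed log, the analyzer reports two incidents: a High-priority one for 203.0.113.45, which logged in as root after five failures, and a Low-priority one for 192.0.2.10, which reached the threshold without success. The single failure from 198.51.100.9 stays below the threshold and is not raised, which is the triage point the text makes: the tooling surfaces candidates, and the threshold and priority rules encode the analyst's judgement about which ones deserve a documented incident.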
Containment is necessary for most incidents and serves to lessen the damage caused by the threat. Containment strategies vary according to the type of incident, and organizations are advised to create containment strategies in advance for each major incident type.
Eradication is necessary for some incidents; for others, recovery alone will remove the traces of the threat. Eradication includes removing malicious code and disabling breached user accounts.
All systems should then be restored to normal operation, either from backups or by rebuilding from scratch, followed by tightening of security.
Post-Incident Activity
One of the most important aspects of threat prevention is learning from past experiences. It is therefore important to hold a recap meeting to discuss what happened, so that systems can be improved and further incidents of the same nature can be prevented.
Data collected from each incident should be used to assess the performance of the Incident Response Team and to justify additional resources for the team where needed.
Each step in the NIST incident response guide is vital for the proper handling of an incident. Security companies’ IR plans should thus follow the whole life cycle as recommended by NIST for a comprehensive IR solution.