Cybersecurity Incident Response

Thursday, February 24, 2022

An incident can be defined as an unexpected disruption to a service. An incident can disrupt your business, which directly or indirectly impacts your customers.

A cyber incident is an event that could jeopardize the confidentiality, integrity, or availability of digital information or information systems.

Examples of incidents include the following, among others:

  • Application locks
  • Network service failures
  • Application crashes
  • Wi-Fi connectivity issues
  • File sharing difficulties
  • Unauthorized changes to systems, data or software
  • Denial of service (DoS)
  • Compromised user accounts

What is the most important thing to do if you suspect a security incident?

If you suspect an incident on a system that contains sensitive data, do not attempt the investigation or remediation yourself. Instruct all users on the system to stop work, remove the system from the office network by unplugging the cable or disconnecting it from the wireless network, and follow the incident reporting policy in the existing IR plan.

The importance of reporting an incident:

Incident reporting acts as a heads-up to management: it raises awareness of what can go wrong if corrective and preventive actions are not taken immediately. It gives management more detailed information to draw on whenever an incident occurs or recurs. Reported incidents also serve as a reminder of possible hazards, and when they are reported promptly it is easier to monitor potential problems and their root cause, since incidents tend to repeat. Reporting helps establish the who, what, when and where of an attack. Reporting an incident as soon as possible helps contain it and limit its adverse effects, reducing the cost to the organization both financially and in reputation.

Incident Response is a system of people, process, and technology leveraged to prepare for, detect, contain, and recover from a suspected cyber security incident or compromise.

People:

  • Incident Responders
  • Security Operations Center (SOC) Analysts
  • Forensic Analysts
  • Threat Intelligence

Process:

  • Incident Response Plan
  • Runbook/Playbook

Technology:

  • Response (SIEM, custom tooling)
  • Analysis (analytical/forensic tooling)
  • Detection (AV/EDR, customer log services, SIEM)

Not all security incidents can be prevented, so organizations must be prepared.

Incident Response Lifecycle:

According to NIST, the incident response lifecycle is broken into four phases, as follows:

Phase 1 – Preparation:

This covers all actions an organization takes to be ready for incident response, which means putting the right resources and tools in place.

Phase 2 – Detection and Analysis:

According to the NIST publication, accurately detecting and assessing incidents is difficult for some organizations.

Phase 3 – Containment, Eradication, and Recovery:

This phase covers the measures necessary to contain the incident, limiting its spread and keeping its impact as low as possible, and then directing the available resources to recover from the incident as quickly and effectively as possible to mitigate service disruptions.

Phase 4 – Post-Event Activity:

The most important part of the lifecycle is learning and improving after an incident, which means taking adequate time to analyze the incident response effort. Review your incident response procedures after the incident to highlight improvements and inform your planning for next time. This phase also covers advising on communications, both internal and external, including to authorities, the media and suppliers.
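As an added illustration (not code from the original post), here is a minimal Python incident ticket that enforces the forward-only order of the four NIST phases above and records the who, what, when and where that the reporting section calls for; the class, field and function names are my own assumptions, and the sample incidents are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
# The four phases as the post lists them; a ticket only moves forward through them.
PHASES = ["Preparation", "Detection and Analysis",
          "Containment, Eradication, and Recovery", "Post-Event Activity"]

@dataclass
class Incident:
    who: str        # reporter or affected user
    what: str       # short description, e.g. "compromised user account"
    where: str      # affected system or network segment
    when: datetime  # time the incident was first observed
    phase: str = PHASES[1]  # a new report opens in Detection and Analysis
    history: List[Tuple[str, datetime]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.history.append((self.phase, self.when))

    def advance(self, new_phase: str, at: datetime) -> None:
        """Move to the next phase only; refuse to skip a phase or go backwards."""
        cur, new = PHASES.index(self.phase), PHASES.index(new_phase)
        if new != cur + 1:
            raise ValueError(f"cannot move from {self.phase!r} to {new_phase!r}")
        if at < self.history[-1][1]:
            raise ValueError("phase timestamps must not go backwards")
        self.phase = new_phase
        self.history.append((new_phase, at))

    def time_to_contain(self) -> Optional[timedelta]:
        """Detection-to-containment delay, a figure the post-event review reports."""
        stamps = dict(self.history)
        if PHASES[2] not in stamps:
            return None
        return stamps[PHASES[2]] - stamps[PHASES[1]]

def example_ticket() -> Incident:
    """Constructed sample: a compromised account reported at 09:00, contained at 09:45."""
    inc = Incident("alice", "compromised user account", "hr-laptop-07",
                   datetime(2022, 2, 24, 9, 0))
    inc.advance(PHASES[2], datetime(2022, 2, 24, 9, 45))
    return inc

def skipping_a_phase_is_rejected() -> bool:
    # Jumping straight from analysis to Post-Event Activity must be refused.
    inc = Incident("bob", "DoS against web tier", "dmz-web-02", datetime(2022, 2, 24, 10, 0))
    try:
        inc.advance(PHASES[3], datetime(2022, 2, 24, 10, 5))
    except ValueError:
        return True
    return False
```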

Best Practice

This blog is based on a combination of the best practice cyber incident response framework developed by CREST, NIST SP 800-66rev2, and the international standard on incident management, ISO/IEC 27035.
