By Ubong Kingsley-Udoh
The earlier signs that you have a security incident are neither white nor black. Most individuals and organisations approach a security incident in every imaginable way and it’s always a knee-jerk reaction. To remediating a security incident, a proper incident response plan should be established.
In simpler terms, Incident response is the process of detecting and analysing incidents and palliating the consequence of an incident on an organisation. It’s very pivotal that every organisation should establish and enforce an Incident Response Plan to be implemented by an Incident Response Team.
Frequent attacks compromise the operations of organisations and it’s imperative organisations create procedures, policies and plans to effectively protect against incidents. The goals of an Incident Response Plan should include but not limited to:
- Assert that an incident has occurred
- Restore business continuity
- Minimise the impact of the incident
- Ascertain how the incident occurred
- Forestall future attacks/incidents
- Improve the organisation’s security posturing
- Communicate clearly with management and team members
INCIDENT RESPONSE LIFE CYCLE
An Incident Response Plan enwrapped in the Incident Response Lifecycle offers unique advantages that can significantly mitigate the downside of a breach. The IRP Plan from a best practice standpoint should encapsulate all the layers of the lifecycle processes: preparation, detection & analysis, containment, eradication & recovery and post-incident activities.
PREPARATION
Getting prepared is a vital process in the incident remediation process. Preparation is important to lessen the risk of an attack and this includes an organisation’s systems and applications. The Incident Response personnel should endeavour to have all the tools and resources up to date and the areas of focus should include network security, risk assessments, malware prevention and employee awareness.
DETECTION & ANALYSIS
Due to the large scale of attack vectors in recent times, detecting incidents precisely is quite difficult for most organisations. Presently, there are tons of network security tools such as Intrusion Protection System and Intrusion Detection System that help in mitigating attacks. When an incident occurs, the Incident Response personnel should analyse and validate each incident as quickly as possible. The analysis at first should focus on determining the incident extent, the systems/applications that are affected and how the incident happened. After the analysis, an indicator must be assigned so as to prioritise how bad the incidents are and the impact it has had on the organisation. Team members must communicate in clear terms to upper management and the feedback gotten must be distributed across the board.
CONTAINMENT, ERADICATION & RECOVERY
Containment is of vital importance before an incident permeates throughout an organisation’s network. As best practice, standards, procedures and strategies on containment must have been predetermined to make decision making easier. The decision-making process of the incident handler is the game-changer in containing threats. Collecting and keeping evidence is also vital if there would be a legal basis concerning the incident. Elimination is also vital to shred out components of the incident that could hamper business continuity such as malware or compromised accounts. In the end, system administrators restore and recover failed systems and most importantly remedy vulnerabilities to avoid similar threats from occurring again.
POST-INCIDENT ACTIVITY
As soon as the organisational processes have been restored and gone back to normal, it’s very paramount to initiate a knowledge transfer process on the lessons learnt. A full-scale report should be created to serve as a guide for ameliorating similar incidents in the foreseeable future. Incident data collected should be mined for actionable insights and this could help ascertain costs to the organisation to mention but a few. Failure to establishing the right Incident Response Plan could leave your organisation open to cyber-attacks while having the right Incident Response Plan would help mitigate incidents and improve the security posturing of organisations.
