Organizations rely on Incident response to ensure they are immediately aware of security incidents, allowing for quick action to minimize damage. They also aim to avoid follow on attacks or future related incidents.
The SANS Institute provides research and education on information security. In the upcoming webinar, we'll outline, in detail, six components of a SANS incident response plan, including elements such as preparation, identification, containment, and eradication.
The 6 steps of a complete IR
- Preparation: This is the first phase and involves reviewing existing security measures and policies; performing risk assessments to find potential vulnerabilities; and establishing a communication plan that lays out protocols and alerts staff to potential security risks. During the holidays, the preparation stage of your IR plan is crucial as it gives you the opportunity to communicate holiday-specific threats and put the wheels in motion to address such threats as they are identified.
- Identification: The identification stage is when an incident has been identified – either one that has occurred or is currently in progress. This can happen a number of ways: by an in-house team, a third-party consultant or managed service provider, or, worst case scenario, because the incident has resulted in a data breach or infiltration of your network. Because so many holiday cybersecurity hacks involve end-user credentials, it is worth dialing up safety mechanisms that monitor how your networks are being accessed.
- Containment: The goal of the containment stage is to minimize damage done by a security incident. This step varies depending on the incident and can include protocols such as isolating a device, disabling email accounts, or disconnecting vulnerable systems from the main network. Because containment actions often have severe business implications, it is imperative that both short-term and long-term decisions are determined ahead of time so there is no last minute scrambling to address the security issue.
- Eradication: Once you've contained the security incident, the next step is to make sure the threat has been completely removed. This may also involve investigative measures to find out who, what, when, where and why the incident occurred. Eradication may involve disk cleaning procedures, restoring systems to a clean backup version, or full disk reimaging. The eradication stage may also include deleting malicious files, modifying registry keys, and possibly re-installing operating systems.
- Recovery: The recovery stage is the light at the end of the tunnel, allowing your organization to return to business as usual. Same as containment, recovery protocols are best established beforehand so appropriate measures are taken to ensure systems are safe.
- Lessons learned: During the lessons learned phase, you will need to document what happened and note how your IR strategy worked at each step. This is a key time to consider details like how long it took to detect and contain the incident. Were there any signs of lingering malware or compromised systems post-eradication? Was it a scam connected to a holiday hacker scheme? And if so, what can you do to prevent it next year?
How lean security teams can stress less
Incorporating best practices into your IR strategy is one thing. But building and then implementing these best practices is easier said than done when you don't have the time or resources.
Leaders of smaller security teams face additional challenges triggered by these lack of resources. Bare-bones budgets compounded by not having enough staff to manage security operations is leaving many lean security teams feeling resigned to the idea that they will not be able to keep their organization safe from the all too common onslaught of attacks. Fortunately, there are resources for security teams in this exact predicament. Cynet Incident Response Services offers a unique combination of Cynet's security experience together with proprietary technology enables fast and accurate incident response.