Incident Response

Many corporations have cyber response teams dedicated to the handling of incidents—events that indicate compromised systems or data loss. When organizations use tools to help detect events, it is important that those organizations have a well-defined incident-handling process to efficiently resolve security issues.

According to the SANS Institute's Incident Handler's Handbook, security incident handling can be separated into six phases: preparation, identification, containment, eradication, recovery, and lessons learned.

During the preparation phase, incident handlers and corporations need to make sure they are familiar with company policies and playbooks. These policies and playbooks should outline information such as drills and escalation contacts.

The next phase of the incident-handling process is identification of the incident. This stage involves accurately recording who discovered the incident, when it was discovered, and the technological and business impacts of the incident.

Once the incident has been successfully identified, the incident handler can move to the next phase of the process, containment. Containment involves determining if the incident can be isolated and working with system owners and network administrators to help contain the problem. Incident handlers working with other security teams can help back up the system as well as save forensic copies for evidence.

The next phases involve remediating the incident or compromise. In the eradication and recovery phases, the handler attempts to reimage the system or restore it from a secure backup. Additionally, incident handlers can apply patches or other fixes to protect the system from malware targeting the same vulnerabilities.

The final stage of the incident-handling process is lessons learned. During this phase, security professionals document how the incident was handled and identify areas of weakness to remediate in future incident-handling procedures.
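To make the six-phase process concrete, the following is an added example (not code from the original page or from the SANS handbook) that models one incident as a small state machine over the phases named above. The gate conditions it enforces (an identification record before containment, isolation and a preserved forensic copy before eradication, a restore or patch before recovery) and all incident values are this example's own assumptions, chosen to reflect the handling steps the text describes.

```python
from dataclasses import dataclass, field
from typing import Optional

# The six phases, in the order the SANS Incident Handler's Handbook lists them.
PHASES = ("preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned")


class PhaseError(Exception):
    """Raised when a transition is attempted without its prerequisites."""


@dataclass
class Incident:
    incident_id: str
    phase: str = "preparation"
    # identification record
    discoverer: Optional[str] = None
    detected_at: Optional[str] = None        # ISO-8601 timestamp (constructed in this example)
    technical_impact: Optional[str] = None
    business_impact: Optional[str] = None
    # containment record
    isolated: bool = False
    forensic_image: Optional[str] = None     # label of the evidence copy taken before eradication
    # eradication / recovery record
    restored_from_backup: bool = False
    patches_applied: list = field(default_factory=list)
    # lessons learned and an audit trail of transitions
    lessons: list = field(default_factory=list)
    history: list = field(default_factory=list)


def missing_prerequisites(inc: Incident, next_phase: str) -> list:
    """Return the facts that must be on record before next_phase may begin.
    These gates are this example's assumptions, not rules quoted from the handbook."""
    missing = []
    if next_phase == "containment":
        # identification must name who found it, when, and both impacts
        for f in ("discoverer", "detected_at", "technical_impact", "business_impact"):
            if getattr(inc, f) is None:
                missing.append(f)
    elif next_phase == "eradication":
        # never wipe or reimage a system before it is isolated and evidence is preserved
        if not inc.isolated:
            missing.append("isolated")
        if inc.forensic_image is None:
            missing.append("forensic_image")
    elif next_phase == "recovery":
        if not (inc.restored_from_backup or inc.patches_applied):
            missing.append("restored_from_backup or patches_applied")
    return missing


def advance(inc: Incident) -> str:
    """Move the incident to the next phase, refusing if prerequisites are missing."""
    idx = PHASES.index(inc.phase)
    if idx == len(PHASES) - 1:
        raise PhaseError(f"{inc.incident_id} is already in the final phase")
    nxt = PHASES[idx + 1]
    gaps = missing_prerequisites(inc, nxt)
    if gaps:
        raise PhaseError(f"cannot enter {nxt}: missing {', '.join(gaps)}")
    inc.history.append((inc.phase, nxt))
    inc.phase = nxt
    return nxt


def run_example() -> dict:
    """Walk one constructed incident through all six phases, capturing one refused step."""
    inc = Incident("INC-EXAMPLE-1")              # constructed identifier
    advance(inc)                                 # preparation -> identification
    refused = None
    try:
        advance(inc)                             # no identification record yet: refused
    except PhaseError as e:
        refused = str(e)
    inc.discoverer = "soc-analyst"               # constructed values
    inc.detected_at = "2024-01-01T09:00:00Z"
    inc.technical_impact = "web server running an unknown process"
    inc.business_impact = "customer portal degraded"
    advance(inc)                                 # -> containment
    inc.isolated = True
    inc.forensic_image = "webserver01-disk.dd"   # constructed evidence label
    advance(inc)                                 # -> eradication
    inc.restored_from_backup = True
    inc.patches_applied.append("vendor fix for the exploited bug")
    advance(inc)                                 # -> recovery
    advance(inc)                                 # -> lessons_learned
    inc.lessons.append("add an alert for unknown processes on the web tier")
    return {"final_phase": inc.phase, "refused": refused,
            "path": [p for _, p in inc.history]}


if __name__ == "__main__":
    print(run_example())
```

The point of the gates is the order the text insists on: evidence is preserved during containment, before eradication destroys it, and the identification record (discoverer, time, impacts) exists before anyone touches the affected system. A real ticketing system would persist the `history` list as the timeline that the lessons-learned phase reviews.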

In conclusion, incident handling is a large part of any organization's cybersecurity program. To effectively identify, contain, and remediate incidents, proper incident-handling techniques and processes must be in place so that the organization maintains a more secure and vigilant environment.

References

Kral, P. (2012, February 21). Incident handler's handbook. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901