The Core Phases of Incident Response & Remediation
Planning and preparing for unexpected security incidents is perhaps one of the most difficult challenges for security practitioners. With a robust incident response (IR) plan, professionals can follow a foundation or standard for handling incidents.
You can use the following phases as a foundation to plan and implement your incident response plan.
Preparation
A security team needs to be prepared for a security incident before one occurs. Preparation is one of the most essential steps in an incident response plan because it determines how the IR team will respond to the myriad of incidents that may affect the organization.
In the preparation phase, the security team should establish a written set of security policies that defines a security incident, how data breaches will be handled, and the policies for end users throughout the organization. SANS Institute offers helpful templates that you can access here:
General Information Security Policy:
- Acceptable Encryption Policy
- Acceptable Use Policy
- Clean Desk Policy
- Data Breach Response Policy
- Disaster Recovery Plan Policy
- Digital Signature Acceptance Policy
- Email Policy
- Ethics Policy
- Pandemic Response Planning Policy
- Password Construction Guidelines
- Password Protection Policy
- Security Response Plan Policy
- End User Encryption Key Protection Policy
Network Security Policy, Server Security Policy, and Application Security templates are also available.
Once the security policies have been created, your organization will need to create a strategy for handling incidents. The strategy should define how incidents will be prioritized, who will manage and remediate incidents, what tools will be used to manage incident response, who will communicate and document important updates, and who will follow up on incidents with law enforcement officials, if necessary.
Lastly, your incident response team should be trained using simulation exercises, so they are well-prepared when an actual security incident happens. Regular training on incident response helps the entire team of responders know their roles and responsibilities throughout the IR process.
Identification
During the identification phase, your IR team will need to identify threats from log alerts, IDS/IPS, firewalls, and any other suspicious activity occurring on the network. Once a threat has been identified, it should be documented and communicated per the policy established during the preparation phase.
Incident responders should communicate the scope and impact of the threat and be as detailed as possible in all information related to the incident. This information can be used later in the lessons learned phase and supplied to authorities if they require detailed information pertaining to the incident.
Containment
Once a threat has been identified, the IR team should work to contain it to prevent further damage to other systems and the organization at large. It is during this phase that the responder quickly isolates any infected machine and, where possible, backs up any critical data on the infected system before changes are made to it.
Next, a temporary fix should be implemented on an infected machine to prevent the threat from escalating. The goal is to limit the number of systems compromised during this phase.
Eradication
Once the threat has been sufficiently contained, the IR team should work to implement a more permanent fix. This might include patching hardware, reconfiguring systems and application architecture, or rebuilding systems for production. The goal is to eliminate the entry point(s) that the threat actor used to obtain access to the network.
During the eradication phase, the IR team should also be documenting all actions required to eradicate the threat. In addition, any defenses in the network should be improved so that the same incident doesn’t occur again.
Recovery
At the recovery stage, any production systems affected by a threat will be brought back online. This includes any data recovery or restoration efforts that need to take place as well.
The IR team will need to decide when operations will be restored, test and verify that infected systems are fully restored, continue to monitor for malicious activity, and validate recovery.
Lessons Learned
Finally, the IR team should finalize documentation from the incident investigation and remediation as well as supply a detailed report that reviews the entire incident response process. It’s during this phase that the team gleans insights from the IR process to improve steps in each phase for the future.
A formal or informal meeting can be conducted to debrief and cover the scope of the incident. The IR team may also want to provide recommendations for improvement in the IR process and how the threat can be contained and eradicated in the future.
With these phases, a security team can put together its own blueprint for incident response and investigation. If you lack the resources and/or time to handle security incidents, consider the value of outsourcing the IR process to a third-party managed security services provider (MSSP).