The 7 Stages of an Incident Response Plan
May 20, 2016
Today the organization you work for has its network compromised. As a result, a significant amount of valuable information is lost. Your IT department has found what was taken, but doesn't know what to do next. So what's your next move?
Do you sit there and hope that whoever took the information simply doesn't use it? If you do not have a computer incident response or forensics team, that information might be lost forever and you may never find out who stole it.
An incident response or forensics team has methods not only to track who breached your systems, but also to stop it from happening again.
Doesn’t that sound just a little more intriguing than the first option?
The Seven Stages of Incident Response
Preparation
It is essential that every organization is prepared for the worst. So how will you handle the situation? Preparation is key. It involves identifying the start of an incident, how to recover, how to get everything back to normal, and creating established security policies including, but not limited to:
- warning banners
- user privacy expectations
- established incident notification processes
- the development of an incident containment policy
- creation of incident handling checklists
- ensuring the corporate disaster recovery plan is up to date
- making sure the security risk assessment process is functioning and active
Other aspects that should be considered when preparing are training and pre-deployed incident handling assets. When training for an incident, consider the different types of training your team needs, such as OS support, specialized investigative techniques, incident response tool usage, and corporate environmental procedure requirements.
When looking at your pre-deployed incident handling assets, you want to make sure you have certain tools in place in case of a system breach. This includes deploying your own sensors, probes, and monitors on critical systems, tracking databases in core systems, and keeping active audit logs for all server and network components.
Identification
The next stage of incident response is identifying the actual incident. The first question you want your team to answer is whether the event is merely unusual activity or something more. Once that has been established, you are going to want to check certain areas of the affected system. This includes suspicious entries in system or network accounting, excessive login attempts, unexplained new user accounts, unexpected new files, etc.
After you have assessed the situation, there are six levels of classification for incidents. You are going to want to evaluate which one the incident falls under.
- Level 1 – Unauthorized Access
- Level 2 – Denial of Service
- Level 3 – Malicious Code
- Level 4 – Improper Usage
- Level 5 – Scans/Probes/Attempted Access
- Level 6 – Investigation Incident
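As an added example (not code from the original post), the following script runs the identification indicators named above, excessive login attempts and unexplained new user accounts, over a few constructed auth-log lines and labels each finding with a level from the classification list. The log lines, the threshold, and the mapping of each indicator to a level are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (not from the original post). The addresses are
# from documentation ranges (203.0.113.0/24, 198.51.100.0/24), so none is a real host.
SAMPLE_LOG = """\
May 20 09:01:02 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 50122 ssh2
May 20 09:01:04 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 50124 ssh2
May 20 09:01:05 web01 sshd[2201]: Failed password for admin from 203.0.113.45 port 50126 ssh2
May 20 09:01:07 web01 sshd[2201]: Failed password for admin from 203.0.113.45 port 50128 ssh2
May 20 09:01:09 web01 sshd[2201]: Failed password for oracle from 203.0.113.45 port 50130 ssh2
May 20 09:01:12 web01 sshd[2201]: Accepted password for admin from 203.0.113.45 port 50134 ssh2
May 20 09:02:30 web01 useradd[2290]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup
May 20 09:15:00 web01 sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
"""

FAILED = re.compile(r"Failed password for (\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(\w+)")


def triage(log_text, known_accounts, threshold=5):
    """Return sorted (level, description) findings for the indicators the post lists:
    excessive login attempts and unexplained new user accounts. Levels follow the
    post's classification list; the mapping of indicator to level is an assumption."""
    failed_by_ip = Counter()
    accepted_by_ip = {}
    findings = []
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failed_by_ip[m.group(2)] += 1
        elif m := ACCEPTED.search(line):
            accepted_by_ip.setdefault(m.group(2), []).append(m.group(1))
        elif (m := NEW_USER.search(line)) and m.group(1) not in known_accounts:
            findings.append((1, f"unexplained new user account: {m.group(1)}"))
    for ip, n in failed_by_ip.items():
        if n < threshold:
            continue
        if ip in accepted_by_ip:  # guessing that ended in a successful login
            users = ",".join(accepted_by_ip[ip])
            findings.append((1, f"{n} failed logins then success from {ip} as {users}"))
        else:  # attempts only, nothing got in
            findings.append((5, f"{n} failed logins from {ip}, no success"))
    return sorted(findings)

def classify(findings):
    """Single classification for the event; assumes a lower level number takes
    precedence (Level 1 over Level 5). None means no indicator fired."""
    return min((lvl for lvl, _ in findings), default=None)
```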
Containment
Once your team knows what incident level they are dealing with, the next move is to contain the issue. The key here is to limit the scope and magnitude of the issue at hand. There are two primary areas of coverage when doing this:
- Protecting and keeping available critical computing resources where possible
- Determining the operational status of the infected computer, system or network.
In order to determine the operational status of your infected system and/or network, you have three options:
- Disconnect system from the network and allow it to continue stand-alone operations
- Shut down everything immediately
- Continue to allow the system to run on the network and monitor the activities
All of these options are viable ways to contain the issue at the beginning of the incident response, and the choice should be made as soon as possible to allow movement to the next stage.
Investigation
This is the first step in determining what actually happened to your system, computer or network. A systematic review needs to take place on all the:
- bit-stream copies of the drives
- external storage
- real-time memory
- network device logs
- system logs
- application logs
- and other supporting data.
You should also be able to answer questions such as: What data was accessed? Who did it? What do the log reviews reveal?
It is very important to keep well-written documentation of everything you do during the investigation, especially since external threats may require law enforcement involvement.
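As an added example (not from the original post), a minimal chain-of-custody register for the evidence items listed above: every item is hashed on intake, every handling step is time-stamped with the handler's name, and the item can be re-verified against its intake hash before it is handed to law enforcement. The class and method names are my own.

```python
import hashlib
from datetime import datetime, timezone


class EvidenceRegister:
    """Hypothetical chain-of-custody log (not from the original post): each evidence item is
    hashed on intake, every later action is time-stamped with the handler's name, and the
    item can be re-verified against its intake hash at any point in the investigation."""

    def __init__(self):
        self.intake_hashes = {}   # evidence id -> sha256 hex digest taken at intake
        self.entries = []         # ordered custody entries, appended to and never edited

    @staticmethod
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    def _record(self, evidence_id, handler, action, detail):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "evidence": evidence_id, "handler": handler,
            "action": action, "detail": detail,
        })

    def intake(self, evidence_id, data, handler, description):
        """Register a new item (e.g. a bit-stream drive copy) and return its hash."""
        if evidence_id in self.intake_hashes:
            raise ValueError(f"{evidence_id} already registered")
        h = self.digest(data)
        self.intake_hashes[evidence_id] = h
        self._record(evidence_id, handler, "intake", f"{description}; sha256={h}")
        return h

    def note(self, evidence_id, handler, action, detail=""):
        """Record any handling step (transfer, analysis, sealing) for a known item."""
        if evidence_id not in self.intake_hashes:
            raise KeyError(evidence_id)
        self._record(evidence_id, handler, action, detail)

    def verify(self, evidence_id, data, handler):
        """Re-hash the item and log whether it still matches the intake hash."""
        ok = self.digest(data) == self.intake_hashes[evidence_id]
        self._record(evidence_id, handler, "verify", "match" if ok else "MISMATCH")
        return ok

    def history(self, evidence_id):
        """Ordered list of actions taken on one item, for the written report."""
        return [e["action"] for e in self.entries if e["evidence"] == evidence_id]
```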
Eradication
Eradication is the process of actually getting rid of the issue on your computer, system or network. This step should only take place after all external and internal actions are completed. There are two important aspects of eradication which you should keep in mind. The first is cleanup. Cleanup usually consists of running your antivirus software, uninstalling the infected software, rebuilding the OS or replacing the entire hard drive, and reconstructing the network.
The second step is notification. Notification always includes relevant personnel, both above and below the incident response team manager in the reporting chain.
Recovery
This is when your company or organization returns to normal operations. There are two steps to recovery:
- Service restoration, which is based on implementing corporate contingency plans
- System and/or network validation, testing, and certifying the system as operational
Any component that was compromised must be re-certified as both operational and secure.
Follow-Up
After everything has been returned to normal, there are a few follow-up questions that should be answered to ensure the process is sufficient and effective.
- Was there sufficient prep?
- Did detection occur in a timely manner?
- Were communications conducted clearly?
- What was the cost of the incident? Did you have a Business Continuity Plan in place?
- How can we prevent it from happening again?
Once these questions are answered and improvements are made where necessary, your company and incident response team should be ready to repeat the process.
This process can help your organization keep its valuable and personal information secure.
Personalize Your Cyber Security Incident Response Plan
Do you have an incident response team or plan in place at your business? Or would you rather take your chances and hope your IT security holds up?
That’s what we thought. Take a second to download and fill out your own personalized incident response plan. Just download our free incident response template below and adapt a strategy that works for you.
Editor's Note: This blog post originally appeared last year. We have updated it to reflect new changes and to provide links to new resources, such as the official NIST Computer Security Incident Handling Guide, for reference on getting started with incident response at your organization.