It’s the weekend. You have ensured the last employee has gone home, switched off the lights, checked the windows and made sure all the exits are locked. Unbeknown to you, earlier that month a worm found a weak spot in your network and has been waiting for the right time to activate. That time is now, and your systems are currently being attacked. Come Monday morning your systems and network will be unusable and nobody will be able to begin work. What do you do?
Importance of incident response
Any incident that is not properly contained and handled can and usually will escalate into a bigger problem that can ultimately lead to a damaging data breach or system collapse. Responding to an incident quickly will help your organisation minimise losses, mitigate exploited vulnerabilities, restore services and processes, and reduce the risks that future incidents pose.
Incident response enables your business to be prepared for the unknown as well as the known and is a reliable method for identifying a security incident immediately when it occurs. Incident response also allows you to establish a series of best practices to stop an intrusion before it causes damage.
Incident response plan
An incident response plan (IRP) should include procedures for detecting, responding to and limiting the effects of a data security breach.
Incident response plans usually include instructions on how to respond to potential attack scenarios, including data breaches, denial of service/distributed denial of service attacks, intrusions, virus, worm or malware outbreaks, insider threats and network attacks.
Without one you may not detect the attack at all, or, when a breach is detected, your staff may not follow proper protocol to contain the threat and recover from it.
There are six key phases of an incident response plan:
- Preparation: Preparing users and IT staff to handle potential incidents should they arise
- Identification: Determining whether an event is, indeed, a security incident
- Containment: Limiting the damage of the incident and isolating affected systems to prevent further damage
- Eradication: Finding the root cause of the incident, removing affected systems from the production environment
- Recovery: Permitting affected systems back into the production environment, ensuring no threat remains
- Lessons learned: Completing incident documentation, performing analysis to learn from the incident and potentially improve future response efforts
An incident response plan can benefit your company by outlining how to minimise the duration of and damage from a security incident, identifying participating stakeholders, streamlining forensic analysis, hastening recovery time, reducing negative publicity and ultimately increasing the confidence of corporate executives, owners and shareholders.
The plan should identify and describe the roles and responsibilities of the incident response team members who are responsible for testing the plan and putting it into action. The plan should also specify the tools, technologies and physical resources that must be in place to recover breached information.