Before beginning the 7 Phases of Incident Response, it is essential to recognize that each organization has distinct requirements. It is acceptable to modify these phases as necessary because what works for one organization may not work for another. It is probably safe to follow your IT staff’s suggestions to combine multiple steps.
Phases 3 and 4, for instance, or phases 5 and 6 could easily be combined. Furthermore, for routine or minor incidents, phase 7 may not be necessary.
7 Phases Of Incident Response
Phase One: Preparation and Planning
The preparation and planning phase, the first of the seven phases of incident response, should begin before an emergency occurs. Use this time to assign roles, prioritize tasks, and define each stakeholder's responsibilities. Establishing a clear chain of command from the outset, complete with deputies and support staff, is the key to executing a consistent, timely, and effective plan.
This phase never really ends. It is absolutely necessary for your team to always be prepared for new viruses, up-to-date ransomware, and next-generation network attacks because new threats and vulnerabilities appear almost daily. Therefore, you should review and update your preparation efforts on a regular basis.
Phase Two: Threat Recognition and Detection
Many businesses have trouble recognizing and detecting threats. However, security threats occur whether or not your team discovers them. This phase cannot be skipped, because it is a prerequisite for containing, analyzing, and eliminating the threat.
Create a classification system for any identified threats for the best results. This makes it easier to isolate the affected systems and minimize damage while also allowing you to prioritize them according to urgency.
By most standards, low-level threats such as network scans, probes, or unsuccessful login attempts are accepted as normal background activity. Most businesses rely on software-based controls such as antivirus, anti-malware, and network firewalls to stop these basic attacks.
Improper network use, including the execution of malicious code, is considered a mid-level threat. Keep in mind that these incidents can originate from inside the organization, either intentionally or unintentionally.
It is therefore essential to investigate the circumstances thoroughly before drawing a conclusion.
Denial-of-service (DoS) attacks and unauthorized access are regarded as high-level threats. These activities must be properly identified and contained as quickly as possible, because they have the potential to expose confidential data or shut down your entire system.
Phase Three: Containment of the Threat
Although deleting everything and shutting down systems may be the instinctive first response to a cybersecurity breach, there is a more effective strategy for containing it. If a system goes offline or data is deleted, you risk losing important information about where the breach occurred and how it happened, as well as the ability to build a plan based on the evidence.
You can, instead:
- Disconnect infected systems from the internet to prevent data leakage
- Change access control credentials to strengthen security
- Quarantine identified malware as evidence for later analysis
- Disable remote access capabilities and remote gateways
- Make a backup of your data
Once the threat is contained, eradicating it completely becomes much simpler.
Phase Four: Analysis and Investigation
It is best to finish this phase as soon as phase three is finished and the threat is completely contained. In order to repair your system and prevent future attacks, it is essential to understand the problem’s underlying cause. In many situations, you’ll zero in on three main considerations:
- What took place: Describe the nature of the attack, including the systems that were affected.
- How the incident happened: Was the incident caused by user error, or is it the result of an external attack?
- The date and time of the incident: This is your chronology of events. It is useful for identifying any affected resources and determining the incident's underlying cause.
Additionally, root cause analysis (RCA) aids in the production of reports that inform other stakeholders in the organization of significant incidents.
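As an added illustration of the classification system described in Phase Two and the chronology needed in Phase Four (this is example code, not part of the original article or any product it names), the script below sorts constructed alert records into the article's three tiers (low: scans, probes, failed logins; mid: improper network use and malicious code; high: DoS and unauthorized access), orders them by urgency, and then builds the per-host timeline an investigator would use to answer "what happened, how, and when". The record format, the event-type-to-tier mapping, and the sample records are assumptions made for this example.

```python
"""Added example: triage constructed events into the article's three threat
tiers, then produce the chronology used in the analysis phase."""
from dataclasses import dataclass
from datetime import datetime

# Severity tiers from the article's Phase Two classification (higher = more urgent).
TIERS = {"low": 1, "mid": 2, "high": 3}

# Assumed mapping from detector event types to the article's tiers.
EVENT_TIER = {
    "port_scan": "low",
    "failed_login": "low",
    "malware_exec": "mid",
    "policy_violation": "mid",
    "dos": "high",
    "unauthorized_access": "high",
}


@dataclass
class Event:
    when: datetime
    host: str
    kind: str
    detail: str
    tier: str


def parse_event(line):
    """Parse one constructed 'ISO8601|host|kind|detail' record into an Event.
    Unknown kinds are escalated to 'mid' so they are investigated, not ignored."""
    stamp, host, kind, detail = line.split("|", 3)
    tier = EVENT_TIER.get(kind, "mid")
    return Event(datetime.fromisoformat(stamp), host, kind, detail, tier)


def triage(lines):
    """Return events ordered by urgency: highest tier first, then earliest time."""
    events = [parse_event(line) for line in lines if line.strip()]
    return sorted(events, key=lambda e: (-TIERS[e.tier], e.when))


def timeline(events, host=None):
    """Chronology for Phase Four: events in time order, optionally for one host."""
    chosen = [e for e in events if host is None or e.host == host]
    return sorted(chosen, key=lambda e: e.when)


def affected_hosts(events, min_tier="mid"):
    """Hosts with at least one event at or above min_tier (the systems that were harmed)."""
    floor = TIERS[min_tier]
    return sorted({e.host for e in events if TIERS[e.tier] >= floor})


# Constructed sample records (not real log data; 203.0.113.0/24 is a documentation range).
SAMPLE = [
    "2024-03-02T08:14:05|web01|port_scan|SYN scan from 203.0.113.9",
    "2024-03-02T08:20:31|web01|failed_login|5 failed ssh logins for admin",
    "2024-03-02T08:22:10|web01|unauthorized_access|ssh login for admin from 203.0.113.9",
    "2024-03-02T08:25:44|web01|malware_exec|unknown binary /tmp/.x started",
    "2024-03-02T08:40:00|db01|dos|connection flood, 20k conn/s",
]

if __name__ == "__main__":
    ranked = triage(SAMPLE)
    for e in ranked:
        print(f"{e.tier:>4} {e.when:%H:%M:%S} {e.host} {e.kind}: {e.detail}")
    print("affected hosts:", affected_hosts(ranked))
    for e in timeline(ranked, host="web01"):
        print(f"  {e.when:%H:%M:%S} {e.kind}")
```

Reading the web01 timeline in order (scan, failed logins, successful admin login, unknown binary) is what turns a list of alerts into a root-cause narrative; the triage order is what decides which host gets contained first.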
Phase Five: Mitigation and Eradication
Complete eradication is only possible after you have thoroughly analyzed and understood the original threat, which makes mitigation and eradication arguably the most crucial of the seven phases of incident response. Your antivirus or anti-malware software automatically eliminates some threats, such as viruses and malware. Others require human intervention.
After eradication is complete, you can begin restoring your IT environment and resuming any paused service delivery by deleting and replacing affected assets, patching or correcting remaining vulnerabilities, migrating or moving unaffected resources to new systems, upgrading older, legacy systems, and installing additional network protection.
Phase Six: Recovery and Restoration
After the threat has been eradicated, it is time to bring systems back online and continue business as usual.
In this phase, full service should be restored and the affected systems or networks must be tested, monitored, and validated to verify that they are not re-infected. Furthermore, all affected users, within and outside of your organization, should be informed of the breach and its present status. In cases where account credentials were compromised, passwords should be reset or accounts deactivated.
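One concrete way to "test and validate" a restored system before declaring recovery complete is to compare it against a known-good baseline taken before the incident. The script below is an added example (not from the article or any product it mentions): it records SHA-256 digests of every file in a clean tree, then reports modified, missing, and unexpected files in a restored tree. The directory layout, file contents, and baseline format are constructed for this example.

```python
"""Added example: validate a restored file tree against a known-good baseline."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file under root (posix-style relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def validate_restore(root, baseline):
    """Compare a restored tree to the baseline.
    Returns modified, missing and unexpected paths; all empty means the restore checks out."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: a clean baseline, then a restore in which one file
    was altered and a stray file appeared, which is what a re-infection looks like."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as restored:
        for root in (clean, restored):
            os.makedirs(os.path.join(root, "bin"))
            with open(os.path.join(root, "bin", "app"), "w") as fh:
                fh.write("#!/bin/sh\necho ok\n")
            with open(os.path.join(root, "config.ini"), "w") as fh:
                fh.write("debug=false\n")
        baseline = build_baseline(clean)
        # Simulate tampering in the restored copy (constructed, not a real payload).
        with open(os.path.join(restored, "bin", "app"), "a") as fh:
            fh.write("echo tampered\n")
        with open(os.path.join(restored, ".cache"), "w") as fh:
            fh.write("x")
        return validate_restore(restored, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline comes from a trusted image or the backup taken in Phase Three, not from the compromised host, and any non-empty result means the system is not ready to return to service.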
Phase Seven: Testing and Follow-Up
Re-testing should always be a part of an incident response plan as it gives you the chance to fine-tune your plan so that it covers all of the necessary security aspects of the organization. You can make use of your findings to enhance the procedure, modify your plans and procedures, and discover any omissions that you may not have noticed previously.
What Is an Action Plan for an Incident?
In response planning, incident goals (known as control objectives in NIMS), operational period goals, and the response strategy established by incident command are all formalized in an incident action plan (IAP). It provides important information on event and response parameters and general strategies for achieving the overall strategy’s goals and objectives. In a similar vein, the IAP makes it easier to disseminate crucial information regarding the state of the response assets themselves. Action plans must be updated on a regular basis (at least once per operational period) to keep the system’s guidance consistent and current because incident parameters change.
Consideration should be given to including the following in an IAP:
- Response strategies (priorities and the general approach to accomplishing the objectives)
- Response tactics (methods developed by Operations to accomplish the objectives)
- Organization list with ICS chart showing primary roles and relationships
- Assignment list with specific tasks
- Critical situation updates and assessments
- Composite resource status updates
- Health and safety plan (to prevent responder injury or illness)
- Communications plan (how functional areas can exchange information)
- Logistics plan (e.g. procedures to support Operations with equipment, supplies, etc.)
- Responder medical plan which gives care instructions to responders
- Incident map which is a map of the scene of the incident; and
- Additional component plans, as the incident indicates.
How to Write an Action Plan
Step 1: Define your end goal. If you don't know exactly what you want to do and what you want to accomplish, you will fail.
Planning a new initiative? First, decide where you are now and where you want to go.
Solving a problem? Analyze the situation before assigning a priority to any potential solution.
Then, write down your objective. Also, run your goal through the SMART criteria before moving on to the next step.
In other words, make sure it is:
- Specific: clear and well-defined
- Measurable: includes measurable indicators to track progress
- Attainable: reasonable and achievable with the available resources, time, money, experience, and so on
- Relevant: in line with your other goals
- Timely: has a deadline
Step 2: Make a list of the steps to be taken. The objective is now clear. What specific steps must you take to achieve it?
Make a rough list of all the tasks to be completed, their due dates, and the people responsible for them.
It is essential to ensure that everyone on your team is involved in this process and has access to the document. This way, everyone involved in the project will be aware of their roles and responsibilities.
Make sure that each task is clearly defined and can actually be completed. Break larger tasks that are difficult to complete and manage into smaller ones whenever possible.
Step 3: Add deadlines and assign each task a priority. Reorganize the list by priority. Some steps may need to come first because they block other steps.
Include deadlines and ensure that they are achievable. Before setting a deadline, discuss it with the person responsible for carrying out the task.
Step 4: Set milestones. Milestones can be viewed as mini-goals that lead up to the main objective at the end. Even when the final due date is a long way off, milestones give team members something to look forward to and help them stay motivated.
Starting from the ultimate objective, work backward as you set milestones. Keep in mind that you should put neither too little nor too much time between milestones. It is best to space milestones about two weeks apart.
Step 5: Identify the resources required. Before you begin, make sure you have all the resources needed to complete the tasks. If they are not currently available, you must first devise a strategy to acquire them. Your budget should be included here as well; in your action plan, you can note the cost of each task, if any, in a dedicated column.
Step 6: Visualize your action plan. The point of this step is to create something that everyone can understand at a glance and that can be shared with everyone.
Make sure that the elements identified so far (tasks, task owners, deadlines, resources, and so on) are clearly communicated in your action plan, whether it is presented as a flowchart, Gantt chart, or table. Everyone should be able to easily access and edit this document.
Step 7: Monitor your team's progress. Take time to look at how far you have come. On the final action plan, mark completed tasks as done to highlight progress toward the goal.
This will also bring to light tasks that have been put off or are falling behind schedule. If this happens, find out why and come up with suitable solutions, then adjust the action plan accordingly.
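Steps 2 through 4 above (list the tasks, order them so that blocking tasks come first, check that deadlines are achievable, and place milestones about two weeks apart) can be made checkable rather than left to a spreadsheet. The script below is an added example, not part of the article: it orders a constructed task list by dependency, computes when each task can finish, flags tasks whose deadline cannot be met because of the tasks they wait on, and generates the milestone dates. Task names, owners, durations, and deadlines are all constructed for this example.

```python
"""Added example: turn an action plan into a dependency-ordered schedule
and check which deadlines the dependency chain makes impossible."""
from datetime import date, timedelta

# Constructed task list: name -> (owner, duration_days, deadline, depends_on).
TASKS = {
    "define_goal":   ("lead", 1, date(2024, 4, 2),  []),
    "inventory":     ("ops",  3, date(2024, 4, 5),  ["define_goal"]),
    "patch_servers": ("ops",  5, date(2024, 4, 12), ["inventory"]),
    "rotate_creds":  ("sec",  2, date(2024, 4, 8),  ["inventory"]),
    "tabletop":      ("lead", 1, date(2024, 4, 10), ["patch_servers", "rotate_creds"]),
}
START = date(2024, 4, 1)   # constructed plan start
END = date(2024, 5, 15)    # constructed final due date


def order_tasks(tasks):
    """Topological order: a task appears only after everything it depends on.
    Raises ValueError on a dependency cycle, i.e. a plan that can never complete."""
    ordered, visiting, done = [], set(), set()

    def visit(name):
        if name in done:
            return
        if name in visiting:
            raise ValueError(f"dependency cycle at {name}")
        visiting.add(name)
        for dep in tasks[name][3]:
            visit(dep)
        visiting.discard(name)
        done.add(name)
        ordered.append(name)

    for name in sorted(tasks):
        visit(name)
    return ordered


def schedule(tasks, start):
    """Earliest finish date per task, assuming each task starts as soon as
    all of its dependencies have finished."""
    finish = {}
    for name in order_tasks(tasks):
        _owner, days, _deadline, deps = tasks[name]
        begin = max([finish[d] for d in deps], default=start)
        finish[name] = begin + timedelta(days=days)
    return finish


def late_tasks(tasks, start):
    """Tasks whose deadline cannot be met given the dependency chain (Step 3)."""
    finish = schedule(tasks, start)
    return sorted(name for name in tasks if finish[name] > tasks[name][2])


def milestones(start, end, every_days=14):
    """Milestone dates between start and end, spaced two weeks apart by default (Step 4)."""
    out, day = [], start + timedelta(days=every_days)
    while day < end:
        out.append(day)
        day += timedelta(days=every_days)
    return out


if __name__ == "__main__":
    finish = schedule(TASKS, START)
    for name in order_tasks(TASKS):
        owner, _, deadline, _ = TASKS[name]
        flag = "LATE" if finish[name] > deadline else "ok"
        print(f"{name:14} {owner:5} finishes {finish[name]} deadline {deadline} {flag}")
    print("milestones:", [str(d) for d in milestones(START, END)])
```

In the constructed data the tabletop exercise is flagged late: it cannot start until the patching finishes on April 10, so its April 10 deadline is unreachable, which is exactly the "obstructing substeps" situation Step 3 asks you to catch before committing to dates.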