Incident Response Phases
NIST Special Publication 800-61 recommends a four-phase incident response life cycle: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The notes below break the middle two phases out into the six steps also used by the SANS incident handling process (preparation, identification, containment, eradication, recovery, lessons learned); each step maps directly onto one of NIST's phases.
The first stage is preparation, where we plan and prepare for incidents before any occur. This includes setting up a war room, defining what constitutes an incident, and training the team on how to respond.
This phase addresses primarily pre-incident planning and coordination.
Having a properly prepared team and plan is key to a successful response process.
The NIST guidelines also point out that while prevention is not a function of incident response, it is key to its success.
Appropriate contacts
Incident reporting processes and systems
War room accommodations
Secure storage
Incident definitions
What counts as an "incident" in your organization?
Definitions of containment and eradication agreed in advance, so the team knows when each is "done"
Training
Deployment of incident-handling assets, e.g.:
Software agents running on devices
Hardware in certain environments, etc.
The second stage is identification (NIST's detection and analysis), where we determine whether an observed event is actually an incident that requires a response. Signals come from many sources: alerts from security systems, notifications from service providers, threat hunting, and user reports.
Excessive logon attempts
Notifications from MSSP or CSP
Alerts from IDS/IPS, firewalls, HIPS/HIDS and other endpoint protection
End-user initiated, i.e., a user reports suspicious activity
SOC analyst-initiated
Threat-hunting team
Confidential data showing up for sale on the internet
Once confirmed, the incident is classified. These are not severity levels but categories; the list below is the US-CERT federal agency incident category scheme that appeared in earlier revisions of SP 800-61:
Category 1 - Unauthorized access
Category 2 - Denial of service
Category 3 - Malicious code
Category 4 - Improper usage
Category 5 - Scans/probes/attempted unauthorized access
Category 6 - Investigation of incident
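As an added example (not part of the original notes), the following Python script shows the kind of detection logic behind the "excessive logon attempts" signal listed above, and how a confirmed detection can be classified into one of the categories. It runs a sliding-window threshold over constructed sshd-style log lines, raises a finding when one source IP reaches the failure threshold, and escalates the finding from "Scans/probes/attempted unauthorized access" to "Unauthorized access" when a successful logon from the same source follows the burst. The log format, the threshold and window values, and the mapping onto the categories are all assumptions chosen for the example; a real SOC would tune them to its own environment.

```python
"""Added example: threshold detection of excessive logon attempts over
constructed sshd-style log lines, with a rough mapping of each finding onto
the incident categories above. Not from NIST SP 800-61 or the original notes;
the log format, threshold, window and category mapping are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog style, year omitted as in real sshd output).
# 198.51.100.23: password spray that ends in a successful logon as "deploy".
# 203.0.113.9:   one typo followed by success (normal user behaviour).
# 192.0.2.77:    six failures, no success (brute-force attempt only).
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[4521]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar 10 02:14:03 web01 sshd[4521]: Failed password for root from 198.51.100.23 port 51023 ssh2
Mar 10 02:14:05 web01 sshd[4521]: Failed password for admin from 198.51.100.23 port 51024 ssh2
Mar 10 02:14:07 web01 sshd[4521]: Failed password for admin from 198.51.100.23 port 51025 ssh2
Mar 10 02:14:09 web01 sshd[4521]: Failed password for deploy from 198.51.100.23 port 51026 ssh2
Mar 10 02:14:12 web01 sshd[4521]: Accepted password for deploy from 198.51.100.23 port 51027 ssh2
Mar 10 02:15:00 web01 CRON[5000]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 02:20:00 web01 sshd[4522]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Mar 10 02:20:40 web01 sshd[4522]: Accepted password for alice from 203.0.113.9 port 40001 ssh2
Mar 10 03:00:00 web01 sshd[4530]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2
Mar 10 03:00:10 web01 sshd[4530]: Failed password for invalid user oracle from 192.0.2.77 port 33002 ssh2
Mar 10 03:00:20 web01 sshd[4530]: Failed password for root from 192.0.2.77 port 33003 ssh2
Mar 10 03:00:30 web01 sshd[4530]: Failed password for invalid user git from 192.0.2.77 port 33004 ssh2
Mar 10 03:00:40 web01 sshd[4530]: Failed password for root from 192.0.2.77 port 33005 ssh2
Mar 10 03:00:50 web01 sshd[4530]: Failed password for invalid user ubuntu from 192.0.2.77 port 33006 ssh2
"""

# Matches the two sshd message shapes we care about; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Assumed mapping of detection outcomes onto the category list above.
CAT_ATTEMPTED = "Scans/probes/attempted unauthorized access"
CAT_SUCCESS = "Unauthorized access"


def detect_excessive_logons(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per source IP that reaches `threshold` failed logons
    inside any `window`. A later successful logon from the same source
    escalates the finding's category and records the account involved."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # cron noise etc.; not an authentication event
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year defaults to 1900
        events.append((ts, m["result"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])  # logs are not always in order

    recent_failures = defaultdict(list)  # ip -> failure timestamps inside window
    targeted_users = defaultdict(set)    # ip -> usernames tried
    findings = {}                        # ip -> finding dict
    for ts, result, user, ip in events:
        if result == "Failed":
            targeted_users[ip].add(user)
            # Sliding window: drop failures older than `window` before counting.
            recent = [t for t in recent_failures[ip] if t >= ts - window] + [ts]
            recent_failures[ip] = recent
            if len(recent) >= threshold:
                if ip not in findings:
                    findings[ip] = {
                        "source": ip,
                        "first_seen": recent[0],
                        "category": CAT_ATTEMPTED,
                        "targeted_users": targeted_users[ip],
                        "compromised_accounts": set(),
                    }
                findings[ip]["failures"] = len(recent)
        elif result == "Accepted" and ip in findings:
            # Success after a burst of failures: the attempt likely worked.
            findings[ip]["category"] = CAT_SUCCESS
            findings[ip]["compromised_accounts"].add(user)
    return sorted(findings.values(), key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for f in detect_excessive_logons(SAMPLE_LOG):
        print(f"{f['source']}: {f['failures']} failures -> {f['category']}; "
              f"tried {sorted(f['targeted_users'])}, "
              f"compromised {sorted(f['compromised_accounts'])}")
```

The single failed attempt from 203.0.113.9 never reaches the threshold and produces no finding, which is the point of the identification stage: not every event is an incident. The successful logon from 198.51.100.23, by contrast, turns an attempted-access finding into a confirmed unauthorized-access incident and names the account that must be treated as compromised in the containment and eradication steps.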
The third stage is containment, where we limit the impact of the incident and stop it from spreading. This involves protecting critical assets, determining the extent of the compromise, and preventing any further compromise.
Protect and keep available the critical assets (which should have been identified in the Preparation stage)
Determine the operational status of the network, systems and other resources
Get a handle on the depth and breadth of the compromise
Prevent further compromise
Make sure you're clear on what the organization's definition of containment is
Do we even know which systems are compromised? Are we disconnecting them from the internet only, or from the internal network as well?
Are these critical systems? What will be the impact on operations? Will shutting down the systems actually help in our containment effort?
Are the threat actors still active in the environment? Do you know enough yet to attempt to shut down systems?
What's been done to contain the breach?
Has any discovered malware been removed or quarantined?
Have compromised systems been rebuilt? Have they been re-patched to be up to date?
Have all potentially compromised credentials been changed?
Have you applied all recent security patches and updates?
The fourth stage is eradication, where we eliminate the threat from the environment and restore affected systems to a known-clean state. The goal is to remove the threat completely and close the path it used so it cannot recur.
Eliminate the threat from the environment
Restore affected systems to their previous clean state
Prevent further compromise
What counts as "eradicated" is defined by the organization (and should have been agreed during preparation)
The fifth stage is recovery, where we restore interrupted business services and validate that everything is back to normal.
Restoring all interrupted or stopped business services
Performing validation testing to make sure restoration was successful and up to organization requirements
Don't forget to account for the time needed to restore data
Checking systems to make sure their patches are up to date
The final step is lessons learned (NIST's post-incident activity): we take the opportunity to learn from the incident and improve the process for the future.
There are follow-up questions for the incident responders to answer:
Was there sufficient preparation?
Did detection occur promptly?
Were communications adequate?
What was the financial or informational cost of the incident?
How can we prevent it from happening again?