6 Phases in the Incident Response Plan - SecurityMetrics


What is an incident response plan for cybersecurity? Learn how to manage a data breach with the 6 phases in the incident response plan.

An incident response plan is a documented, written plan with 6 distinct phases that helps IT professionals and staff recognize and deal with a cybersecurity incident like a data breach or cyber attack. Properly creating and managing an incident response plan involves regular updates and training.

Is an incident response plan a PCI DSS requirement?

Yes. Requirement 12 of the PCI DSS specifies the steps businesses must take relating to their incident response plan, including:

- 12.10.2 – Test the incident response plan at least annually
- 12.10.3 – Assign certain employees to be available 24/7 to deal with incidents
- 12.10.4 – Properly and regularly train the staff with incident response responsibilities
- 12.10.5 – Set up alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems
- 12.10.6 – Implement a process to update and manage the incident response plan per industry and organizational changes

How to create an incident response plan
An incident response plan should be set up to address a suspected data breach in a series of phases. Within each phase, there are specific areas of need that should be considered. The incident response phases are:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Let's look at each phase in more depth and point out the items that you need to address.

1. Preparation

This phase will be the workhorse of your incident response planning, and in the end, the most crucial phase to protect your business. Part of this phase includes:

- Ensure your employees are properly trained regarding their incident response roles and responsibilities in the event of a data breach
- Develop incident response drill scenarios and regularly conduct mock data breaches to evaluate your incident response plan
- Ensure that all aspects of your incident response plan (training, execution, hardware and software resources, etc.) are approved and funded in advance

Your response plan should be well documented, thoroughly explaining everyone's roles and responsibilities. Then the plan must be tested in order to assure that your employees will perform as they were trained. The more prepared your employees are, the less likely they'll make critical mistakes.

Questions to address

- Has everyone been trained on security policies?
- Have your security policies and incident response plan been approved by appropriate management?
- Does the Incident Response Team know their roles and the required notifications to make?
- Have all Incident Response Team members participated in mock drills?

2. Identification

This is the process where you determine whether you've been breached. A breach, or incident, could originate from many different areas, and the evidence that answers the questions below is usually already sitting in your logs.
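As an added example that is not part of the original article, the Python below sweeps constructed sshd-style authentication log lines for a burst of failed logins followed by a successful login from the same source, and returns the answers the Identification questions ask for: when it started, the point of entry (source address), the account used and the host affected. The log format, the threshold and time window, and the hostnames and addresses are assumptions made for the example.

```python
"""
Added example for the Identification phase (not code from the original
article): detect a credential-guessing burst that ends in a successful
login and report when, from where, and as whom.  Thresholds, hostnames
and addresses are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog style; sshd omits the year).
SAMPLE_LOG = """\
Jan 10 03:14:01 web01 sshd[2101]: Accepted publickey for deploy from 10.0.0.7 port 50122 ssh2
Jan 10 03:14:22 web01 sshd[2113]: Failed password for root from 203.0.113.5 port 4444 ssh2
Jan 10 03:14:25 web01 sshd[2114]: Failed password for root from 203.0.113.5 port 4445 ssh2
Jan 10 03:14:29 web01 sshd[2115]: Failed password for admin from 203.0.113.5 port 4446 ssh2
Jan 10 03:14:33 web01 sshd[2116]: Failed password for admin from 203.0.113.5 port 4447 ssh2
Jan 10 03:14:36 web01 sshd[2117]: Failed password for admin from 203.0.113.5 port 4448 ssh2
Jan 10 03:14:41 web01 sshd[2118]: Accepted password for admin from 203.0.113.5 port 4449 ssh2
Jan 10 03:20:02 web01 sshd[2140]: Failed password for bob from 198.51.100.9 port 3022 ssh2
Jan 10 03:40:15 web01 sshd[2150]: Failed password for bob from 198.51.100.9 port 3023 ssh2
Jan 10 03:40:20 web01 sshd[2151]: Accepted password for bob from 198.51.100.9 port 3024 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for one sshd auth event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # The year is not in the log line; it is supplied by the caller (assumption).
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def find_guessing_then_success(lines, threshold=4, window=timedelta(minutes=5)):
    """
    Flag a source that produced at least `threshold` failed logins inside
    `window` and then logged in successfully.  Each finding carries the
    Identification answers: first seen, point of entry, account and host.
    """
    failures = defaultdict(list)   # source address -> recent failure timestamps
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        # Forget failures that fell out of the window before this event.
        failures[src] = [t for t in failures[src] if ts - t <= window]
        if ev["result"] == "Failed":
            failures[src].append(ts)
        elif len(failures[src]) >= threshold:
            findings.append({
                "first_seen": failures[src][0],
                "success_at": ts,
                "source": src,
                "user": ev["user"],
                "host": ev["host"],
                "failures_before_success": len(failures[src]),
            })
            failures[src].clear()
    return findings


if __name__ == "__main__":
    for f in find_guessing_then_success(SAMPLE_LOG.splitlines()):
        print(f"{f['host']}: {f['failures_before_success']} failures from {f['source']} "
              f"starting {f['first_seen']:%b %d %H:%M:%S}, then login as {f['user']} "
              f"at {f['success_at']:%H:%M:%S}")
```

On the sample data this reports one event: five failures from 203.0.113.5 starting at 03:14:22, then a password login as admin at 03:14:41. The single mistyped password from 198.51.100.9 twenty minutes earlier is not flagged because it falls outside the window, which is the kind of tuning that keeps an identification sweep from drowning the team in noise.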
Questions to address

- When did the event happen?
- How was it discovered?
- Who discovered it?
- Have any other areas been impacted?
- What is the scope of the compromise?
- Does it affect operations?
- Has the source (point of entry) of the event been discovered?

3. Containment

When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run since you'll be destroying valuable evidence that you need to determine where the breach started and devise a plan to prevent it from happening again.

Instead, contain the breach so it doesn't spread and cause further damage to your business. If you can, disconnect affected devices from the Internet. Isolate at the network level (unplug the cable, disable the switch port, or move the host to a quarantine VLAN) rather than powering the machine off: running processes and memory contents are evidence a forensic examination will need, and a shutdown destroys them. Have short-term and long-term containment strategies ready. It's also good to have a redundant system back-up to help restore business operations. That way, any compromised data isn't lost forever.

This is also a good time to update and patch your systems, review your remote access protocols (requiring mandatory multi-factor authentication), change all user and administrative access credentials and harden all passwords.

Questions to address

- What's been done to contain the breach short term?
- What's been done to contain the breach long term?
- Has any discovered malware been quarantined from the rest of the environment?
- What sort of backups are in place?
- Does your remote access require true multi-factor authentication?
- Have all access credentials been reviewed for legitimacy, hardened and changed?
- Have you applied all recent security patches and updates?

4. Eradication

Once you've contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied. Whether you do this yourself, or hire a third party to do it, you need to be thorough. If any trace of malware or security issues remains in your systems, you may still be losing valuable data, and your liability could increase.
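Being thorough about eradication, and noticing if the attacker's files come back after Recovery, is what the file-integrity monitoring named under the Recovery phase (and in PCI DSS 12.10.5) is for. The Python below is an added example, not code from the article or from SecurityMetrics: it hashes a rebuilt directory tree into a baseline and, on a later scan, reports every file that was added, removed or modified. The directory layout, the JSON baseline format and the simulated tampering in demo() are constructed for the example.

```python
"""
Added example (not from the original article): a minimal file-integrity
monitor.  Baseline a known-good tree after eradication, re-scan later, and
report added, removed and modified files.  Paths and the simulated
tampering in demo() are constructed for the example.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Hash content in chunks (files may be large) and record mode and size."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def build_baseline(root) -> dict:
    """Map every regular file under `root` (as a relative POSIX path) to its fingerprint."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = _fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the three change sets a FIM alert should carry."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, out_file):
    # The baseline must live where the attacker cannot rewrite it (read-only
    # media or a separate host); a baseline on the monitored box is worthless.
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file) -> dict:
    return json.loads(Path(in_file).read_text())


def demo() -> dict:
    """
    Constructed scenario: baseline a small tree, then simulate a trojaned
    binary, a dropped web shell and a deleted log, and report the differences.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "srv"
        (root / "bin").mkdir(parents=True)
        (root / "www").mkdir()
        (root / "bin" / "httpd").write_bytes(b"\x7fELF legitimate binary")
        (root / "www" / "index.html").write_text("<html>ok</html>")
        (root / "access.log").write_text("127.0.0.1 GET / 200\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated post-incident changes an eradication check must catch.
        (root / "bin" / "httpd").write_bytes(b"\x7fELF trojaned binary")
        (root / "www" / "shell.php").write_text("<?php system($_GET['c']); ?>")
        (root / "access.log").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline after the system has been rebuilt from a trusted image and before it returns to production, and keep the baseline file off the host. A production FIM additionally tracks ownership, extended attributes and directory entries, and raises alerts as changes happen rather than on a scheduled re-scan; the comparison logic is the same.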
Questions to address

- Have artifacts/malware from the attacker been securely removed?
- Has the system been hardened, patched, and updates applied?
- Can the system be re-imaged?

5. Recovery

This is the process of restoring and returning affected systems and devices back into your business environment. During this time, it's important to get your systems and business operations up and running again without the fear of another breach.

Questions to address

- When can systems be returned to production?
- Have systems been patched, hardened and tested?
- Can the system be restored from a trusted back-up?
- How long will the affected systems be monitored and what will you look for when monitoring?
- What tools will ensure similar attacks will not reoccur? (File integrity monitoring, intrusion detection/protection, etc.)

6. Lessons Learned

Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what you've learned from the data breach. This is where you will analyze and document everything about the breach. Determine what worked well in your response plan, and where there were some holes. Lessons learned from both mock and real events will help strengthen your systems against future attacks.

Questions to address

- What changes need to be made to your security?
- How should employees be trained differently?
- What weakness did the breach exploit?
- How will you ensure a similar breach doesn't happen again?

No one wants to go through a data breach, but it's essential to plan for one. Prepare for it, know what to do when it happens, and learn all that you can afterwards.

David Ellis (GCIH, QSA, PFI, CISSP) is VP of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.

By: David Ellis, VP, Investigations (CISSP, QSA, PFI)


