Response -

After the possible incident has been discovered and the proper entities notified,
the initial response commences. This step involves determining whether the reported
activity is truly an incident, is underway, or has occurred. This portion of the
management process can also serve as a form of triage, where the incident (if it is
decided one exists) can be categorized so as to guide the subsequent phases of the
process. This step should involve security practitioners trained and knowledgeable
in incident identification and management. Someone with experience in incident
handling needs to review the situation and, if necessary, formally declare an
incident and activate the incident response team. This does not mean, however, that
only one person should be involved in making this determination; the security
practitioner tasked with this portion of the process should make use of any assets
required to make an accurate determination. Sources that can aid in this
determination might include other security team members (such as log or forensics
analysts), additional personnel from other departments (such as networking and
systems administrators/architects), devices (such as the detection equipment/tools
listed in the discussion of the previous phase), and data (including possibly event
logs or video feeds, depending on the nature of the supposed incident).

Mitigation -

The initial mitigation effort depends on many factors, including the nature and
breadth of the incident, the organization’s risk appetite and critical business
needs, and any policy or regulatory drivers. This phase includes the immediate
action taken upon determining an incident has occurred/is occurring, but it will
not be the final effort in addressing the incident.

The main variables affecting how an incident is initially addressed are the
following:

• Time
• Risk
• Impact

Each organization will weigh these three factors differently.

The desired end state will also have some bearing on how activity is conducted at
this phase. In some organizations, eventual legal action (prosecution or
litigation) is the desired end state; in those cases, the organization wants to
gather as much information as possible about the cause of the incident and anyone
responsible for the incident, which may mean leaving the environment at risk while
information is gathered. In other organizations, the desired end state might be
maximal containment, so the initial action at this phase might include incurring
significant impact to the operational environment, losing the opportunity to gather
incident data but minimizing the potential for additional losses from the incident.

Depending on the organization and the type of incident, this phase might take place
concurrently with the previous (response) phase. Typically, any mitigation action
taken at this phase should be the decision of the incident manager (usually a
security practitioner), and it should be informed by the organization’s incident
response policy and procedures. The incident should be handled by a team of subject
matter experts who have insight into the various aspects of security and IT. The
team composition should include representatives from several departments, such as
the following:

• Security practitioners
• IT administrators/architects
• General counsel
• Human resources (HR)
• Public relations
• Management
