
Incident Response

MODULE 4:
- Recognize what incident response is.
- Know why incident response is important.
- Engage with the three elements of incident response management.
- Familiarize yourself with the six steps of an incident response plan.


What is Incident Response?
- A term used to describe the process by which an organization handles a data breach or cyber attack, including the way the organization attempts to manage the consequences of the attack or breach (the “incident”).
- Incident response is the methodology an organization uses to respond to and manage a cyber-attack.
- An attack or data breach can wreak havoc, potentially affecting customers, intellectual property, company time and resources, and brand value.
- Incident response aims to reduce this damage and recover as quickly as possible. Investigation is also a key component, in order to learn from the attack and better prepare for the future.
- Because many companies today experience a breach at some point in time, a well-developed and repeatable incident response plan is the best way to protect your company.
Why is Incident Response Important?

As cyber-attacks increase in scale and frequency, incident response plans become more vital to a company’s cyber defenses.

Poor incident response can alienate customers.


Who is the Incident Response Team?
- The company should look to its “Computer Incident Response Team (CIRT)” to lead incident response efforts.
- This team is made up of experts from upper-level management, IT, information security, IT auditors when available, as well as any physical security staff who can aid when an incident involves direct contact with company systems.
- Incident response should also be supported by HR, legal, and PR or communications.
Who is Responsible for Incident Response

- Incident Response Manager
- Security Analyst
- Triage Analyst
Elements of Incident Response Management

1. Incident Response Plan
2. Incident Response Team
3. Incident Response Tools
Incident Response Plan

An incident response plan should prepare your team to deal with threats. It should indicate how to isolate incidents and identify their severity, how to stop the attack and eradicate the underlying cause, how to recover production systems, and how to conduct a post-mortem analysis to prevent future attacks.
Steps of Incident Response Plan

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

Source: https://applied-risk.com/resources/seven-steps-to-implementing-a-successful-incident-response-
1. Preparation

- List all possible threat scenarios.
- Develop policies to implement in the event of a cyber-attack.
- Develop a communication plan.
- Outline the roles, responsibilities, and procedures of your team.
- Establish a corporate security policy.
- Recruit and train team members, and ensure they have access to relevant systems.
- Ensure team members have access to relevant technologies and tools.
2. Identification

- Identify and assess the incident and gather evidence.
- Decide on the severity and type of the incident and escalate if necessary.
- Document actions taken, addressing “who, what, where, why, and how.” This information may be used later as evidence if the incident reaches a court of law.
3. Containment

- The act of preventing the expansion of harm.
- Typically involves disconnecting affected computers from the network.
4. Eradication

- These steps may change the configuration of the organization.
- The aim is to make changes while minimizing the effect on the operations of the organization.
- You can achieve this by stopping the bleeding and limiting the amount of data that is exposed.
5. Recovery

- Ensure that affected systems are no longer in danger and can be restored to working condition. The purpose of this phase is to bring affected systems back into the production environment carefully, to ensure they will not lead to another incident.
- Ensure another incident doesn’t occur by restoring systems from clean backups, replacing compromised files with clean versions, rebuilding systems from scratch, installing patches, changing passwords, and reinforcing network perimeter security.
6. Lessons Learned

- Complete incident documentation, perform analysis to learn from the incident, and potentially improve future response efforts.
- Complete documentation that couldn’t be prepared during the response process. The team should identify how the incident was managed and eradicated.
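As an added illustration that is not part of the original slides, the following Python sketch models a single incident record walking through the six phases above in order: it refuses to close a phase with no documented action, keeps the “who, what, where, why, and how” timeline from the Identification step, flags escalation on a constructed severity scale, and produces per-phase counts for the Lessons Learned review. The class and method names, the severity scale and the escalation threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# The six phases of the plan, in the order the plan requires them.
PHASES = ["Preparation", "Identification", "Containment",
          "Eradication", "Recovery", "Lessons learned"]
ESCALATE_AT = 3  # constructed threshold: severity 3 or higher is escalated to the IR manager

@dataclass
class Action:
    # One documented step: the "who, what, where, why, and how" record, plus when it happened.
    phase: str
    who: str
    what: str
    where: str
    why: str
    how: str
    when: str

class Incident:
    def __init__(self, incident_id: str, severity: int):
        self.incident_id = incident_id
        self.severity = severity
        self.escalated = severity >= ESCALATE_AT  # the Identification-phase escalation decision
        self.phase_index = 0
        self.timeline: list[Action] = []

    @property
    def phase(self) -> str:
        return PHASES[self.phase_index]

    def record(self, who: str, what: str, where: str, why: str, how: str) -> Action:
        # Append a UTC-timestamped action to the evidence timeline for the current phase.
        when = datetime.now(timezone.utc).isoformat()
        self.timeline.append(Action(self.phase, who, what, where, why, how, when))
        return self.timeline[-1]

    def can_advance(self) -> bool:
        # A phase may be closed only once at least one action in it is documented.
        documented = any(a.phase == self.phase for a in self.timeline)
        return documented and self.phase_index < len(PHASES) - 1

    def advance(self) -> str:
        if not self.can_advance():
            raise ValueError(f"cannot leave {self.phase}: undocumented or final phase")
        self.phase_index += 1
        return self.phase

    def lessons_learned_report(self) -> dict:
        # Per-phase action counts, the raw material for the post-mortem.
        counts = {p: sum(1 for a in self.timeline if a.phase == p) for p in PHASES}
        return {"id": self.incident_id, "severity": self.severity,
                "escalated": self.escalated, "actions_per_phase": counts}
```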
The Incident Response Team

To prepare for and attend to incidents, you should form a centralized incident response team, responsible for identifying security breaches and taking responsive actions.

The team should include:

- Incident response manager (team leader)
- Security analysts
- Lead investigator
- Threat researchers
- Communications lead
- Documentation and timeline lead
- Legal representation
The Incident Response Tools

- Cyber incident response tools are most often used by the security industry to test for vulnerabilities, provide emergency incident response to compromised networks and applications, and help take the appropriate incident response steps.
Summary

- Incident response is an approach to handling security breaches.
- The aim of incident response is to identify an attack, contain the damage, and eradicate the root cause of the incident.
- An incident can be defined as any breach of law, policy or unacceptable act that concerns information assets, such as networks, computers, or smartphones.