Have you ever noticed something out of the ordinary when checking the VPN server logs? For instance, the logs show that an employee sitting in your firm's US office logged in from Hong Kong. Strange, right? Or you spotted unauthorized access to a file that no one should be able to reach.
In situations like these, an outsourced IT helpdesk must not hit the panic button; it must respond appropriately. How do you deal with such cyber incidents? The National Institute of Standards and Technology (NIST) holds that some incidents are inevitable, but their damage can be limited.
This is where the incident management life cycle comes in handy. It is broken down into six phases.
1st Phase of Incident Management
The first step of incident resolution is Preparation. It is straightforward: you need a trained incident management team.
The main aim of this phase is to align the organization's technical capabilities with its policies.
- These involve protecting sensitive data, personal information, and network infrastructure.
- You must make sure that all workers have at least a basic level of cybersecurity awareness.
- You should ensure that they have received some instruction in incident response procedures, which will help them handle a cyber crisis.
- The team members should identify valuable assets and carry out stringent testing. To evaluate readiness, mock data breaches and incident response drills are mandatory.
You also have to ensure that there is proper funding for executing the plan and that all the resources involved are approved. Most importantly, the plan must be documented, and the documentation must specify roles and responsibilities.
2nd Phase of Incident Management
The second step of the incident management life cycle is Identification. In this step, the incident response team has to identify strange occurrences or unrecognized changes in the network.
This step is heavily reliant on awareness. One must be trained to decide whether an event qualifies as a reportable incident or not.
- Thus, the responsible person has to review log files and alerts from firewalls and intrusion detection systems (IDS). For instance, a user might report that a system is acting 'oddly'.
- Other indicators include unusual processes, newly created accounts, unexpected files, and changes in privileges.
In case of a breach or system compromise, certain questions should be addressed: the extent of the breach, the disruption to business operations, and the source of the issue.
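The article's opening scenario (a US-based employee apparently logging in from Hong Kong) as a small detection script, added here as an example that is not part of the original article: it parses constructed VPN log lines and flags successful logins from a country not expected for that user, as well as "impossible travel" between two countries within a short window. The log format, the country field (assumed to come from a GeoIP enrichment step), and the per-user expected-country table are all assumptions.

```python
"""Flag suspicious VPN logins in (constructed) log lines: a successful login
from a country not expected for that user, or "impossible travel" between
two countries within TRAVEL_WINDOW."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines; the country field is assumed to come from a
# GeoIP enrichment step, not from the VPN appliance itself.
SAMPLE_LOGS = """\
2024-03-10T08:02:11Z vpn: user=alice src=203.0.113.7 country=US result=success
2024-03-10T09:15:40Z vpn: user=bob src=198.51.100.23 country=US result=success
2024-03-10T09:47:03Z vpn: user=alice src=192.0.2.55 country=HK result=success
2024-03-10T10:01:12Z vpn: user=carol src=192.0.2.90 country=DE result=failure
2024-03-10T12:30:00Z vpn: user=bob src=198.51.100.23 country=US result=success
"""
# Assumed per-user expected countries (e.g. from HR/office records);
# a user missing from this table has every login flagged.
EXPECTED = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "DE"}}
TRAVEL_WINDOW = timedelta(hours=4)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>\w+)$"
)

def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def detect(log_text, expected=EXPECTED, window=TRAVEL_WINDOW):
    """Return (user, rule, detail) alerts in log order."""
    alerts, last = [], {}  # last: user -> (ts, country) of latest success
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec["result"] != "success":
            continue  # failed attempts are worth counting, but are not an account in use
        user, country, ts = rec["user"], rec["country"], rec["ts"]
        if country not in expected.get(user, set()):
            alerts.append((user, "unexpected_country", f"{country} from {rec['src']}"))
        prev = last.get(user)
        if prev and prev[1] != country and ts - prev[0] < window:
            alerts.append((user, "impossible_travel", f"{prev[1]} -> {country} in {ts - prev[0]}"))
        last[user] = (ts, country)
    return alerts
```

On the sample data, alice's Hong Kong login trips both rules, while bob's two US logins and carol's failed attempt produce nothing.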
3rd Phase of Incident Management
The third step is Containment, and this phase focuses on the short term. One has to notify management and deal with the malicious software or the damage that has already been done.
- Do not make the mistake of deleting resources, as that might hurt you in the long run; evidence needed for the investigation can be lost. The responsible person must stop the bleeding to avoid further damage.
- In this phase, an incident response handler (IRH) is usually assigned the duty.
- The IRH initiates the process and determines the criticality of the situation, contains the affected systems, and categorizes the incident.
- The IRH does not impulsively take the system completely off the network, because the system might be vital to the business.
- Instead, they contain the system by isolating it in a dedicated VLAN so that the investigation can continue.
It is better to track the adversaries at this stage than to alert them. By isolating it in a VLAN, the endpoint remains on the network while being cut off from other systems.
4th Phase of Incident Management
The fourth step, following the reporting of the issue, is Eradication. This phase involves removing the threat from the affected systems and restoring them, and it begins the long-term solution to the issue.
- The responsible person analyzes the root cause and removes the malware from the systems, typically by re-imaging.
- This phase involves rescanning and monitoring systems to spot potential footholds on other hosts.
- Depending on the issue, someone might write scripts to locate and remove related artifacts. Then they apply the necessary patches to prevent future exploitation.
This phase should include crucial actions such as evaluating backups and reviewing privileged access credentials. It should also involve verifying that all pertinent security updates have been installed.
5th Phase of Incident Management
The fifth step of the incident management life cycle is Recovery. This phase reintroduces the affected systems and brings them back onto the network.
- This depends on whether the systems' flaws have been fixed and on how your company plans to guarantee that they are not exploited again.
- The entire process is not as simple as restoring or re-imaging from backup.
- Monitoring and testing of systems are essential to ensure that there is no re-infection.
In the case of a serious incident, the Cyber Incident Response Team (CIRT) is involved to make sure that everything is safe. This is done in conjunction with other system operators and owners.
6th Phase of Incident Management
The final step, incident closure, is Lessons Learned. It is considered the most vital step, yet one that most companies ignore.
- It involves finalizing the documentation and working out the steps to prevent breaches and anomalies in the future, and it has to be carried out immediately after the recovery phase.
- The Lessons Learned step produces an executive summary and an After-Action Report (AAR). This report explains the WHO, WHAT, WHERE, WHY, and HOW of the incident.
- It is crucial to convene the whole incident response team once service has been restored and go through what transpired. It is essentially a post-incident review.
This step also provides the opportunity to discuss how effective the response was and how it can be improved in the future. Furthermore, the documentation will later be used for training.
The incident management life cycle helps mitigate the impact of a breach and analyze the underlying vulnerabilities. It protects the entire business and ensures that personnel, equipment, and resources can be deployed effectively to address the problem.