Five steps in an Incident Response plan

In the information security field, Incident Response (IR) term refers to an organized approach to controlling and addressing the aftermath of a security breach/violation (also known as incident), for example, a successful attack against your network or data lost due to a computer virus.

The goal of IR is to mitigate damages from an incident and reduce costs (include time and money) of a system recovery plan.

An IRP indicates the cause of the incident and provides a detailed process that needs to be followed when an incident occurs.

Large organizations often have a Computer Incident Response Team (CIRT) that established to handle a happened incident and perform procedures in the pre-defined IRP. The members of CIRT include personals as IT manager, system/network/security specialist, IT staff.  Depending on each specific case, a representative of law enforcement agency, HR and PR departments also join CIRT.

In this article, I will introduce the overview of five steps in an IRP. Carnegie Mellon University (USA) pioneered this process (five steps).

1: Identifying

The goal of this step is to determine which event has occurred in your system.

2: Investigating

The goal of this step is to find out the root cause of the event identified at the first step. The process of investigating an incident involves collecting and analyzing suspicious entries or unusual network packets in system logs, audit logs.

If investigation is conducted carefully and precisely, you will be possible to determine exactly whether identified event is serious enough to become an incident or not. I am sure that you would not want to waste your time and effort on False Positive (also known as false detection or false alarm) situation. A false positive occurs when you or your security tools (proxy/firewall, IDS/IPS, Anti-virus…) detect or identify a normal event (or innocent object) as an incident (or malicious object).

3: Repairing

Finding the method to correct damaged components, lost resources and restore a messed up system to previously a secure, stable state.

4: Documenting & Reporting

During the entire process of responding to an incident, you should document the steps (1, 2 and 3 above) you take to identify and repair the system or network. This information is valuable and useful in case an incident like this occurs again.

If possible, you should report/disclosure the incident to legal authorities and  information security research groups such as CERT, US-CERT (if you are USA), VNCERT (if you are Vietnam), KRCERT (if you are Korean)… so that those organizations can be aware of the type threat/attack and create proactive countermeasures.

You also should inform hardware/software manufactures of vulnerabilities you discovered in their product(s) and how you closed the gap.

5: Adjusting Procedures

After you controlled and resolved the incident successfully, you need to check your existing procedures, policies in organization again to determine what changes, if any, need to be made.

P/s: Click here to read this article in Vietnamese.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s