Incident Response (IR)

Introduction

There has been an alarming increase in cyberattacks and data breaches. Even the largest organizations, with the best cybersecurity infrastructure and the strongest security operations, can be compromised.

There is no way to fully prevent a business from being attacked. For this reason, the only thing it can do is have a proper response strategy in place for when an attack occurs. Doing so helps control the damage to the business’s operations, its bottom line and, most importantly, its brand reputation.

Cybersecurity Incident Response Plan

A Cybersecurity Incident Response Plan is the cornerstone of an effective cybersecurity response strategy. It’s essentially a guide that your business will follow in the event of a cyberattack. It presents the actions that need to be taken to minimize the damage and protect your business data during an attack.

An effective incident response plan should follow these steps:

  1. Preparation: Proactive planning, training, and testing. Documentation of procedures.
  2. Detection and analysis: A cyber incident has occurred. Convene the response team to discuss the risks and impacts. Determine which processes and assets are business-critical. Analyze the threat. Determine the indicators of compromise (IOCs).
  3. Containment: Process for separating and isolating the affected system(s) from the rest of the network.
  4. Eradication and recovery: Mitigate the vulnerability. Patch and restore the affected systems. If needed, sanitize and securely dispose of certain systems. Reconstitute resources and restore capabilities and services. Verify that logging and communication to security monitoring are working.
  5. Post-incident activities: Hold post-incident discussions. Complete a lessons-learned report. Retain evidence. Verify that continuous monitoring is occurring. If needed, update the incident response plan itself.

Source: https://www.comptia.org/certifications/cybersecurity-analyst


This post is licensed under CC BY 4.0 by the author.