Incident response is cyclical, with each stage feeding the next. The first two stages, Preparation and Identification, are a constant part of daily activities as security pros stay abreast of threats and monitor systems and networks. The six stages outlined below are taught as part of SANS Institute's incident handling and forensic courses.
1. Preparation: The security team builds a strong foundation by getting the necessary training, acquiring and learning to use tools, and developing policy.
2. Identification: This is where a security event is determined to be a genuine incident. Accurate and accessible data is a must. IT reviews intrusion-detection systems, security information and event management (SIEM) systems, and host logs; security teams acquire additional data from system administrators and run incident-response tools when necessary.
3. Containment: The team performs technical triage to prevent additional systems from being compromised and further data from being taken. It implements firewall rules, checks backup systems, and coordinates with the Internet service provider.
4. Eradication: IT removes malicious components from affected systems or rebuilds them using trusted media and backups.
5. Recovery: Systems are returned to service and monitored for signs of further attacker activity.
6. Lessons Learned: The team reviews the security incident, identifies its root cause, and assesses the incident-handling process to determine what should be improved. It creates an executive summary of the incident and implements process changes. --John Sawyer
John Sawyer is a senior security analyst with InGuardians.