Today I am going to discuss the basics of an Incident Response process. I did not create this; I would love to give credit to those who did! There are other variations out there; however, they all follow the basic “prepare > fix > recover” type model.
I will discuss each phase in detail in later posts.
Phase 1 – Preparation
This is the stage which takes place before there is an attack. This obviously only applies to companies with dedicated Incident Response (IR) teams, whether that be outsourced or internal.
Phase 2 – Identification
The attack has occurred, but to what extent? How did the attack start? What systems have been compromised? What type of Malware is currently running rampant in your environment?
Phase 3 – Containment
The most important point for this phase is to make sure you have thoroughly completed Phase 2, unless you like playing whack-a-mole with Malware.
Phase 4 – Eradication
You have your Malware trapped! Caught in the network with no one to control it and nowhere for it to go. It’s scared, it’s alone, it’s still evil. Kill it!
Phase 5 – Recovery
A nice cup of Tea… no? OK, fine, rebuild any systems that need it, reset some passwords and generally tidy up the mess you and the malware made battling for the Cyber landscape.
Phase 6 – Lessons Learned
Also called Lessons Identified or the Wash Up. This is the time to sit down and talk honestly about what happened. Explain how to prevent it from happening again (also ask for a larger budget).