Tuesday, November 20, 2018

Incident Response Plan

Incident Response

Incident response is the ability to respond to events, incidents and threats that have a negative effect on the network.

The primary goal is to limit the disruption to the network, services and business processes.

Incident response should be planned before any incident happens. Below are some key considerations to keep in mind:

  • There should be an incident response team formed and trained, with adequate knowledge of incident management.
  • There should be formal policies and procedures drafted and communicated to all stakeholders.
  • Necessary tools should be identified and kept easily accessible.
  • Senior management support should be obtained before the team begins planning and operation.
  • The escalation matrix should be documented and shared with stakeholders.

Incident Response Life Cycle


Preparation Phase:

In the preparation phase, the response team needs to assess its incident response capability. Coordination and planning are needed to identify the requirements, and there should be implementation plans such as:

  • Developing policies, processes and procedures.
  • Defining and establishing incident handling criteria.
  • Classifying risk and criticality.
  • Defining the post-incident review process and the change management process.

Identification Phase:

In this phase, suspicious activity or any unusual behaviour that might affect or compromise the infrastructure or business should be identified. Proactive detection, reactive detection and monitoring should be implemented to detect intrusions, analyse network traffic, review audit logs, use honeypots, etc.

Contain Phase:

In this phase the detected incidents and intrusions should be sorted and categorized, then correlated and prioritized. The response team should also isolate the infected system immediately, for example by pulling network cables or isolating it from the router/VLAN.

NB: Forensic evidence should be kept intact.
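As an added illustration of the identification and containment steps described above (example code written for this post, not part of the original article or of any product), the script below reviews a handful of constructed sshd audit log lines, flags a burst of failed logins from one source and the successful login that follows it, and then ranks the findings so the team knows which host to isolate first. The host name, addresses, thresholds and recommended actions are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log lines (syslog-style; host name and addresses are hypothetical).
SAMPLE_LOG = """\
2018-11-20T09:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2018-11-20T09:00:03 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
2018-11-20T09:00:05 web01 sshd[1205]: Failed password for root from 203.0.113.7 port 51124 ssh2
2018-11-20T09:00:07 web01 sshd[1207]: Failed password for root from 203.0.113.7 port 51125 ssh2
2018-11-20T09:00:09 web01 sshd[1209]: Failed password for root from 203.0.113.7 port 51126 ssh2
2018-11-20T09:00:12 web01 sshd[1211]: Accepted password for root from 203.0.113.7 port 51127 ssh2
2018-11-20T09:15:00 web01 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2018-11-20T09:15:40 web01 sshd[1301]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
2018-11-20T10:02:10 web01 sshd[1400]: Accepted publickey for deploy from 192.0.2.9 port 30010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FAIL_THRESHOLD = 5             # failed logins from one source IP ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window (assumed tuning values)
BASE_SCORE = {"success_after_brute_force": 90, "brute_force": 60}
PRIVILEGED = {"root", "admin"}  # accounts whose compromise raises the priority


def parse(log_text):
    """Turn raw sshd lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect(events):
    """Identification phase: review the audit log for brute-force bursts and for a
    successful login that follows one (the stronger sign of an actual compromise)."""
    findings = []
    recent_failures = defaultdict(list)  # source ip -> timestamps of failures still in the window
    alerted = set()                      # (ip, type) pairs already reported, to avoid duplicates
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, now = ev["ip"], ev["ts"]
        window = [t for t in recent_failures[ip] if now - t <= WINDOW]
        if ev["result"] == "Failed":
            window.append(now)
            kind = "brute_force"
        else:
            kind = "success_after_brute_force"
        recent_failures[ip] = window
        if len(window) >= FAIL_THRESHOLD and (ip, kind) not in alerted:
            alerted.add((ip, kind))
            findings.append({"type": kind, "ip": ip, "user": ev["user"],
                             "host": ev["host"], "ts": now})
    return findings


def triage(findings):
    """Containment phase: categorise each finding, raise the priority for privileged
    accounts and attach the first containment step; highest priority comes first."""
    ranked = []
    for f in findings:
        score = BASE_SCORE[f["type"]] + (10 if f["user"] in PRIVILEGED else 0)
        if f["type"] == "success_after_brute_force":
            action = "isolate %s from its VLAN; preserve logs and memory before rebuilding" % f["host"]
        else:
            action = "block %s at the perimeter; monitor %s for further attempts" % (f["ip"], f["host"])
        ranked.append({**f, "score": score, "action": action})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def run(log_text):
    """Full pipeline: parse, detect, then prioritise."""
    return triage(detect(parse(log_text)))


if __name__ == "__main__":
    for item in run(SAMPLE_LOG):
        print(item["score"], item["type"], item["host"], item["ip"], "->", item["action"])
```

On the sample above only the 203.0.113.7 source crosses the threshold, so two findings come out: the successful root login after the burst ranks first with the instruction to isolate the host and keep evidence intact, and the burst itself ranks second with a block-and-monitor action. The single failure from 198.51.100.4 stays below the threshold, which is the kind of noise a threshold and window are meant to suppress.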

Eradicate and Remediate Phase:

In this phase the core team has the greater responsibility: restore or rebuild the system from saved media or backups to its baseline configuration. The team should also work proactively to scan the system once again, remove the malware, and harden the system.

Lessons Learned Phase:

In this phase, the team should document all findings and the remediation process, and take feedback from the team. This post-incident activity is also important, as it helps protect against and defend future incidents or events. All of this information should be kept in the KEDB (known error database) for future reference.

Every organization should also use a framework such as the NIST Cyber Security Framework for a systematic process approach that can help in the overall risk management process. We will cover the Cyber Security Framework (CSF) in another blog post.

Please share your feedback. Thanks!

-DR
