Incident Response Life Cycle – Phases for Effective IR

Incident response frameworks highlight the importance of preparation and continuous improvement for better response outcomes.
Thursday, April 29, 2021
By: Sophie Bovy - Product Marketing

When thinking about incident response (IR), it can be instinctive to conjure up images of firefighting: reactive action taken to quickly respond to and handle an active security incident in what is usually a high-pressure, high-stakes situation. We are all familiar with stories of ever-evolving adversaries wreaking immediate (or delayed) havoc on an organization's business operations and causing lasting damage to its reputation and bottom line.


What is Incident Response?


The National Institute of Standards and Technology (NIST) defines incident response (or incident handling) as “the mitigation of violations of security policies and recommended practices,” while SANS Institute defines incident handling as an “action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related incidents.”


Incident Response Life Cycles


At first glance, the single-sentence glossary definitions above seem to underscore the reactive nature of incident response, highlighting a trigger event that leads to switching into action. Beyond that, NIST, SANS and ISO, for example, all publish an incident response life cycle to aid responders and their organizations. These life cycles provide a useful framework and approach to incident response, outlining phases of incident response and offering checklists to help ensure effective and efficient response.


NIST SP 800-61 r2                       | SANS                                  | ISO                | Secureworks®
Preparation                             | Preparation                           | Prepare            | Prepare
Detection & Analysis                    | Identification                        | Identify           | Detect & Investigate
Containment, Eradication & Recovery     | Containment; Eradication; Recovery    | Assess; Respond    | Remediate
Post-incident Activity                  | Lessons Learned                       | Learn              | Follow-up

What Incident Response Life Cycles Teach Us


An examination of the phases as set out in the table above highlights three things:


The standard of choice may differ by organization and can be ..
