We implement controls to prevent security incidents. Despite these efforts, information security incidents still occur. They can be caused by internal or external actors, and they can be accidental or deliberate.
There are generally four stages in the incident life cycle:
- Preparation – Preparation starts with prevention: making sure systems, networks, and applications are sufficiently hardened so that fewer incidents occur in the first place. It also means developing the policies and procedures that define how an incident will be handled before one happens. Key components of these documents are an inventory of the attack vectors the organization is most likely to face, the names of the individuals responsible for executing the response plan (and their contact details and backups), and an understanding of the external parties the process depends on, such as law enforcement.
- Detection and Analysis – The processes developed during preparation and the tools that have been deployed are what allow us to recognize that an incident is occurring. It is important to distinguish a security event from a security incident: an event is any observable occurrence in a system or network, while an incident is an event that violates, or imminently threatens to violate, security policy. The threshold the organization sets between the two is what triggers the formal declaration of an information security incident. Once declared, the incident should be prioritized based on business impact (which services are degraded or unavailable), information impact (what data has been exposed, altered, or destroyed), and the effort that will be needed to recover. Lastly, at this stage the organization should determine which internal and external parties must be notified, and by when.
- Containment, Eradication, and Recovery – Once an incident has been identified and declared, the next step is to contain the damage. Organizations have been known to suspend internet access, disable servers, and remove devices from the network to limit the impact; whichever measure is chosen, evidence (memory, logs, disk images) should be preserved before a system is powered off or rebuilt, since the analysis depends on it. Once contained, the threat is eradicated in a manner appropriate to the nature of the incident, for example removing malware, disabling compromised accounts, or closing the vulnerability that was exploited. This is not as easy as it sounds and may take a significant amount of time and effort. Only after eradication does recovery begin: returning systems to the operational state that existed before the incident, typically by restoring from known-good backups or rebuilding, and confirming that the threat is gone before reconnecting them. A full return to the prior state may not always be possible, which highlights the need for solid recovery and resiliency procedures and the importance of periodically testing them.
- Post-Incident Activity – Restoring the systems does not end the response. The incident must be sufficiently documented (timeline, root cause, actions taken, and their effect) and the lessons learned captured and fed back into the preparation stage. Information security incidents can and do occur in organizations at every level of cyber security maturity. The groups that understand the anatomy of their incidents, plan for them in advance, and learn from their history tend to be the most successful.