You have an incident. It may be a breach in progress, or one that happened a while ago and has only just been noticed. What is your incident response? What do you do? Do you have a plan? Have you tested that plan recently? Is everyone trained in their responder role?

Here are the components that may be involved in responding to an incident:

Identification

  • Suspected incident detected
  • Activate CIRT (Computer Incident Response Team)
  • First responder assessment
  • Determine the type of threat(s)
  • Determine the affected resources
  • Decide whether a forensic investigation is required (this decision governs how evidence is handled from here on)

First Responders/Containment

  • Monitor and/or stop hostile activity
  • Isolate the affected resource(s)
  • Gather information
  • Image affected devices
  • Capture live network traffic
  • Preserve the integrity of evidence and maintain chain of custody (hash images at acquisition and record who handled what, and when)
  • Ensure availability of critical services/systems/assets
  • Begin the investigation
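The evidence-integrity and chain-of-custody items above are where responders most often get tripped up later: an image that cannot be shown to be unchanged since acquisition, or a custody log that could have been edited, is hard to rely on. The following is an added example and not HALOCK's code or any tool named on this page. It hashes an acquired image at acquisition time, keeps every custody event in a hash-chained log, and re-verifies both the image and the log before the evidence is used. The image contents, host name and actor names are constructed for the demonstration.

```python
"""Evidence integrity and chain of custody for an imaged device.

Added example, not HALOCK's code or any tool named on this page. It hashes
an acquired image at acquisition time, records every custody event in a
hash-chained log, and re-verifies both the image and the log before the
evidence is relied upon. The image contents, host name and actor names
are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024          # stream large images instead of reading them whole
GENESIS = "0" * 64           # prev_hash of the first log entry


def sha256_of_file(path):
    """SHA-256 of a file, read in chunks so multi-GB images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_digest(body):
    # Canonical JSON (sorted keys) so the digest is independent of dict order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_custody_event(log, actor, action, image_hash, when=None):
    """Append a custody event. Each entry commits to the previous entry's
    digest, so editing or dropping an earlier entry breaks the chain."""
    entry = {
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "actor": actor,
        "action": action,
        "image_sha256": image_hash,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_digest(entry)
    log.append(entry)
    return entry


def acquire_image(path, actor):
    """Hash the freshly acquired image and open its custody log."""
    log = []
    add_custody_event(log, actor, "acquired", sha256_of_file(path))
    return log


def verify_log(log):
    """Return a list of problems with the custody log (empty means intact)."""
    if not log:
        return ["empty custody log"]
    reasons = []
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            reasons.append(f"entry {i}: chain link broken")
        if _entry_digest(body) != entry["entry_hash"]:
            reasons.append(f"entry {i}: entry digest mismatch (entry edited)")
        if entry["image_sha256"] != log[0]["image_sha256"]:
            reasons.append(f"entry {i}: image hash differs from acquisition record")
        prev = entry["entry_hash"]
    return reasons


def verify_evidence(path, log):
    """(ok, reasons): ok only if the log is intact and the image still
    matches the hash recorded at acquisition."""
    reasons = verify_log(log)
    if log and sha256_of_file(path) != log[0]["image_sha256"]:
        reasons.append("image content no longer matches acquisition hash")
    return (not reasons, reasons)


def demo():
    """Constructed walkthrough: acquire, hand over, then detect a tampered image."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "host01-sda.raw")         # constructed image
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed disk image contents")
        log = acquire_image(image, "responder-a")
        add_custody_event(log, "responder-a", "handed to evidence custodian",
                          log[0]["image_sha256"])
        ok_before, _ = verify_evidence(image, log)
        with open(image, "r+b") as f:                     # one byte flipped
            f.write(b"\x01")
        ok_after, reasons = verify_evidence(image, log)
        return ok_before, ok_after, reasons


if __name__ == "__main__":
    print(demo())
```

Two caveats apply. The chain only protects entries that a later entry commits to, so whoever holds the log can still rewrite the last entry and recompute its digest; the tail digest needs to be anchored somewhere the handler cannot alter (signed, or written to an append-only store). And a matching hash proves the image has not changed since acquisition, not that acquisition itself was sound; the acquisition step still needs a write-blocker or equivalent.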

Eradication/Investigation

  • Notify the incident response (IR) manager
  • IR manager assessment
  • Determine the appropriate response
  • Brief CIRT resources
  • Perform incident response forensic analysis

Recovery

  • Patch and harden the affected systems
  • Alerts and notifications
  • HR actions and prosecution, where warranted
  • Return to normal operations, once eradication has been confirmed

Report & Follow Up

  • Document the incident and brief stakeholders
  • Document lessons learned
  • Improve policies, guidelines and procedures
  • Improve infrastructure as warranted
  • Produce the forensic investigation report

Keep your Incident Response partner’s phone number handy!  HALOCK’s incident response hotline number is:  800-925-0559.

Implement a continuous incident response readiness program – Incident Response Readiness as a Service (IRRaaS).

Nancy Sykora
Sr. Account Executive