You have an incident. It may be a breach in progress, or one that happened a while ago and has only just been noticed. What is your incident response? What do you do? Do you have a plan? Have you tested that plan recently? Is everyone trained in their responder role?
Here are the components that may be involved in responding to an incident:
Identification
- Suspected incident detected
- Activate CIRT (Computer Incident Response Team)
- First responder assessment
- Determine type of threat(s)
- Determine affected resources
- Forensic investigation decision
First Responders/Containment
- Monitor and/or stop hostile activity
- Isolate affected resource(s)
- Information gathering
- Image affected devices (work from forensic copies, never the originals)
- Live packet capture
- Ensure integrity of data (hash every image and capture at collection) and maintain chain of custody
- Ensure availability of critical services/systems/assets
- Investigation
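The acquisition steps above (image devices, capture packets, preserve integrity and chain of custody) come down to one habit: hash every artifact the moment it is collected and log who collected it, when, and from where, so that a later analysis or a court can show the evidence is unchanged. The following is an added example written for this page, not HALOCK's own tooling or process. It assumes a POSIX shell with sha256sum or shasum available, and it uses a constructed file as a stand-in for the output of an imaging or capture tool such as dd or tcpdump.

```shell
#!/bin/sh
# Added example: record and verify evidence hashes for a chain-of-custody log.
# In a real acquisition the FILE argument would be the output of a tool such as
# dd/dc3dd (disk image) or tcpdump -w (packet capture); here it is a constructed file.
set -u

# hash_file FILE: print the SHA-256 of FILE (coreutils sha256sum or BSD shasum).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# record_evidence FILE COLLECTOR CASE_ID LOGFILE
# Appends one custody entry: UTC timestamp | case id | collector | file | size | sha256.
# Prints the hash so the responder can read it back and write it on the evidence bag/label.
record_evidence() {
  file=$1; collector=$2; case_id=$3; log=$4
  [ -f "$file" ] || { echo "missing evidence file: $file" >&2; return 1; }
  hash=$(hash_file "$file")
  size=$(wc -c < "$file" | tr -d ' ')
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  printf '%s|%s|%s|%s|%s|%s\n' "$ts" "$case_id" "$collector" "$file" "$size" "$hash" >> "$log"
  echo "$hash"
}

# verify_evidence FILE LOGFILE
# Recomputes the SHA-256 and compares it with the first entry recorded for FILE.
# Returns 0 if unchanged, 1 on mismatch, 2 if the file was never logged.
verify_evidence() {
  file=$1; log=$2
  recorded=$(awk -F'|' -v f="$file" '$4==f {print $6; exit}' "$log")
  [ -n "$recorded" ] || { echo "no custody entry for $file" >&2; return 2; }
  current=$(hash_file "$file")
  if [ "$current" = "$recorded" ]; then
    echo "OK $file"
    return 0
  fi
  echo "MISMATCH $file recorded=$recorded current=$current" >&2
  return 1
}

# Demo on constructed input so it runs offline: record, verify, then simulate
# post-acquisition alteration and show the verification fail.
demo() {
  work=$(mktemp -d)
  printf 'constructed sample evidence\n' > "$work/sdb.img"
  record_evidence "$work/sdb.img" "analyst1" "CASE-0001" "$work/custody.log" >/dev/null
  verify_evidence "$work/sdb.img" "$work/custody.log"
  printf 'tamper' >> "$work/sdb.img"
  verify_evidence "$work/sdb.img" "$work/custody.log" || echo "integrity check failed as expected"
  rm -rf "$work"
}
demo
```

Keep the custody log itself on write-once or separately hashed storage; a log that lives next to the evidence and can be edited by the same account proves nothing. The case id, collector and timestamp are assumed field names for illustration; use whatever your CIRT's custody form already requires.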
Eradication/Investigation
- Incident response (IR) manager notified
- IR manager assessment
- Determine appropriate response
- Brief CIRT resources
- Perform Incident Response Forensic Analysis
Recovery
- Patch
- Alert & notifications
- HR actions and prosecution, where warranted
- Return to normal operations
Report & Follow Up
- Document incident information and brief
- Document lessons learned
- Improve policies, guidelines and procedures
- Improve infrastructure as warranted
- Forensic Investigation Report
Keep your Incident Response partner’s phone number handy! HALOCK’s incident response hotline number is: 800-925-0559.
Implement a continuous incident response readiness program – Incident Response Readiness as a Service (IRRaaS).
Nancy Sykora
Sr. Account Executive