What is Incident Response (IR) Lifecycle? - Information Security


Wednesday, July 13, 2022


Incident Response (IR)

A lifecycle model for describing incident management

You have probably heard this buzzword many times in cyber security talks, forums and discussions. But a simple outline helps to understand it better.

Let’s talk about that!

Before we dive deeper into other terms and concepts, we need to know two basics of IR: events and incidents.

An Event is any observable occurrence in a network or system at large. Events are of two types:

1. Regular Events: all normal activities happening in the network or system.

2. Adverse Events: adverse traffic, deviations from the baseline posture, odd traffic and any tampering.

An Incident is any unplanned interruption to IT systems or services, or an outage of the service delivered through them. Remember that every incident originates from an event, but not every event is an incident.



Incident Response (IR) Lifecycle

Process Flow

What do we do in each phase?

Preparation (also called the pre-incident phase, i.e., laying the groundwork before an adverse situation takes place)

Prepare the IR team, define incident triggers and a communication plan, set up workarounds and tools, and establish the guides, procedures and other resources that incident handling will need. Prepare a war room (a place to get together to solve a particular problem).

Detection & Analysis

Determine whether an event that has occurred is a true incident and establish its context. Analyze the event further to understand its impact at a broader level. Not every event is an incident, but every incident originates from an event.

Containment, Eradication and Recovery

The main goal is to stop the problem from getting worse and put a stop to it. Then remove the attackers from the system, clean up what they left behind, and restore the affected systems to normal in a safe and stable state.

Post-Mortem (Retrospection)

This is the post-incident assessment carried out once the incident is over, to learn lessons from it. Document the whole investigation, i.e., maintain the chain of events and chain of custody for any legal implications, note the learning points, and use them to make revisions and improvements (CAN: Condition, Action and Needs) to the existing process, governance, policy, SOP, measures and controls.
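Added example (not code from the original post) that models the definitions above in Python: events are classified as regular or adverse by their deviation from a baseline, an adverse event that interrupts a service becomes an incident, and the incident is walked through the lifecycle phases in order while a chain of events is kept for the post-mortem. The requests-per-minute metric, the 50% tolerance and the sample events are assumptions.

```python
# Added example, not code from the original post: a small model of the
# event/incident distinction and the lifecycle phases described above.
from dataclasses import dataclass, field
# Lifecycle phases in the order the post describes them.
PHASES = ["Preparation", "Detection & Analysis",
          "Containment, Eradication and Recovery", "Post-Mortem"]
@dataclass
class Event:
    time: str            # constructed timestamps below, not real telemetry
    source: str
    value: float         # observed requests per minute (assumed metric)
    baseline: float      # expected value from the preparation-phase baseline
    service_down: bool = False

def classify_event(ev: Event, tolerance: float = 0.5) -> str:
    """Regular: within tolerance of baseline. Adverse: deviation from it."""
    if ev.baseline and abs(ev.value - ev.baseline) / ev.baseline > tolerance:
        return "adverse"
    return "regular"

def is_incident(ev: Event) -> bool:
    """An incident is an unplanned service interruption; it always comes from an adverse event."""
    return classify_event(ev) == "adverse" and ev.service_down

@dataclass
class Incident:
    origin: Event
    phase: str = PHASES[1]   # preparation is pre-incident, so start here
    timeline: list = field(default_factory=list)  # chain of events for post-mortem

    def advance(self, note: str) -> str:
        """Move to the next phase in order and record why, for the post-mortem."""
        idx = PHASES.index(self.phase)
        if idx + 1 >= len(PHASES):
            raise ValueError("lifecycle already complete")
        self.timeline.append((self.phase, note))
        self.phase = PHASES[idx + 1]
        return self.phase

def triage(events):
    """Split a stream of events into adverse events and the incidents among them."""
    adverse = [e for e in events if classify_event(e) == "adverse"]
    return adverse, [Incident(origin=e) for e in adverse if is_incident(e)]

SAMPLE_EVENTS = [  # constructed sample
    Event("09:00", "web-01", 1000, 1000),
    Event("09:05", "web-01", 1100, 1000),
    Event("09:10", "web-01", 9000, 1000),                     # odd traffic
    Event("09:15", "web-01", 0, 1000, service_down=True),     # outage
]
```

The 09:10 spike is an adverse event that analysis may still close without declaring an incident, while the 09:15 outage is an incident that must be walked through containment, eradication, recovery and the post-mortem.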
