Retrospective

Preparation
Develop a policy approved by management.
Identify critical data and systems, and single points of failure.
Train staff on incident response.
Implement an incident response team (covered in a subsequent topic).
Practice incident identification (first response).
Identify roles and responsibilities.
Plan the coordination of communication between stakeholders, and consider the possibility that a primary method of communication may not be available.

Detection and Analysis
Monitor all possible attack vectors.
Analyze incidents using known data and threat intelligence.
Prioritize incident response.
Standardize incident documentation.

Containment, Eradication and Recovery
Gather evidence.
Choose an appropriate containment strategy.
Identify the attacker.
Isolate the attack.
After an incident has been contained, eradication may be necessary to eliminate components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited. During eradication, it is important to identify all affected hosts within the organisation so that they can be remediated. For some incidents, eradication is either not necessary or is performed during recovery.
In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents. Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security (e.g., firewall rulesets, boundary router access control lists). Higher levels of system logging or network monitoring are often part of the recovery process.

Post-incident Activity
Identify evidence that may need to be retained.
Document lessons learned.
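As an added illustration of the "Standardize incident documentation", "Gather evidence" and "Identify evidence that may need to be retained" items above (example code written for this page, not part of the original material): a minimal incident record that keeps a phase-tagged timeline, fingerprints each evidence artifact with SHA-256 at collection time so later alteration is detectable, records chain of custody, and flags items for retention. The incident id, host name, analyst name and log line are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

PHASES = ("Preparation", "Detection and Analysis",
          "Containment, Eradication and Recovery", "Post-incident Activity")

@dataclass
class EvidenceItem:
    name: str
    sha256: str           # fingerprint taken at collection time
    source_host: str
    retain: bool = False  # decided during post-incident activity
    custody: list = field(default_factory=list)  # chain-of-custody entries

class IncidentRecord:
    def __init__(self, incident_id: str, summary: str):
        self.incident_id, self.summary = incident_id, summary
        self.timeline, self.evidence = [], {}
    def log(self, phase: str, note: str) -> None:
        if phase not in PHASES:  # every timeline entry is tied to a lifecycle phase
            raise ValueError(f"unknown phase: {phase}")
        self.timeline.append({"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                              "phase": phase, "note": note})
    def gather_evidence(self, name: str, data: bytes, host: str, collector: str) -> str:
        digest = hashlib.sha256(data).hexdigest()  # hash the artifact as collected
        item = EvidenceItem(name, digest, host)
        item.custody.append({"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                             "holder": collector, "action": "collected"})
        self.evidence[name] = item
        self.log(PHASES[2], f"collected {name} from {host}, sha256={digest[:16]}")
        return digest
    def verify_evidence(self, name: str, data: bytes) -> bool:
        # True only while the artifact still matches its collection-time hash.
        return hashlib.sha256(data).hexdigest() == self.evidence[name].sha256
    def mark_for_retention(self, name: str) -> None:
        self.evidence[name].retain = True
        self.log(PHASES[3], f"{name} flagged for retention")
    def to_dict(self) -> dict:
        return {"incident_id": self.incident_id, "summary": self.summary, "timeline": self.timeline,
                "evidence": {n: asdict(e) for n, e in self.evidence.items()}}

# Constructed sample (not real data): an auth-log excerpt from the affected host.
SAMPLE_AUTH_LOG = b"Mar 03 02:14:07 web01 sshd[4412]: Accepted password for svc_backup from 203.0.113.9\n"

def build_sample_record() -> IncidentRecord:
    rec = IncidentRecord("IR-0007", "off-hours service-account login on web01")
    rec.log(PHASES[1], "alert: svc_backup logged in outside its maintenance window")
    rec.gather_evidence("web01-auth.log", SAMPLE_AUTH_LOG, "web01", "analyst-a")
    rec.log(PHASES[2], "web01 isolated; svc_backup disabled pending eradication")
    rec.mark_for_retention("web01-auth.log")
    return rec
```

Calling `build_sample_record().to_dict()` yields the standardized record; `verify_evidence` returns False once the stored artifact differs by even one byte from what was collected.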