“Workflow is understanding your job, understanding your tools, and then, not thinking about it anymore.” Merlin Mann
Navigating an incident is a long and complex process. Several phases begin even before an incident happens. NIST Special Publication SP 800-61 recommends four stages (with different sub-phases): Preparation, Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Analysis. It is essential to understand that some components of these phases should be performed continuously either before, during, or after an incident, as shown in the figure below. For example, you may have contained the issue during an incident, meaning you would have to go back to perform additional and ongoing detection and analysis. The key to success in proper response to cybersecurity is to build good processes/workflows and document them in plans and playbooks that can then be practiced and executed by subject matter experts; or as an independent writer and broadcaster Merlin Mann said, “Workflow is understanding your job, understanding your tools, and then, not thinking about it anymore”.
Here is guidance and an example of the actions required to deal with incidents for each relevant stakeholder (team) in the four phases.
1. Preparation Phase.
During the incident management preparation phase, the Cybersecurity Incident Response Team (CIRT) maintains and enhances the organization’s systems and readiness to respond appropriately to a cybersecurity incident with strategic and tactical measures. Activities in this phase include developing and continuously reviewing policies and procedures, performing Risk Assessments and Business Impact Analysis, and training the CIRT and staff on security and incident response practices based on their roles and responsibilities.
2. Detection & Analysis Phase.
During the incident detection phase, security and IT teams evaluate events that may lead to a potential security incident. Once an incident has been detected, an incident ticket or incident record/ticket is opened (for example, in your help desk ticket system) to initiate the detection phase. Detection occurs from different sources.
Technologies involved in this phase include:
3. Containment, Eradication & Recovery Phase.
Containment Phase.
Once an incident is suspected of having a significant impact, the first and most critical step the team should take is to contain the issue to minimize its “blast ratio.” The Incident Leader directs the execution of the incident management containment phase, and teams will isolate and contain the incident not to spread to the rest of the organization.
Technologies involved in this phase include but are not limited to:
Eradication Phase.
During the incident management eradication phase, teams will eliminate components of the incident, such as deleting a malware, disabling breached user accounts, and identifying and mitigating all exploited vulnerabilities. It is crucial to identify all affected hosts within the organization to be remediated during this phase. For some incidents, eradication is performed during recovery.
Technologies involved in this phase include but are not limited to:
Recovery Phase.
During the incident management recovery phase, teams will enact processes and procedures for recovery and complete restoration of any infected endpoints, servers, applications, and data during the incident. During recovery, administrators restore systems to regular operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents.
Technologies involved in this phase include but are not limited to:
Post-Incident Activity.
During the incident management post-incident phase, teams will perform root-cause analysis and lessons-learned activities with the IT Response Team and various stakeholders shortly after incident recovery and closeout. In addition, any recommended outcomes should be implemented to ensure continuous improvement, and all related active tickets should be updated and closed.
If you want to make sure that your team can adequately respond to cybersecurity incidents, you must put a lot of effort into building the right processes and workflows. Once your processes are built, periodically test them, so your first responders build “muscle memory” and refine their workflow. At CA2 Security, we can help you build and/or improve your Incident Response Plan and test it, so your team is ready to respond and protect your organization.