
How to Build a Successful Incident Response Plan




The fight to protect your company’s data isn’t for the faint of heart.

As an embattled IT warrior, with more systems, apps, and users to support than ever before, keeping everything up and running is a battle in itself.

When it comes to preventing the worst-case scenario from happening, you need all the help you can get, despite your super-hero status.

According to SANS, there are 6 key phases of an incident response plan.
  1. Preparation - Preparing users and IT to handle potential incidents before they happen
  2. Identification - Detecting events and deciding which of them are actual security incidents (which events can we safely ignore vs. which must we act on right now?)
  3. Containment - Isolating affected systems to prevent further damage
  4. Eradication - Finding and eliminating the root cause (removing the attacker's foothold, malware, and accounts from affected systems)
  5. Recovery - Permitting affected systems back into the production environment (and watching them closely)
  6. Lessons Learned - Writing everything down and reviewing and analyzing it with all team members so you can improve future incident response efforts
Here are three examples from the front lines of incident response that can help you at each phase as you build out your plan.

On Defining Incident Response Success


There are many levels of success in defensive work. The common wisdom is that the attacker only has to be right once while the defender has to be right every time, but that isn’t always true.

Attacks are not all-or-nothing affairs - they happen over time, with multiple stages before final success.

To remain undetected against an attentive defender, it is the attacker who must make every move correctly; if an astute defender catches them even once, that single detection can be pulled on to locate and stop the whole attack.

You aren't going to immediately detect everything that happens during an attack - but as long as you detect (and correctly identify) enough of an attack to stop it in its tracks, that’s success.
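The identification phase above and the point just made (you only need to catch enough stages of a multi-stage attack to stop it) are easier to see in code. The following is an added example written for this page, not code from the SANS phases or the AlienVault eBook. The log format, field names, bruteforce threshold, correlation window and stage weights are all assumptions chosen for the illustration; the log lines are constructed, not real captures.

```python
"""Triage constructed log events into per-host incident verdicts.

Added illustration only: the key=value log format, field names, thresholds
and stage weights below are assumptions for this example, not a product schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO-8601 timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host=web01 event=auth_failure user=alice src=203.0.113.5
2024-03-01T10:00:02Z host=web01 event=auth_failure user=alice src=203.0.113.5
2024-03-01T10:00:03Z host=web01 event=auth_failure user=alice src=203.0.113.5
2024-03-01T10:00:04Z host=web01 event=auth_failure user=alice src=203.0.113.5
2024-03-01T10:00:05Z host=web01 event=auth_failure user=alice src=203.0.113.5
2024-03-01T10:00:09Z host=web01 event=auth_success user=alice src=203.0.113.5 new_source=yes
2024-03-01T10:07:40Z host=web01 event=scheduled_task_created user=alice task=updater
2024-03-01T09:30:00Z host=db02 event=auth_failure user=svc_backup src=10.0.0.8
2024-03-01T11:15:00Z host=fs01 event=outbound_transfer user=bob dst=198.51.100.7 bytes=120000000
"""

BRUTEFORCE_THRESHOLD = 5                 # failures from one source within the window
BRUTEFORCE_WINDOW = timedelta(minutes=2)
CORRELATION_WINDOW = timedelta(hours=1)  # stages on one host within this window chain together
STAGE_WEIGHT = {"bruteforce": 1, "initial_access": 2, "persistence": 2, "exfiltration": 3}


def parse_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict; return None for unparseable lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts}
    for kv in parts[1:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event if "host" in event and "event" in event else None


def detect_stages(events):
    """Return [(ts, host, stage)] for events that evidence an attack stage.

    A lone auth failure is noise and yields nothing; only a burst from one
    source within BRUTEFORCE_WINDOW is promoted to the 'bruteforce' stage.
    """
    stages = []
    failures = defaultdict(list)  # (host, src) -> recent failure timestamps
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind = e["event"]
        if kind == "auth_failure":
            key = (e["host"], e.get("src"))
            recent = [t for t in failures[key] if e["ts"] - t <= BRUTEFORCE_WINDOW]
            recent.append(e["ts"])
            failures[key] = recent
            if len(recent) == BRUTEFORCE_THRESHOLD:
                stages.append((e["ts"], e["host"], "bruteforce"))
        elif kind == "auth_success" and e.get("new_source") == "yes":
            stages.append((e["ts"], e["host"], "initial_access"))
        elif kind == "scheduled_task_created":
            stages.append((e["ts"], e["host"], "persistence"))
        elif kind == "outbound_transfer" and int(e.get("bytes", "0")) > 50_000_000:
            stages.append((e["ts"], e["host"], "exfiltration"))
    return stages


def triage(log_text):
    """Map every host in the log to (verdict, [stages in order seen]).

    Verdicts: 'ignore' (no stage seen), 'monitor' (weak single signal),
    'investigate', 'contain_now' (several stages chained on one host).
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    hosts = {e["host"] for e in events}
    per_host = defaultdict(list)
    for ts, host, stage in detect_stages(events):
        per_host[host].append((ts, stage))

    verdicts = {}
    for host in sorted(hosts):
        hits = sorted(per_host.get(host, []))
        chained = []
        if hits:
            first_ts = hits[0][0]
            for ts, stage in hits:
                # Only stages inside the correlation window of the first hit chain together.
                if ts - first_ts <= CORRELATION_WINDOW and stage not in chained:
                    chained.append(stage)
        score = sum(STAGE_WEIGHT[s] for s in chained)
        if score >= 4:
            verdict = "contain_now"
        elif score >= 2:
            verdict = "investigate"
        elif score == 1:
            verdict = "monitor"
        else:
            verdict = "ignore"
        verdicts[host] = (verdict, chained)
    return verdicts


if __name__ == "__main__":
    for host, (verdict, chain) in triage(SAMPLE_LOG).items():
        print(f"{host}: {verdict} {chain}")
```

Note what the thresholds buy you: the single failure on db02 is ignored, the five failures on web01 alone would only earn a "monitor", but once the burst is followed by a login from a new source and a new scheduled task on the same host inside the window, the chain is escalated to "contain now" without ever having seen the attacker's later moves.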

Don’t Panic. Stay Focused.


Execution is key - the range of ways to attack a target can seem limitless - expecting to be an expert on all of them is pointlessly unrealistic.

The most important part of incident response is to handle every situation in a way that limits damage, and reduces recovery time and costs.

At the end of the day, that’s how you’ll be measured on a job well done… not that you’ve covered every angle of every potential vulnerability.

Start with Simple Steps. Attackers are Lazy.


Attackers have technical and economic imperatives to use the minimum amount of effort and resources to breach their targets - the more you remove the low-hanging fruit on your network, the more you raise the actual level of work an attacker has to expend to successfully infiltrate it.

AlienVault has recently created a five-chapter eBook titled the Insider’s Guide to Incident Response that goes further into fundamental strategies that can help you create an efficient and effective incident response plan.

The eBook covers:
  • Arming & Aiming Your Incident Response Team
  • Incident Response Process and Procedures
  • Types of Security Incidents
  • Incident Response Tools
  • Incident Response Training
You can download the entire eBook at AlienVault’s website here.


Comments

  1. Very nice article... This blog nicely explains the incident response plan, and I found it very helpful. Incident response tools are also very useful. Thanks for sharing.

T he Internet of Things (IoT) is continuing to gain traction with an ever-increasing number of connected devices coming to market. But as tech-savvy consumers begin investing in their first devices for a connected home, what is to stop them becoming a cyber attacker's next target? While still uncommon, we know that cyber attackers are going after connected consumer devices, demonstrated on a massive scale by the group of Russian hackers who published thousands of live-streaming webcam footage from over 250 countries. Unless the manufacturers of connected devices take a holistic approach to bolstering their cyber security efforts, these types of attacks will increase in number. To gain a greater understanding of the cyber security risks that consumers could be exposing themselves to, research was conducted into the cyber security posture of six ‘always-on’ consumer IoT devices. The results were unsettling. Veracode carried out a set of uniform tests across all the