Incident and response planning is an important resource for companies that take their cyber security seriously. Such companies understand the significant threat posed by cyber attacks and accept that, sooner or later, they will fall victim to one.
Sensitive data and confidential information are very valuable in the modern digital age, and cyber criminals are constantly trying to get hold of them. Since it is only a matter of time before a company is attacked, every company should have a solid incident and response plan. But what does an incident and response plan actually consist of, and what are the seven key response phases?
In this blog post, we discuss the seven phases of the cybersecurity incident response process and how you as a company can create your own effective and compelling incident and response plan.
What is an incident and response plan?
All companies should thoroughly understand what an incident and response plan entails and how to design one.
An incident and response plan is an action plan that your company can implement when a security incident, such as a cyber attack, occurs. Ideally, the plan should be a crisp, concise document that outlines the response steps to be performed by the incident and response team and the information security team.
The plan should also include the roles and responsibilities of anyone in the executive and management teams who may be involved in the incident management process.
The plan should answer questions such as: What should be done with the affected user accounts and systems? What communication chain should be followed? Who should be informed when, how and by whom? Should law enforcement authorities be contacted and, if so, when?
All these issues, which relate to the immediate aftermath of the incident period, should ideally be covered in the incident and response plan.
What are the seven response phases following a security incident?
According to the US National Institute of Standards and Technology (NIST), an incident and response plan has four main phases. However, many cyber security experts break these down into a more comprehensive list of seven response phases. We describe all seven phases here.
1. Preparing for future incidents
As the name suggests, this phase of the incident and response plan comes before the incident even takes place. It is a very important phase that determines how your company can respond to a security incident.
The preparation phase of an incident and response plan takes into account that the company will most likely be hit by an attack sooner or later and makes sure to prepare the company and its key stakeholders for a future attack.
This phase is all about risk assessment, where the company assesses where the greatest vulnerabilities lie, which assets are most likely to be attacked and what the company should do when it is attacked.
Defining clear communication channels, determining which response steps to follow, maintaining critical business plans and activities, etc. are all part of this critical phase of the incident and response plan. Providing high quality awareness training to your staff also falls under this phase.
2. Identifying the incident
This phase is all about identifying the incident or cyber attack that has occurred. Identifying the incident immediately after it occurs is crucial to ensure that a possibly critical situation does not get out of control.
This phase starts with assessing whether the incident in question is a cyber attack and, if so, how critical it is. Determining the severity is a large part of this phase.
Next come questions about which aspects of the business have been compromised. What exact damage does the incident cause? Classifying the security incident according to the type of attack is also part of this phase.
3. Mitigating the impact of the incident
Controlling the consequences of the incident is the next phase of the incident and response plan. The company should already have a strategy in place that maps out how to limit the damage or consequences.
During the mitigation phase, make sure the company considers both short-term and long-term strategic elements. Aspects such as what systems might crash in the event of a cyber attack and what backup processes are in place should be discussed at this stage.
4. Eliminating the cause of the incident
This phase of the incident and response plan deals with eliminating the cause of the security incident. Once the company has contained the situation and identified the root cause of the problem, you find a solution to eliminate it.
As well as removing any malware safely, this phase also focuses on fixing vulnerabilities and updating outdated software.
5. Recovering systems or data
Once vulnerabilities have been fixed and malware has been eliminated, recovery is the next phase. This phase focuses on getting systems back up and running.
Monitoring the systems and data and ensuring that they have been properly restored or rebooted is essential to return operations to normal.
6. Reflection on the incident
One of the most critical aspects of any form of incident and response planning is reflection, often referred to as 'post-incident' actions. Looking back at the incident and evaluating how it was handled, assessing whether the actions taken were sufficient, and assessing whether all key decision makers and stakeholders responded accurately and effectively are some of the aspects you can review in this phase of the incident and response plan.
If changes need to be made to the incident and response plan, this is the phase in which to introduce them.
7. Test, test, test
With the help of your incident and response plan, you will hopefully have made it through a serious security incident. But it is important to remember that this does not necessarily mean you will get through the next one. Cybercriminals often attack the same companies multiple times, each time with a new strategy or attack method.
This is why, as a business, you need to continually test and review your incident and response plan and try to find any gaps in it that criminals may try to exploit next time.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.