Interview with Eric Vanderburg – President
How to Write an Effective Cyber Incident Response Plan
In a previous blog, we discussed what should be included in your incident response plan (IRP). In this blog, we will break down the incident response lifecycle by examining the seven phases that should be included in every incident response plan.
Today, we are going to take a deep dive into the seven phases of an incident response plan. These phases outline the steps an organization follows when responding to an incident. The phases are:
- Identification
- Preservation
- Containment
- Eradication
- Investigation
- Remediation
- Reflection
What Does Each of the 7 Phases of an IRP Mean?
It all starts with identification. This phase is essentially determining whether or not this is an incident that needs to be reported. From here, we need to take whatever we found and preserve it so we don’t lose it later on in the investigation. Preservation is required so we don’t lose crucial evidence.
Next up is Containment. This is basically saying, “Let’s figure out what the scope of this incident is and then stop it from spreading.” For instance, in the case of malware, you may need to take some machines offline, inform users to stop using certain equipment, or turn off mail accounts – things like that. We then move on to Eradication.
At this phase, we will remove whatever was placed on the machines, such as malware or compromised credentials. We will need to disable things like that.
Then comes Investigation. Here you determine what happened, what the impact was, and what you need to do about it.
Second to last, we have Remediation. This is essentially saying, “Now it’s time to fix the problem that initially created this whole incident.”
Finally, we end with Reflection. This is a good point where you and your business can look back at the whole thing and figure out what could have been done better and roll that right back into your Incident Response Plan so that you have a better plan for the future.
Respond to the Threat
So once you have your incident response plan in hand and you’ve contacted the necessary people, the next step is to respond to the threat. Your IRP will walk you through the process of identifying the threat and preserving critical evidence. This evidence can help during the next phase and may also be required in potential future litigation.
Next, the IRP should outline the process for containing, eradicating, and investigating the cause of the breach. Depending on the findings, additional preservation may be required. You must then eradicate the threat and remediate the vulnerabilities that led to the initial hack.
Finally, once the dust settles, reflect on your response. Reflection will allow you to analyze your response efforts to determine what you did well and what you could have done better. Incorporate these lessons into your incident response plan for future reference.
Each phase plays a critical role in recovering from a data breach. Just having these steps outlined, however, is not enough. Training is key to ensuring your team executes the IRP correctly and efficiently.
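As an added illustration (not part of the interview or of Nexus Cyber's own material), the Python below models a single incident moving through the seven phases in the order given above, rejects attempts to skip a phase, records evidence with a SHA-256 hash during Preservation (and again during Investigation, since the text notes that findings may call for additional preservation), and captures lessons learned in Reflection. The `Incident` class, its method names, the ticket number and the sample mail-gateway log line are all constructed for this example.

```python
"""Walk one incident through the seven IRP phases and keep a chain-of-custody
record for evidence collected along the way. Added example: class, method
names and sample evidence are constructed, not taken from the page."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

PHASES = ("Identification", "Preservation", "Containment", "Eradication",
          "Investigation", "Remediation", "Reflection")

# Evidence may be recorded during Preservation itself and during
# Investigation, when findings turn up material that also needs preserving.
EVIDENCE_PHASES = {"Preservation", "Investigation"}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class Incident:
    ticket: str
    phase: str = PHASES[0]
    log: list = field(default_factory=list)      # (time, from_phase, to_phase, note)
    custody: list = field(default_factory=list)  # chain-of-custody entries
    lessons: list = field(default_factory=list)  # filled in during Reflection

    def advance(self, next_phase: str, note: str = "") -> str:
        """Move to the following phase; skipping or reordering phases is rejected."""
        idx = PHASES.index(self.phase)
        expected = PHASES[idx + 1] if idx + 1 < len(PHASES) else None
        if next_phase != expected:
            raise ValueError(f"{self.phase} -> {next_phase} not allowed; next is {expected}")
        self.log.append((_now(), self.phase, next_phase, note))
        self.phase = next_phase
        return self.phase

    def preserve(self, label: str, data: bytes, collected_by: str) -> str:
        """Record evidence with its SHA-256 so later loss or alteration is detectable."""
        if self.phase not in EVIDENCE_PHASES:
            raise RuntimeError(f"cannot record evidence during {self.phase}")
        digest = hashlib.sha256(data).hexdigest()
        self.custody.append({"label": label, "sha256": digest, "bytes": len(data),
                             "collected_by": collected_by, "phase": self.phase,
                             "at": _now()})
        return digest

    def verify(self, label: str, data: bytes) -> bool:
        """Re-hash evidence and compare it with the digest taken at collection time."""
        entry = next((e for e in self.custody if e["label"] == label), None)
        return entry is not None and hashlib.sha256(data).hexdigest() == entry["sha256"]

    def reflect(self, lesson: str) -> None:
        """Lessons learned are captured only once the incident reaches Reflection."""
        if self.phase != "Reflection":
            raise RuntimeError("lessons are captured during Reflection")
        self.lessons.append(lesson)


def run_sample_incident() -> Incident:
    """Constructed walkthrough: a malware alert handled end to end."""
    inc = Incident("IR-0001")
    inc.advance("Preservation", "alert confirmed as a reportable incident")
    # Constructed sample log line standing in for a real mail-gateway export.
    mail_log = b"2024-01-01T10:00Z deliver from=external@example.test to=user@corp.test\n"
    inc.preserve("mail-gateway-log", mail_log, "analyst A")
    inc.advance("Containment", "workstation isolated; mailbox disabled")
    inc.advance("Eradication", "dropper removed; credentials reset")
    inc.advance("Investigation", "scope: one host, one mailbox")
    # Findings call for additional preservation; placeholder bytes stand in for an image.
    inc.preserve("host-memory-image", b"\x00" * 4096, "analyst B")
    inc.advance("Remediation", "mail filtering rule corrected")
    inc.advance("Reflection", "incident closed")
    inc.reflect("isolation took too long; pre-stage the network block")
    return inc


if __name__ == "__main__":
    done = run_sample_incident()
    for entry in done.custody:
        print(entry["phase"], entry["label"], entry["sha256"][:16], "collected by", entry["collected_by"])
    print("final phase:", done.phase, "| lessons:", done.lessons)
```

The chain-of-custody entries carry the phase in which each item was collected, which is what a reviewer (or counsel, if the evidence is later needed in litigation) will ask for; the `verify` call is how you confirm, at any later point, that the preserved copy still matches what was collected.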
Learn More About Protecting Your Business with Tabletop Exercises
Explore our website at www.nexuscyber.com to find more information on Incident Response Plans and fill out the form below or give us a call if you’re ready to start working with our team on your IRP today!