Six Stages of Incident Response

A six-stage methodology can be implemented to respond to a network security breach. These six stages are preparation, detection, containment, eradication, recovery, and follow-up. Preparation includes a set of defenses to deal with threats, preparing staff by providing security awareness training, and creating procedures to deal with incidents as soon as possible. Detection means determining whether malicious code is present or whether files and directories have been altered. Intrusion detection means determining whether unauthorized access or misuse has occurred. Failed login attempts, use of commands not related to the user's job, and unexplained use of privilege escalation are also signs of intrusion. Intrusion detection software can alert relevant personnel when an intrusion is detected. Detection is the most important part of incident response: without detection, there will be no response.

Containment procedures should be implemented to limit the extent of an intrusion and its consequences. For example, if multiple failed login attempts are detected against a single account, disabling that account is a simple containment method. For more serious intrusions, shutting the system down or disconnecting it from the network can confine the intrusion to a limited area. Disabling compromised logins, increasing monitoring activity, changing firewall rules, or more unconventional methods such as striking the intruder's system can help contain serious intrusions.
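The detection and containment steps above, turned into code as an added example (not part of the original post): it parses constructed sshd-style auth-log lines, flags any account with a burst of failed logins inside a sliding time window, and produces the corresponding lock-account commands for the responder to review and record rather than executing them. The log lines, threshold and window size are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (syslog style); not taken from any real system.
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 51022 ssh2
Mar 10 08:00:04 host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 51022 ssh2
Mar 10 08:00:07 host1 sshd[1203]: Failed password for alice from 203.0.113.5 port 51030 ssh2
Mar 10 08:00:09 host1 sshd[1204]: Failed password for alice from 203.0.113.5 port 51031 ssh2
Mar 10 08:00:12 host1 sshd[1205]: Failed password for alice from 203.0.113.5 port 51033 ssh2
Mar 10 08:01:00 host1 sshd[1210]: Accepted password for bob from 198.51.100.7 port 40210 ssh2
Mar 10 08:05:00 host1 sshd[1215]: Failed password for carol from 198.51.100.9 port 40300 ssh2
Mar 10 09:30:00 host1 sshd[1220]: Failed password for carol from 198.51.100.9 port 40301 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_auth_log(text, year=2024):
    """Yield (timestamp, result, user, ip) for each sshd password-auth line; syslog has no year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def accounts_to_disable(text, threshold=5, window=timedelta(minutes=10)):
    """Return accounts with at least `threshold` failures inside one sliding `window`.

    Only failures no older than `window` relative to the newest one are kept, so a slow
    trickle of failures spread over hours (carol above) is not treated as a brute-force burst.
    """
    failures = defaultdict(list)
    flagged = set()
    for ts, result, user, _ip in sorted(parse_auth_log(text)):
        if result != "Failed":
            continue
        recent = [t for t in failures[user] if ts - t <= window]
        recent.append(ts)
        failures[user] = recent
        if len(recent) >= threshold:
            flagged.add(user)
    return sorted(flagged)

def containment_commands(accounts):
    """Lock-account commands for the responder to review and log; nothing is executed here."""
    return [f"usermod -L {account}" for account in accounts]
```

Run `accounts_to_disable(SAMPLE_LOG)` to see only `alice` flagged; widening the window to two hours with a threshold of two also catches `carol`, which is the trade-off between sensitivity and false positives that the detection stage has to tune.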

During eradication, the goal is to eliminate the cause of the intrusion. Running antivirus and anti-rootkit scans can help disinfect systems. During an intrusion, worms can spread exponentially; if proper containment procedures were followed, it will be easier to eradicate infections. Proper eradication procedures can help prevent systems from re-infecting each other.

After eradication, recovery procedures return systems and networks to their functional state. While it can be time consuming, performing a full system restore from known good backups can ensure that no infections remain. All compromised logins should be reset to different and stronger passwords. If data loss has occurred, restoring from the last known good full backup can help. All recovery procedures should be logged and checked against the detection logs.

Follow-up helps those involved in incident response learn from their mistakes. Follow-up by all teams involved in the previous five stages can bring up the vulnerabilities that allowed the intrusion and how they can be patched. For organizations that work with protected information, follow-up can also be useful in legal proceedings. During follow-up, a postmortem analysis of each event should be performed.

In conclusion, all six stages of incident response relate to each other very closely. Record keeping during incident response helps track changes. This will come in handy when lawyers come barging into your ‘network closet’ asking for details. Remember, incident response can have a vast financial impact, and documentation helps keep things straight.

The author would love to hear your comments. Let us discuss on Twitter: @qasimchadhar.