
Incident Response Plan

Updated Jan 30, 2024

Overview

An incident response plan is a structured approach for detecting, managing, and recovering from security incidents. It helps reduce damage, minimize recovery time, and improve overall security posture.

The phases of incident response include:

  • Preparation
  • Detection
  • Analysis
  • Containment
  • Eradication
  • Recovery
  • Post-incident Activity

Preparation

Preparation involves strengthening systems and networks to resist attacks.

  • All about getting ready for future incidents.
  • Develop a management-approved policy and communication plan.
  • Identify roles and responsibilities.
  • Identify critical data, systems, and single points of failure.
  • Implement an incident response team.
  • Train and test your personnel with simulated incidents.

Detection

The detection phase identifies security incidents.

  • Monitor all potential attack vectors.
  • Analyze incidents using known data and threat intelligence.
  • Categorize, assess, and prioritize incident response efforts.
  • Standardize incident documentation.

Analysis

Analysis involves a thorough examination and evaluation of the incident.

  • Collect and handle data meticulously.
  • Understand the scope and impact of the incident.
  • Provide insight into the incident and its potential consequences.
  • Ensure the admissibility of evidence in court.
  • Notify the relevant stakeholders.

Digital forensics plays a critical role in the analysis phase of incident response, where investigators examine collected evidence to determine what happened during a security incident and how to respond.

For more information, please see Digital forensics.

Containment

After informing the relevant stakeholders, containment begins, and initial response actions are taken.

  • Limit the scope and magnitude of the incident.
  • Take immediate action to isolate and contain the incident.
  • Gather evidence.
  • Choose an appropriate containment strategy.
  • Disconnect infected clients from the network, etc.

Eradication

Eradication begins once the incident is contained. It is focused on removing the malicious activity from a system.

  • After isolating the infected resource, remove the malware.
  • Reinstall a known good image to the client.

Recovery

Recovery is focused on restoring affected systems to their normal state after the incident.

  • Identify evidence that may need to be retained.
  • Restore the resource from a known good backup.
  • Install security patches.
  • Implement configuration updates.
  • Business resumes regular activities with increased resilience.

Recovery also means ensuring that any vulnerabilities exploited before or during the incident have been fully and appropriately remediated.

Post-incident Activity

This is the last phase and only happens after containment, eradication, and a full system recovery.

Root Cause Analysis (RCA):

  • Main purpose is not to assign blame.
  • Instead, figure out what caused the incident.

RCA Process:

  1. Define/scope the incident.
  2. Determine the causal relationships that led to the incident.
  3. Identify an effective solution.
  4. Implement and track solutions.

Lessons Learned:

  • Document experiences during the incident.
  • Identify areas for improvement.
  • Record what went right, what went wrong, and what can be done better.

After-action Report:

  • Collect formalized information about what occurred.
  • Report contains RCA and recommendations for improvement.