Incident handling refers to the processes and procedures an organization follows when responding to a cybersecurity incident or breach. Having a formal incident response plan is critical for quickly identifying, containing, eradicating and recovering from security incidents. NIST, the National Institute of Standards and Technology, recommends organizations follow these 7 key phases of incident handling:
1. Preparation
The preparation phase involves taking proactive steps before an incident occurs to ensure an organization is ready to detect and respond effectively. Key tasks in the preparation phase include:
- Developing incident response policies, plans and procedures
- Establishing an incident response team with defined roles and responsibilities
- Providing training to team members and general staff
- Acquiring necessary tools and technology for detection, investigation and mitigation
- Establishing communication plans and contacts with external parties
Taking time in advance to establish policies, assemble a team, and prepare necessary resources helps organizations to be ready when an incident does strike.
2. Detection & Analysis
The detection and analysis phase covers identifying that a security incident has occurred and determining its scope and characteristics. Tasks in this phase include:
- Detecting anomalies or events that could indicate an incident
- Logging event details and preserving evidence
- Prioritizing the incident based on its risk level
- Analyzing the incident to determine its nature, what systems, data or users have been affected, and what potential harm could result
Effective detection and analysis is crucial for understanding the scope of an incident and making informed decisions on how best to contain it.
3. Containment
During containment, the goal is to limit the impact of the incident and prevent further damage. Key containment tasks include:
- Isolating infected systems to prevent the spread of malware
- Locking compromised user accounts
- Blocking suspicious IP addresses or domains
- Halting processes or behaviors that enabled the incident
Prompt containment reduces the likelihood of the incident broadening in scope and increases the chances of successful eradication.
4. Eradication
Eradication involves removing components of the incident to restore normal operations:
- Eliminating malware from infected systems
- Removing artifacts left behind by attackers
- Identifying and mitigating all vulnerabilities that were exploited
- Searching for additional signs of compromise
Thorough eradication is necessary to ensure the attacker’s presence has been completely removed before returning systems to production use.
5. Recovery
Recovery focuses on restoring systems and services after containment and eradication. Tasks in this phase include:
- Rebuilding compromised systems from clean backups or images
- Validating system integrity to confirm all malware and artifacts have been removed
- Restoring data from clean backups if needed
- Resetting user credentials and monitoring accounts
- Returning recovered systems to operation
Careful restoration and validation helps confirm eradication was successful before putting recovered assets back into production.
6. Lessons Learned
The lessons learned phase aims to improve by identifying gaps and opportunities that surfaced during the incident. Actions include:
- Conducting a post-incident debrief with all involved parties
- Documenting a timeline of events, actions taken, and outcomes throughout the incident
- Identifying areas of success and gaps in the response
- Determining root causes and remedies to improve security controls
- Updating incident response plans and procedures based on insights gained
Capturing lessons learned and continuously improving processes is key to enhancing incident preparedness.
7. Communication
Effective communication is critical throughout the incident handling process. Key communication activities include:
- Notifying senior leadership and keeping them regularly updated
- Coordinating with other incident response team members
- Providing status updates to affected customers or partners
- Reporting incidents to regulators and law enforcement when applicable
- Informing employees, shareholders and public stakeholders if appropriate
Maintaining clear communication streams with both internal and external stakeholders helps manage the impact of the incident.
Conclusion
Following defined phases enables organizations to respond to incidents in an organized way. Preparing in advance, promptly detecting and containing incidents, thoroughly eradicating threats, restoring systems, learning from experiences, and communicating effectively are hallmarks of mature incident response.
Implementing these incident handling steps makes organizations more resilient in the face of cyber attacks and helps minimize their impact.
| Phase | Description |
|---|---|
| Preparation | Take proactive steps to get ready for incidents before they happen |
| Detection & Analysis | Discover the incident and determine its nature and scope |
| Containment | Limit the impact and prevent further damage |
| Eradication | Eliminate all components of the incident |
| Recovery | Restore affected systems and services |
| Lessons Learned | Identify opportunities for improvement in response capabilities |
| Communication | Keep stakeholders informed throughout the process |
