Incident Response
In information security, an incident is any malicious event in an information system or network that threatens one of the three security objectives: confidentiality, integrity, or availability. The success of the organization therefore depends on the ability of its incident response team to identify potential threats and put appropriate preventive measures in place. Unfortunately, many organizations do not realize the importance of the incident response team until a disaster occurs. That is why incident response is an essential function of an organization for detecting attacks and limiting their damage.
Early detection of an incident during the life cycle of a cyber attack reduces the attack's effects. The incident response process also helps identify the risks, threats, and vulnerabilities that must be fixed to keep operations safe and effective. Critical incidents may cause significant financial losses and legislative penalties; for example, organizations may be subject to HIPAA penalties for leakage of health care information.
Incident response aims to restore the affected organization's normal operating environment through a sequence of steps that begins with ongoing preparation and ends with lessons learned. The six main steps for handling incidents are as follows.
Preparation phase: an ongoing process that gets the team ready to deal with incidents. It includes developing policies, laws, and regulations; coordinating with service providers; and setting up an incident tracking system. The resources for this phase include the incident response team members, communications, data, software, hardware, documentation, and reports. During preparation the team is built, trained, and given the authorization it needs for all required tools and systems.
Discovery stage: the incident is declared and a determination is made as to whether it is a security incident or not. Discovery must take place at every level of the organization's structure: user devices, systems, and the network. Many artefacts enable an incident response team to detect malicious activity, such as processes, services, files, network performance, scheduled tasks, and accounts. The incident response team must be aware of the different types of security incidents and identify the affected components so that the containment phase can begin. At the end of the discovery phase, all evidence is collected and preserved to build the chain of custody; it is essential that the evidence chain is kept up to date and protected for future investigations. Information security incident levels range from moderate to catastrophic in terms of their effect on the affected organization.
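One way to keep the evidence chain "up to date and protected", as the discovery stage above requires, is a hash-chained custody log: every entry records the SHA-256 of the evidence item and the hash of the previous entry, so a later check detects a modified item, a modified log entry, or a removed entry. The following is an added example written for this article, not code from the original post; the evidence items, handler names and actions are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

# Constructed sample evidence (placeholder bytes, not real artefacts): item name -> contents.
SAMPLE_EVIDENCE: Dict[str, bytes] = {
    "memory.dmp": b"\x00\x01\x02 constructed stand-in for a memory image",
    "auth.log": b"Jan 10 03:14:07 host sshd[1234]: Accepted password for admin from 10.0.0.5\n",
}

GENESIS = "0" * 64  # prev_hash of the first entry in a log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int              # position in the chain
    item: str             # evidence item name
    sha256: str           # hash of the item's contents at the time of this action
    handler: str          # person or team that collected or received the item
    action: str           # "collected", "transferred", "examined", ...
    prev_hash: str        # entry_hash of the previous entry (GENESIS for the first)
    entry_hash: str = ""  # hash over all other fields, filled in on append

    def compute_hash(self) -> str:
        fields = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(fields, sort_keys=True).encode())


class CustodyLog:
    """Append-only log: each entry commits to the evidence hash and to the previous entry."""

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, item: str, data: bytes, handler: str, action: str = "collected") -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(len(self.entries), item, sha256_hex(data), handler, action, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, evidence: Dict[str, bytes]) -> Optional[str]:
        """Return None if log and evidence are intact, else describe the first problem found."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev:
                return f"entry {e.seq}: chain link broken (an entry was removed or reordered)"
            if e.compute_hash() != e.entry_hash:
                return f"entry {e.seq}: log entry was modified after it was written"
            if e.item in evidence and sha256_hex(evidence[e.item]) != e.sha256:
                return f"entry {e.seq}: evidence '{e.item}' no longer matches its recorded hash"
            prev = e.entry_hash
        return None


def build_sample_log() -> CustodyLog:
    """Record collection of the constructed evidence and one hand-over to a lab."""
    log = CustodyLog()
    for name, data in SAMPLE_EVIDENCE.items():
        log.record(name, data, handler="analyst-1", action="collected")
    log.record("memory.dmp", SAMPLE_EVIDENCE["memory.dmp"], handler="forensics-lab", action="transferred")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify(SAMPLE_EVIDENCE) is None)
    tampered = dict(SAMPLE_EVIDENCE, **{"auth.log": b"Jan 10 03:14:07 host sshd[1234]: nothing here\n"})
    print("after tampering:", log.verify(tampered))
```

The log itself should be stored somewhere the evidence handlers cannot silently rewrite (for example, a write-once store or a signed export), since the chain only proves that a change happened, not who made it.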
Containment phase: the beginning of the treatment phase. Its goal is to quantify the problem and stop its growth by preventing the attacker from going deeper into affected systems or moving to other systems. Containment begins with short-term containment, which uses the quickest measures that contain the problem, such as closing ports, disconnecting the network cabling, or pulling the power cable, so that the problem is isolated. The last stage is long-term containment, which ensures that the attacker is prevented from regaining access; its activities require major changes such as debugging the system, removing accounts, and implementing controls.
Eradication phase: the effects of the security incident are completely removed. After the problem has been isolated, the incident response team removes the malware through activities chosen according to the type of incident, for example implementing security systems, changing domain names, and reconfiguring infected systems, especially in the case of a rootkit attack. Vulnerability analysis, using free or commercial tools, is one of the most important activities at this stage, as it ensures that the same vulnerabilities are not exploited again. After confirming that all traces of the attacker have been removed, the incident response team prepares the best available backup to begin the recovery phase.
Recovery phase: the return to normal after the security incident. Its main objective is to restore the affected systems to normal operating mode in a safe manner. The decision to restore systems rests with the business owner or the systems administrators; the business owner must decide exactly when to return the system to normal operation, while the incident response team's role is to provide technical advice on the current situation. Once the systems are back in service, the incident response team monitors the affected systems to ensure that the attack does not recur.
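The post-recovery monitoring described above can be made concrete by taking a hash baseline of the restored system at the moment it returns to service and comparing later snapshots against it, paying particular attention to the account and scheduled-task files that the discovery stage lists as places where malicious activity shows up. The following is an added example for this article, not code from the original post; the two snapshots and the watch list are constructed, and the added cron line is a made-up illustration of the kind of change the check is meant to surface.

```python
import hashlib
import os
from typing import Dict, Set

# Constructed in-memory stand-ins for two filesystem snapshots (path -> contents).
RESTORED_BASELINE: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/crontab": b"0 2 * * * root /usr/local/bin/backup.sh\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/data.tgz /srv/data\n",
}
LATER_SNAPSHOT: Dict[str, bytes] = {
    "/etc/passwd": RESTORED_BASELINE["/etc/passwd"],
    # constructed: an extra scheduled task appeared after recovery
    "/etc/crontab": b"0 2 * * * root /usr/local/bin/backup.sh\n*/5 * * * * root /tmp/.cache/update\n",
    "/usr/local/bin/backup.sh": RESTORED_BASELINE["/usr/local/bin/backup.sh"],
    "/tmp/.cache/update": b"placeholder for an unexpected new executable",
}

# Assumed watch list: paths where any change after recovery deserves immediate attention.
WATCH_LIST = {"/etc/passwd", "/etc/shadow", "/etc/crontab"}


def hash_contents(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash an in-memory snapshot (used here so the example runs offline)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def hash_directory(root: str) -> Dict[str, str]:
    """Hash every readable regular file under root; use this on a real restored host."""
    hashes: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hashes[path] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable or vanished between walk and open
    return hashes


def compare_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": cur_paths - base_paths,
        "removed": base_paths - cur_paths,
        "modified": {p for p in base_paths & cur_paths if baseline[p] != current[p]},
    }


def watch_list_hits(diff: Dict[str, Set[str]], watch_list: Set[str] = WATCH_LIST) -> Set[str]:
    """Return the changed paths that are on the watch list, i.e. the ones to triage first."""
    changed = diff["added"] | diff["removed"] | diff["modified"]
    return changed & set(watch_list)


if __name__ == "__main__":
    diff = compare_snapshots(hash_contents(RESTORED_BASELINE), hash_contents(LATER_SNAPSHOT))
    for kind, paths in diff.items():
        print(f"{kind}: {sorted(paths)}")
    print("watch-list hits:", sorted(watch_list_hits(diff)))
```

In practice the baseline is taken immediately after the restore is verified clean and stored off the monitored host, so a later compromise cannot rewrite the reference it is compared against; the in-memory dictionaries here simply stand in for two `hash_directory` results taken at different times.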
By Raed Alotaibi