4. INCIDENT RESPONSE
Incident response is the process by which an organization handles a data breach or cyberattack, including the way it manages the consequences of the attack or breach (the "incident").
Examples of security incidents:
Unauthorized attempts to access systems or data
Phishing email
DoS attacks
Hidden files
Unexpected changes
5. GOALS OF INCIDENT RESPONSE
Confirm whether an incident occurred or not.
Minimize disruption of business and network operations.
Promote the accumulation of accurate information.
Protect privacy rights provided by law and policy.
Provide accurate reports and useful recommendations.
Protect the organization's reputation and assets.
Educate senior management.
7. PREPARATION PHASE
The preparation phase is the first step in the incident response process. It involves developing and implementing policies and procedures for handling security incidents, creating an incident response team, and identifying the tools and resources needed to respond to an incident effectively.
During the preparation phase, organizations should also conduct regular security training and awareness programs for employees, establish communication channels with external stakeholders, and define roles and responsibilities for the incident response team.
8. DETECTION AND ANALYSIS PHASE
The detection and analysis phase is the second step in the incident response process. It involves identifying and analyzing security events to determine whether they are actual security incidents and, if so, the nature and scope of those incidents.
During this phase, incident responders collect and analyze data from various sources such as logs, network traffic, and system alerts to identify the cause and extent of the incident. They also prioritize incidents based on their severity and potential impact.
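The detection and analysis step described above, worked through in code. This is an added example and not part of the original slides: it parses a handful of constructed log lines (the "<timestamp> <host> <EVENT> key=value" layout, the event names, the failure threshold and the list of sensitive paths are all assumptions made for the example), applies three simple detection rules that correspond to incident types named earlier on the page (unauthorized access attempts, unexpected changes, hidden files), and orders the resulting incidents by severity so the most serious is handled first.

```python
import re
from collections import Counter

# Constructed sample log lines for this example (not from the original slides).
# The "<timestamp> <host> <EVENT> key=value ..." layout is an assumption.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 web01 AUTH_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:03 web01 AUTH_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:05 web01 AUTH_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:07 web01 AUTH_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:09 web01 AUTH_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:11 web01 AUTH_OK user=alice src=10.0.0.5
2024-03-01T09:05:00 fs01 FILE_CHANGE path=/etc/passwd user=root src=10.0.0.9
2024-03-01T09:06:00 mail01 AUTH_OK user=bob src=10.0.0.7
2024-03-01T09:07:00 fs01 FILE_CREATE path=/tmp/.cache_x user=www-data src=10.0.0.9
2024-03-01T09:08:00 web01 AUTH_FAIL user=carol src=10.0.0.8
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Severity scale used for prioritisation (higher is handled first); an assumption.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
FAIL_THRESHOLD = 5                      # failed logins before we treat it as a brute-force burst
SENSITIVE_PATHS = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event")}
    rec.update(KV_RE.findall(m.group("kv")))   # key=value pairs become dict entries
    return rec


def detect_incidents(log_text):
    """Apply three detection rules; return incidents ordered by severity (desc), then time."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    incidents = []
    fails = Counter()                   # (user, src) -> consecutive AUTH_FAIL count
    for r in records:
        key = (r.get("user"), r.get("src"))
        if r["event"] == "AUTH_FAIL":
            fails[key] += 1
        elif r["event"] == "AUTH_OK":
            # Rule 1: a success right after a burst of failures suggests unauthorized access.
            if fails[key] >= FAIL_THRESHOLD:
                incidents.append({
                    "type": "unauthorized_access", "severity": SEVERITY["critical"],
                    "ts": r["ts"], "host": r["host"],
                    "detail": f"{key[0]} from {key[1]} logged in after {fails[key]} failures",
                })
            fails[key] = 0              # a success resets the counter either way
        elif r["event"] == "FILE_CHANGE" and r.get("path") in SENSITIVE_PATHS:
            # Rule 2: unexpected change to a sensitive system file.
            incidents.append({
                "type": "sensitive_file_change", "severity": SEVERITY["high"],
                "ts": r["ts"], "host": r["host"], "detail": f"{r['path']} modified by {r.get('user')}",
            })
        elif r["event"] == "FILE_CREATE" and r.get("path", "").rsplit("/", 1)[-1].startswith("."):
            # Rule 3: a hidden (dot-prefixed) file created by a service account.
            incidents.append({
                "type": "hidden_file", "severity": SEVERITY["medium"],
                "ts": r["ts"], "host": r["host"], "detail": f"{r['path']} created by {r.get('user')}",
            })
    incidents.sort(key=lambda i: (-i["severity"], i["ts"]))
    return incidents


def incident_occurred(log_text):
    """First goal of the phase: confirm whether an incident occurred at all."""
    return bool(detect_incidents(log_text))


if __name__ == "__main__":
    for inc in detect_incidents(SAMPLE_LOGS):
        print(inc["severity"], inc["type"], inc["ts"], inc["host"], inc["detail"])
```

The single failed login for `carol` produces nothing, which is the point of the threshold: analysis has to separate ordinary noise from events that actually indicate an incident before anything is escalated. In practice the rules would be far richer and the thresholds tuned to the environment, but the shape (parse, correlate, score, prioritise) is what responders do in this phase.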
9. CONTAINMENT AND ERADICATION PHASE
The containment and eradication phase is the third step in the incident response process. It involves isolating the affected systems and preventing further damage, as well as removing the cause of the incident.
During containment, incident responders implement measures such as network segmentation, disabling user accounts, and patching vulnerabilities to contain the incident and prevent it from spreading.
During eradication, they remove malware, restore system configurations, and perform forensic analysis to identify the root cause of the incident.
10. RECOVERY PHASE
The recovery phase is the fourth step in the incident response process. It involves restoring the affected systems and returning them to normal operation, as well as implementing measures to prevent similar incidents from occurring in the future.
During this phase, incident responders verify the integrity of the restored systems, test backups, and implement additional security controls to mitigate future incidents. They also communicate with stakeholders and provide updates on the incident and its resolution.
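One concrete way to "verify the integrity of the restored systems" in the recovery phase is to compare a restored file tree against a known-good baseline of file hashes. This is an added example, not code from the original slides: it builds a small constructed known-good tree and a "restored" copy in a temporary directory (the file names and contents are invented for the demonstration), hashes both with SHA-256, and reports files that were modified, went missing, or appeared unexpectedly, so that a restore can be rejected before the system is returned to service.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[p.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_to_baseline(baseline, current):
    """Return files that changed, disappeared, or appeared relative to the known-good baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def restore_is_clean(report):
    """A restore passes only if nothing changed, vanished or appeared."""
    return not any(report.values())


def demo():
    """Constructed scenario: a known-good tree, then a restored copy with one tampered and one leftover file."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good"
        (good / "etc").mkdir(parents=True)
        (good / "etc" / "app.conf").write_text("listen=443\n")
        (good / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = hash_tree(good)           # taken before the incident, stored off-box

        restored = Path(tmp) / "restored"
        (restored / "etc").mkdir(parents=True)
        (restored / "etc" / "app.conf").write_text("listen=443\n")
        # Constructed tampering: an extra hosts entry survived the restore.
        (restored / "etc" / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 update.example\n")
        # Constructed leftover: a hidden file that was never in the baseline.
        (restored / "etc" / ".persist.sh").write_text("#!/bin/sh\n")
        return compare_to_baseline(baseline, hash_tree(restored))


if __name__ == "__main__":
    report = demo()
    print(report)
    print("restore clean:", restore_is_clean(report))
```

The baseline must come from before the incident and be stored somewhere the attacker could not reach, otherwise the comparison only proves the restore matches a possibly compromised snapshot. The same comparison doubles as a backup test: hashing a freshly restored backup against the baseline shows whether the backup is both restorable and intact.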