Cybersecurity Incident Response - Softrams

  • Press
  • Security

ijeomaojiakosoftramscom
February 24, 2022 300 views

A laptop screen displays an important annoucment

 

Definition:

A Cyber incident is an event that could jeopardize the confidentiality, integrity, or availability of digital information or information systems.

An incident can be defined as an unexpected disruption to a service. An incident can disrupt your business which will directly or indirectly impact your customers.

Examples of incidents includes the following:

Applications locks, Network services failures, Application crashes, Wi-Fi connectivity issues, file sharing difficulties, unauthorized changes to systems, data or software, Denial of service (DoS), compromised user account etc.

What is the most important thing to do if you suspect a security incident?

If you suspect a incident on a system that contains sensitive data do not attempt to do the investigation or remediation by yourself. You will need to instruct all users on the system to stop work. Remove that system from the office network by unplugging the cable or taking it out from the wireless network and follow the incident response reporting policy according to the existing IR plan.

The importance of reporting an incident:

Incident reporting can act as a heads up to management meaning it helps in raising awareness about the things that can go wrong if corrective and preventative actions are not taking immediately.  It gives management the entire ability to have more detailed information to support their proof whenever an incident occurs or reoccurs. It is good to report incidents as they can provide a reminder of possible hazards. When they are reported promptly then easier to monitor the potential problems and root cause as they can always repeat. Reporting helps to identify who, what, when and where during an attack. Reporting an incident as soon as possible can help contain, limit the adverse effect, reducing the cost to an organization both financial and reputation wise.

Incident Response is a system of people, process, and technology leveraged to prepare for, detect, contain, and recover from a suspected cyber security incident or compromise.

People:

  • Incident Responders
  • Security Operations Center (SOC) Analysts
  • Forensic Analysts
  • Threat Intelligence

Process:

  • Incident Response Plan
  • Runbook/Playbook

Technology:

  • Response(SIEM, Custom tooling)
  • Analysis (Analytical/Forensic tooling)
  • Detection (AV/EDR, Customer log services, SIEM)
  • Not all security incidents can be prevented so organizations must be prepared

Incident Response Lifecycle:

Incident Response Lifecycle is broken into four phases according to NIST, as follows:

Phase 1 – Preparation:

This covers all actions an organization takes to be ready for incident response and this involves putting together the right resources and tools.

Phase 2 – Detection and Analysis: 

To accurately detect and access incidents is difficult for some organizations according to NIST Publication.

Phase 3 – Containment, Eradication, and Recovery:

Advising on the measures necessary to contain the incident, limiting its spread and reducing impact to be as low as possible. Directing the available resources to manage your recovery activities, using the available resources to recover from the incident as quickly and effectively as possible to mitigate service disruptions.

Phase 4 – Post-Event Activity:

The most important part of the lifecycle is learning and improving after an incident to take the adequate time to analyze the efforts of the incident response. Reviewing your incident response procedures following the incident to highlight improvements and inform your planning for next time. Advising on communications both internally and externally, including to authorities, the media and suppliers.

Best Practice

This blog is based on a combination of the best practice cyber incident response framework developed by CREST  NIST SP 800-66rev2 and the international standard on incident management, ISO/IEC 27035.



More Stories

  • Build a Great Product by Focusing on Quality

    Chris Hand
    September 14, 2021

    The best software lets users accomplish their goal without getting in the way. Build quality into your process to launch better produces and empower your users.

  • Fuzzy Wuzzy is Not a Bear

    Paul Mullin
    August 26, 2021

    An algorithm known as "Levenshtein distance" from the 1960s is the foundation for modern auto-correct and search routines. Softrams’ App Foundry recently explored methodological aspects of using such algorithms for matching records based on text fields.

  • Basics of Network Security

    Nitya Parasuramuni
    January 26, 2022

    In 2020, over 1,100 data breaches were reported, affecting nearly 300 million individuals. Designing and maintaining the network infrastructure of an organization is a vital part of security and is needed now more than ever before.