
What Are the Phases of an Incident Response Plan?

Mar 03, 2021

Disaster recovery is now a normal part of business operations. Before the year 2000, however, disaster recovery was a “nice to have” addition to a business. Then the “Y2K” bug became the impetus that brought disaster recovery to the forefront of business preparedness. Next, in 2001, the rise of terrorism brought new attention to the need for businesses to prepare for disasters. As time progressed, incidents such as the blackout of 2003, which shut down the northeastern United States for a day, made many recognize that disaster recovery centers could not be on the same power grid, let alone at the same geographic location.

Reflecting on those times, it is interesting that the biggest threats to businesses from a cybersecurity perspective were computer viruses and other disruptors such as the SQL Slammer worm. The world of cybersecurity was still young.

In recent years, cybercrime has increased, changing the entire approach to how business is conducted. Disaster recovery remains an important part of any business plan, but it is executed only in the direst of circumstances. The new threat landscape has caused a shift in focus to incident response. Unlike the static nature of a disaster recovery structure, incident response is a fluid, real-time construction that requires a different set of disciplines.

There are specific phases of incident response. The National Institute of Standards and Technology (NIST) has outlined the steps in its Special Publication 800-61 (currently at revision 2), entitled “Computer Security Incident Handling Guide.” The phases outlined in that document match the required skills outlined in the Systems Security Certified Practitioner (SSCP) Common Body of Knowledge. While it is easy to recite these phases, there is more to it than that. Certification requires a deeper dive into each aspect of incident response in order to produce a unified, cohesive, and actionable plan.

Preparation

The first step in any incident response plan is preparation. This may be the most important phase, as failure to adequately prepare can result in nothing more than a scattered and insufficient response in the event of an emergency.

As an example, the global COVID-19 pandemic showed what can occur when adequate preparation is overlooked. Many businesses supported occasional remote work, but when the entire workforce was required to use remote access, improper planning meant the difference between a smooth operation and productivity-crippling bottlenecks. Of course, correct preparation has to be balanced against cost, and a trained security practitioner is prepared to work with management to ensure that balance. Just as a pandemic response requires phased approaches for ramp-up and ramp-down circumstances, so too may an incident response plan.

Many cybersecurity practitioners might shudder at the idea of preparation, as the mind is inclined to go immediately to long, verbose documents about proper procedures. This is not what many practitioners dreamed of doing when they first entered the field of cybersecurity, after all. However, there is much more to preparation than procedural documentation. Preparation must be done in a collaborative spirit, bringing together multiple teams within an organization, including legal, communications, and executive leadership.

This is where a certified SSCP can shine. The security practitioner has the ability to work with a documentation team in order to articulate what is required in an incident response plan for a particular organization. As with all documentation, there is no one-size-fits-all plan. Each organization requires the specialized perspective of the person with hands-on knowledge of the technical aspects of the business.

The security practitioner is an integral part of the development and articulation of the documentation. This includes input on the following:

  • Statement of management support and endorsement
  • Statement of alignment with the organization’s strategy, mission, vision, objectives, and goals
  • Objectives of the policy scope and limitations
  • Definitions of terms
  • Roles and responsibilities
  • Prioritization of risk when discovered
  • Metrics and performance measures
  • Communications planning
  • Mandatory adherence to incident response plans, processes, and procedures
  • How the policy complies with laws, regulations, or standards the organization must adhere to

A key component of an incident response plan includes the creation of the response team. Again, this is where the SSCP skills can add incredible value. The ability to understand the problem and to be able to describe it to the less-technical team members is a valuable asset during a crisis.

Communication planning is also essential to a fully realized incident response plan. Just as supply-chain management is important for business continuity, a broad and carefully managed communication process can impact how a business fares in a crisis. Accurate reporting to various outside parties can mean the difference between a successful response and a damaging mixture of assumptions and misinformation.

Detection and Analysis

Even before an incident occurs, a person who has achieved SSCP status is trained to recognize the difference between a false alarm and an incident serious enough to warrant notifying management, which can in turn invoke the incident response plan. Not all events are security incidents, after all, and the security practitioner is the person tasked with knowing the difference. Likewise, not all security incidents rise to the level that requires invoking the incident response plan.

Tools such as intrusion detection systems, security information and event management (SIEM), anti-malware, and file integrity monitoring tools are all parts of the SSCP toolkit. Log files can offer a wealth of information about events on a set of systems. So too can publicly available information from reputable security. A qualified security practitioner uses these tools to build a case for the severity of an incident, insight that is then shared with upper management.
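The distinction the section draws, between routine events, security events worth noting, and incidents that justify invoking the plan, is easiest to see with detection logic run over actual log lines. The script below is an added example written for this post; it is not code from the original article or from (ISC)². It parses a few constructed sshd-style authentication lines, classifies each source address by whether a burst of failed logins was followed by a successful one, and adds a minimal file integrity check of the kind an FIM tool performs by comparing hashed snapshots. The log format, the thresholds (5 failures within 60 seconds), the addresses, and the file contents are all assumptions made up for the example.

```python
"""Event-vs-incident triage over constructed log lines, plus a minimal
file integrity check. Added example; not from the original post."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a syslog-like sshd format (an assumption,
# not real captured logs). Three source addresses show three outcomes.
SAMPLE_LOG = """\
2021-03-01T09:00:01 host1 sshd: Failed password for alice from 10.0.0.5 port 51000
2021-03-01T09:00:09 host1 sshd: Accepted password for alice from 10.0.0.5 port 51001
2021-03-01T09:10:00 host1 sshd: Failed password for root from 198.51.100.7 port 40001
2021-03-01T09:10:03 host1 sshd: Failed password for root from 198.51.100.7 port 40002
2021-03-01T09:10:06 host1 sshd: Failed password for admin from 198.51.100.7 port 40003
2021-03-01T09:10:09 host1 sshd: Failed password for admin from 198.51.100.7 port 40004
2021-03-01T09:10:12 host1 sshd: Failed password for backup from 198.51.100.7 port 40005
2021-03-01T09:10:20 host1 sshd: Accepted password for backup from 198.51.100.7 port 40006
2021-03-01T09:30:00 host1 sshd: Failed password for bob from 203.0.113.9 port 42001
2021-03-01T09:30:02 host1 sshd: Failed password for bob from 203.0.113.9 port 42002
2021-03-01T09:30:04 host1 sshd: Failed password for bob from 203.0.113.9 port 42003
2021-03-01T09:30:06 host1 sshd: Failed password for bob from 203.0.113.9 port 42004
2021-03-01T09:30:08 host1 sshd: Failed password for bob from 203.0.113.9 port 42005
2021-03-01T09:31:00 host1 cron: session opened for user root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

FAIL_THRESHOLD = 5   # assumption: this many failures from one source ...
WINDOW_SECONDS = 60  # ... inside this window counts as a burst


def parse_auth_lines(text):
    """Turn matching log lines into dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-sshd line: ignore, never crash triage
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def _burst_end(fails):
    """Timestamp of the last failure in the first qualifying burst, or None."""
    for i in range(len(fails)):
        end = i
        while (end + 1 < len(fails)
               and (fails[end + 1]["ts"] - fails[i]["ts"]).total_seconds() <= WINDOW_SECONDS):
            end += 1
        if end - i + 1 >= FAIL_THRESHOLD:
            return fails[end]["ts"]
    return None


def triage(events):
    """Map each source IP to (level, reason) where level is
    'noise' (routine), 'event' (notable, handle locally) or
    'incident' (escalate to management / invoke the plan)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        burst_end = _burst_end(fails)
        if burst_end is None:
            verdicts[ip] = ("noise", "no failure burst; routine activity")
        elif any(e["result"] == "Accepted" and e["ts"] > burst_end for e in evs):
            users = sorted({e["user"] for e in fails})
            verdicts[ip] = ("incident",
                            f"successful login after a burst of failures; accounts tried: {users}")
        else:
            verdicts[ip] = ("event",
                            f"{len(fails)} failures within {WINDOW_SECONDS}s, no success; block and monitor")
    return verdicts


def snapshot(files):
    """Hash a {path: bytes} mapping into {path: sha256 hex}, as an FIM baseline."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def fim_diff(baseline, current):
    """Compare two snapshots and report what changed, appeared or vanished."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


# Constructed file contents (assumptions) standing in for a real filesystem walk.
BASELINE_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n", "/usr/bin/ssh": b"ELF-bytes-v1"}
CURRENT_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n",
                 "/usr/bin/ssh": b"ELF-bytes-v1", "/tmp/.cache": b"unknown"}

if __name__ == "__main__":
    for ip, (level, reason) in triage(parse_auth_lines(SAMPLE_LOG)).items():
        print(f"{ip:15} {level:9} {reason}")
    print(fim_diff(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES)))
```

Run stand-alone, the script prints one verdict per source address: 10.0.0.5 is noise (a single typo followed by a normal login), 203.0.113.9 is an event (a failure burst that never succeeded, which the practitioner handles without invoking the plan), and 198.51.100.7 is an incident (a burst followed by a successful login, which is the case to escalate). The integrity check then flags /etc/passwd as changed and /tmp/.cache as new. In practice the thresholds, and the decision of which verdicts reach management, are exactly the kind of input the practitioner contributes during the preparation phase.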

Containment, Eradication, and Recovery

Once the plan is invoked, it is time to take corrective action. Containment is the part where the security practitioner has to “stop the bleeding.” Different events require a different approach, of course. For example, a ransomware event would be handled much differently than the discovery of a compromised database.

Eradication is the phase where the threat is removed from the environment. Some eradication methods, such as virus removal, can be automated. Others, such as the removal of malicious code, may require more manual intervention.

Recovery may be a quicker way to restore a business to normal operation when eradication is not possible. In the case of a ransomware event, for example, eradication is not the best option; recovering the system from a recent backup is the better choice.

Post-Incident Activities

Sometimes referred to as the “lessons learned” phase of incident response, the post-incident phase is where the incident is reviewed and documented. This document serves not only to memorialize the incident; it can also be used to modify the original incident response plan. Additionally, the post-incident report can be used as a learning tool for future team members and as a model for structured walkthrough exercises (also known as tabletop exercises).

The Importance of Incident Response

In this age of constant cyber-attack, incident response is a fundamental element of a mature security team. It is a vital process for a business that strives to be prepared in the event of an emergency.

Knowing the phases of an incident response plan is crucial to this endeavor. Fortunately, a Systems Security Certified Practitioner (SSCP) is a valuable team member who can function in all phases of the plan. They are the ones who can be present to help in the most trying of times.

To learn more about incident response and implementing a plan for your company, read our white paper, How You Can Become a Cybersecurity Hero.

How SSCP Certification Helps

There is no better way to showcase your technical skills and security knowledge than achieving the SSCP credential. Whether you are an experienced security professional or just starting out in the fascinating world of cybersecurity, the (ISC)² SSCP credential is ideal to enhance your ability to implement, monitor and administer security procedures and controls that ensure your organization’s confidentiality, integrity and availability.