Policies

Incident Response

Incident Response Scenario and Process

A plan to respond to a cyber security incident.

Understanding the need for a plan

How to create a plan

How to document it

How to implement the plan.

How to test it

The response should be methodical and documented.

If not, evidence can be missed, lost or destroyed.

What do we use?

There are many different resources to draw from, so you must determine which best suits your company/business.

  • NIST
  • SANS
  • FFIEC
  • HIPAA

Incident Response is a Process

Phases:
  • Preparation
  • Detection & Analysis
  • Containment, Eradication & Recovery
  • Post-Incident Activity

Principles:
  • Be Prepared
  • Be Systematic & Organised
  • Act Quickly
  • Fix the Problem
  • Make Improvements

CIS Critical Security Controls

CSC 19: Incident Response and Management
(Family: Application for every sub-control; each is marked Foundational (Y), none Advanced)

  19.1 Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.
  19.2 Assign job titles and duties for handling computer and network incidents to specific individuals.
  19.3 Define management personnel who will support the incident handling process by acting in key decision-making roles.
  19.4 Devise organisation-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting should also include notifying the appropriate Community Emergency Response Team in accordance with all legal or regulatory requirements for involving that organisation in computer incidents.
  19.5 Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., maintain an email address of security@organisation.com or have a web page https://organisation.com/security).
  19.6 Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
  19.7 Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.

Two major styles of response

SANS
  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

NIST
  • Preparation
  • Detection and Analysis
  • Containment, Eradication & Recovery
  • Post-Incident Activity

Preparation:
- In-depth preparation

Detection and Analysis:
- Identify attack vectors
- Identify signs of attack
- Do both in advance so that you are able to respond to them

Containment, Eradication & Recovery:
- Develop a strategy
- Identify the types of threats/attacks
- Craft a good recovery plan

Post-Incident Activity

Reference: NIST SP 800-61 Rev. 2 (nist.sp.800-61r2.pdf)

Breakdown of steps

Step 1: Preparation

Considered by many to be the most important step, but oftentimes overlooked.

Requires the following items:

  • Security Policy
  • Incident Response Team Procedures / Processes
  • Proper Training for Incident Response Teams
  • Lines of Communication laid out

Step 2: Identification

Includes the following:

  • Proper Alerting Tools:
    - SIEM (Security Information and Event Management)
    - AV (Anti-virus)
    - EDR (Endpoint Detection and Response)
    - etc.
  • Analysis of Alerts/Events
  • Classification of Incidents/Events
  • Notification of Incident
    - can be internal or external
    - the Incident Response plan must be designed to adequately deal with both
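
The Identification step above (analysis, classification, notification) in working code, as an added example that is not part of the original notes: a small triage routine takes alert records from hypothetical SIEM/AV/EDR tools, maps each alert to a NIST SP 800-61r2 attack vector by keyword, assigns a severity, and decides who must be notified (internal team only, or also management and an external CERT/regulator when data has left the environment). The tool names, rule titles, tags, keyword lists, reporting deadlines and notification targets are all constructed for illustration, in the spirit of the CSC 19.4 reporting standard, and are not from any real product or organisation.

```python
"""Constructed alert-triage example for the Identification step (not from the original notes)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    source: str                    # hypothetical tool name: "siem", "av" or "edr"
    rule: str                      # rule or signature title as the tool reports it
    host: str
    user: str = ""
    tags: frozenset = frozenset()  # enrichment added by the tool or analyst, e.g. {"confirmed", "exfil"}


@dataclass
class Classification:
    vector: str             # NIST SP 800-61r2 attack vector category
    severity: str           # "High", "Medium" or "Low"
    notify: tuple           # who must be told, internal parties first
    report_within_min: int  # constructed reporting deadline (a CSC 19.4-style standard)


# NIST SP 800-61r2 attack-vector categories; the keywords are constructed and
# matched against the rule title. First matching category wins.
VECTOR_KEYWORDS = {
    "External/Removable Media": ("usb", "removable"),
    "Attrition": ("brute", "dos ", "ddos"),
    "Web": ("sqli", "xss", "webshell"),
    "Email": ("phish", "attachment"),
    "Impersonation": ("spoof", "mitm", "rogue"),
    "Improper Usage": ("policy", "unauthorized"),
    "Loss or Theft of Equipment": ("lost", "stolen"),
}

# Constructed organisation-wide reporting deadlines per severity (minutes).
REPORT_SLA_MIN = {"High": 15, "Medium": 60, "Low": 24 * 60}


def attack_vector(rule: str) -> str:
    """Map a rule title to a NIST attack vector; 'Other' when nothing matches."""
    text = rule.lower()
    for vector, keywords in VECTOR_KEYWORDS.items():
        if any(k in text for k in keywords):
            return vector
    return "Other"


def classify(alert: Alert) -> Classification:
    """Assign vector, severity, notification list and reporting deadline."""
    vector = attack_vector(alert.rule)
    if alert.tags & {"confirmed", "exfil"}:
        severity = "High"          # confirmed compromise or data leaving the environment
    elif vector != "Other":
        severity = "Medium"        # recognised vector, not yet confirmed
    else:
        severity = "Low"           # anomaly with no recognised vector
    notify = ["incident-response-team"]           # internal notification always
    if severity == "High":
        notify.append("management")               # decision-makers per CSC 19.3
    if "exfil" in alert.tags:
        notify += ["external-cert-or-regulator", "affected-parties"]  # external per CSC 19.4
    return Classification(vector, severity, tuple(notify), REPORT_SLA_MIN[severity])


def triage(alerts):
    """Group alerts by severity, highest first, so the team works the queue in order."""
    queue = defaultdict(list)
    for alert in alerts:
        queue[classify(alert).severity].append(alert)
    return {s: queue[s] for s in ("High", "Medium", "Low") if queue[s]}


# Constructed sample alerts as the tools might raise them.
SAMPLE_ALERTS = [
    Alert("siem", "Brute force login burst", "vpn-gw-01"),
    Alert("av", "Phishing attachment quarantined", "ws-114", user="jdoe"),
    Alert("edr", "Webshell execution confirmed", "web-02", tags=frozenset({"confirmed", "exfil"})),
    Alert("siem", "USB removable storage policy violation", "ws-207", user="asmith"),
    Alert("siem", "Unusual login time", "ws-009", user="bob"),
]

if __name__ == "__main__":
    for severity, alerts in triage(SAMPLE_ALERTS).items():
        for alert in alerts:
            c = classify(alert)
            print(f"[{severity}] {alert.source}/{alert.host}: {alert.rule} -> {c.vector}; "
                  f"notify {', '.join(c.notify)} within {c.report_within_min} min")
```

The point of the design is that classification and notification are decided by written rules rather than by whoever happens to be on shift: the vector table, severity thresholds and notification targets are the documented parts of the plan, and the code only applies them.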

Step 3: Containment

This step can be extremely long or very short.

Much depends on the preparation and type of incident.

It is usually handled by an on-site team, but external consultants may assist.

Containment provides control of the problem

Containment encompasses evidence collection

Containment ensures intruder is either expelled from the environment or restrained

Think "Stop the bleeding!"

Step 4: Post-Incident Activity

This, too, is often an overlooked or neglected step.

It involves learning from the incident

Improving the overall security posture of your organisation

Improving the response effort for future incidents

Can include:

  • Report - verbal and written
  • Team meetings
  • Review of written processes and procedures

Example Notification

Thank you

Based on the information provided, we believe that your personal information may have been impacted by this incident.

Click the button below to continue your enrollment in TrustedID Premier.

For more information visit the FAQ page.
