Nowadays we are dealing with a lot of security incidents (a security incident is a violation of security policy), and to deal with them we must follow some guidelines. Here we will discuss the Incident Response lifecycle that we (I am an Incident Handler) follow. You will get an idea of what we do from an overview perspective rather than going into too much detail. In case you want to go into detail, you can also ask your friend Google for it. The lifecycle includes 7 steps to deal with security incidents:
- Preparation: Here we get prepared against all types of threats. We put various controls in place, apply the latest patches for applications and the OS, and use NGAV with the latest definitions. These are the things we do to prevent a security incident from occurring in the first place.
- Identification: This step involves identifying the security incident on the basis of IoCs (Indicators of Compromise), IoAs (Indicators of Attack) and other symptoms. We can also use different types of logs, such as network and system logs.
- Containment: Once you have identified the threat, it is important to contain it in order to prevent it from spreading over the network or elsewhere. You can use EDR technologies to do that remotely; however, containment operations can also be performed on the system itself.
- Investigation: We must do root cause analysis and try to answer questions like how/when/where/why about the threat or attack, and capture all the details for the related incident.
- Eradication: Now it is time to eradicate the files or other threats that caused the incident to happen in the first place. You can uninstall infected programs and also use anti-malware tools to do the same.
- Recovery: Restore the machine with the latest backups for data and configuration settings.
- Follow-Up: Follow-ups must be done to find out the cost of the incident and the loss of productivity. We must also make sure that similar incidents do not happen in the future.
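As an added example that is not part of the original post, the following Python script shows the Identification step from the list above in practice: constructed log lines are matched against a constructed IoC list, the internal hosts that would need containing are collected, and the resulting incident record only advances through the seven phases in order. All IoC values, hostnames and the key=value log format are hypothetical.

```python
import re
from dataclasses import dataclass, field
# Lifecycle phases from the post, in order; an incident only moves forward one step at a time.
PHASES = ["Preparation", "Identification", "Containment", "Investigation",
          "Eradication", "Recovery", "Follow-Up"]
# Constructed IoC sets (hypothetical values: TEST-NET address, example domain, dummy hash).
IOCS = {"ip": {"203.0.113.45"}, "domain": {"bad.example.net"}, "sha256": {"a" * 64}}
# Constructed key=value log lines: firewall, DNS, EDR, plus one benign firewall line.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw src=10.0.0.5 dst=203.0.113.45 action=allow",
    "2024-05-01T10:00:05Z dns client=10.0.0.5 query=bad.example.net",
    "2024-05-01T10:00:09Z edr host=WS-17 file_sha256=" + "a" * 64 + " verdict=unknown",
    "2024-05-01T10:01:00Z fw src=10.0.0.9 dst=198.51.100.7 action=allow",
]
# Log keys that carry each IoC type, and keys naming the internal host to contain.
IOC_KEYS = {"ip": ("dst",), "domain": ("query",), "sha256": ("file_sha256",)}
HOST_KEYS = ("src", "client", "host")
KV = re.compile(r"(\w+)=(\S+)")

@dataclass
class Incident:
    phase: str = "Preparation"
    matches: list = field(default_factory=list)  # (log line, ioc type, value, host)
    hosts: set = field(default_factory=set)      # internal hosts to isolate in Containment

    def advance(self, to):
        """Enforce lifecycle order, e.g. Eradication cannot be recorded before Containment."""
        if PHASES.index(to) != PHASES.index(self.phase) + 1:
            raise ValueError(f"cannot move from {self.phase} to {to}")
        self.phase = to

def identify(logs, iocs=IOCS):
    """Identification step: match each log line's fields against the IoC sets."""
    hits = []
    for line in logs:
        fields = dict(KV.findall(line))
        for ioc_type, keys in IOC_KEYS.items():
            for key in keys:
                if fields.get(key) in iocs[ioc_type]:
                    host = next((fields[h] for h in HOST_KEYS if h in fields), None)
                    hits.append((line, ioc_type, fields[key], host))
    return hits

def triage(logs, iocs=IOCS):
    """Open an incident and move it to Identification only when an IoC actually matched."""
    inc = Incident(matches=identify(logs, iocs))
    inc.hosts = {host for *_, host in inc.matches if host}
    if inc.matches:
        inc.advance("Identification")
    return inc
```

Running `triage(SAMPLE_LOGS)` yields an incident in the Identification phase with two hosts to contain; feeding it only the benign line leaves it in Preparation with no matches.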
The steps above give you an overview of how the incident response lifecycle can be performed. Every organization may have different steps, but these are recommended by NIST and come under cyber security best practices. Kindly share your views and let us know if you do things in a different manner. Till then, stay safe!!!