Question


Explain the link between the initial response phase and the eradication and recovery phase in the Incident response program. Illustrate your answer by an example.

Answer #1

An incident response program is a systematic way of managing the situations which occur because of a cyber attack or breach.

The main objective of this program is to recover and resolve the problem within the minimum possible time, so that the major losses can be stopped as soon as the incident occurs.

The incident response plan consists of 4 main steps, they are:

1) Preparation

2) Detection and analysis

3) Containment, eradication and recovery

4) Post incident activity

I would like to explain these processes by taking the example of NIST (National Institute of Standards and Technology). It is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. The following are the NIST Cybersecurity Framework steps:

1) Preparation: This is the initial phase or the first step that is taken as soon as the incident occurs. It is a rapid response to the incident that occurs. In the case of NIST, they compiled the list of all assets, networks, applications and servers. After compiling the assets they ranked them based on their priorities, like which asset is the highest priority and which all are the lowest priority. Then they monitored the traffic patterns so that they can create baselines that can be used for comparison. The prioritization was made to safeguard the highest priority one first. And then they created the communication plan on who and how to contact based on each incident type and how to safeguard the data.

2) Detection and analysis: In this step the security incident is identified and further research is done based on the conclusions they got in the first step. In the case of NIST, they found the security incident and they got into the research mode. They gathered all the information on the incident and they analyzed it. They found the entry point of the breach, and the size and breadth of the breach, so that they can get to know to what depth the data has been affected. They did this detection and analysis using various security tools.

3) Containment, eradication and recovery: These are the steps that are followed after detecting and analyzing the breach's effectiveness and the damage caused by it. In the case of NIST, they consider containment, eradication and recovery as a single step, whereas a few companies consider each process as a separate step. NIST first did the containment process, in which they tried to stop the bleeding of data and patched the threat's entry point. Then they did the eradication process, wherein they started removing the threat. And the last process of this step is recovery; it aimed to get the system back to business as usual as if the breach had not occurred.

4) Post-incident activity: This is the last step of the program, wherein they will learn how to work still more effectively if the breach happens again. And they consider the areas of improvement that have to be taken up for better performance. NIST also got a few learnings on how much more effectively they can act when the breach happens the next time, and they found out which security tools they can use the next time.

Conclusion: All the phases of the incident response program are equally important and are interlinked with each other for the efficient functioning of the program. In the initial response phase, rapid action is taken, the assets are prioritized and the highest priority ones are treated first. And the communication plan was set up to create the security plan. They later detected the threat and analysed the breadth of it. In the initial phase itself the preparation, detection and analysis are done. Next comes the response phase; it can be implemented properly only when the initial phase has fulfilled its steps, i.e. preparation, detection and analysis are done properly. Hence it is linked with the initial phase very strongly. The function of the response phase is to do the process of containment and eradication, wherein the threats will be removed. And finally in the recovery phase they brought the system back to business as usual as if the breach had not occurred. This is how all the phases are linked with each other.
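The dependency the answer describes (the response phase consuming the asset priorities and traffic baselines from preparation, and the entry point and scope from detection) can be made concrete in code. The following is an added example, not part of the answer above and not NIST's own tooling: the inventory, baseline numbers, hostnames, contact roles and telemetry are all constructed for illustration, and the anomaly rule (baseline mean plus three standard deviations) is an assumed simplification of the "compare against baseline" idea.

```python
"""Toy model of the incident response lifecycle: containment, eradication
and recovery consume artifacts produced by preparation and detection, so
the response phase cannot run without them (constructed example)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# --- Preparation phase artifacts (constructed sample data) ----------------
# Asset inventory ranked by priority: 1 = highest priority, treated first.
ASSET_PRIORITY = {"db-01": 1, "web-01": 2, "jump-01": 3, "dev-01": 4}

# Baseline outbound bytes (per hour) per host, collected during preparation.
# Hypothetical numbers constructed for this example.
BASELINE_OUTBOUND = {
    "db-01":   [120, 130, 125, 118, 127],
    "web-01":  [900, 950, 880, 910, 930],
    "jump-01": [40, 42, 38, 45, 41],
    "dev-01":  [300, 280, 310, 290, 305],
}

# Communication plan: who to contact per incident type (hypothetical roles).
CONTACT_PLAN = {"data-exfiltration": "security-oncall", "malware": "soc-lead"}

# Live telemetry for the incident window: (hour, host, outbound bytes).
# Constructed so that jump-01 spikes first and db-01 spikes afterwards.
SAMPLE_TELEMETRY = [
    (1, "jump-01", 500),
    (2, "db-01", 5000),
    (2, "web-01", 920),
    (3, "dev-01", 295),
]


@dataclass
class DetectionReport:
    """Output of the detection and analysis phase."""
    incident_type: str
    entry_point: str                       # host where the breach started
    affected_assets: list = field(default_factory=list)


def is_anomalous(host: str, observed: int, k: float = 3.0) -> bool:
    """Flag a host whose outbound volume exceeds its baseline mean by more
    than k standard deviations (simple baseline comparison, assumed rule)."""
    samples = BASELINE_OUTBOUND[host]
    return observed > mean(samples) + k * pstdev(samples)


def detect(telemetry: list) -> DetectionReport:
    """Detection/analysis: compare telemetry against the preparation
    baseline, record the scope (affected hosts) and take the earliest
    anomalous host as the entry point."""
    anomalies = [(hour, host) for hour, host, v in telemetry if is_anomalous(host, v)]
    affected = list(dict.fromkeys(host for _, host in anomalies))  # dedupe, keep order
    entry_point = min(anomalies)[1] if anomalies else ""
    return DetectionReport("data-exfiltration", entry_point, affected)


def plan_response(report: DetectionReport) -> list:
    """Containment, eradication and recovery. Refuses to run when the
    preparation or detection artifacts it depends on are missing; orders
    work by asset priority and targets the entry point found in analysis."""
    if not ASSET_PRIORITY or not BASELINE_OUTBOUND:
        raise RuntimeError("preparation incomplete: no inventory or baseline")
    if not report.affected_assets or not report.entry_point:
        raise RuntimeError("detection produced no scope; nothing to contain")
    ordered = sorted(report.affected_assets, key=lambda h: ASSET_PRIORITY[h])
    actions = [f"notify {CONTACT_PLAN[report.incident_type]}"]
    # Containment: isolate affected hosts, highest priority first, then
    # close the entry point identified during analysis.
    actions += [f"contain: isolate {h}" for h in ordered]
    actions.append(f"contain: block entry point {report.entry_point}")
    # Eradication: remove the threat from each affected host.
    actions += [f"eradicate: remove threat from {h}" for h in ordered]
    # Recovery: restore each host and verify it against the baseline again.
    actions += [f"recover: restore {h} and verify baseline" for h in ordered]
    return actions


if __name__ == "__main__":
    report = detect(SAMPLE_TELEMETRY)
    for step in plan_response(report):
        print(step)
```

Running it prints the ordered response for the constructed incident: the notification, isolation of db-01 before jump-01 (priority from preparation), blocking of jump-01 as the entry point (from detection), then eradication and recovery in the same order. Passing a report with an empty scope raises, which is the point of the example: without the initial phase's outputs there is nothing for the response phase to act on.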
