An Incident Response System (IRS) is a laid-down set of policies, procedures, strategies, lines of action, and approaches that an organization puts in place to detect, identify, prevent, and contain incidents caused by cyber adversaries. With such a system in place, an organization can see an attack coming, prevent it from escalating, contain the incident, reduce its impact, and build defences against possible future attacks.
Incident response is strategically broken down into 6 stages:
Preparation stage
This stage takes stock of the security framework the organization presently has, its asset valuation, and the risks, vulnerabilities, and threats those assets can bring into the organization's network, with particular attention to high-value organizational assets. It also covers reviewing the organization's security policies so that they suit present needs and meet future ones, planning, the roles and responsibilities of security teams, the best security practices to put in place, and the tools and techniques to be used at each stage.
Threat Identification and Analysis Stage
Detection tools are employed to find any suspicious activity or movement in the organization's network. This stage also covers the measures used to find the traces of an attack, the kind of attack, its source, and the end the attacker is set to achieve from such malicious movement; the security practices used to mitigate the suspicious activity that has been traced; and detailed documentation of the overall threat analysis.
Threat Containment
Quick containment and isolation of the areas affected by the incident or the areas the attackers have penetrated, protection of unaffected areas, and remediation of partly affected systems. This stage sets out ways to limit the impact of cyber incidents and the damage they cause to the barest minimum, over both the short and the long term.
Elimination Stage
The elimination stage follows the containment stage, and in it the security team makes the details of the attack clear. Cleanup exercises are carried out to expel traces of malware, disable tampered user accounts, clear all traces left in breached security systems during the threat's execution, and replace systems that are condemned beyond repair with new ones.
Recovery phase
Previously backed-up data is restored; data recovery arrangements should be flexible and tailored to reflect the circumstances. Normal processes and activities are then restored. When there is no backup, the usual operations can begin to restore systems to their normal state: remediate vulnerabilities, patch and update software, replace worn-out hardware, tighten physical and internet security measures, change passwords, enforce good network monitoring, and change poor modes of operation.
Post-incident activity
After a security breach has occurred in an organization, there are lessons to be learned, and improvements begin to take place to forestall future security breaches. Members of the organization should be informed of what happened, how it happened, how the attack was stopped, the measures used to stop the attackers, and how future attacks can be prevented. The organization should keep abreast of new threats, conduct periodic assessments, and enforce strict cyber security awareness training.
INCIDENT RESPONSE PLAN
An Incident Response Plan (IRP) is a document containing the procedures and measures to be adopted in each stage of incident response. It stipulates the roles and responsibilities of the incident response team as well as their communication patterns and the levels of their response protocol. An incident response plan breaks the incident response system down into clearer terms.
Importance of an Incident Response Plan (IRP)
- It spells out the methods an organization should adopt in cases of cyber attacks and security breaches.
- It gives direction on how to remediate attack scenarios, mitigate the impact and quicken the process of recovery.
- It outlines the roles team members will play in order to respond to an incident more quickly and avoid escalation.
- It helps organizations detect external penetrations at an early stage.
The Computer Security Incident Response Team (CSIRT)
This is a team of security experts within a large or small organization that is charged with preparing for and responding to security breaches that could occur in the organization. They take remedial steps, document their findings and the steps employed, and communicate with the leaders of the organization and other stakeholders. Membership of this team includes an Incident Response Manager, who leads the team and coordinates all of its actions. Security Analysts assist the manager in the detection of malicious occurrences and in the improvement of security practices. Other team members include Threat Researchers, Lead Investigators, a Documentation Lead, a Human Relations Manager, and a Communication Lead.