What is it?
Put simply, IR is the steps used to prepare for, detect, contain, and recover from a data breach or cyberattack.
It is an effort to quickly identify an attack, minimise its effects, contain damage, and remediate the cause to reduce the risk of future incidents.
IR Planning
An incident response plan is a set of documented procedures detailing the steps that should be taken in each phase of incident response.
It should include guidelines for roles and responsibilities, communication plans, and standardised response protocols.
Key Terminology:
Event—a change in settings, status, or communications, e.g. server requests, permission updates, or data deletion
Alert—triggered by an event to warn of suspicious activity, e.g. use of an unused port
Incident—an event that puts your systems at risk, e.g. theft of credentials
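To make the three terms concrete, here is an added example (not from the original thread) that runs simple detection logic over constructed sample events: the event format, the allow-listed ports and the escalation rules are all assumptions.

```python
"""Event -> Alert -> Incident triage. Added example; the event records,
EXPECTED_PORTS and the rules below are constructed assumptions."""
from collections import defaultdict

# Constructed sample events in an assumed one-dict-per-event log format.
EVENTS = [
    {"type": "server_request", "host": "web01", "src": "10.0.0.5", "port": 443},
    {"type": "permission_update", "host": "dc01", "user": "alice", "change": "added_to_admins"},
    {"type": "server_request", "host": "web01", "src": "198.51.100.7", "port": 4444},
    {"type": "login_failed", "host": "vpn01", "user": "bob", "src": "198.51.100.7"},
    {"type": "login_failed", "host": "vpn01", "user": "bob", "src": "198.51.100.7"},
    {"type": "login_failed", "host": "vpn01", "user": "bob", "src": "198.51.100.7"},
    {"type": "login_success", "host": "vpn01", "user": "bob", "src": "198.51.100.7"},
    {"type": "data_deletion", "host": "fs01", "user": "bob", "path": "/share/finance"},
]

# Assumed: the ports each host is expected to serve; anything else is "unused".
EXPECTED_PORTS = {"web01": {80, 443}, "vpn01": {443}}


def raise_alerts(events):
    """Alerts: warn on suspicious events (an unused port, a privileged permission change).
    Every record in `events` is an event; only a few become alerts."""
    alerts = []
    for e in events:
        if e["type"] == "server_request" and e["port"] not in EXPECTED_PORTS.get(e["host"], set()):
            alerts.append({"rule": "unused_port", "host": e["host"], "src": e["src"], "port": e["port"]})
        elif e["type"] == "permission_update" and "admin" in e["change"]:
            alerts.append({"rule": "privileged_change", "host": e["host"], "user": e["user"]})
    return alerts


def detect_incidents(events, threshold=3):
    """Incidents: events that put systems at risk. A successful login after
    `threshold` failures from the same source is treated as likely credential
    theft; destructive actions by that account are escalated as well."""
    incidents, failures, compromised = [], defaultdict(int), set()
    for e in events:
        if e["type"] == "login_failed":
            failures[(e["user"], e["src"])] += 1
        elif e["type"] == "login_success" and failures[(e["user"], e["src"])] >= threshold:
            compromised.add(e["user"])
            incidents.append({"kind": "credential_theft", "user": e["user"], "src": e["src"]})
        elif e["type"] == "data_deletion" and e["user"] in compromised:
            incidents.append({"kind": "destructive_activity", "user": e["user"], "path": e["path"]})
    return incidents


if __name__ == "__main__":
    print(len(EVENTS), "events ->", raise_alerts(EVENTS), detect_incidents(EVENTS))
```

Lowering or raising `threshold` shows the trade-off every detection rule carries: a looser rule escalates more events into incidents, a stricter one risks missing the credential theft entirely.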
2/ Detection and analysis: determine whether an incident occurred, its severity, and its type
3/ Containment and eradication: halt the effects of an incident before it can cause further damage
4/ Post-incident recovery: lessons learned to improve security and incident handling
According to SANS, there are six phases to incident response:
1/ Preparation of systems and procedures
2/ Identification of incidents
3/ Containment of attackers and the incident
4/ Eradication of attackers and prevention of re-entry
5/ Recovery from incidents & restoration of systems
6/ Lessons learned
6 common incident types:
1/ Unauthorised Attempts to Access Systems or Data
2/ Privilege Escalation Attack
3/ Insider Threat
4/ Phishing Attack
5/ Malware Attack
6/ Denial-of-Service (DoS) Attack
Industry Frameworks for IR:
NIST (Computer Security Incident Handling Guide, Special Publication): nvlpubs.nist.gov
The SANS Incident Response Framework (Incident Handler's Handbook): sans.org
IR Template (this will show you what plans typically look like; Incident Response Planning Guideline from the Berkeley Information Security Office): security.berkeley.edu
What is the role of an Incident Response Team?
To enact the IRP.
The key duties are to prevent, manage, and respond to security incidents. This can involve researching threats, developing policies and procedures, and training end users in cybersecurity best practices.
Does every org have their own team?
Not always. Many orgs use IR managed services that can replace or supplement in-house teams.
They typically offer a higher level of expertise and can provide 24/7 monitoring and response. They usually work on retainer paid monthly.
How do you get into IR and what’s the day to day like?
Good questions.
I’ll be dropping an Incident Response Career Pathway this week.
Turn on notifications via my profile so you don’t miss out 🔔
If you found this valuable, I'd greatly appreciate a Like / RT.
It signals to me what type of content is useful to you.
If you'd like to discuss more, visit the Calpha Community Discord 👍
Have a great day!
P.S. If you want to get started, or go further in your cyber security career, you'll love my weekly newsletter (it's free).
1 job hunting tip every week to help you land your dream role.
Link here: calpha.beehiiv.com