What are the phases of the incident response life cycle?
There are four phases of the incident response life cycle as outlined by the National Institute of Standards and Technology (NIST):
1. Preparation: The first phase is designed to help organizations determine the risks to their systems and data, outline problem management strategies and put mechanisms in place to deal with security incidents. This can include performing a formal risk assessment, implementing the tools and processes to analyze and mitigate incidents, prioritizing threats, creating and training an Incident Response Team and putting together an Incident Response Plan (IRP) in accordance with the NIST life cycle guidelines.
2. Detection and analysis: In this phase, the operations team puts systems in place to proactively monitor for, detect, prioritize and analyze incidents, with the aim of recognizing irregular or suspicious activity in the network environment that might disrupt operations. Detection and analysis are generally done through a combination of human investigation and security tools that automate parts of the process. With automation and effective execution, this phase can often minimize the spread and impact of an incident.
3. Containment, eradication and recovery: The third phase addresses security incident resolution. Containment aims to stop the incident from causing further damage; disconnecting the affected server from the network and adding firewall rules to block the attacker can stop a malware attack, for example. Security administrators or support staff then eradicate the threat, removing the malware from the infected server and verifying that it does not persist anywhere else in the environment. Finally, support staff recover the system to its state prior to the infection and restore service quality by reinstalling applications or restoring data from backups.
4. Post-incident activity: Phase four encompasses steps to prevent similar incidents from happening again. Using data collected from the incident and post-mortem meetings, the organization determines how the incident happened, what preventative measures to strengthen or add, how to improve monitoring and alerting processes, and how to streamline help desk and service requests, remediation and recovery processes. Any legal or regulatory compliance issues also need to be addressed in this phase.
Altogether, the four phases are designed to build on a comprehensive knowledge base; the effectiveness of phase three relies heavily on the success of phases one and two. To provide optimal protection and restore service quickly, organizations need to implement all four phases together.
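As an added illustration that is not part of the original article, the Python below models the four phases as a small state machine using the transitions NIST's life cycle diagram allows, records a constructed incident timeline, and derives the figures a post-incident review would pull from it; the phase labels, timestamps and actions are assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# The four phases as the page names them (NIST SP 800-61).
PREPARATION, DETECTION = "preparation", "detection_and_analysis"
CONTAINMENT, POST_INCIDENT = "containment_eradication_recovery", "post_incident_activity"
# Legal moves between phases. NIST's life cycle diagram lets phase three loop back to phase
# two (containment often surfaces new indicators) and phase four feed back into preparation.
TRANSITIONS = {
    PREPARATION: {DETECTION},
    DETECTION: {CONTAINMENT},
    CONTAINMENT: {DETECTION, POST_INCIDENT},
    POST_INCIDENT: {PREPARATION},
}


@dataclass
class Incident:
    """One incident's timeline as ordered (timestamp, phase, action) entries."""
    phase: str = PREPARATION
    timeline: list = field(default_factory=list)

    def record(self, when: datetime, phase: str, action: str) -> None:
        # Log an action; refuse a phase change the life cycle does not allow.
        if phase != self.phase and phase not in TRANSITIONS[self.phase]:
            raise ValueError(f"illegal move {self.phase} -> {phase}")
        self.phase = phase
        self.timeline.append((when, phase, action))

    def first_entry(self, phase: str) -> datetime:
        return next(t for t, p, _ in self.timeline if p == phase)

    def review_metrics(self) -> dict:
        """Post-incident (phase four) figures: time to contain, time to review, loops back to analysis."""
        detected, contained = self.first_entry(DETECTION), self.first_entry(CONTAINMENT)
        phases = [p for _, p, _ in self.timeline]
        return {
            "detect_to_contain_minutes": (contained - detected) // timedelta(minutes=1),
            "detect_to_review_hours": (self.first_entry(POST_INCIDENT) - detected) // timedelta(hours=1),
            "analysis_loops": sum((a, b) == (CONTAINMENT, DETECTION) for a, b in zip(phases, phases[1:])),
        }


def example_incident() -> Incident:
    """Constructed walk through the cycle; timestamps and actions are made up."""
    t0, inc = datetime(2024, 1, 1, 9, 0), Incident()
    inc.record(t0, PREPARATION, "IRP on file, monitoring in place")
    inc.record(t0 + timedelta(minutes=30), DETECTION, "EDR alert triaged as malware")
    inc.record(t0 + timedelta(minutes=45), CONTAINMENT, "host isolated from the network")
    inc.record(t0 + timedelta(minutes=60), DETECTION, "second host found during sweep")
    inc.record(t0 + timedelta(minutes=70), CONTAINMENT, "hosts rebuilt, data restored from backup")
    inc.record(t0 + timedelta(hours=24, minutes=30), POST_INCIDENT, "post-mortem held, IRP updated")
    return inc
```

The rejected transition (for example, jumping from post-incident activity straight back into containment without new analysis) is what makes the "phases build on one another" point concrete for a tracker or ticketing workflow.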