The challenge of recovering from growing cyberattacks cannot be ignored. The process of recovery and containment needs another layer, called incident handling. Even federal agencies are now making incident response capabilities a mandate. The U.S. federal institution has released a guide on incident response that includes a mandate for all businesses to integrate an incident response policy into their business continuity planning process.
Incident Response Readiness – What to do before the incident?
Incident handlers plan, manage, coordinate, and communicate with other staff members of the organization to mitigate and contain the effects of an incident. The responsibilities of an incident handler must comply with the defined incident response plan.
Process of combating cyberattacks by incident handlers
The incident handler's priority is to prepare a concrete IR plan and battle-test it before a significant attack or breach takes place. An incident handler sets up the incident response plan as a series of phases, each addressing a suspected data breach. Every phase has a list of specific needs that the incident handler should consider. Besides these, there are several other steps that an incident handler follows in combating the after-effects of an incident.
Assembling incident response team –
The right people with the right skills will be able to respond to the incident collectively and in the right way. An incident handler forms a team whose members are drawn from other teams such as production, sales, development, etc. This is done to pool various capabilities and perform containment effectively. Mostly, the SOC team forms the core of the incident handling team. So, an incident handler assembles a group of people from the SOC and from other specialties, both technical and non-technical.
Detect and ascertain the source –
The IR team should first identify the cause of the breach and contain the source. Through various indications, the incident handling team is informed about the incident. The incident handler closely follows all threats and risks to assess the possibility of loss.
Contain and recover –
Once an attack is detected and the source is identified, the incident handler works towards containing the damage. The process would involve disabling network access to restrict the spread of the malware (if any) and isolating the affected systems from the network. It may also include installing patches, uninstalling compromised software, resetting passwords for the breached accounts, blocking insider access, backing up the data, and many other steps. The long-term containment strategy includes bringing all systems back into production and ensuring their standard business operation.
Assess the damages –
It is difficult to assess the damages until the incident is properly investigated. Ascertaining the cause of the breach is important, and the incident response team should set its priorities accordingly. The incident handler reviews the effects of launching a full-fledged cyber attribution investigation.
Begin the notification process –
In a breach, data that is sensitive, protected, or confidential is compromised by the attacker. Certain privacy laws, such as GDPR, bind the organization to give a public notification in the event of a data breach. It is the responsibility of the incident handler to notify affected parties so that they can protect themselves from identity theft and other misuse after their personal information is compromised.
Update or refine incident handling plan –
After containment, an incident handler should reframe or refine the incident handling plan and policies based on the experience from the recent incident. This may include patching the vulnerabilities, training employees, recommending new software, etc. Such changes prepare the organization for dealing with similar incidents in the future.
Want to be a skilled incident handler?
Join the EC-Council Certified Incident Handler (E|CIH) program. The latest iteration of E|CIH has been designed and developed in collaboration with cybersecurity and incident handling and response practitioners across the world. It is a comprehensive specialist-level program that imparts the knowledge and skills needed to handle post-breach consequences by reducing the aftermath of incidents, both financial and reputational.