Cybercrime has been gaining traction over recent years and is becoming the new reality for business enterprises all over the world. It is, therefore, not a matter of if a company will be targeted by cybercriminals, but when the attack will occur. Hence, it is prudent for all organizations to take a pre-emptive approach to handling and responding to cybercrime incidents in order to minimize downtime and damage costs. An incident response plan, therefore, is a set of guidelines to be followed in the event of a security incident such as a breach, to ensure data protection and privacy and to maintain business continuity.
5 Things that make up an Incident Response Plan
Many organizations have an incident response team that is responsible for drawing up the incident response plan and executing it. A proper incident response plan will:
- Define the controls used to mitigate breaches and incidents and to reduce their impact.
- Ensure the organization has the capability and resources needed to handle security incidents, including a specialized, professional Cyber Incident Response Team (CIRT).
- Set out how, when an incident occurs, the response team prioritizes what must be addressed immediately and what can wait.
- State the scope of the plan, the response policy, and the roles of every member of the response team.
- Include the procedures that define the appropriate response to each kind of incident, together with an incident-reporting strategy for cases where industry regulations require notifying the authorities.
4 Phases of an Incident Response Plan
When an incident occurs, it is crucial to follow an incident response plan that guides responders through pre-defined processes and phases. These phases impose order on execution, since a live incident can trigger a frenzy of activity that degrades the effectiveness of the response. NIST (SP 800-61) models incident response in four main phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity:
- Phase I: PREPARATION – planning the procedures for responding to and mitigating security incidents, and putting the team, tooling, and communication channels in place before an incident happens.
- Phase II: DETECTION AND ANALYSIS – detecting the initial threat, monitoring for potentially malicious activity, and analyzing the threat. Detection is one of the most critical phases of the plan, because this is where the type of response required is determined and the incident is prioritized relative to other work.
- Phase III: CONTAINMENT, ERADICATION, AND RECOVERY – developing a containment strategy, identifying all affected systems, removing the attacker's access and artifacts, documenting the response and collecting evidence, and carrying out a remediation and recovery procedure that returns systems to normal operation and so preserves business continuity.
- Phase IV: POST-INCIDENT ACTIVITY – reviewing the actions taken and the lessons learned in order to improve security measures, and following a plan for evidence retention.
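The evidence collection mentioned under Phase III and the evidence retention under Phase IV both depend on being able to prove later that an artifact is the one that was collected and that it has not changed. The following Python script is an added example, not code from the original article or from EC-Council: it hashes each artifact at collection time, appends a chain-of-custody record to a JSON-lines log, and re-verifies the artifacts afterwards. The file names, the collector name `analyst01`, the case ID `IR-0001`, the log line in `auth.log`, and the record layout are all constructed for illustration.

```python
"""Added example (not from the original article): hash evidence at collection
time, record a chain-of-custody entry, and later verify that nothing changed.
File names, case ID, collector name and record layout are assumptions."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    """Stream the file in chunks so large disk or memory images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_evidence(paths, collector, case_id, log_path):
    """Hash each artifact and append one custody record per artifact to log_path.

    Returns the list of records written. Records are appended, never rewritten,
    so the log itself is a running history of what was collected and when."""
    records = []
    for p in paths:
        rec = {
            "case_id": case_id,
            "artifact": os.path.abspath(p),
            "size": os.path.getsize(p),
            "sha256": sha256_file(p),
            "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        }
        records.append(rec)
    with open(log_path, "a") as f:
        for rec in records:
            f.write(json.dumps(rec) + "\n")
    return records


def verify_evidence(log_path):
    """Re-hash every artifact named in the log.

    Returns {artifact_path: True/False}; a missing file counts as not intact."""
    results = {}
    with open(log_path) as f:
        for line in f:
            rec = json.loads(line)
            p = rec["artifact"]
            try:
                results[p] = sha256_file(p) == rec["sha256"]
            except FileNotFoundError:
                results[p] = False
    return results


def demo():
    """Constructed scenario: two artifacts are collected, then one is modified.

    Returns (before, after, tampered_path) so a caller can inspect both checks."""
    d = tempfile.mkdtemp()
    log_file = os.path.abspath(os.path.join(d, "auth.log"))
    dump_file = os.path.abspath(os.path.join(d, "memory.dmp"))
    with open(log_file, "w") as f:  # constructed sample log line
        f.write("sshd[4412]: Failed password for root from 203.0.113.5 port 51022\n")
    with open(dump_file, "wb") as f:  # constructed stand-in for a memory image
        f.write(os.urandom(4096))
    custody_log = os.path.join(d, "custody.jsonl")
    collect_evidence([log_file, dump_file], collector="analyst01",
                     case_id="IR-0001", log_path=custody_log)
    before = verify_evidence(custody_log)
    with open(log_file, "a") as f:  # simulate tampering after collection
        f.write("tampered\n")
    after = verify_evidence(custody_log)
    return before, after, log_file


if __name__ == "__main__":
    before, after, tampered = demo()
    print("intact before tampering:", before)
    print("intact after tampering: ", after)
```

Running the script shows every artifact verifying as intact immediately after collection and `auth.log` failing verification once it has been modified; in practice the custody log is itself stored on write-once or separately controlled media, since an attacker who can edit both the artifact and its recorded hash defeats the check.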
How to Become a Certified Incident Handler
“Organizations are looking for professional incident handlers and response personnel who can prepare security policies and plans to tackle incidents with efficacy in time-constrained scenarios in order to reduce the impact of incidents.” –Jay Bavisi, President of EC-Council Group.
Becoming an EC-Council Certified Incident Handler (ECIH) will accomplish just that. The ECIH teaches the most current techniques for handling attacks, whether the incident is as small as a single computer or spans an entire network, so that you are prepared to stop the attack and prevent future ones. Not only that, but the ECIH teaches the candidate to draft effective security policies and to ensure that the quality of services is maintained at the agreed levels.