Definitions of an incident:
- NIST: 'An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.'
- Cybrary: 'An incident is an unplanned disruption or degradation of a network or system service and needs to be resolved immediately.'

Incident Response Plan (IRP): the documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of a malicious cyber attack against an organization's information system(s). [NIST]

The NIST Computer Security Incident Handling Guide (SP 800-61) provides guidance on the exact elements to include:
- Mission, strategies, and goals of incident response.
- Senior management approval.
- Approach to incident response.
- Metrics for measuring response capabilities and effectiveness.
- Roadmap for maturing the response capability.
- How the incident response program fits into the organization.
- Documented incident types / category definitions:
  - Accidental / human error
  - Malicious / compromise of C-I-A
- Roles and responsibilities:
  - Granting clear authority for actions to be taken during an incident.
  - Who can/does perform IRP activities:
    - Identification / triage
    - Decision making - must be an organizational executive.
    - Equipment collection / confiscation
    - Forensics - independence / segregation of duties
    - Repair / recovery
    - Communicating - talking outside the organization.
- Cyber-incident response teams:
  - Computer Emergency Response Team (CERT)
  - Cyber Incident Response Team (CIRT)
  - Computer Security Incident Response Team (CSIRT)
  - Formalized, standing, or ad hoc.
  - Internal or external.
  - Central, distributed, or coordinating.
  - Systems, network, and database admins.
  - Included in many help desk systems.
- Collecting evidence (physical, virtual, etc.)
- Reporting / disclosing to:
  - Internal management (Legal, HR, CEO, CFO)
  - Legal authorities / law enforcement (local, FBI)
  - Affected organizations / clients / customers
  - Internet Crime Complaint Center (IC3) - www.ic3.gov
  - The plan also needs to state which outside agencies (if any) should be notified.
  - Escalation guidelines indicate under what circumstances you need to ask for additional assistance.
- Testing, exercises, and training:
  - Prepare each role with training.
  - Practice using real-world scenarios.
  - Test systems and processes to find issues.
  - Tabletop and functional exercises.

- Create an "Incident Response Plan" or IRP.
- Testing & exercises.

- Logs - IDS, SIEM, AV
- Incident triage / validation.
- Determine incident scope:
  - What and who is affected.
  - Number of systems affected.
- Analysis - impact and recoverability effort.
- Documentation & notification.
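The identification steps above (pull logs from IDS, SIEM and AV, triage and validate, determine scope, document and notify) as an added worked example that is not part of the original notes: a small Python triage script that correlates constructed log lines per host, counts systems and users affected, and renders the record that would go into the incident ticket. The simplified key=value log format, the host names and IP addresses, and the three-failed-logon threshold are all my assumptions, not from any real product or incident.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from any real product or incident). Each line is
# "<timestamp> <source> key=value ..." where <source> is ids, av or auth.
SAMPLE_LOGS = [
    '2024-05-01T09:12:01Z ids host=ws-041 src=10.0.4.41 dst=203.0.113.7 sig="ET MALWARE Beacon" sev=high',
    '2024-05-01T09:12:33Z av host=ws-041 user=jdoe detected="Trojan.Generic" action=quarantined',
    '2024-05-01T09:13:10Z auth host=fs-01 user=jdoe result=success src=10.0.4.41',
    '2024-05-01T09:14:02Z auth host=fs-01 user=admin result=failure src=10.0.4.41',
    '2024-05-01T09:14:03Z auth host=fs-01 user=admin result=failure src=10.0.4.41',
    '2024-05-01T09:14:04Z auth host=fs-01 user=admin result=failure src=10.0.4.41',
    '2024-05-01T09:20:45Z av host=ws-077 user=asmith detected="PUA.Adware" action=cleaned',
    '2024-05-01T09:21:00Z ids host=ws-077 src=10.0.4.77 dst=198.51.100.9 sig="ET POLICY Software Update" sev=low',
]

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<source>ids|av|auth)\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
AUTH_FAILURE_THRESHOLD = 3  # assumed triage threshold; tune to the environment


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "source": m.group("source")}
    for key, raw, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else bare
    return rec


def triage(lines):
    """Correlate parsed events per host and decide which hosts are in scope."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    indicators = defaultdict(list)   # host -> list of (source, description)
    users = defaultdict(set)         # host -> users seen on the host
    suspicious_ips = {}              # source IP -> host, taken from high-severity IDS alerts
    failures = defaultdict(int)      # (host, user, src) -> failed logon count

    # Pass 1: per-event indicators. Low-severity IDS policy alerts are noise for scoping.
    for e in events:
        host = e.get("host")
        if e["source"] == "ids" and e.get("sev") == "high":
            indicators[host].append(("ids", f'{e["sig"]} to {e["dst"]}'))
            suspicious_ips[e["src"]] = host
        elif e["source"] == "av":
            indicators[host].append(("av", f'{e["detected"]} ({e["action"]})'))
            users[host].add(e["user"])
        elif e["source"] == "auth" and e.get("result") == "failure":
            failures[(host, e["user"], e["src"])] += 1

    # Pass 2: rules that need the whole data set (repeated failures, logons from an alerting host).
    for (host, user, src), n in failures.items():
        if n >= AUTH_FAILURE_THRESHOLD:
            indicators[host].append(("auth", f"{n} failed logons for {user} from {src}"))
    for e in events:
        if e["source"] == "auth" and e.get("result") == "success" and e["src"] in suspicious_ips:
            desc = f'logon by {e["user"]} from alerting host {suspicious_ips[e["src"]]}'
            indicators[e["host"]].append(("auth", desc))
            users[e["host"]].add(e["user"])

    # Validation: a host is validated when two independent sources corroborate, otherwise only suspected.
    validated = sorted(h for h, ind in indicators.items() if len({s for s, _ in ind}) >= 2)
    suspected = sorted(h for h in indicators if h not in validated)
    return {
        "validated_hosts": validated,
        "suspected_hosts": suspected,
        "systems_affected": len(indicators),
        "users_affected": sorted(set().union(*users.values())),
        "indicators": dict(indicators),
    }


def notification_record(scope):
    """Render the scope as the short record that goes into the incident ticket / notification."""
    lines = [
        f"Systems in scope: {scope['systems_affected']} "
        f"(validated: {', '.join(scope['validated_hosts']) or 'none'}; "
        f"suspected: {', '.join(scope['suspected_hosts']) or 'none'})",
        f"Users affected: {', '.join(scope['users_affected']) or 'none'}",
    ]
    for host, ind in sorted(scope["indicators"].items()):
        for source, desc in ind:
            lines.append(f"  {host} [{source}] {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(notification_record(triage(SAMPLE_LOGS)))
```

On the constructed data the workstation with both an IDS beacon alert and an AV detection comes out validated, while the file server (only authentication evidence) and the second workstation (only a cleaned adware hit) are suspected and still need an analyst's validation before they count toward impact.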
- Ensuring the incident doesn't continue or spread.
- Securing the scene / limiting access / isolating systems (quarantine).

- Find and eliminate the root cause.
- Removing elements of the incident, such as malware.
- Patching / updating software.
- Restoring from backup.

- The process of restoring and returning affected systems and devices to the business environment.
- Restoring from backup.
- Hardening systems (using a known baseline).
- Access control (network or systems).
- Authentication (change passwords).

- After-action meeting with all incident response team members.
- Capture actions such as the cause, the cost, and recommendations for preventing future incidents.
- Discuss what you've learned from the data breach.
- Regulatory or legal requirements.