Reflections — Module 8

Zwivhuya
2 min read · Apr 29, 2021

Cybersecurity Incident Management & Incident Response Process and Policy


In module 8, I learnt about important aspects of cybersecurity incident management. Earlier, in module 2, I learnt how to identify organisational information assets. These information assets are the most valuable treasures that attract attackers. Attacks and data breaches will happen; however, the duty of any cybersecurity incident response team (CIRT) is to ensure that an incident response process and policy are in place to defend against, defeat and recover from an attack.

Given the evolving nature of cybersecurity threats, a CIRT is expected to keep abreast of advancements in attacks. Successful CIRTs understand that a malicious entity can penetrate an organisation's defences, either internally or externally. A CIRT's effectiveness is tested by its ability to determine its vulnerabilities and weaknesses and by the response processes it has established to fend off attackers when an incident occurs. The cybersecurity kill chain is a well-known model that provides a framework for identifying, prioritising and responding to incidents. The model describes the seven-stage process of a cybersecurity incident. It gives valuable insight into the characteristics of each stage of an attack, which the CIRT can use to determine the degree of compromise in real time and make appropriate decisions to eliminate or reduce the impact of the attack.

Incident response focuses on three elements: the planning, processes and procedures to be followed to handle an incident. Documentation in the form of policies and checklists is used to ensure that the incident response applies appropriate resources to mitigate the incident as quickly as possible. The six key phases of an incident response are preparation, identification, containment, eradication, recovery and lessons.

In general, the lesson was very valuable in that it showed how one can prepare an incident response plan by preparing the procedure and policy. Procedures for responding to an incident, such as the OODA loop and checklists, give valuable strategies for effectively monitoring an attacker and determining their motives.
