This lesson provides a brief discussion of the incident response life-cycle, including preparation, detection and analysis, containment, eradication, recovery, and post-incident activity. This is a scene-setter before you start working through the planning.
- [Instructor] The basic outline of any incident response plan should always follow the incident response life cycle. Now, for this course, we're going to use the NIST Special Publication 800-61 as our guide. This is also called the Computer Security Incident Handling Guide. This is going to serve as the basis for all of our discussions in this course, and in there, it describes four phases that occur during any incident response. These four phases are preparation, detection and analysis, containment, eradication, and recovery, as well as the post-incident activity. During the preparation phase, the organization establishes and trains an incident response team. They're also going to acquire the necessary tools and resources as well as attempt to limit the number of incidents by selecting and all of this is going to be done based on a thorough risk assessment of the company's systems and networks. During the detection and analysis phase, the organization is focused on identifying, categorizing, and prioritizing unusual activity handling efforts are normally going to be spent. After all, just because something is unusual, it doesn't mean it's necessarily malicious or an incident. This is the area of work that most cybersecurity analysts During the containment, eradication, and recovery phase, the organization is going to use the detection and analysis from the previous phase to devise an exact plan to stop an incident from becoming more widespread. Then the organization must eliminate the malware or infection from a contained system and finally, work to recover that system to its pre-infected state so that the business can return to its normal operations. At this point, the major stresses of the incident are behind us. For example, maybe we detected there was a bad guy in the network, and we stopped it from spreading. We've also removed the malware, cleaned up the infection, and recovered the system back to normal operations.
So, we must have reached the finish line, right? I mean, are we done yet? Well, not quite yet. We still have the fourth and final phase, which is known as post-incident activity. This is the phase where we stop and collect all of our after-action reports. who was involved and we're going to document the lessons learned from this incident. What did we do well? What could we have done better? through our continual improvement processes to help ensure that we don't fall victim to the exact same incident again. Now, finally, once the post-incident activity is completed, we go back to the beginning of the life cycle and we restart the whole thing over again with another round of preparation. For now though, we just need to have we're doing in each of these four phases, as we start to outline our incident response plan.
- Differences between events and incidents
- Elements of policies, plans, and procedures
- The structure of the incident response team
- Selecting a team model
- Leading a team during an incident
- Internal information sharing
- Incident prevention
- Detection and analysis
- Containment, eradication, and recovery
- Calculating the cost of an incident