As an embattled IT warrior, with more systems, apps, and users to support than ever before, keeping everything up and running is a battle in itself.
When it comes to preventing the worst-case scenario from happening, you need all the help you can get, despite your super-hero status.
- Preparation – Preparing users and IT to handle potential incidents in case they happen
- Identification – Figuring out what we mean by a “security incident” (which events can we ignore vs. which we must act on right now?)
- Containment – Isolating affected systems to prevent further damage
- Eradication – Finding and eliminating the root cause (removing affected systems from production)
- Recovery – Permitting affected systems back into the production environment (and watching them closely)
- Lessons Learned – Writing everything down and reviewing and analyzing with all team members so you can improve future incident response efforts
On Defining Incident Response Success
Attacks are not all-or-nothing affairs – they happen over time, with multiple stages before final success.
To remain undetected against an attentive defender, it is the attacker who must make every move correctly; if the defender spots them even once, the defender has a chance to locate and stop the whole attack.
You aren’t going to immediately detect everything that happens during an attack – but as long as you detect (and correctly identify) enough of an attack to stop it in its tracks, that’s success.
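The Identification step above asks which events can be ignored and which demand action right now, and this section argues that catching even one stage of a multi-stage attack is enough to act on. The following script is an added example, not code from the original post: it runs a few detection rules over constructed log lines (the hosts, users, addresses and commands are all made up for the demo), correlates hits per host, and turns them into an ignore / investigate / act-now verdict. The rule set, thresholds and scoring are assumptions chosen for illustration, not a recommended standard.

```python
"""Event triage for the Identification phase (added example).

Scores constructed key=value log lines against a few detection rules,
correlates the hits per host, and returns a verdict per host so that
detecting a single stage of a multi-stage intrusion is enough to escalate.
"""
import re
from collections import defaultdict

# Constructed sample log lines for the demo; not captured from any real system.
SAMPLE_LOGS = [
    "2024-01-10T09:00:01 host=ws-17 user=alice event=login result=failure src=10.0.0.5",
    "2024-01-10T09:00:02 host=ws-17 user=alice event=login result=failure src=10.0.0.5",
    "2024-01-10T09:00:03 host=ws-17 user=alice event=login result=failure src=10.0.0.5",
    "2024-01-10T09:00:04 host=ws-17 user=alice event=login result=failure src=10.0.0.5",
    "2024-01-10T09:00:05 host=ws-17 user=alice event=login result=failure src=10.0.0.5",
    "2024-01-10T09:00:06 host=ws-17 user=alice event=login result=success src=10.0.0.5",
    '2024-01-10T09:01:10 host=ws-17 user=alice event=process cmd="powershell -enc SQBFAFgA"',
    "2024-01-10T09:02:00 host=ws-17 user=alice event=netconn dst=203.0.113.9:4444",
    "2024-01-10T09:05:00 host=srv-db user=svc_backup event=login result=success src=10.0.0.20",
    '2024-01-10T09:06:00 host=srv-db user=svc_backup event=process cmd="pg_dump prod"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a 'timestamp key=value ...' line into a dict (quotes stripped)."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def is_private(ip):
    """RFC 1918 check; for this demo anything else counts as external."""
    return (ip.startswith(("10.", "192.168."))
            or re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip) is not None)


def _encoded_powershell(e):
    cmd = e.get("cmd", "").lower()
    return e.get("event") == "process" and "powershell" in cmd and "-enc" in cmd


def _external_connection(e):
    return e.get("event") == "netconn" and not is_private(e.get("dst", "").split(":")[0])


# Single-event rules: (stage label, severity, predicate). Severity 1=low, 3=high.
# Both the labels and the weights are assumptions made for this example.
EVENT_RULES = [
    ("execution", 3, _encoded_powershell),
    ("command-and-control", 3, _external_connection),
]


def verdict(info):
    """Act now on any high-severity hit or on two or more distinct stages;
    investigate a single low-severity hit; ignore everything else."""
    if info["score"] >= 3 or len(info["stages"]) >= 2:
        return "act-now"
    if info["score"] > 0:
        return "investigate"
    return "ignore"


def triage(lines, failure_threshold=5):
    """Return {host: {"stages": set, "score": int, "verdict": str}}."""
    hosts = defaultdict(lambda: {"stages": set(), "score": 0})
    failures = defaultdict(int)  # (host, user) -> consecutive login failures
    for e in (parse_line(l) for l in lines):
        host = e.get("host", "?")
        info = hosts[host]  # register the host even if nothing fires
        # Stateful rule: a burst of failures alone is worth a look; a burst
        # followed by a success looks like initial access and weighs more.
        if e.get("event") == "login":
            key = (host, e.get("user"))
            if e.get("result") == "failure":
                failures[key] += 1
                if failures[key] == failure_threshold:
                    info["stages"].add("credential-guessing")
                    info["score"] += 1
            elif e.get("result") == "success":
                if failures[key] >= failure_threshold:
                    info["stages"].add("initial-access")
                    info["score"] += 3
                failures[key] = 0
        for stage, severity, pred in EVENT_RULES:
            if pred(e):
                info["stages"].add(stage)
                info["score"] += severity
    for info in hosts.values():
        info["verdict"] = verdict(info)
    return dict(hosts)


if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOGS).items():
        print(f"{host}: {info['verdict']} (score {info['score']}, stages {sorted(info['stages'])})")
```

The point of correlating per host rather than alerting per line is visible in the output: ws-17 would be escalated even if only the encoded PowerShell line or only the external connection had been logged, while srv-db, whose backup job looks routine, stays at "ignore" rather than adding noise to the queue.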
Don’t Panic. Stay Focused.
The most important part of incident response is to handle every situation in a way that limits damage, and reduces recovery time and costs.
At the end of the day, that’s how a job well done will be measured: by limiting damage, recovery time and cost, not by whether you’ve covered every angle of every potential vulnerability.
Start with Simple Steps. Attackers are Lazy.