The SANS Institute is a private organization that does information security research and education. We’ll go over the six components of an incident response plan SANS in-depth in this article.
So, this includes the elements like preparation, identification, containment, and eradication. Continue reading to learn more about Cynet’s 24-hour incident response team and how they may assist your company.
What is an Incident Response Plan: Overview
Incident response assists companies in making sure that they are aware of security incidents and can respond rapidly to limit harm. The goal is also to prevent future attacks or situations that are similar to this one.
6 Steps of Incident Response Plan SANS
1. Preparation
During the first phase, first, examine and codify an organization’s security policy, conduct a risk assessment, identify sensitive assets, determine which significant security incidents the team should focus on, and establish a Computer Security Incident Response Team (CSIRT).
2. Identification
Next, identify events that are security incidents. This may include monitoring the organization’s environment for suspicious events. For example, check IT systems for deviations from usual operations and determine if they are security incidents. Collect additional evidence, determine the type and severity of the occurrence, and document everything.
3. Containment
Once an incident is identified, ensure that it does not spread or cause more damage. For example, take all necessary steps to prevent the attacker from spreading a worm or a virus. Also, make sure that the attacker is not able to access any more of the system’s resources.
4. Data Eradication
This step is about making sure that unauthorized information is not kept in any of your systems. For example, take all necessary steps to remove malicious code from the organization’s systems. Also, figure out how the data was collected and determine what can be done to prevent additional occurrences.
5. Data Recovery
After you isolate an incident, try to restore the affected systems to their normal state. For example, you can try to recover data that has been damaged during an attack. Take all necessary steps to recover the affected systems and restore them to normal operation.
6. Lessons Learned
During this phase, first, figure out what caused the security incident and then develop a plan for preventing similar occurrences in the future.
For example, if it was a worm outbreak, figure out how it spread through your networks and then develop a plan for preventing similar occurrences in the future.
Also, find out if there are any regulatory requirements related to this security incident and then develop a plan for meeting them. Plan for recovery from future attacks as well as recovery from this attack itself. For example, you will need recovery plans for if there are multiple attacks or if there are critical system failures during recovery efforts.
What is a CSIRT?
A Computer Security Incident Response Team (CSIRT) is an organization or group that assists in responding to computer security incidents.
For example, a CSIRT can help with incident detection, analysis, and response. Also, a CSIRT can help with coordination and collaboration during incident response efforts.
For example, a CSIRT can be an organization within the business or it can be a separate organization that works with the business. The organization’s size and structure will depend on the size of the business and its security needs. For example, a small business may only need one person to respond to security incidents.
However, a large company may need a team of people who specialize in various areas like response coordination, analysis, and incident prevention.