
It's not a question of "if"; it's a matter of "when" a security breach occurs.

What is an incident?

An incident is an adverse event in a system or network with a negative consequence, such as a system crash, a packet flood, unauthorized use of system privileges, unauthorized access to sensitive data, or execution of malware that destroys data as a result of a successful attack.

Incident response, then, is the process of responding to and managing cyberattacks and security breaches.

Importance of incident response

  • Having an incident response capability helps an organization respond to incidents systematically and take appropriate actions.
  • Helps personnel minimize loss or theft of information and disruption of services.
  • Prepares the organization for future incident handling and strengthens protection using information gained from handling previous incidents.
  • Mitigation of exploited vulnerabilities.
  • Helps with properly handling legal disputes that may arise from incidents.
  • Compliance with applicable regulations and standards.

Incident response life cycle

This is the sequence of phases an incident goes through, from the time it is identified as a security compromise to the time it is resolved and reported.

1. Preparation

Developing policies and incident handling procedures. This includes building a response team to handle incidents, defining the triggers that alert internal partners, and recording contact information and communication channels. Key to this phase is effective training to respond to a breach, knowing your systems and network through profiling, and documentation to record actions taken for later review.

2. Identification

Detect deviations from normal status using threat intelligence feeds, intrusion detection systems and firewall logs.

Declare an incident once it is confirmed.

Follow the incident handling procedures.
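As an added example of the identification phase (this is not code from the original post), the Python below runs a minimal detection pass over a few constructed sshd-style log lines. It flags three kinds of deviation from normal: activity from an IP on a threat-intelligence list, a burst of failed logins from one source inside a sliding window, and the strongest signal of the three, a successful login from a source that had just been failing. The log lines, the indicator list and the threshold are all made up for illustration; a real deployment would read these from the IDS, firewall or SIEM and from a live feed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth log in syslog format (no year field); not from a real host.
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 web01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 40122 ssh2
Jan 12 10:00:05 web01 sshd[2232]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan 12 10:00:06 web01 sshd[2233]: Failed password for root from 203.0.113.45 port 51023 ssh2
Jan 12 10:00:07 web01 sshd[2234]: Failed password for admin from 203.0.113.45 port 51024 ssh2
Jan 12 10:00:08 web01 sshd[2235]: Failed password for admin from 203.0.113.45 port 51025 ssh2
Jan 12 10:00:09 web01 sshd[2236]: Failed password for root from 203.0.113.45 port 51026 ssh2
Jan 12 10:00:15 web01 sshd[2237]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Jan 12 10:01:00 web01 sshd[2238]: Failed password for bob from 192.0.2.10 port 33000 ssh2
Jan 12 10:03:30 web01 sshd[2239]: Failed password for bob from 192.0.2.10 port 33001 ssh2
Jan 12 10:05:00 web01 sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 45000 ssh2
"""

# Constructed indicator list standing in for a threat-intelligence feed.
KNOWN_BAD_IPS = {"198.51.100.7", "203.0.113.200"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_line(line, year=2024):
    """Return a dict for a recognised sshd auth line, or None for anything else.

    Syslog lines carry no year, so one is assumed for timestamp arithmetic.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, bad_ips, threshold=5, window=timedelta(seconds=60)):
    """Single pass over log lines; returns a list of alert dicts.

    ioc_match:              any activity from an IP on the indicator list
    brute_force:            >= threshold failures from one IP inside the window
    success_after_failures: a successful login from an IP with failures in the window
    Each (type, ip) pair is raised once so a long attack does not flood the queue.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerted = set()                # (type, ip) pairs already raised
    alerts = []

    def raise_alert(kind, ev):
        key = (kind, ev["ip"])
        if key not in alerted:
            alerted.add(key)
            alerts.append({"type": kind, "ip": ev["ip"], "user": ev["user"],
                           "host": ev["host"], "ts": ev["ts"].isoformat()})

    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        if ev["ip"] in bad_ips:
            raise_alert("ioc_match", ev)
        # Keep only failures still inside the sliding window for this source.
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold:
                raise_alert("brute_force", ev)
        elif recent:
            raise_alert("success_after_failures", ev)
        failures[ev["ip"]] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG.splitlines(), KNOWN_BAD_IPS):
        print(alert)
```

On the sample data this raises a brute-force alert and then a success-after-failures alert for 203.0.113.45, and an IOC match for 198.51.100.7; the two slow failures from 192.0.2.10 fall outside the window and stay silent, which is the kind of baseline noise a threshold is there to absorb. The success-after-failures alert is the one that should trigger "declare an incident" in the step above, because it indicates the attacker now has a working credential.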

3. Containment

Prevent attackers from doing further damage by isolating the affected systems, and rely on backup systems to maintain operations until the breach is contained.

Preserve evidence (memory and disk images) before making changes, then perform forensic analysis of the incident.

4. Eradication

Finding the root cause of the incident and neutralizing the threat. Actions include:

  • Removing compromised accounts
  • Revoking compromised credentials
  • Removing malware and other artifacts left behind by the attackers
  • Restoring the system from the most recent clean backup (one taken before the initial compromise; otherwise the attacker's foothold is restored with it)
  • Hardening and patching the system

5. Recovery

Put the systems back into production in a controlled manner after validating that the affected systems are no longer compromised.

Closely monitor the systems for any abnormal network activity.

It is now possible to estimate the cost of the breach and the resulting damage.

6. Lessons learned

Complete the incident documentation.

Learn from the incident: what went right and what went wrong, so that future response efforts improve. This is essentially a post-mortem discussion.

Computer security incident response team (CSIRT)

This is a team, selected within an organization or sector, that is tasked with detecting, analyzing and responding to incidents.

When putting together a team, it is important to make it cross-functional, drawing on the diverse parts of the business, to ensure its effectiveness.

A computer incident response team will include information security and general IT staff, but is not limited to them: representatives from the legal, human resources and public relations departments also take part. Define roles and responsibilities and assign them to each member.

Examples of CSIRTs

  • An internal CSIRT is an in-house team that provides services to its own organization.
  • A national CSIRT is a nationwide team that provides services to the entire nation, such as the Kenya Computer Incident Response Team Coordination Centre (KE-CIRT/CC).
  • Incident response providers are companies, mainly cybersecurity firms, that offer paid incident response services to their clients.

What a CSIRT does

  • Detects incidents at an early stage and reports them to prevent further incidents
  • Secures organizational data, hardware and critical business processes
  • Provides training on security awareness, intrusion detection and penetration testing
  • Creates and runs incident response simulations
  • Develops metrics for analyzing IR program initiatives, covering monitoring and alerting, communication among team members, and technology evaluations
  • Updates the IR plan document periodically and consistently

Why organizations require a response team

  • It helps the organization recover from security breaches and threats
  • It decreases response time during future security breaches
  • It helps in deploying systems that follow the organization's security policy

Incident response policy and plan

An incident response policy is a document containing the procedures, plans and guidelines, among other things, that direct incident response.

Some of the important elements it should contain include:

  • Scope of the policy
  • Profiling of the assets that need to be protected
  • Definition of computer security incidents and related terms
  • The incident response team: its creation, functions and powers
  • Requirements for reporting incidents
  • Guidelines for external communication and information sharing
  • Handoff and escalation points for incidents
  • Prioritization or severity rating of incidents
  • Reporting forms

An incident response plan is a formal roadmap for implementing incident response in a coordinated manner.

An organization needs a plan that meets its own requirements, which relate to its mission, structure and functions. The plan sets out the resources needed and the management support required. Some of the important elements it should include are:

  • The organization's approach to incident response
  • Incident response checklists and playbooks
  • How the incident response team will communicate with the rest of the organization and with outside parties
  • Metrics for measuring the incident response capability and its effectiveness

Tools used in incident response

Incident analysis software and hardware include:

  • Digital forensic workstations to create disk images with tools such as FTK Imager, take memory dumps with tools such as Magnet RAM Capture, preserve log files, and save other relevant incident data
  • Laptops for activities such as analyzing data, sniffing packets, and writing reports
  • Spare workstations, servers, and networking equipment, or their virtualized equivalents, which may be used for many purposes, such as restoring backups and detonating malware in isolation
  • Blank removable media for evidence storage
  • A printer to print copies of log files and other evidence from non-networked systems
  • Packet sniffers and protocol analyzers to capture and analyze network traffic, such as Wireshark
  • Digital forensic software to analyze disk images, such as Autopsy
  • Removable media with trusted versions of programs to be used to gather evidence from systems (the tools on a compromised host cannot be trusted)
  • Evidence gathering accessories, including hard-bound notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage bags and tags, and evidence tape, to preserve evidence for possible legal action
  • Security information and event management (SIEM) tools, which automate parts of the incident process by providing monitoring, alerting and log collection, such as AlienVault and SolarWinds
  • Detection tools, including firewalls such as the built-in Windows firewall and pfSense, and intrusion detection systems such as Snort
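Whatever imaging tool produces the disk or memory image, the step that makes it usable as evidence is recording its cryptographic hash at acquisition time and re-checking it before analysis and before any legal handover. As an added example (not code from the original post), the Python below hashes acquired evidence files in chunks, writes a JSON manifest tying each hash to a case identifier and acquirer, and later re-verifies the files, reporting each as intact, modified or missing. The case number, analyst identity and file contents in the demo are constructed stand-ins; the manifest format is an assumption of this example, not a standard.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so multi-GB disk images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(evidence_paths, case_id, acquired_by, manifest_path):
    """Record name, size and SHA-256 of each evidence file plus acquisition details.

    Returns the manifest and the hash of the manifest file itself; that second
    hash belongs in the hand-written custody log, so the manifest cannot be
    silently rewritten together with the evidence it describes.
    """
    manifest = {
        "case_id": case_id,
        "acquired_by": acquired_by,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "evidence": [
            {"file": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in evidence_paths
        ],
    }
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest, sha256_file(manifest_path)


def verify_manifest(manifest_path, evidence_dir):
    """Re-hash every listed file; returns {filename: 'ok' | 'modified' | 'missing'}."""
    with open(manifest_path, encoding="utf-8") as f:
        manifest = json.load(f)
    results = {}
    for entry in manifest["evidence"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.exists(path):
            results[entry["file"]] = "missing"
        elif os.path.getsize(path) != entry["size"] or sha256_file(path) != entry["sha256"]:
            results[entry["file"]] = "modified"
        else:
            results[entry["file"]] = "ok"
    return results


def demo_roundtrip():
    """Constructed end-to-end run: acquire two fake images, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "web01-disk.raw")
        mem = os.path.join(d, "web01-mem.raw")
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed disk image stand-in")
        with open(mem, "wb") as f:
            f.write(b"constructed memory dump stand-in")
        manifest_path = os.path.join(d, "manifest.json")
        # Case id and analyst are made up for the demo.
        create_manifest([img, mem], "IR-2024-001", "analyst@example.org", manifest_path)
        before = verify_manifest(manifest_path, d)
        # Simulate tampering: flip one byte in the disk image, delete the memory dump.
        with open(img, "r+b") as f:
            f.seek(10)
            f.write(b"\x01")
        os.remove(mem)
        after = verify_manifest(manifest_path, d)
    return before, after


if __name__ == "__main__":
    before, after = demo_roundtrip()
    print("at acquisition:", before)
    print("after tampering:", after)
```

The size check alone would not catch the single flipped byte; the hash does, which is why the manifest records both and why the verification re-reads the whole image rather than trusting file metadata. Write the manifest and its hash to the blank, write-once media listed above rather than to the workstation that also holds the images.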


A formally documented incident response plan helps businesses respond rather than react.

Never panic, as you may cause more harm to the system.

It's important to keep backups of your systems; they will be needed for recovery and to ensure business continuity.

It is okay to ask for help.

Basic stuff

  • Remove the affected computer from the internet and the network to prevent the rest of your network from being infected or affected
  • Do not switch off the affected computer or system (powering off destroys volatile evidence such as memory contents)
  • Do not reinstall the system without first taking a forensic copy
  • If you have no idea how to proceed, immediately report to the relevant personnel
  • Activate the incident response plan

As an organization, it is time to:

  • Create an IR plan and policy
  • Review the existing incident process, or create one
  • Establish an IR team
  • Conduct regular incident team meetings
  • Set ground rules
  • Train your staff
  • Inform staff of the rules and the incident contacts
  • Document recent and future incidents
  • Follow at least one incident handling industry standard, such as NIST SP 800-61 (the Computer Security Incident Handling Guide)
  • Create different high-level playbooks to complement the incident checklist

By kcsfa
